Personnel Security Policy
Objective of Personnel Security Policy
The policy aims to provide guidelines for addressing personnel issues related to information security.
Applicability of Personnel Security Policy
This policy applies to all employees of BOISL and shall extend to all contractors, sub-contractors and any other third party who require access to system and application software, servers, desktops and networking/security components.
Responsibilities
The Personnel Department and the Deputy Chief Manager / CA are responsible for the implementation of this policy.
Policy Statement
- Potential recruits should be screened for good character, adequate qualifications and verified identity. Potential recruits should be made aware of the information security terms and conditions attached to their position in BOISL.
- Access control should be designed and implemented on the basis of segregation of duties.
- Employees/third party users should be trained in the computer security responsibilities and duties associated with their jobs.
- Outgoing or transferring employees should be stripped of the accesses, privileges and controls they hold.
- All employees and contractors should be made aware of the procedure for handling security-related incidents.
- A confidentiality agreement should be put in place for employees as well as third party users, and should be reviewed periodically.
- A disciplinary process should be set in place that will act as a deterrent to employees who might be inclined to disregard security procedures.
- A clear agreement should be reached with employees/third party users about ownership of the intellectual property rights of their work.
- All employees of BOISL should be made aware of the various IS policies implemented for information integrity and system security.
Procedure
Procedure for Personnel Department
- Potential recruits should be adequately screened, for example by:
- Obtaining character references
- Checking the applicant's CV for completeness/accuracy
- Checking identity (passport, Aadhaar or PAN card)
- The terms and conditions for all positions/employees should be clearly defined; a copy should be handed over to the employee before joining and the employee's acceptance obtained.
- The terms and conditions of employment should include requirements for compliance with information security.
- The granting of access should be based on separation of duties and least privilege. Least privilege means granting users only those accesses they need to perform their official duties. A process should be developed that requests, establishes, issues and closes user accounts and tracks users and their authorizations.
- Employees should be trained in their computer security responsibilities; information security awareness should be included in the induction training provided to all relevant staff.
- All staff and, where relevant, third party users should be provided with appropriate training and regular updates in organizational policies and procedures. This includes security requirements, legal responsibilities and business controls, before access to information or services is granted.
- Systematic assessment of staff training needs and evaluation of training that has taken place should be undertaken, and should form part of the Training and Development Policy of the company.
- The personnel department should develop procedures for outgoing or transferring employees covering the removal of access and privileges, the control of keys, a briefing on continuing responsibilities for confidentiality and privacy, return of property, and the continued availability of data the employee may have created, modified or used during day-to-day operations. Access privileges should be temporarily suspended for any employee remaining absent from duty for more than one month.
- The personnel department should undertake periodical rotation of employees so that no single employee gains full control of any of the processes.
- Users of BOISL IT facilities should sign an appropriate confidentiality (non-disclosure) undertaking. Employees should be made to sign such an undertaking as part of their initial conditions of employment.
- The BOISL personnel department should maintain up-to-date records of employees' names, addresses and phone numbers, and of changes therein.
Procedure for Personnel Department
- Employees should be trained in the duties associated with their jobs.
- All staff and, where relevant, third party users should be provided with appropriate training and regular updates in the correct use of information processing facilities (e.g. log-on procedure, use of software packages) before access to information or services is granted.
- A formal reporting procedure should be established together with a security related incident response procedure.
- Security incident should be reported through appropriate management channels as quickly as possible.
- Procedures should be established for reporting software malfunctions.
- Procedures should be established to monitor security incidents, including compliance with security policies and procedures and the adequacy of those policies and procedures.
- Agency staff and third party users not already covered by an existing contract (containing the confidentiality undertaking) should be required to sign a confidentiality agreement prior to connection to BOISL IT facilities.
- A formal disciplinary process should be established for employees who have allegedly violated organizational security policies and procedures. Such a process will act as a deterrent to employees who might be inclined to disregard security procedures.
- All employees and third party contractors should sign a formal undertaking regarding the intellectual property rights of work undertaken during their term of employment/contract respectively. The terms of employment/contract should clearly indicate who owns the intellectual property rights of work done.
- The employee data kept with BOISL should be treated as strictly confidential and made available only to authorized personnel of BOISL, or to other individuals/organizations as authorized by management.
- Employees/contractors should be informed of BOISL's right to access all information created or stored on the systems available in the organization, with due regard to employees' privacy at the workplace.
- Any BOISL employee who does not access an administrative system within a one-year period will have his/her access removed and must be reauthorized for access.
Procedure for employee
- All employees and contractors should be made aware of the procedure for reporting security-related incidents.
- Users are required to note and report any observed or suspected security weaknesses in or threats to systems or services.
- Users are individually responsible for protecting the data and information in their hands. Security is everyone’s responsibility.
- Resources in the hands of staff should be used only for the benefit of BOISL.
- BOISL staff should log off before leaving their workstation if they are working on sensitive information or are leaving the workstation for any length of time.
- BOISL staff should protect equipment from theft and keep it away from food, drinks and smoking.
- BOISL staff should not install any software on their machines or alter their configuration. This work may only be undertaken by IT service staff.
- All employees should treat passwords as private and highly confidential, and confidential information should be shared with authorized personnel only.
- A list of authorized personnel should be prepared for undertaking the following activities:
- Signing for work undertaken by third parties.
- Receiving the goods on behalf of the organization.
- Ordering the goods on behalf of the organization.
- Approving the expenditures made
- Handling telephone enquiries for sensitive and confidential information.
Procedure for Deputy Chief Manager / CA
- The Information Security Officer should be provided with appropriate training in order to keep up to date with all applicable legislation, information security standards and security threats.
- Confidentiality agreements should be reviewed when there are changes to terms of employment or contract, particularly when employees are due to leave the organization or contracts due to end.
- The disciplinary process established for employees who have allegedly violated organizational security policies and procedures should ensure correct and fair treatment of employees suspected of committing serious or persistent breaches of security.