This Policy defines the key responsibilities and processes associated with resource changes within the Force, namely new starters and leavers to the organisation. These responsibilities are key to safeguarding Nanonets' physical and data assets and ensuring the security of those assets at all times.
Background
In order to minimize the risk of information loss or exposure (from both inside and outside the organisation), the organisation is reliant on the principle of least privilege. Account creation and permission levels are restricted to only the resources absolutely needed to perform each person’s job duties. When a user’s role within the organisation changes, those accounts and permission levels are changed/revoked to fit the new role and disabled when the user leaves the organisation altogether.
Policy
a. During onboarding:
HR services shall:
1. Ensure that the appropriate pre-employment checks and screening are undertaken. Where access to more sensitive information or information systems is required, further vetting against the applicable standards shall be required;
2. Ensure that Employees commence employment only once the appropriate paperwork and checks have been completed and received;
3. Ensure that Employee security risks are effectively managed through robust security processes, so that actions are in accordance with Nanonets' legal obligations;
4. Provide a legally binding contract of employment. The contract of employment shall explicitly state all applicable roles, benefits and responsibilities bestowed on the employee by Nanonets. From an information security perspective, it shall include the expected Employee Code of Conduct, confidentiality clauses, required compliance with legal requirements, policies and procedures, and the consequences of non-compliance and subsequent information breaches;
5. Ensure that prior to recruitment the security responsibilities are outlined to the candidates. This includes embedding these responsibilities appropriately into each job description.
Managers shall:
1. Ensure they understand the needs of the Starter and what is expected of them, including all relevant policies;
2. Ensure the Starter shall not have access to the Nanonets systems until they have read and signed all the relevant policies;
3. Create a checklist of ICT assets, systems, accounts and permission levels needed for that role;
4. Prepare a comprehensive induction programme covering: the role, the responsibilities assigned to the individual, the Nanonets Information Governance Policy and associated policies, the assets associated with the role, and the access permissions granted;
5. Identify relevant training for the individual, including Information Security Training;
6. Ensure the employee is familiar with all relevant information security policies, including the Information Security Incident Reporting and Management Policy;
7. Provide the Starter with an overview of information handling within the department, including electronic and paper;
8. Work with the owner of each resource to set up the user.
b. During offboarding:
HR services shall:
1. Facilitate the Leaver process with the Manager in a timely manner;
2. Notify other relevant functions such as payroll and conduct an exit interview.
Managers shall:
1. Explain the Leaver process to the Employee and clarify any questions they may have;
2. Initiate the Leaver process and action all elements of the Leaver process in a timely manner;
3. Remind the Leaver of their Terms and Conditions of employment, including Information Governance obligations, namely that they must not leave with Nanonets information in any format. In addition, they shall respect confidentiality agreements and personal information requirements;
4. Ensure that the Employee understands their post-termination responsibilities under the appropriate governing laws;
5. Identify Nanonets assets to which the Leaver has, or has had, access, and ensure these are all returned and access removed prior to, or on, the leave date;
6. Ensure that a robust handover is completed, and that contact lists are updated, recorded and communicated to appropriate areas;
7. Return the completed termination checklist to HR Support confirming that all stages of the process have been actioned, and ensure that an exit interview is carried out;
8. Ensure, with the Head of department, that the Systems Administrator has been informed that the Employee is no longer entitled to access any internal system, equipment, data or information;
9. Report any non-compliance of the Policy to the relevant Head of department.