This snapshot, taken on 04/03/2010, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.


HR Discipline and Dismissal

The guidance below is based on best practice, and seeks to provide pragmatic advice that operates within the law.

However, the law is complex, as are the myriad rules and regulations regarding employment. In matters of doubt or great importance, always seek professional assistance.

Discipline

A formal disciplinary process should be established for all disciplinary matters, not just those relating to breaches of information security policy and procedures.

However, information security breaches should be explicitly stated as being disciplinary offences within the process documentation.

Terms & Conditions

Standard terms and conditions of employment should state:

  • The employee's responsibilities regarding information security
  • How an employee's information security responsibilities can continue after the employment has ended (if appropriate)
  • How breaches of policy can result in disciplinary action
  • The employee's legal responsibilities and rights, including data protection
  • The employee's responsibilities for the classification and management of the employer's data
  • That the employee's information security responsibilities extend outside normal working hours and outside the organisation's premises (for example, when working from home)

Non-Disclosure Agreements (NDAs)

  • Employees should sign a non-disclosure agreement (NDA), as part of their initial terms and conditions
  • Any external users of the company's IT facilities (for example, agency staff, users in third parties) should also be required to sign non-disclosure agreements
  • NDAs should be reviewed when employees change jobs and when contracts are due to expire

Job Descriptions

Job descriptions should specify general responsibilities (for example, compliance with the organisation's information security policies).

Where possible, job descriptions should incorporate specific security roles and responsibilities. As requirements often evolve, it's worth making the adoption of such responsibilities part of any annual appraisal process.

Termination of Employment

The termination process must ensure that:

  • Leavers are processed in a timely way, and that all company property is returned prior to departure
  • The IT Security administration team is informed of the departure, so that the departing user's logon IDs are disabled or removed in good time

Similar processes should exist for people transferring within the company (especially if the company is large), as users may retain access rights that may enable them to damage the company (accidentally as well as deliberately).

IT security administration should be informed of the transfer, so that they can ensure appropriate management of the relevant logon IDs and access profiles.

Sensitive Information Systems

It is best practice to monitor the work of staff with access to sensitive information. The authority of staff to access sensitive information systems should be periodically reviewed.
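The leaver, transfer and periodic-review requirements above all reduce to the same check: reconciling what HR says about a person against what the account directory actually grants them. The following is an added example written for this page, not code from the original or from BIS. It uses a constructed HR roster, a constructed account directory, and assumed department-to-group mappings (`ROLE_GROUPS`, `SENSITIVE_GROUPS`) to flag three conditions: leavers (or people with no HR record) whose logon ID is still enabled, transferred staff who have retained groups from their old role, and holders of sensitive-system access whose authority has not been reviewed within a chosen period.

```python
from datetime import date

# Constructed sample data for illustration only; the group names, departments
# and dates are assumptions, not values from the page.
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob":   {"status": "left", "left_on": date(2010, 2, 12)},
    "carol": {"status": "active", "department": "hr"},      # transferred from finance
    "dave":  {"status": "active", "department": "it"},
}

ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"finance-ro", "finance-rw"}, "last_review": date(2010, 1, 5)},
    "bob":   {"enabled": True, "groups": {"finance-ro"},               "last_review": date(2009, 11, 1)},
    "carol": {"enabled": True, "groups": {"hr-rw", "finance-rw"},      "last_review": date(2009, 6, 20)},
    "dave":  {"enabled": True, "groups": {"it-admin"},                 "last_review": date(2010, 2, 1)},
    "erin":  {"enabled": True, "groups": {"hr-ro"},                    "last_review": date(2009, 12, 1)},  # no HR record
}

# Assumed mapping from a department to the groups its staff are entitled to hold.
ROLE_GROUPS = {
    "finance": {"finance-ro", "finance-rw"},
    "hr":      {"hr-ro", "hr-rw"},
    "it":      {"it-admin"},
}

# Assumed set of groups that grant access to sensitive information systems.
SENSITIVE_GROUPS = {"finance-rw", "hr-rw", "it-admin"}


def leavers_with_active_accounts(roster, accounts):
    """Enabled logon IDs belonging to leavers, or with no HR record at all."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue
        record = roster.get(user)
        if record is None:
            findings.append((user, "no HR record"))
        elif record["status"] == "left":
            findings.append((user, "left on " + record["left_on"].isoformat()))
    return findings


def movers_with_retained_access(roster, accounts, role_groups):
    """Active staff holding groups outside their current department's entitlement."""
    findings = []
    for user, record in roster.items():
        if record["status"] != "active" or user not in accounts:
            continue
        expected = role_groups.get(record["department"], set())
        extra = accounts[user]["groups"] - expected
        if extra:
            findings.append((user, sorted(extra)))
    return findings


def overdue_sensitive_reviews(accounts, sensitive_groups, today, max_age_days=180):
    """Enabled accounts with sensitive access whose last review is older than the limit."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"] or not (acct["groups"] & sensitive_groups):
            continue
        age_days = (today - acct["last_review"]).days
        if age_days > max_age_days:
            findings.append((user, age_days))
    return findings


def run_review(today):
    """Run all three reconciliations and return the findings in one report."""
    return {
        "leavers": leavers_with_active_accounts(HR_ROSTER, ACCOUNTS),
        "movers": movers_with_retained_access(HR_ROSTER, ACCOUNTS, ROLE_GROUPS),
        "overdue_reviews": overdue_sensitive_reviews(ACCOUNTS, SENSITIVE_GROUPS, today),
    }


if __name__ == "__main__":
    for category, items in run_review(date(2010, 3, 4)).items():
        print(category)
        for item in items:
            print("  ", item)
```

In practice the roster would come from the HR system and the account data from the directory service; the point of the exercise is that the two are compared on a schedule, so that a departure or transfer HR knows about cannot leave a live logon ID or an old entitlement behind unnoticed.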