Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.
Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets.
The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies.
Document and communicate roles and responsibilities of employees, as they relate to information assets and security.
Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.
Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.
Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.
Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.