Standard for Information Security Related to Employees
I. Purpose
Information security should be built into the entire Human Resources (HR) process, from pre-employment through employment to termination. Consistent management and training throughout the process ensures that employees and contractors are fully aware of their roles and responsibilities, and that they understand how critical their actions are in protecting and securing university information resources.
II. Scope
This standard is applicable to UNC Charlotte personnel with human resource or management responsibilities as well as to all employees of the university including contracted personnel and other authorized users of sensitive university data.
III. Contacts
Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@charlotte.edu.
IV. Standard
Employees, including contracted personnel and other authorized users of sensitive university data, must have the appropriate skills and knowledge to perform their job duties and be aware of their responsibilities for protecting university information resources. In addition, the employee’s access should be appropriate to the position they hold during their active employment.
Prior to Employment
Job descriptions should clearly define security roles and responsibilities aligned with UNC Charlotte policies, standards, and guidelines. Employees and contractors should understand their responsibilities and be qualified and suitable for the roles for which they are considered.
Screening
Qualifications and references should be carefully reviewed and background checks conducted.
Terms and conditions of employment
Contractual agreements with employees and contractors should state responsibilities for information security.
During Employment
Employees and contractors should be aware of and fulfil their information security responsibilities.
Employee orientation
All new employees should participate in new employee orientation workshops in which they should be made aware of University Policy 311 Information Security and supporting Standards and Guidelines. In addition, new employees are required to take the IT Security Training.
Management responsibilities
All managers and supervisors should be expected to know the information security responsibilities of their employees and ensure those employees have the knowledge and training to protect university information, with measures such as:
- Ensuring employees have the appropriate access to systems and services to perform the tasks and responsibilities associated with their position and role, including applying the minimum level of access or permissions needed to perform the job functions, actively managing group access, and removing access when an employee changes positions or leaves the university
- Ensuring employees who handle sensitive university information have taken the IT Security Training
- Ensuring employees are familiar with UNC Charlotte Policy 311 Information Security and supporting Standards and Guidelines
- Ensuring employees have signed the university confidentiality statement in Banner Self Service
- Ensuring employees know how to report a security incident (see Standard for Managing Information Security Incidents)
Note: Managers should follow the Standard for Business Requirements for Access Control, the Guideline for User Access Management, and the Guideline for Privileged Account Management.
Termination and Change of Employment
Protection of university information resources should be an integral part of any process for changing or terminating employment. The employee’s supervisor should ensure Human Resources receives information needed to initiate this process in a timely manner.
When an employee has been terminated or changes positions or roles within the university, the supervisor is responsible for ensuring the employee’s special or privileged access to systems and services has been removed.
Related Resources
- University Policy 311 Information Security
- Standard for Business Requirements for Access Control
- Guideline for User Access Management
- Guideline for Privileged Account Management
- Standard for Managing Information Security Incidents
- Standard for Responsible Use
- Computing Network Policies
- ISO/IEC 27002
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Revision History
Initially approved by Information Assurance Committee 7/23/15
Updated 8/1/24