Policy for human resource security (A.7)

On this page you will find the current policy for staff security. The policy ensures that employees and contractors are aware of their responsibilities and roles in relation to information security in connection with their affiliation to Aarhus University.


Objective

The objectives of AU's policy for human resource security are:

  • to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered
  • to ensure that employees and contractors are aware of and fulfil their information security responsibilities
  • to protect the organization's interests as part of the process of changing or terminating employment 

Prior to employment (A.7.1)

Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. (A.7.1.1)

The HR unit in question and the unit employing the employee must ensure that employees in particularly trusted positions, including managerial and IT positions, are subject to a thorough background check.

The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. (A.7.1.2)

The person at Aarhus University responsible for concluding the employment contract must inform the new member of staff about the university's information security policy.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

During employment (A.7.2)

Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. (A.7.2.1)

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. (A.7.2.2)

The manager is responsible for ensuring that all unit employees:

  • are adequately informed about their roles and responsibilities in relation to security before they are granted access to the university's systems and data.
  • have been made aware of the necessary guidelines so that they can comply with Aarhus University's information security policy.
  • have a level of training and awareness of information security issues that corresponds with their roles and responsibilities at the university.
  • know how information is classified.

There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. (A.7.2.3)

The responsible HR unit and the unit employing the employee must ensure that the formal disciplinary process is followed.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.7.2 Information security during employment:
    • Responsibility for this lies with the individual unit manager. See documents mentioned in A.7.1
    • Assistance can be sought from HR

Termination and change of employment (A.7.3)

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. (A.7.3.1)

Employees and contractors must return all assets issued by Aarhus University upon termination of employment, contract or special agreement, such as emeritus schemes. It is also incumbent upon them to uphold confidentiality regarding information pertaining to Aarhus University after the end of the contractual relationship.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

QUESTION GUIDE

Consider the question guide as a tool to navigate the requirements of the policy:

  • How are proper background checks of employees ensured?
  • How can we ensure that employees and contractors are aware of their shared responsibility for information security at Aarhus University?
  • Are the contractual arrangements in place? How is the need for information security covered in the contract?
  • How do on-/offboarding procedures take account of information security in relation to granting access rights and returning assets?

A contractor at Aarhus University is defined as an agreement partner (can be either a person or an institution) who has entered into a contract or an agreement with Aarhus University.

Students are not considered contractors.