Policy for human resource security (A.7)

Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. (A.7.1.1)

The HR unit in question and the unit employing the employee must ensure that employees in particularly trusted positions, including managerial and IT positions, are subject to a thorough background check.

The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. (A.7.1.2)

The person at Aarhus University responsible for concluding the employment contract must inform the new member of staff about the university's information security policy.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. A.7.1.2 Terms of employment: As part of the individual unit’s work on information security and awareness, see the following key information security documents: Aarhus University’s information security policy, subjacent policies A.5-A.8 policies, Rules regarding information security and a central ISMS for AU.

Management shall require alle employees and contractors to apply information security in accordance with the established policies and procedures of the organization. (A.7.2.1)

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. (A.7.2.2)

The manager is responsible for ensuring that all unit employees:

• are adequately informed about their roles and responsibilities in relation to security before they are granted access to the university's systems and data.
• have been made aware of the necessary guidelines so that they can comply with Aarhus University's information security policy.
• have a level of training and awareness of information security issues that corresponds with their roles and responsibilities at the university.
• know about how information is classified.

There shall be a formal and communicated disciplinary process in place to take aktion against employees who have committed an information security breach. (A.7.2.3)

The responsible HR unit and the unit employing the employee must ensure that the formal disciplinary process is followed.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re. A.7.2 Information security during employment: Responsibility for this lies with the individual unit manager. See documents mentioned in A.7.1 Assistance can be sought from HR

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. (A.7.3.1)

Employees and contractors must return all assets issued by Aarhus University upon termination of employment, contract or special agreement, such as emeritus schemes. It is also incumbent upon them to uphold confidentiality regarding information pertaining to Aarhus University after the end of the contractual relationship.

A number of initiatives have been planned and established centrally in order to comply with the above requirements: Re A.7.3.1 Termination of employment: Refer to the Rules regarding information security guidelines from HR the relevant unit is responsible for ensuring the actual return of assets