Cybersecurity in human resources

The employment contracts specify the responsibilities of the employee and the organization for cyber security.

Contracts should include e.g.:

• the employee's legal responsibilities and rights, such as those related to copyright or data protection law
• the employee's responsibility for following the instructions, e.g. related to the use of hardware and data and the classification of information
• the employee's or temporary employee's responsibility for processing information received from other companies or other parties
• measures if the employee or temporary worker violates the safety requirements of the organization
• continuing obligations after termination of employment

Applicants applying for cyber security should have their background checked, taking into account relevant laws and regulations.

The check may include:

• review of recommendations
• verification of CV accuracy
• verification of educational qualifications
• verification of identity from an independent source
• other more detailed checks (e.g. credit information, review of previous claims or criminal record)

The background check may also be extended to, for example, teleworkers, contractors or other third parties. The depth of the background check can be related to the category of the accessed data.

Our organization has defined the actions to be taken in the event of a breach of confidentiality. These may include e.g. the following steps:

• investigating what data was breached and how harmful this was
• investigating the intentionality of the act
• investigating what was set as conseguence on the confidentiality agreement
• deciding whether and how to proceed (e.g. legal actions)
• deciding whether outside assistance is needed

Before granting access rights to data systems with confidential information employees have:

• received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
• received appropriate guidance on their security roles related to their own role (including digital security rules related to their role and information systems and their acceptable use)
• received information from cyber security contacts who can be asked for more information

Training arranged before granting access rights applies not only to new employees but also to those who move to new tasks or roles, especially when the data systems used by the person and the security requirements related to the job role change significantly with the change of job role. The training is arranged before the new job role becomes active.