Personnel Security
Security in Job Definition and Resourcing
Personnel Screening Policy
CX Index conducts background checks to ensure the safety of existing employees and to ensure that the employees we hire possess the highest possible level of integrity and business ethics.
The purpose of this policy is to ensure that information assets are protected from personnel who may not be trustworthy enough for the responsibilities associated with security protection and handling.
All screening and supervision shall be in accordance with appropriate legislation and data protection requirements.
Types of Background Checks
CX Index requests the following types of background checks for all positions:
- Employment Verification
- Education Verification (for highest level only)
CX Index may request that staff who may work with certain clients be willing to submit themselves to the necessary security and background clearances where required.
Who Requires a Background Check?
All new employees of CX Index require the successful completion of a background check prior to beginning their first day of work at CX Index.
When to Request a Background Check
If the hiring manager is considering making an offer to a candidate, a background check should be requested any time after the first interview.
Who Decides if a Candidate Passes the Background Check?
CX Index’s Senior Management will determine whether a candidate passes the CX Index guidelines for the background check.
Confidentiality Agreements
CX Index expects that information disclosed to CX Index employees will be treated with the appropriate level of confidentiality. Except as required by law, information concerning CX Index’s business is not to be discussed with competitors, outsiders, or the media. Employees are prohibited from forwarding e-mails containing information on CX Index’s business to anyone outside of the company or otherwise transmitting CX Index-confidential information outside of the company, whether over the Internet or otherwise. Failure to honour this confidentiality requirement may result in disciplinary action, up to and including termination of employment.
In the course of an employee’s work, they will have access to CX Index’s confidential and/or proprietary information, including information concerning clients and suppliers, as well as fellow employees. It is imperative that no employee disclose such information in any inappropriate way, and that such information be used only in the performance of regular job duties.
CX Index requires confidentiality or non-disclosure agreements from all employees and third party staff not otherwise covered by third party contracts before access to sensitive information will be allowed.
This policy requires that staff sign a confidentiality or non-disclosure agreement (unless otherwise contractually bound) prior to being granted access to any sensitive information or systems.
Agreements will be reviewed with the employee when there is any change to the employment or contract, or prior to leaving CX Index.
Senior Management will provide the agreements to the employees, and will be responsible for maintaining all agreements in use by CX Index.
Only members of the Senior Management team shall sign non-disclosure agreements or any type of contract, such as warranty and Terms and Conditions, on behalf of CX Index.
All requests for information about CX Index and its business shall be referred to CX Index’s Senior Management.
Terms and Conditions of Employment
CX Index will state the employee’s roles and responsibilities for information security in the terms and conditions of employment.
The purpose of this policy is to make clear to all employees their responsibilities for maintaining and promoting security within CX Index during and subsequent to their employment, as well as the sanctions for not doing so.
The employee’s manager will provide the employee with the specific responsibilities that are particular to the position.
User Training
Information Security Education and Training
All employees will be appropriately trained on CX Index’s Information Security policies and kept up-to-date on any additions or changes to the policies. Training is mandatory prior to receiving access to information or services.
The Human Resources department is responsible for initial training and education on CX Index’s security policies during the employee orientation process. Employees should have recurring annual refresher training on current threats, as well as material changes to policy. This training may be conducted by annual refresher seminars or continual reminders (such as posters, e-mail or intranet newsletters, etc.).
When employees sign acknowledgements for complying with policy, these acknowledgements should include acknowledgement of initial training.
The Senior Management will be responsible for the on-going policy education and training policy.
Responding to Security Incidents and Malfunctions
Reporting Security Incidents
CX Index will educate employees on, and establish, formal reporting and feedback procedures and incident response procedures for all security incidents. In this way, CX Index will react to all security incidents immediately and provide all employees with the information necessary to assist CX Index in doing so.
All suspected policy violations, system intrusions, virus infestations and other conditions that might jeopardise CX Index information or CX Index information systems shall be immediately reported to the Senior Management.
If an employee learns that CX Index confidential information has been lost, disclosed to unauthorised parties, or is suspected of being lost or disclosed to unauthorised parties, the employee shall immediately notify the Senior Management or other members of the Senior Management team.
The Senior Management will inform employees how to report possible incidents by providing information to Human Resources to be included in the initial training material.
Incidents may be used in on-going security awareness training to illustrate policy or procedures.
Incidents will be reviewed for the purposes of learning how they can be avoided in the future.
Reporting Security Weaknesses
CX Index requires all users to immediately report suspected security weaknesses in, or threats to, systems or services to management or service providers. These weaknesses should only be reported if actually discovered by the user, as the Senior Management will maintain a watch for vendor and forum notifications of new vulnerabilities.
Only users authorised by the Senior Management may test systems for suspected security weaknesses. Any unauthorised testing by users shall be considered misuse of the system and be subject to disciplinary measures.
Learning from Incidents
The purpose of this policy is to allow CX Index to enhance its security policy to limit such occurrences in the future.
Incidents and malfunctions will be reviewed during the security review process. Analysis of incidents and malfunctions will be done to determine new controls that can be established to prevent future incidents.
Disciplinary Process
In support of the Information Security Program, CX Index will establish a formal disciplinary process for those who violate CX Index’s security policies and procedures.
Disciplinary processes shall be documented by Human Resources and given to all employees and applicable third parties. Discipline for violating security policy or causing a security breach will be as appropriate, up to and including termination or possible criminal/civil charges.
If an employee is suspected of a breach of security, management shall be informed and the Senior Management, together with the manager of the person suspected, shall begin the investigation.