Texas Security and Risk Management

4.0 Personnel Practices

Copyright(c), 1995 - Management Analytics - All Rights Reserved

In any organization, people represent the greatest possible assets in maintaining an active level of security. At the same time, people represent the greatest threats to information security. No security program can be effective without maintaining employee awareness and motivation.

4.1 The Agency Information Security Manual

STANDARD. Each agency shall prepare a security manual that lists the agency's security policies and procedures. All agency personnel shall be required to provide written acknowledgement that they have received, read and understand the security policies and procedures. The agency head, or the information resources manager acting on delegated authority, shall determine how often this written acknowledgement must be renewed.

GUIDELINES. The manual should:

The manual should avoid references to people, places, or things that frequently change within the organization. For example, avoid using individual names or system acronyms. Instead, describe the agency's security policies and procedures in terms of program goals and job functions.

Every employee should be held responsible for information security to the degree that the duties of the job require the use of information and associated systems. Fulfillment of security responsibilities should be mandatory and violations of security policies, procedures, and/or requirements may be cause for disciplinary action, up to and including dismissal, civil penalties, or criminal penalties per the relevant federal laws or Texas statutes.

4.2 Positions of Special Trust or Responsibility

Individual positions should be analyzed to determine the potential vulnerabilities associated with work in those positions. In some cases it may be appropriate for agencies to designate classes of employment as being positions of special trust or responsibility. It may also be appropriate to designate locations as sensitive and require appropriate procedures and safeguards for all employees whose duties include access to those areas.

STANDARD. Each agency shall establish procedures for reviewing information resource functions to determine which positions require special trust or responsibilities.

GUIDELINES. The review procedures should be based on risk analysis and should consider the following criteria:

4.3 Non-Disclosure Agreements

STANDARD. Agencies shall use non-disclosure agreements to document the acceptance by employees and contractors of special information security requirements as defined by agency standards and risk management decisions.


4.4 Security Awareness and Training

An effective level of awareness and training is essential to a viable information security program. Employees who are not informed of risks or of management's policies and interest in security are not likely to take steps to prevent the occurrence of violations.

STANDARD. Agencies shall provide an ongoing awareness and training program in information security and in the protection of state information resources for all personnel whose duties bring them into contact with confidential or sensitive state information resources. Security training sessions for these personnel shall be held at least annually. Further, awareness and training in security shall not be limited to formal training sessions, but shall include periodic briefings and continual reinforcement of the value of security consciousness in all employees whose duties bring them into contact with confidential or sensitive state information resources.


4.5 Hiring and Terminating Procedures

RESPONSIBILITY. A significant portion of computer security problems are caused by careless, uninformed or disgruntled employees. It is necessary that supervisory and management personnel take precautionary actions when hiring and/or terminating state employees. Security privileges must be removed whenever appropriate.

STANDARD. State agencies shall take advantage of new employee orientation to establish security awareness and inform new employees and contractors of information security policies and procedures. If an employee leaves the employment of any agency of the state, for whatever reason (resignation, termination, retirement), all security privileges shall be immediately revoked and the employee shall be prevented from having any opportunity to access information.


4.6 Alcohol and/or Drug Use

Employees who abuse alcohol or use illegal drugs pose a security problem. The abuse of alcohol and the use of illegal drugs on state premises constitutes a hazard to the employee as well as a potential risk to state assets.

The use of alcohol or illegal drugs should be brought to the attention of management for appropriate action.

4.7 Disciplinary Actions

In the course of enforcing each agency's information security policies and procedures, it may be necessary to employ disciplinary actions. Disciplinary actions may include a letter of reprimand, time off without pay, or even dismissal from state service. The availability of each option depends, among other factors, upon the severity of the infraction. It must be demonstrated that the employee was informed of the agency's information security policies and procedures and of the possible disciplinary actions for failure to comply with requirements. Any disciplinary actions taken by the agency should be conducted in compliance with the agency personnel manual as well as the relevant state and federal statutes governing personnel matters, including all relevant labor laws and regulations.

4.8 Criminal Actions

Any person who commits an unlawful breach of computer security or harmful access may be subject to prosecution under appropriate state and/or federal law. For example, chapter 33 of Texas Penal Code states that any person commits an offense who knowingly accesses and/or without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network without the effective consent of the owner of the computer or data or a person authorized to license access to the computer or data.