HRS-003 Employment Agreements and Security Obligations
Description
Employment contracts and agreements include explicit information security obligations, confidentiality requirements, and acknowledgement of the organization's security policies. Personnel sign these agreements before receiving system access, and they are updated when security obligations change.
Rationale
Security obligations are legally unenforceable unless they are written into employment agreements and acknowledged. Signed agreements create a documented record of consent and obligation that can be relied upon in disciplinary or legal proceedings.
Framework Mappings (6)
| Control ID | Control Title | Coverage |
|---|---|---|
| HRS-07 | Employment Agreement Process | full |
| HRS-08 | Employment Agreement Content | full |
| HRS-10 | Non-Disclosure Agreements | partial |
| 6.2 | Terms and conditions of employment | full |
| 6.6 | Confidentiality or non-disclosure agreements | partial |
| PL-4 | Rules of Behavior | partial |
Evidence (2)
Signed employment agreement template containing explicit information security obligations, confidentiality requirements, and policy acknowledgement clauses.
Example: Employment agreement template (legal counsel-approved), with clearly identified sections for: information security obligations, confidentiality and NDA terms, acceptable use policy acknowledgement, and data protection obligations — signed copies on file for a sample of current employees.
Test: Request the current employment agreement template and signed copies for a sample of five current employees spanning different tenures. Verify: (1) information security obligations are explicitly stated (not just by reference to a policy document without specifics), (2) confidentiality obligations survive employment, (3) the agreement was signed before or on the first day of employment, (4) signed copies are retained in the HRIS or document store.
Evidence that agreements are updated and re-acknowledged when security obligations change materially.
Example: Change notification record and re-acknowledgement log (HRIS / policy platform) showing the date a material change was made to the employment agreement or security obligations, the communication sent to affected staff, and the re-acknowledgement completion date.
Test: Request records of any material changes to employment agreements or security obligations in the last two years. Verify: (1) affected personnel were notified of the change, (2) re-acknowledgement was required and tracked, (3) completion records show all affected employees acknowledged the updated terms within a defined period.
Questions (2)
Do your employment agreements contain explicit information security obligations, confidentiality requirements, and acknowledgement of organizational security policies?
Obligations should be stated in the agreement itself, not just referenced by pointer. Signed copies should be on file and the agreement should be signed before or on the first day of employment.
When security obligations in employment agreements change materially, how does your organization ensure affected personnel acknowledge the updated terms?
A change notification record and re-acknowledgement log showing all affected employees confirmed updated terms within a defined period is the expected evidence.