ORP.2 Personnel
  ORP.2.G1 Shortage of Personnel
  ORP.2.G2 Insufficient Knowledge of Rules and Procedures
  ORP.2.G3 Carelessness in Handling Information
  ORP.2.G4 Insufficient Employee Qualifications
  ORP.2.A1 Well-Regulated Orientation of New Employees [Supervisor] (B)
  ORP.2.A2 Regulated Procedure for Employees Leaving the Organisation [Supervisor, IT Operation Department] (B)
  ORP.2.A3 Defining Deputising Rules [Supervisor] (B)
  ORP.2.A4 Defining Procedures for Using Third-Party Personnel (B)
  ORP.2.A5 Confidentiality Agreements for Third-Party Personnel (B)
  ORP.2.A14 Tasks and Responsibilities of Employees [Supervisor] (B)
  ORP.2.A15 Qualifications of Personnel [Supervisor] (B)
  ORP.2.A7 Verifying the Trustworthiness of Employees (S)
  ORP.2.A13 Security Vetting (H)

ORP.2 Personnel

1. Description

1.1. Introduction
The staff of a company or public authority are crucial to its success or failure. In particular, employees have an important task in implementing information security. Even the most elaborate security precautions can come to nothing if they are not put into active use. The fundamental importance of information security to an organisation and its business processes must therefore be transparent and comprehensible to its staff.
1.2. Objective
The aim of this module is to highlight the security safeguards HR departments and supervisors must take to ensure that employees handle their organisation's information responsibly and behave in accordance with the relevant guidelines.
1.3. Scoping and Modelling
Module ORP.2 Personnel must be applied once to the entire information domain under consideration.
The module covers the requirements which must be observed and fulfilled by the human resources department and supervisors of an organisation. Personnel requirements linked to a specific role, such as the appointment of a system administrator for a LAN, are provided in the modules on the corresponding topics. Module ORP.2 Personnel does not deal with specific aspects of employee training or the management of identities and permissions. These aspects are covered in the modules ORP.3 Awareness and Training in Information Security and ORP.4 Identity and Access Management.
4. Additional Information
4.1. Useful Resources
The International Organization for Standardization (ISO) provides guidelines for handling security incidents in annex A.7 (“Human Resource Security”) of ISO/IEC 27001:2013, “Information Technology – Security Techniques – Information Security Management Systems – Requirements”.
“The Standard of Good Practice for Information Security” published by the Information Security Forum (ISF) provides guidelines for HR security under “PM: People Management”.

ORP.2.A1 Well-Regulated Orientation of New Employees [Supervisor] (B)

An organisation's human resources department and supervisors MUST ensure that employees are provided with orientation regarding their new tasks at the start of their employment. Employees MUST be informed about existing regulations, instructions, and procedures. A corresponding checklist and a direct contact person (mentor) can be helpful and SHOULD be established.

ORP.2.A2 Regulated Procedure for Employees Leaving the Organisation [Supervisor, IT Operation Department] (B)

If an employee leaves an organisation, their successor MUST be briefed in good time, ideally by the departing staff member. If a direct handover is not possible, detailed documentation MUST be prepared by the employee leaving the organisation.
Moreover, all documents, keys, and devices, as well as ID cards, badges, and site-access authorisations received in connection with their tasks, MUST be returned by employees leaving an organisation.
Before an employee leaves an organisation, they MUST be reminded of their ongoing confidentiality obligations. In particular, it SHOULD be ensured that no conflicts of interest arise. In order to avoid conflicts of interest when someone takes a position at a different organisation, non-competition agreements and waiting periods SHOULD be agreed.
Moreover, business continuity plans and other schedules MUST be updated. All the parties affected within the organisation, such as the security personnel or the IT Operation Department, MUST also be informed about the employee leaving the organisation. A checklist SHOULD also be created here to ensure the completion of all the tasks that arise when an employee leaves. In addition, there SHOULD be a permanent contact person from the Human Resources Department who supports the departure procedure for employees.

ORP.2.A3 Defining Deputising Rules [Supervisor] (B)

Supervisors MUST ensure that deputising rules are implemented in day-to-day operations. This MUST be done by ensuring that workable deputising rules are in place for all key business processes and tasks. With respect to these arrangements, a deputy's scope of tasks MUST be defined clearly in advance. It MUST be ensured that the deputy has the knowledge required for the position in question. If this is not the case, it MUST be considered how the deputy is to be trained, or whether adequately documenting the current process or project status is sufficient. Should it prove impossible to appoint or train a competent deputy for individual employees in exceptional cases, it MUST be determined in advance whether external personnel could be called in to act as deputies.

ORP.2.A4 Defining Procedures for Using Third-Party Personnel (B)

If third-party personnel are employed, they MUST be required to comply with applicable laws, regulations, and internal rules in the same way as the employees of the organisation in question. Third-party personnel employed on a short-term or one-off basis MUST be supervised in security-relevant areas. If third-party personnel are engaged for longer periods, however, they MUST be instructed in their tasks in the same way as the organisation's own employees. Deputising rules MUST also be introduced for these employees. If third-party personnel leave the organisation, they MUST follow the same procedures as internal staff with regard to handing over the results of their work and returning any access authorisations they have been issued.

ORP.2.A5 Confidentiality Agreements for Third-Party Personnel (B)

Before external persons are granted data and site access to confidential information, confidentiality agreements MUST be concluded with them in writing. The confidentiality agreements MUST consider all the important aspects relating to the protection of the respective organisation's internal information.

ORP.2.A14 Tasks and Responsibilities of Employees [Supervisor] (B)

All employees MUST be obliged to comply with the relevant laws, regulations, and internal provisions. Employees MUST be aware of the legal framework that governs their work. Employees' tasks and responsibilities MUST be documented in a suitable manner. Furthermore, all employees MUST be informed that all the information they receive during their work is intended for internal use only. Employees MUST be made aware of their obligations to protect their organisation's information security outside of working hours and the organisation's premises.

ORP.2.A15 Qualifications of Personnel [Supervisor] (B)

Employees MUST receive regular training and other opportunities to further their development. In all areas, it MUST be ensured that no employee is working with outdated knowledge. Moreover, employees SHOULD be given the opportunity to acquire new skills within their field of work during their employment.
When filling positions, the required qualifications and skills MUST be clearly stated. It SHOULD then be checked whether the job applicants meet these criteria. It MUST be ensured that positions are only filled by qualified employees.

ORP.2.A7 Verifying the Trustworthiness of Employees (S)

New employees SHOULD be screened for trustworthiness before they are hired. Whenever possible, all those involved in the selection process SHOULD check that the information provided by applicants that is relevant to the assessment of their trustworthiness is credible. In particular, careful consideration SHOULD be given to whether submitted CVs are accurate, plausible, and complete. Any information that seems abnormal SHOULD be checked.

ORP.2.A13 Security Vetting (H)

In high-security areas, additional security vetting beyond the basic verification of employees' trustworthiness SHOULD be carried out.
If employees deal with material that is classified as confidential, they SHOULD be subjected to security vetting in line with the German Security Clearance Check Act (SÜG). In this regard, the CISO SHOULD involve their organisation's Confidentiality Officer or Security Representative.