Human Resources Security Policy

Last Updated Date: 2024-02-24

Purpose

To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.

Scope

This policy applies to all employees of Xiazhi, consultants, contractors and other third-party entities with access to Xiazhi production networks and system resources.

Policy

Screening

Background verification checks on Xiazhi personnel shall be carried out in accordance with relevant laws and regulations, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

All third parties with privileged technical or administrative access to Xiazhi production systems or networks are subject to a background check or a requirement to provide evidence of an acceptable background, based on their level of access and the perceived risk to Xiazhi.

Competence & Performance Assessment

The skills and competence of employees and contractors shall be assessed as part of the hiring process. Required skills and competencies shall be listed in job descriptions and requisitions, and/or aligned with the responsibilities outlined in the Information Security Roles and Responsibilities Policy. Competency evaluations may include reference checks, education and certification verifications, technical testing, and interviews.

All Xiazhi employees will undergo an annual performance review which will include an assessment of job performance, competence in the role, adherence to company policies and code of conduct, and achievement of role-specific objectives.

Terms & Conditions of Employment

Company policies and information security roles and responsibilities shall be communicated to employees and third parties at the time of hire or engagement, and employees and contractors are required to formally acknowledge their understanding and acceptance of their security responsibilities.

Employees and relevant third parties shall follow all Xiazhi information security policies.

Management Responsibilities

Each policy owner shall be responsible for ensuring that information security policies and procedures are reviewed annually, available in the company handbook, and that employees and contractors abide by those policies and procedures for the duration of their employment or engagement.

The primary source for the policies is the company handbook. The review status of each policy is tracked in Leanx.

Annual policy reviews shall include a review of any linked or referenced procedures, standards or guidelines.

PeopleOps shall ensure that information security responsibilities are communicated to individuals through written job descriptions, policies or some other documented method which is accurately updated and maintained.

Compliance with information security policies and procedures and fulfillment of information security responsibilities shall be evaluated as part of the performance review process wherever applicable.

Management shall consider excessive pressures and opportunities for fraud when establishing incentives and segregating roles, responsibilities, and authorities.

Information Security Awareness, Education & Training

All Xiazhi employees and third parties with administrative or privileged technical access to Xiazhi production systems and networks shall complete security awareness training at the time of hire and annually thereafter.

This is managed via the Leanx platform.

Management shall monitor training completion and shall take appropriate steps to ensure compliance with this policy. Employees and contractors shall be aware of relevant information security and data privacy policies and procedures. The company shall ensure that personnel receive security and data privacy training appropriate to their role and data handling responsibilities.

In order to maintain a robust level of security awareness, the company will provide security-related updates and communications to company personnel on an ongoing basis through the usual communication channels as needed.

Termination Process

Employee and contractor termination and offboarding processes shall ensure that physical and logical access is promptly revoked in accordance with company SLAs and policies, and that all company-issued equipment is returned.

The full offboarding process is available here

Exceptions

Requests for an exception to this policy must be submitted by email to the CEO or CTO for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the CEO or CTO. Violations of this policy can result in immediate withdrawal or suspension of system access and/or disciplinary action in accordance with company procedures up to and including termination of employment.
