Policy 7230A - Department of Administration
11.2.1.3 Establish Risk Categorizations for Each Role

In order to ensure that to-be-hired personnel are appropriate for their role from a risk management perspective, the risk associated with each role must be defined:

• Review the complete set of systems to be accessed by each role.
• List the established risk categorization for each of the systems to be accessed (see section 2.1.1.6 of these Non-Mandatory Procedures).
• Set the role risk categorization to be equivalent to the highest risk categorization assigned to any system the role will access.

11.2.1.4 Establish Screening Criteria for Each Categorization

In order to ensure that to-be-hired personnel are appropriate for their role from a risk management perspective, they must be screened to ensure an appropriate level of trustworthiness.

• Use a hierarchical scheme such that personnel hired for roles with higher risk categorizations undergo more stringent screening.

11.2.2 Hire Employees in a Structured Fashion

Upon initial hire, Agencies should verify employee identity and create accounts with appropriate access rights and permissions:

11.2.2.1 Conduct Employee Screening

Verify that applicants offer an appropriate level of trustworthiness by checking their background as per the established screening criteria.

• Review the risk categorization of the role.
• Conduct the screening appropriate for a role of that risk categorization.

11.2.2.2 Complete Access Agreements

Access agreements capture employee recognition of, and consent to, the rules and regulations of the organization as a whole as well as their own individual responsibilities:

• Require all incoming employees to complete access agreements.
• Require that all access agreements be witnessed by an existing employee in either a supervisory or Human Resources role.

11.2.2.3 Provision Accounts and Permissions

Provide employees with the accounts and permissions they need to be able to complete their work assignments:

• Review the role(s) to which the employee has been assigned and create the specified accounts with the indicated privileges.