Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.
CONTROL ID 06664
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a Code of Conduct., CC ID: 04897
This Control has the following implementation support Control(s):
Require all personnel to re-sign the Code of Conduct, as necessary., CC ID: 06666
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to adhere to management policies and procedures, the code of ethics, and professional practices. The level of supervision should be in line with the sensitivity of the position … (PO7.3 Staffing of Roles, CobiT, Version 4.1)
There should be a requirement for internal staff to accept Terms and Conditions of employment in writing. (CF.02.01.03-1, The Standard of Good Practice for Information Security)
There should be a requirement for internal staff to accept Terms and Conditions of employment in writing. (CF.02.01.03-1, The Standard of Good Practice for Information Security, 2013)
Employees committing to collective business objectives (e.g., aligning individual targets and performance with the entity's business objectives). (Enforcing Accountability ¶ 3 Bullet 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
Train: Enable individuals to develop and maintain enterprise risk management competencies appropriate for assigned roles and responsibilities, reinforce standards of conduct and desired levels of competence, tailor training to specific needs, and consider a mix of delivery techniques, including clas… (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
Employees and contractors should sign the Code of Conduct in order to acknowledge their understanding of it. (SG.PS-9 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The organization ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements {organizationally documented frequency, at least annually}. (AR-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)