IT Baseline Protection Manual S 2.226 Procedures regarding the use of outside staff

S 2.226 Procedures regarding the use of outside staff

Initiation responsibility: Agency/company management

Implementation responsibility: Head of IT Section, Head of Human Resources

Use is often made of external support in public bodies and companies where there is a shortage of appropriate personnel resources within the organisation. In the extreme case this can result in outsiders being used for such prolonged periods in the organisation that many employees no longer know whether they are dealing with the company's own staff or external contractors.

External employees who work for extended periods in or for an organisation and could have physical access to confidential documents and data must sign an undertaking to adhere to the relevant laws, regulations and internal procedures (see also S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions).

Where use is made of external staff, in every case it is necessary to ensure that right from the beginning, just like normal employees, they are properly briefed about their tasks (see S 3.1 Well-regulated familiarisation/training of new staff with their work). As far as is necessary to fulfil their tasks and obligations, they must be informed of in-house procedures and regulations regarding IT security and of the organisation-wide IT security policy. This applies particularly when they are working on the customer's premises.

Steps should be taken to ensure that deputising arrangements exist for contractors as well (see S 3.3 Arrangements for substitution). Steps should also be taken to ensure that the deputies are familiar with the IT applications they will need to use and know how to apply any IT security measures that are necessary.

On termination of the relationship the products of the work and any documents and resources received by the contractor must be handed over in an orderly manner. All access rights configured for the departing contractor must be revoked or deleted. Moreover, the person leaving should be explicitly reminded that the duty of confidentiality continues even after termination of the contractual relationship (see also S 3.6 Regulated procedure as regards termination of employment).

Outsiders who are employed for a short term or on a one-off basis must be treated like visitors; for example, they should only be allowed to visit security-relevant areas when accompanied by permanent employees of the agency or company (see also S 2.16 Supervising or escorting outside staff/visitors).

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: July 2001