Human Resources Security Policy


Ministry of SaskBuilds and Procurement
Information Technology Division, Information Security Branch

Last revised: April 2021
Last reviewed: April 2021
Next review: April 2022

Purpose
Prior to employment, to ensure that employees and contractors understand their responsibilities and are suitable for
the roles for which they are considered. During employment, to ensure that employees and contractors are aware of
and fulfil their information security responsibilities. At termination or change in employment, to protect the
government’s interests as part of the process of changing or terminating employment.

Scope
This Human Resource Security Policy applies to all business processes and data, information systems, as well as
components, personnel, and physical areas of The Government of Saskatchewan.

Definitions
This section intentionally left blank.

Governing Laws & Regulations


Guidance Section
ISO 27001:2013 A.7 (A.7.1, A.7.2, A.7.3)
NIST SP 800-53 r4: XX-1 controls, PL-4, PS-2, PS-3, PS-6, PS-7, SA-21, PM-13, PM-14, AT-2, AT-3, CP-3, IR-2, SA-16, PS-8, PS-4, PS-5, AC-2, PE-2

Policy Statements
Prior to Employment:
- All candidates for employment, including contractors and third-party users, must undergo background verification checks in accordance with the appropriate laws. The screening must include verification of:
  - Identity
  - Education, skills, and experience
  - Employment history
  - Character references
- A criminal record check must be conducted in accordance with Section PS 816 of the Human Resource Manual.
- Contractual agreements with all employees and contractors will clearly outline the responsibility of the individual/contractor to information security. The terms and conditions for contractors and external party users must include:
  - A confidentiality or non-disclosure agreement
  - Legal responsibilities and rights
  - Responsibilities for the classification of information and management of government assets
  - Responsibilities for the handling of external party information
  - Responsibilities for the handling of personal information and personal health information
  - Responsibilities will be reviewed and updated regularly.

- All personnel must be made aware of and agree to the Government of Saskatchewan’s expectations related to information security.
- The terms and conditions for employees of the Government of Saskatchewan are described in the Ethics and Conduct section of the Employee Services Portal. The Oath of Office includes an entry regarding the protection of sensitive information and must be signed by the employee.
During Employment:
- Management must require and ensure that all employees and contractors adhere to applicable information security policies and procedures within the organization. Managers must ensure that personnel apply security in accordance with standards, policies, and procedures by:
  - Briefing all personnel on their security roles and responsibilities prior to granting access to sensitive data and systems
  - Ensuring all personnel have access to these Information Security Standards
  - Ensuring all personnel conform to the terms and conditions of employment. This includes access agreements, which must be signed by personnel prior to being granted access.
- All employees and contractors must be made aware of the protection provided by the Public Interest Disclosure Act (2011) regarding the reporting of wrongdoings.
- All employees must undergo awareness training based on their roles, as well as relevant updates in policies and procedures applicable to their jobs, covering:
  - Safeguarding sensitive government information
  - Known threats to information security
  - Legal responsibilities
  - Information security standards, policies, directives, and guidelines
  - How to report information security events
  - Appropriate use of Government information and assets
  - Related disciplinary processes
  - How to obtain security advice
  - The Government of Saskatchewan’s management should require employees, contractors, and third-party users to apply security in accordance with the established policies and procedures of the organization.
  - Training must be accompanied by an assessment procedure, based on the cyber security training content presented, to determine comprehension of key cyber security concepts and procedures.
- There must be a formal and communicated disciplinary process in place to act against employees who have committed an information security breach.
- When it is determined that an employee or contractor was responsible for a security breach or a violation of standards or policies, the Information Security Branch must notify the appropriate Ministry Security Office.
- Appropriate personnel in the Ministry must review the details of the incident, consider disciplinary action if warranted, and arrange for permanent or temporary removal of access privileges when appropriate.
- Human Resources Manual Section 803 defines the Corrective Discipline process in the Government of Saskatchewan.

Termination and Change of Employment:
- Managers must advise personnel of their information security responsibilities when employment changes or is terminated. Terminated employees and contractors must be made aware of:
  - Ongoing security requirements, including the need to not disclose sensitive government information
  - Legal responsibilities
  - Responsibilities described in confidentiality or non-disclosure agreements
  - Any other applicable policy, standard, or contract
  - This process includes exit interviews and the return of documents (and all copies thereof) and other Government of Saskatchewan property and materials in their possession or control.

Managers can find the applicable instructions and forms on the Employee Services Centre.

Non-Compliance
In cases where it is determined that a breach or violation of Government of Saskatchewan policies has occurred, the
Information Security Branch, under the direction of the Chief Information Officer and the respective Ministry, will
initiate corrective measures including restricting access to services or initiating disciplinary action up to and including
dismissal, or in the case of contractors, vendors, or agents, the termination of a contract or agreement with the
contractor, vendor, or agent.

Exceptions
In certain circumstances, exceptions to this policy may be allowed based on a review and acceptance of risk by the Security Governance Committee. Exceptions to this policy must be formally documented and approved by the Chief Information Officer, under the guidance of the Information Security Branch. Policy exceptions will be reviewed periodically for appropriateness.

Revision History
Version ID | Date of Change | Author | Rationale
