Updated on 2025-05-07 GMT+08:00

Personnel Security Management

Enterprises need to manage the security risks posed by IT personnel who can access sensitive data. This covers security awareness education, security capability training, management of key positions, and accountability for security violations.

  • Security awareness education

    To enhance the information security awareness of all employees, avoid information security violations, and ensure normal business operations, enterprises can conduct security awareness education in three areas: general education, publicity activities, and commitment letter signing.

    • General education: Regularly organize cybersecurity awareness training, requiring employees to continuously learn about cybersecurity, understand relevant policies and regulations, and be aware of acceptable behaviors.
    • Publicity activities: Run information security publicity activities for all employees, such as operating an internal information security community, publishing case studies, holding information security activity weeks, and circulating animated promotions.
    • Commitment letter signing: Integrate information security into the employee conduct guidelines. Convey the company's information security requirements through annual routine learning, exams, and signing activities. Each employee signs an information security commitment letter, undertaking to comply with the company's information security policies and regulations.
  • Security capability training

    Establish a comprehensive information security training system based on industry best practices. Integrate security skills training in various forms into employee onboarding, on-the-job training, and promotion processes to improve employees' security skills.

    • Basic cybersecurity training: Enterprises need to develop role-based training plans for foundational security skills. New hires must complete cybersecurity and privacy onboarding training and exams within their probation period. Current employees should select and complete relevant courses and exams based on their roles. Managers are required to participate in cybersecurity training and workshops.
    • Precise training: Use data analysis to identify the typical security issues that recur during product R&D and the parties responsible for them, and provide targeted security training plans (including case studies, courses, and exercises) so that security quality improves continuously.
    • Practical drills: Following industry best practices, build an information security practical drill platform. Conduct red-blue team exercises and provide scenario-based drill environments in which employees can practice and exchange experience, thereby improving their security skills and response capabilities.
    • C&Q guidance for security capabilities: To facilitate more conscious and effective cybersecurity learning, enterprises should integrate cybersecurity requirements into Competency and Qualification (C&Q) criteria. Employees must attend cybersecurity courses and pass exams before promotion to boost their cybersecurity capabilities.
  • Key position management

    To keep internal management orderly and reduce the impact of personnel risks on business continuity and security, enterprises should apply special management to key positions, such as O&M engineers, whose holders have privileged access to production systems and data. The details are as follows.
    • Onboarding security review: Conduct background and qualification checks on new hires to ensure they meet the company's information security requirements.
    • On-the-job security training: Provide cybersecurity training and exams based on awareness, service specifications, user data, and privacy protection. Update the training and exam content regularly to reflect service changes.
    • Onboarding qualification management: Employees in key positions must pass a cybersecurity exam and obtain a certificate before taking up the position. Issue an e-Cert valid for two years to those who pass, and remind them to retake the exam before the certificate expires.
    • Off-job security review: Conduct security reviews for transferring or departing employees according to the transfer and resignation checklists, including revoking or modifying their accounts and access permissions.
  • Accountability for security violations

    Enterprises must establish a strict security responsibility system and an accountability mechanism for violations. Each employee is responsible for their actions and outcomes at work, including any legal liability. Because security issues can significantly affect the enterprise, accountability is based on behavior and results, regardless of intent. The level of accountability is determined by the nature of the violation and its consequences. If a violation breaks the law, the employee is referred to the authorities. Direct and indirect supervisors are also held accountable for inadequate management. The violator's attitude and cooperation during the investigation influence the severity of the penalty.