  1. Vulnerabilities in the student’s current or previous place of work.

    QUESTION

    Review the ISO/IEC 27002 standard. Select a section of this standard and summarize its main concepts. In a separate paragraph, identify how the standard could reduce at least 3 vulnerabilities in the student's current or previous place of work. With 2 replies.


Subject: Employment | Pages: 4 | Style: APA

Answer

ISO/IEC 27002 standard


Information security is one of the crucial facets of current organizational management. The increased use of technology in organizational information management systems creates the need for universal standards that define the regulating frameworks through which the privacy of information is established. ISO/IEC 27002 was enacted against the backdrop of the need for frameworks that guide the implementation, maintenance, and improvement of privacy information management systems in organizations. ISO/IEC 27002 requires organizations to understand the specific contexts in which they process privacy protection protocols and to adjust the set of specific controls and the associated implementation and processing activities accordingly. ISO/IEC 27002 provides best practices for information security management, and section 8 of the standard covers human resource security (Kurniawan & Riadi, 2018).

ISO/IEC 27002 provides the requirements and procedures that need to be followed concerning the role of human resources in the security and management of information. The standard's provisions underline that organizations must follow due process in hiring employees and suppliers who may handle sensitive information. It requires that firms properly screen individuals before hiring to reduce the risks of internal data fraud, theft, and misuse of resources. It further defines the essence of accountability and responsibility on the part of employees: they should remain aware of threats to information security and of the roles they have to play in mitigating them.

In view of the increased threats against enterprise information and the need to establish coherent frameworks for protection, ISO/IEC 27002 aims to provide enterprises with standards that can help reduce information breaches. Besides recruitment, the provisions of the standard regulate code of conduct training, which includes giving employees adequate information on the rules and regulations regarding information protection. The code of conduct should contain instructions on employees' obligations to protect sensitive or proprietary information (Dimoff, 2016).

Applying section 8 of ISO/IEC 27002 in organizations provides opportunities to mitigate information security challenges that emerge from the human resource component. The vulnerabilities found in organizations relating to human resource security include minimal or absent security screening of new employees and the fact that most employees have access to information beyond the scope their roles require. Solving these vulnerabilities rests on how organizations implement human resource security, and one of the requirements of ISO/IEC 27002 promotes the idea of increased employee scrutiny during and after recruitment (Dimoff, 2016). The mandate lies with the human resource department, especially in conducting background checks on employees. Background checks allow the proper identification of employees and of the potential security risks they present to the enterprise. ISO/IEC 27002 provides the framework for background checks of employees, which include assessment of criminal records, if any, requiring letters of recommendation from previous employers, and a general assessment of employee conduct based on personal values.

Secondly, ISO/IEC 27002 provides the framework that limits access to enterprise information. Through section 8 on human resource security, the standard reiterates that ensuring information security entails limiting the scope of employees' access to sensitive information: access is granted to employees based on relevance and roles. Another inherent vulnerability in the organization is the lack of security awareness and training programs. Part of harnessing strong data privacy at the enterprise level entails establishing training programs for employees to fine-tune their skill sets in data protection and the effective management of information systems. ISO/IEC 27002 requires organizations to establish code of conduct training to ensure that employees develop an awareness of the rules; it provides instructions against malicious conduct and mishandling of information. Training of employees further improves the organization's ability to reduce the impact of vulnerabilities associated with negligence of and ignorance about information protection. Training programs empower the enterprise's employees to understand the benefits and the limitations of information privacy.

References

Dimoff, T. (2016). The role of human resources in corporate security: Security begins with recruitment and continues through the entire employment journey. Retrieved from https://i-sight.com/resources/the-role-of-human-resources-in-corporate-security/

Kurniawan, E., & Riadi, I. (2018). Security level analysis of academic information systems based on standard ISO 27002:2003 using SSE-CMM. arXiv preprint arXiv:1802.03613.
