IT Human Resource Policy

Version: 1.00Issue Date: 10/10/2015

This IT Human Resource Policy defines policies regarding roles and duties, management of skills and qualifications, training, employee hiring and termination, and staffing management.

1.0 Overview

This IT Human Resource Policy will help ensure that IT critical functions are supported by competent personnel. It will help ensure that compensation meets appropriate levels of competence, skills, and performance. It will be sure that roles and task descriptions are formalized.

2.0 Purpose

This IT Human Resource Policy requires that roles and responsibilities are formalized and staff are recruited and managed in compliance with the needs of the organization.

3.0 Scope

This IT Human Resource Policy applies to all IT personnel and any third party personnel that support any IT role. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 IT Roles and Duties

  • Areas of authority and responsibility must be defined and aligned with the organizational structure.
  • Information technology department roles and duties must be formalized with a job description and qualifications list. Activities of each job must be listed.
  • Job roles must be appropriate to the needs of the organization.
  • Job descriptions must specify required skills, qualifications, and responsibilities which include the responsibilities of security and information systems. The descriptions should include key goals and objectives of the position and tasks. The goals should be used to evaluate performance.
  • Required skills and experience for all information technology tasks must be formalised and job roles that have authority to perform the task must be authorized.
  • All information technology tasks must be assigned to one or more positions. If tasks are changed, the appropriate position descriptions must also be changed. New positions should be created when it is appropriate.
  • When job roles and responsibilities are created, segregation of duties must be applied so the job does not allow too much control in one position.
  • Training must be regularly conducted so staff members understand their job roles and responsibilities.
  • Employees should be cross trained to reduce reliance on key or critical personnel.
  • Documentation of information technology tasks and processes should be used to reduce the reliance on specific information technology personnel.
  • Personnel who fill information technology positions must be appropriately skilled as specified by the job descriptions.
  • A process must be created to review the staffing needs of the information technology department. The process must consider the skills required and the number of personnel required to perform the information technology function. It must also ensure that staff members are filling appropriate positions for their skill level and address underutilization of skills.
  • Review of the staffing needs of the information technology department must be performed at least annually. Senior management must review the results of the staffing assessment and take required action in a time frame that meets the needs of the business.
  • A process must be created which is used to review qualifications of internal and external staff members related to the job function so that need for additional training or need for changes in staffing can be recognized and addressed.
  • Membership in relevant industry or technical organizations relevant to needed skill classifications must be encouraged.
  • Information technology positions and tasks must be reviewed by information technology management (for the positions they supervise)at least annually. Changes should be made when necessary. Management must identify critical positions.
  • Where critical positions are identified (which support critical processes), steps should be taken to be sure more than one individual can perform required tasks. Skill sets and availability of staff both internally and externally should be considered.
  • All staff members must be required to take at least one week continuous minimum time length vacation each year.
  • Retention plans for individuals in key positions that are critical to the organization should be in place.
  • A succession plan for each key position in the organization should be created so staff changes will not cripple the organization.
  • An annual staff performance and career plan must be created and utilized objectively and consistently through the organization. It must provide:
    • Staff must be at least annually assessed to determine their job performance and understanding of their job role and responsibilities. The evaluation must be based on specific, measurable, achievable, realistic, results-oriented, and timely objectives. The objectives must reflect the skills required for the position (core competencies) and organizational values.
    • Annual assessment of staff must include career planning and goals of training should be set. Training above the requirements for the position should be encouraged.
    • A process to review the results of performance plans relative to operations, goals, and training needs must be created and utilized.
    • A process must be created and utilized for recognizing and rewarding outstanding achievement or achievement of performance goals.
  • The management structure of the information technology department must provide proper supervision for sections of information technology based on the critical nature of each function and internal control requirements.
  • A process for escelating issues through the management chain must be created, documented, and communicated to staff.
  • Information technology management must:
    • Appraise the effectiveness of staff that work for them.
    • Determine whether internal controls are adequate or too stringent and make corrections when needed.
    • Determine whether their staff have the resources and authority to do their jobs and take corrective action when needed.
    • Review key performance indicators.
  • Information technology managers must be chosen based on experience and skills.
  • Information technology staff hiring, compensation, and evaluation must be based on attitude, experience, and skills.
  • Information technology staff training must be based based on skills needs and criticality of the position.
  • Staff must be encouraged to improve their education and obtain certifications when relevant.
  • Information technology managers are assessed based on their effectiveness as manager of a technical function.
  • Policies and procedures describing under what types of conditions that work may be outsourced and the type of work that can be outsourced must be defined.

5.0 IT Skill Management

  • A plan (IT human resource management plan) for managing (acquiring and retaining) required skills including contingencies for loss of staff must be created. Skill requirements both in quality and quantity must be defined for the short and long term.
  • The IT human resource management plan must provide planning for:
    • Promotion practices
    • Personal evaluations
    • Career development plans
    • Required skills for specific positions
  • A process must be created and periodically used to review the required staffing skills, determine whether skills are in place, and make adjustments as necessary.
  • A formal procedure for recruiting and promoting IT staff must be created and utilized.
  • A staff selection process must be created and utilized. The selection process must include a candidate verification process.
  • The candidate verification process must include identification verification, verification of character references, verification of education, verification of experience, criminal history checks, drug screening checks, and credit checks.
  • An advertisement process for recruiting required skills must be created and utilized.
  • Hiring processes must exist and include nondisclosure agreements aand agreements to follow organizational policies.
  • All employees must be required to attend computer security awareness training and data retention training at the start of employment. Computer security training must be repeated every two years as a minimum.
  • A compensation and incentive policy must be defined by management. The policy must address retention of essential skills and prevent unacceptable loss of staff due to poor compensation and incentives. The compensation and incentive package must be benchmarked against information known about industry practices and regional trends.

6.0 IT Personnel Compliance

  • Employees and third party personnel must agree to all terms and conditions of employment including IT policies and procedures and nondisclosure agreements.
  • An employee handbook must be created and given to all staff members and applicable third party personnel who must acknowledge its receipt. The employee handbook must define Human Resource policies and require compliance with organizational policies, providing information about how to find all applicable policies where possible. The employee handbook must be kept updated and re-issued as appropriate.
  • All new employees and applicable third party personnel must attend orientation which must include information security training and data retention training. The orientation and training must take place before access to information technology resources is granted.
  • Any personnel who have access to confidential or sensitive data or systems must undergo a background check appropriate to their level of access. All applicable regulations must be fulfilled for system or data access at the appropriate security levels.
  • Records of background checks must be retained for a minimum of ten years.
  • The security clearance must be periodically updated. The time between updates should be determined by the level of access.
  • Data owners must determine the sensitivity and criticality of their data and systems.
  • Access to the data or systems must be authorized by the data owners.
  • A disciplinary process must be created and utilized consistently through the organization. The process must provide appropriate response to employee activities in violation of organizational policy.

6.0 Miscellaneous

  • Personal information about staff members and prospective employees must be obtained, handled, and stored in compliance with applicable legislation and organizational policy.
  • Job change procedures which cover both transfer and termination must be created and utilized. The procedures must include continuation of the business functionality with minimal disruption. The procedures may include steps for handing over authorization and information. The procedures may provide for formal training, mentoring, and monitoring performance after the job transfer.
  • The effectiveness of job change and termination procedures must be reviewed by management regularly.

7.0 Safety

  • Legal requirements regarding safety and ergonomic practices must be defined and adhered to.
  • A process must be created and utilized which provides for periodic reviews to be sure regulartory and organizational safety and ergonomic requirements are being met.
  • A staff member is made responsible for keeping current with any changes in legislation that may affect organizational or ergonomic compliance. A program must be implemented so the responsible staff member can ensure that appropriate changes are made.
  • All staff members must be made aware of security policies and procedures and those that apply to specific job functions.
  • All staff members must be made aware of their responsibilities regarding safety and ergonomic standards.
  • Regularly safety training should be required for all staff members.

8.0 Enforcement

Since following the IT Human Resource Policy is important for the welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

9.0 Other Policies

  • Account Management Policy
  • Computer Training Policy
  • Employee Termination Policy
  • Employee Development Policy - doesnt exist yet
  • Employee training policy - Doesnt exist yet

10.0 Additional Requirements

Employee Training Policy

  • An active formal training program must be created and implemented.
  • The training program must include a process to identify training needs for all employees as a group, IT employees as a group, and for specific job roles.
  • Authorization and accountability for training and creation and utilization of the various processes including resource allocation must be defined.
  • Adequate training resources must be allocated according to the needs of the staff and the organization. The budget process must consider the training resources and needs.
  • The training program must include training for:
    • Use of computers
    • Information security training
    • Training specific to job roles such as system administrator. This training should include applicable policies and procedures.
    • New policies and processes.
    • Software that the staff member uses on the job.
    • Applicable products
    • New technologies.
  • A process must be created and utilized to assess the effectiveness and benefits of the training program compared to the investment, to determine appropriate changes and make them.
  • All training courses must have clear objectives.
  • All training cources must be established to address specific performance or development needs.


Approved by:__________________________ Signature:_____________________ Date:_______________