HR security
Introduction
Altus Group is responsible for ensuring every employee hired, no matter the department or role, poses a low threat to the Altus Group’s information security posture. This includes conducting due diligence checks, as appropriate, and providing employees with security training during onboarding.
Our guiding principles
To maintain confidentiality of information accessible by employees or external parties.
To protect the Altus Group’s interests as part of the process of changing or terminating employment or contracts.
To require all employees hired to be eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.
To provide employees with clarity regarding their information security responsibilities so that they can fulfil them.
To provide employees and other relevant interested parties with a clear understanding of the consequences of an information security policy violation, to deter and appropriately deal with employees and other relevant interested parties who commit a violation.
To support timely, consistent, and effective reporting of information security events that can be identified by employees.
To enable compliance with applicable laws and regulations (such as GDPR, CCPA, etc.).
Screening background
Verification checks on all relevant candidates for employment are carried out prior to joining Altus Group and on an ongoing basis, to ensure all employees are eligible and suitable for the roles for which they are considered and remain eligible and suitable during their employment.
All relevant candidates for employment are screened during the recruitment process per relevant legislation and business requirements including those accessing a system that stores, transmits, or processes information requiring special protection.
The screening process addresses the relevant requirements per geography, business unit and role, and defines requirements for contractors in addition to employees.
Verification checks are repeated periodically to confirm ongoing suitability of employees, depending on the criticality of a person’s role.
Terms and conditions of employment
The employment contractual agreements should state the employees’ and Altus Group’s responsibilities for information security to ensure employees understand their information security responsibilities for the roles for which they are considered.
Confidentiality or non-disclosure clauses are required in all employment agreements signed by employees, prior to start of employment or access to company sensitive information and systems.
Employees with an advanced security risk profile (admin/ops/infosec) should have specific security terms of employment.
Contractors’ confidentiality obligations should be contained within non-disclosure agreements and/or the Independent Contractor Agreement entered into between Altus Group and the contractor.
Management responsibilities
A mechanism exists for employees to be able to anonymously report violations relating to information security policy, standards, and procedures, as part of a company whistleblower policy.
A clear desk policy is established.
Altus Group has a documented code of conduct and ethical standards that are reviewed and updated regularly.
Information security awareness, education, and training
An information security awareness program exists and provides training to employees to understand and comply with relevant aspects of the information security policy and standards, as well as general guidelines for secure behaviour. The information security awareness program:
is completed by new employees before they can access sensitive systems or data.
informs employees of their cybersecurity responsibilities and training before accessing Altus Group’s devices or networks.
is repeated at appropriate timescales.
Termination and change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment are defined, enforced, and communicated to relevant employees and other interested parties to protect the organization’s interests as part of the process of changing or terminating employment or contracts.
Terminated employees are advised of any continuing contractual obligations, such as Confidentiality and Non-disclosure obligations, that remain in effect after the date of termination.
The termination process reinforces the information security responsibilities and duties that remain valid after termination or change of employment.
Changes of responsibility or employment are managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.
HR information and data management
Effective HR data management is essential to protect employee privacy, ensure data accuracy, and support strategic decision-making.
HR processes ensure that the acquisition, storage, processing, and disposal of data complies with data protection and governance requirements, including the data of leavers and unsuccessful applicants.