S 2.226 Procedures regarding the use of outside staff

Initiation responsibility: Top Management

Implementation responsibility: Head of Personnel, Head of IT

In many cases, government agencies and companies make use of external support staff when the corresponding personnel resources are not available internally in the organisation. In extreme cases, this can lead to external personnel being used for such a long time in the organisation that many employees do not even know any more if these people are internal employees or external employees.

External employees working in or for an organisation over a longer period of time and who could possibly gain access to confidential documents and data must be required to sign a written obligation to follow the relevant and applicable laws, regulations, and internal rules (see also S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions).

When deploying external employees, it is also necessary to ensure that they are instructed regarding their tasks when they start working for the organisation in all cases - just like for the organisation's own employees (see S 3.1 Well-regulated familiarisation/training of new staff with their work). They must also be informed of the internal rules and regulations relating to IT security and of the organisation-wide IT security policies to the extent this is necessary for them to perform their tasks and fulfil their duties. This applies particularly when they do their work on their client's premises.

In addition, it should be ensured that substitutes are arranged for the external employees as well (see S 3.3 Arrangements for substitution). Likewise, it should also be guaranteed that they are familiar with the IT applications they use and know how to properly implement the necessary security safeguards.

When the contract relationship is terminated, the results of the work and the documents and resources provided must be returned in a controlled manner. Furthermore, all access authorisations and data access rights granted must be revoked and/or deleted. In addition, the employee leaving the organisation should be reminded explicitly that the confidentiality obligation also applies after completion of the work (see also S 3.6 Regulated procedure as regards termination of employment).

Temporarily or non-recurrently deployed external personnel must be treated like visitors, meaning that they are only allowed to enter security-relevant areas when accompanied by an employee of the government agency and/or company, for example (see also S 2.16 Supervising or escorting outside staff/visitors).

Review questions:

• Are external employees working in the organisation over the long term required to follow the relevant laws and regulations by signing an obligation?
• Are external employees instructed regarding their tasks and informed of the IT security regulations existing in the organisation?
• Are there substitution arrangements for external employees?
• Is there a controlled process for terminating the contract relationship with external employees?
• Are temporarily or non-recurrently deployed external personnel treated like visitors?