Continuous Audit: February - Employees

How to complete your new joiner and current employees controls

OVERVIEW

New Joiners: The new joiner selection and onboarding process should ensure that candidates who support the entity's values are selected, that onboarding is effective in setting new hires up for success, and that the control activities supporting the entity's information security and risk management are performed effectively. These requirements are typically outlined in the Information Security Policy or the Hiring and Onboarding Policy, together with non-disclosure agreements. They may include background checks, communicating security and confidentiality responsibilities, and granting access appropriate to the role (no more than the job requires).

Current Employees: Maintaining an effective security posture requires controls to be designed and implemented for existing employees to ensure the continued security and integrity of data and of the environments in which it is processed. These employee controls can include defining and updating (as required) job descriptions, annual performance reviews, endpoint security measures (e.g. session lock, password managers, disk encryption) and regular security education or training.

CONTROLS AND EVIDENCE

New Joiners: We will review your Acceptable Use Policy (DCF-37) and Code of Conduct (DCF-44) to validate that they outline the workforce conduct standards of integrity, ethical values and appropriate behaviour, and set out the boundaries and requirements for how employees protect systems against data leakage, malware and security breaches. A sample of new employees will be selected to confirm that background checks (DCF-39) were completed prior to their start date/onboarding, that system access was requested and approved (DCF-69), and that non-disclosure agreements (NDAs) (DCF-105) were signed. Completion of these steps may be monitored as part of an onboarding checklist; if you use one, the completed checklist for each sampled employee is useful supporting evidence.

Current Employees: We will inspect the job descriptions (DCF-47) for a sample of current employees/positions to validate that descriptions were documented to support the hiring of suitable candidates and to communicate the key job responsibilities of each individual. Based on the frequency of your employee performance evaluations (DCF-38), we will review evidence of the latest review for a sample of employees to confirm that employee performance is assessed regularly against company values, team objectives and individual goals (as applicable). We will inspect the device security configurations to confirm that the following have been implemented: session locks (DCF-48), password manager (DCF-49), malware detection software (DCF-50), automated security patches (DCF-51), hard disk encryption (DCF-52) and multi-factor authentication (MFA) (DCF-67). For these device controls, evidence should show the enforced setting itself (e.g. the MDM or endpoint management policy and a device report against it), not only a written policy stating the requirement. To ensure employees are regularly updated on the latest security trends and requirements, we will inspect completion of at least annual security awareness training (DCF-36) for a sample of employees.


Other resources

  • You can find an example of what might be included in an onboarding checklist in our knowledge base.
  • More info on types of background checks.
  • More info on security awareness training.