HR Lifecycle

Implementation and audit guidance for cybersecurity-related practices during the HR lifecycle.


Guidance to Implement

Revise job descriptions to include mandatory cybersecurity skills and benchmark these against industry standards.

Guidance to Audit

Verify job description templates and recruitment process guidelines.

Guidance to Implement

Embed a cybersecurity awareness assessment into the recruitment process via structured interviews and practical tests; incorporate results into hiring decisions.

Guidance to Audit

Candidate assessment scorecards and interview evaluation reports.

Guidance to Implement

Ensure that candidates for roles with data ownership responsibilities receive clear information about these duties, and verify acknowledgment via documented forms.

Guidance to Audit

Signed acknowledgment forms and training records.

Guidance to Implement

Develop a risk-based matrix to determine the depth of background checks based on role sensitivity, and document the criteria.

Guidance to Audit

Role risk matrix and corresponding background check records.

Guidance to Implement

Revise employment contracts to explicitly incorporate confidentiality clauses.

Guidance to Audit

Signed contracts with embedded policy clauses.

Guidance to Implement

Revise employment contracts to explicitly incorporate the IT acceptable use policy.

Guidance to Audit

Signed contracts recording acceptance of the IT charter (acceptable use policy).

Guidance to Implement

Set up automated reminders for annual confidentiality agreement renewals and maintain version-controlled agreements.

Guidance to Audit

Renewal logs with updated, signed agreements and timestamps.

Guidance to Implement

Incorporate clearly defined security KPIs into performance review templates and link them to training outcomes.

Guidance to Audit

Performance review documents, KPI dashboards, and training completion records.

Guidance to Implement

Establish a documented process for managers and HR to trigger access reviews when an employee changes role.

Guidance to Audit

HR-IT access review log, updated access matrix, evidence of approval workflows, and revocation timestamps.

Guidance to Implement

Create a graduated sanction policy for security policy violations. Ensure the process is transparent, consistent, and known by employees.

Guidance to Audit

Sanction policy and training records showing employee acknowledgement.

Guidance to Implement

Automate access revocation workflows so they run immediately upon termination, covering active sessions and tokens as well as the accounts themselves. Verify deactivation through system audit logs.

Guidance to Audit

Access revocation logs and system audit reports.
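As an added example (not part of this guidance document), the following reconciliation check turns two of the audit steps above into evidence: "verify deactivation through system audit logs" for leavers, and "trigger access reviews when an employee changes role" for movers. It reads a constructed HR event export and a constructed identity-provider audit log (both hypothetical formats, not any real product's export) and flags accounts not disabled within the revocation SLA, accounts disabled without revoking existing sessions, and role changes with no completed access review. Employee IDs, action names, actors and SLA values are assumptions.

```python
"""Reconcile HR lifecycle events against IAM audit logs (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample inputs with hypothetical formats (not a real HR system or IdP export).
HR_EVENTS = [
    # (employee_id, event, effective_at in UTC)
    ("e1001", "terminated", "2024-03-01T17:00:00Z"),   # disabled within SLA, sessions revoked
    ("e1002", "terminated", "2024-03-01T17:00:00Z"),   # disabled manually, almost two days late
    ("e1003", "terminated", "2024-03-01T17:00:00Z"),   # never disabled
    ("e1004", "role_change", "2024-03-02T09:00:00Z"),  # access review completed
    ("e1005", "role_change", "2024-03-02T09:00:00Z"),  # access review overdue
]

IAM_AUDIT_LOG = [
    # (timestamp in UTC, actor, action, target_employee_id)
    ("2024-03-01T17:04:12Z", "svc-hr-sync", "user.disable", "e1001"),
    ("2024-03-01T17:04:13Z", "svc-hr-sync", "session.revoke_all", "e1001"),
    ("2024-03-03T10:30:00Z", "admin.jdoe", "user.disable", "e1002"),
    ("2024-03-02T15:00:00Z", "mgr.asmith", "access_review.complete", "e1004"),
]

REVOCATION_SLA = timedelta(hours=1)   # assumed: disable and revoke sessions within 1h of termination
REVIEW_SLA = timedelta(days=5)        # assumed: access review completed within 5 days of a role change


@dataclass(frozen=True)
class Finding:
    employee_id: str
    issue: str
    detail: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def index_log(log):
    """Group audit events by target employee, sorted chronologically."""
    by_target = {}
    for ts, actor, action, target in log:
        by_target.setdefault(target, []).append((parse_ts(ts), actor, action))
    for events in by_target.values():
        events.sort()
    return by_target


def first_event(events, action, not_before=None):
    """Return (timestamp, actor) of the first matching action at or after not_before, else None."""
    for ts, actor, act in events:
        if act == action and (not_before is None or ts >= not_before):
            return ts, actor
    return None


def check_terminations(hr_events, log_index, now, sla=REVOCATION_SLA):
    """Leavers: account must be disabled within the SLA and existing sessions revoked."""
    findings = []
    for emp, event, effective in hr_events:
        if event != "terminated":
            continue
        due = parse_ts(effective)
        events = log_index.get(emp, [])
        disabled = first_event(events, "user.disable")
        if disabled is None:
            if now > due + sla:   # still inside the SLA window: nothing to report yet
                findings.append(Finding(emp, "not_disabled", "no user.disable event after termination"))
            continue
        ts, actor = disabled
        if ts > due + sla:
            findings.append(Finding(emp, "late_disable", f"disabled by {actor} {ts - due} after termination"))
        # Disabling the account does not end sessions or tokens that were already issued.
        if first_event(events, "session.revoke_all") is None:
            findings.append(Finding(emp, "sessions_not_revoked", "no session.revoke_all event"))
    return findings


def check_role_changes(hr_events, log_index, now, sla=REVIEW_SLA):
    """Movers: an access review must be completed after the role change, within the SLA."""
    findings = []
    for emp, event, effective in hr_events:
        if event != "role_change":
            continue
        moved = parse_ts(effective)
        reviewed = first_event(log_index.get(emp, []), "access_review.complete", not_before=moved)
        if reviewed is None and now > moved + sla:
            findings.append(Finding(emp, "review_overdue", f"no access review within {sla.days} days of role change"))
    return findings


def reconcile(hr_events=HR_EVENTS, log=IAM_AUDIT_LOG, now=None):
    """Return every finding; an empty list is the evidence an auditor wants to see."""
    now = now or datetime.now(timezone.utc)
    log_index = index_log(log)
    return check_terminations(hr_events, log_index, now) + check_role_changes(hr_events, log_index, now)


if __name__ == "__main__":
    for f in reconcile(now=parse_ts("2024-03-15T00:00:00Z")):
        print(f"{f.employee_id}: {f.issue} - {f.detail}")
```

Run against a real HR export and IdP audit log, the non-empty output is the "access revocation logs and system audit reports" evidence in a form an auditor can sample, and an empty output for a period is the positive evidence that the automated workflow actually fired within the agreed SLA.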

Guidance to Implement

Implement a structured asset return process with checklists and digital tracking for both physical and digital assets.

Guidance to Audit

Asset return checklists and IT inventory reconciliation reports.

Guidance to Implement

Develop and regularly update a responsibility matrix for roles with elevated privileges; review and sign off annually.

Guidance to Audit

Documented responsibility matrix with review dates and stakeholder approvals.