Starters Process:
Recruitment:
- Conduct background checks and verify the identity of new employees before they are granted any access, where relevant and permissible by law.
- Ensure that employment contracts include clauses addressing confidentiality, data protection and compliance with the organisation's security policies.
Onboarding:
- Provide new employees with comprehensive induction training that covers UK GDPR and UK Cyber Essentials requirements.
- Ensure new employees read, understand, and sign a confidentiality agreement and an acceptable use policy.
- Grant access to systems, applications and data on the principle of least privilege: only the access the role requires, and only from the start date.
- Issue each new employee an individual (not shared) account and enforce strong, unique passwords; shared or generic logins cannot be traced to a person or revoked for one leaver.
- Provide relevant training on secure data handling, password management and phishing awareness.
Movers Process:
Role Changes:
- Review and update access rights whenever an employee changes role or department, and re-check them at regular intervals thereafter.
- Revoke any access and privileges no longer required by the new role rather than simply adding the new role's access on top of the old, so that permissions do not accumulate over successive moves.
- Update the employee’s information in relevant systems and directories.
- Provide additional training and support for employees moving to roles with increased security responsibilities.
Leavers Process:
Offboarding:
- Inform relevant departments (e.g., IT, HR) about the departure of an employee and the termination date.
- Disable the departing employee's accounts, access rights and login credentials across all systems, applications and data on the termination date (including terminating any active sessions and remote-access tokens), and change any shared passwords or keys the employee had access to; delete the accounts once the retention period has passed.
- Collect any physical access tokens (e.g., ID cards, key cards) and organisation-owned devices (e.g., laptops, smartphones).
- Conduct an exit interview, emphasising the importance of maintaining confidentiality even after employment termination.
Post-employment:
- Regularly monitor authentication and access logs for attempts to use disabled or former employees' accounts, and treat any such attempt as a security incident.
- Maintain contact details for former employees in case a data breach or incident requires their involvement.
- Ensure that all ex-employees' data is retained, archived or deleted in accordance with the organisation's data retention policies and UK GDPR requirements.