Does your employee onboarding and offboarding policy include training of employees on information security and data privacy?
Explanation
Example Responses
Example Response 1
Yes, our employee onboarding process includes mandatory information security and data privacy training that must be completed within the first week of employment. This training covers our security policies, acceptable use guidelines, data classification, privacy regulations relevant to our business (GDPR, CCPA, HIPAA), incident reporting procedures, and social engineering awareness. The training includes interactive modules and a final assessment that requires a minimum score of 80% to pass. Employees who handle sensitive data receive additional role-specific training. During offboarding, employees attend an exit interview where they are reminded of their ongoing confidentiality obligations, all access credentials are revoked following a documented checklist, and they sign an acknowledgment reaffirming their understanding of data protection responsibilities that continue after employment ends. Our training materials are reviewed and updated quarterly to address emerging threats and regulatory changes.
Example Response 2
Yes, our organization incorporates comprehensive security and privacy training in both onboarding and offboarding processes. New employees receive a multi-part security curriculum during their first month that includes: (1) General cybersecurity awareness (phishing, password management, device security), (2) Data handling procedures based on our classification system, (3) Privacy regulation compliance specific to their department, and (4) Incident response protocols. Training effectiveness is measured through scenario-based assessments and periodic follow-up quizzes. We also conduct annual refresher training for all employees. During offboarding, we have a dedicated security session where departing employees return all company assets, their access is systematically revoked, and they review and sign documentation acknowledging their ongoing obligations regarding confidentiality and non-disclosure of company information. Our security team reviews and updates all training content biannually with input from legal and compliance teams.
Example Response 3
No, we currently do not have formalized security and privacy training as part of our employee onboarding and offboarding processes. While new employees receive general orientation about company policies, we haven't developed specific modules focused on information security and data privacy. Our IT team does provide basic guidance on password requirements and system access during onboarding, and managers typically explain data handling expectations informally. During offboarding, we have a checklist for revoking system access and collecting company equipment, but we don't conduct formal exit interviews covering ongoing security and privacy obligations. We recognize this is a gap in our security program, and we're currently developing a comprehensive security awareness training program that we plan to implement within the next quarter, which will include formal onboarding and offboarding components.
Context
- Tab: Privacy
- Category: General Privacy

