Hornbill understands that our employees are not only our biggest assets but have the potential to be our biggest threats. It is well documented that the majority of data breaches occur from within a business either intentionally or by accident. We therefore take recruitment, vetting and should it be needed, disciplinary and leaving very seriously to reduce these risks. Below are the key points from our HR polices that ensure employees are vetted, trained and nurtured in best practices to ensure data security.
Recruitment of new staff can only be undertaken with the approval of the Chief Technical Officer.
This approval may be recorded in minutes or by e-mail. Each position has a Job Description which includes any relevant security requirements. Master copies of Job Descriptions are held by the HR Department.
New positions are advertised or a suitable agency appointed dependent upon the role being considered.
Interviews are arranged as necessary along with appropriate practical tests with likely candidates who are usually identified from CV review.
For suitable candidate(s) an offer is made in writing. This offer is dependent upon satisfactory screening and completion of a probationary period (normally a minimum of 3 months).
A minimum of one reference is taken up and the persons’ right to work in the UK is validated. Education achievements are also checked/validated.
Should these checks indicate an issue then the HR Dept reviews the circumstances with the Chief Technical Officer and whoever else is relevant prior to determining a suitable course of action. Records of the vetting are retained by the HR Dept.
A New Starter Checklist is completed during the induction process and is retained by the HR Dept during the period of employment.
All employees must undertake a security screening to BS7858:2012 standard. This includes, Proof of identity, Proof of residence, References, A copy of their police record, A statement of financial status, A history of all employment (going back five years or to 12 years’ old, whichever occurs first)
Employees are provided with and sign a Contract of Employment which includes a confidentiality agreement covering the various responsibilities and actions required of signatories in order to avoid unauthorized information disclosure, the permitted use of the information, the signatories’ rights in respect of that information and the required actions on termination of the agreement. A copy of the signed contract is retained within the employee personnel file.
All new starters are inducted with information security training as well as other appropriate training. This is recorded on the New Starter Checklist.
All employees receive appropriate training including information security awareness as relevant. Such training is recorded as necessary.
Employees are reviewed by the appraisal process.
If a member of staff changes roles (e.g. following a promotion) then any alteration in access rights is notified to the IT Department by e-mail by the person’s manager. A copy of this e-mail is retained by the IT department for a minimum of one year. Any such change will normally require Chief Technical Officer approval.
Assets given to employees in order to perform their duties either at start or during employ are noted as relevant by the IT department (e.g. for laptops) or the Quality Engineering Manager.
Should an employee leave then the Leavers checklist is completed by the HR Dept and retained for a minimum of 3 years following cessation of their employment.
The Leavers checklist includes a list of items to be returned (such as keys, building fob, credit card etc).