Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.

[If local laws and regulations prohibit criminal background checks, you will still need to perform screening procedures such as right to work authorization, reference checks, etc. We recommend working with your Human Resources lead to determine the most appropriate screening methods. Most frameworks do not prescribe the specific type of screening procedures that need to be performed.]

Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.

[This should be documented in a formal contract, offer letter, etc.]

Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures [COMPANY NAME] has in place. Employees will also have ongoing security awareness training that is audited.

[This is handled through Drata unless you have an external training provider.]

Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any [COMPANY NAME] systems has been removed, as well as ensuring that all company owned assets are returned.

[COMPANY NAME] and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets.

[This statement refers to any internal monitoring you may perform related to managing where data is being sent and how it is being sent. This will differ from organization to organization. Some companies may implement a formal DLP process and logging, or some may rely on policy language to make sure data is not sent using unauthorized digital communications channels.]

[COMPANY NAME] will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.

[This statement will require the development of an internal list of activities which you disallow company provided resources to be used for. An example would be using a company laptop to play games during business hours. This statement may need to be modified or removed if you operate in a 100% “Bring Your Own Device” environment.]

A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. [COMPANY NAME] reserves the right to terminate employees in the case of serious cases of misconduct.

All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

[This statement may be modified if you have physical facilities.]

Use of [COMPANY NAME] computing systems is subject to monitoring by [COMPANY NAME] IT and/or Security teams.

[In order to comply with this, you will have to determine internally how you plan to monitor these activities. You may develop a formal monitoring plan, or you may simply reserve the right to check any relevant logs if an incident were to occur or need to be investigated.]

Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.

Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

[This statement requires you to enable hard drive encryption on all laptops/workstations.]

[Certain Operating Systems may only let you enable encryption at the time of installation, such as Ubuntu. In these cases, folder-level encryption may be more appropriate for those devices rather than re-imaging the laptop.]

All email messages containing sensitive or confidential data will be encrypted.

[This is usually done by default on most modern email providers, but you should check to make sure that your email provider does encrypt emails or at least offers the option to encrypt specific emails.]

Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

All data storage devices and media must be managed according to the [COMPANY NAME] Data Classification specifications and Data Handling procedures.

Employees may only use photocopiers and other reproduction technology for authorized use.

Media containing sensitive/classified information should be removed from printers immediately.

[You can remove this statement if your organization does not use printers.]

The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.

[You can remove this statement if your organization does not use printers.]

Restrictions on Software Installation

Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.

Controls that prevent or detect the use of unauthorized software (e.g. application whitelisting) will be implemented.

Controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting) will be implemented.

[Blacklisting and whitelisting of software can be done through tools (such as a Mobile Device Management tool or Endpoint Detection and Response tool, or can be implemented manually through manual checks of software installed on devices and log reviews to determine which websites were visited.]

Vulnerabilities that could be exploited by malware will be reduced, e.g. through technical vulnerability management.

[COMPANY NAME] will conduct regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated.

[This can be implemented through either manual or automated solutions. Automated solutions will often be alert driven, such as File Integrity Monitoring solutions which send alerts when unauthorized modifications occur.]

Malware detection and repair software will be installed and regularly updated to scan computers and media as a precautionary control, or on a routine basis; the scan carried out will include:

Defining procedures and responsibilities to deal with malware protection on systems, training in their use, reporting and recovering from malware attacks.

Preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements.

Implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying websites giving information about new malware.

[There are many opensource threat intelligence feeds, but one example is VirusTotal which can be used to identify malicious websites, files, etc. https://www.virustotal.com/gui/home/upload]

Implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them.

Isolating environments where catastrophic impacts may result.

[Such as deploying development, staging, and production environments to separate VPC, configuring your production environment to run in multiple availability zones, etc.]