HR Security Procedure
Document ID: PROC-007
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (A.6.1, A.6.2, A.6.3, A.6.4, A.6.5) | SOC 2 (CC1.4)
1. Purpose
This procedure defines the security requirements for personnel throughout the employment lifecycle — from hiring to termination. It ensures that employees and contractors are suitable, aware of their responsibilities, and that access is managed appropriately.
2. Scope
All employees, contractors, and temporary staff of CTW Data Solutions GmbH.
3. Pre-Employment
3.1 Background Checks
| Check | Scope | Applies To |
|---|---|---|
| Identity verification | Government-issued ID check | All hires |
| Employment history | Previous employer verification (last 2 roles) | All hires |
| Criminal record check | Where legally permitted and role-appropriate | Roles with access to Top Secret data |
| Reference checks | At least 1 professional reference | All hires |
Legal Compliance
All background checks comply with German employment law (BDSG) and GDPR. Checks are proportionate to the role and data access level.
3.2 Employment Terms
Before starting, all personnel must sign:
- [ ] Employment contract or contractor agreement
- [ ] Confidentiality / non-disclosure agreement (NDA)
- [ ] Acceptable Use Policy acknowledgement
- [ ] Data protection acknowledgement (GDPR)
4. During Employment
4.1 Security Awareness Training
| Training | Frequency | Scope | Tracked By |
|---|---|---|---|
| Security awareness induction | Within first week | All new hires | Jan Marc Castlunger (ISO) |
| Annual security refresher | Annually | All staff | Jan Marc Castlunger (ISO) |
| Role-specific training | As needed | Staff with privileged access | Jan Marc Castlunger (ISO) / Sebastian Windeck (CTO) |
| Phishing simulation | Annually (from Q2 2026) | All staff | Jan Marc Castlunger (ISO) |
4.2 Training Content
- Information security policies and procedures
- Data classification and handling
- Phishing and social engineering awareness
- Incident reporting procedure
- GDPR obligations and data subject rights
- Acceptable use of company systems
- Password and MFA best practices
4.3 Competence Records
- Training completion is recorded in Google Workspace > HR > Training Records
- Competence is assessed through training completion and annual review
- Records retained for duration of employment plus 2 years
5. Role Changes
When an employee changes role:
- Manager notifies ISO within 5 business days
- Access rights reviewed and adjusted per Access Control Policy
- Additional training provided if new role requires it
- Previous unnecessary access removed
6. Termination / Offboarding
6.1 Offboarding Checklist
| # | Action | Responsible | Timeline |
|---|---|---|---|
| 1 | Notify Jan Marc Castlunger (ISO) of termination date | Manager | Immediately |
| 2 | Revoke Azure AD access | Sebastian Windeck (CTO) | Within 24 hours |
| 3 | Revoke GitHub access and tokens | Sebastian Windeck (CTO) | Within 24 hours |
| 4 | Suspend Google Workspace account | Jan Marc Castlunger (ISO) | Within 24 hours |
| 5 | Revoke any API keys or service credentials | Sebastian Windeck (CTO) | Within 24 hours |
| 6 | N/A — BYOD policy (no company devices issued; no MDM) | — | — |
| 7 | Ensure departing employee removes company data from personal devices (BYOD) | Jan Marc Castlunger (ISO) | Within 24 hours |
| 8 | Confirm NDA obligations with departing employee | Jan Marc Castlunger (ISO) | On last day |
| 9 | Update access register and asset register | Jan Marc Castlunger (ISO) | Within 48 hours |
| 10 | Archive employee data per retention policy | Sebastian Windeck (DPO) | Within 30 days |
6.2 Post-Termination
- Monitor for any unauthorised access attempts for 30 days post-departure
- Ensure all shared credentials the employee had knowledge of are rotated
- Review and reassign any assets or responsibilities
7. Disciplinary Process
Security policy violations are handled through the following escalation:
| Severity | Action |
|---|---|
| First minor violation | Verbal warning + additional training |
| Repeated minor violation | Written warning + access restriction |
| Major violation | Suspension pending investigation |
| Gross violation / intentional breach | Termination; potential legal action |
8. Review
This procedure is reviewed annually or when employment practices change.
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH
Date: March 2026