Skip to content
Changineers Engineering Handbook

HR and Personnel Security

2026.1

Changineers is committed to ensuring all workforce members actively address security and compliance in their roles at Changineers. We encourage self management and reward the right behaviors. This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Policy Statements

Section titled “Policy Statements”

In addition to the roles and responsibilities stated earlier, Changineers policy requires all workforce members to comply with the Acceptable Use Policy for End-use Computing and HR Security Policy.

Changineers policy requires that:

(a) Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.

(b) Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.

(c) Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures Changineers has in place. Employees will also have ongoing security awareness training that is audited.

(d) Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any Changineers systems has been removed, as well as ensuring that all company owned assets are returned.

(e) Changineers and its employees will take reasonable measures to ensure no sensitive data is transmitted via digital communications such as email or posted on social media outlets.

(f) Changineers will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.

(g) A fair disciplinary process will be utilized for employees are suspected of committing breaches of security. Multiple factors will be considered when deciding the response such as whether or not this was a first offense, training, business contracts, etc. Changineers reserves the right to terminate employees in the case of serious cases of misconduct.

Controls and Procedures

Section titled “Controls and Procedures”

HR Management and Reporting

Section titled “HR Management and Reporting”

Changineers uses Google Drive to manage its workforce personnel records.

Organization Structure

Section titled “Organization Structure”

Reporting lines follow the company’s business functions. The organisation chart is available to all employees via Google Drive.

Job Functions and Descriptions

Section titled “Job Functions and Descriptions”

Job descriptions record the skills and responsibilities for each role, and are updated when roles change.

Performance Reviews and Feedback

Section titled “Performance Reviews and Feedback”

Employees receive regular feedback from their manager. Formal performance reviews are conducted annually, with records retained in Google Drive. Managers set performance expectations and rewards appropriate to each role.

Acceptable Use of End-user Computing

Section titled “Acceptable Use of End-user Computing”

Changineers requires all workforce members to comply with the following acceptable use requirements and procedures, such that:

(a) Per Changineers security architecture, all workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

(b) Use of Changineers computing systems may be subject to monitoring by Changineers Security, in accordance with applicable law.

(c) Employees may not leave company-issued computing devices (including laptops and smart devices) unattended in public.

(d) Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

(e) Use only legal, approved software with a valid license installed through a pre-approved application store. Do not use personal software for business purposes and vice versa.

(f) Do not send sensitive or confidential data over email. Where a sensitive message is unavoidable, use Google Workspace Confidential Mode to restrict forwarding, copying, and download.

(g) Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

(h) Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.

(i) All data storage devices and media must be managed according to the Changineers Data Classification specifications and Data Handling procedures.

(j) Sensitive data must not be downloaded or stored on end-user computing devices (laptops, workstations, mobile devices) except where explicitly approved by the Security team. Any approved local copy must be deleted as soon as the task requiring it is complete.

(k) Mobile devices are not allowed to connect directly to Changineers production environments.

Employee Screening Procedures

Section titled “Employee Screening Procedures”

Changineers publishes job descriptions for available positions and conducts interviews to assess a candidates technical skills as well as culture fit prior to hiring.

Background checks of an employee or contractor is performed by HR/operations and/or the hiring team prior to the start date of employment.

Employee Onboarding Procedures

Section titled “Employee Onboarding Procedures”

A master checklist for employee onboarding is maintained in Changineers’s intranet.

The Head of Engineering or a nominated delegate is responsible for completing the checklist when a new employee joins Changineers.

  1. Training.

    • New workforce member is provided training on Changineers security policy, acceptable use policy, and given access to the Employee Handbook.
    • Records of training and policy acceptance is kept in the HR system (currently EaseCentral).
    • The training and acceptance must be completed within 30 days of employment.

  2. Access.

    • Standard access is provisioned according to the job role and approval as specified in the HR onboarding GitHub ticket.
    • All system access is tracked in the master checklist
    • Non-standard access requires additional approval following the access request procedures.
    • Non-standard access requires additional approval following the access request procedures.
    • Request for modifications of access for any Changineers employee can be made using the procedures outlined in the Access Establishment and Modification policy and procedures.

  3. System configuration.

    • The end-user computing device (e.g. workstation or laptop) may be provisioned by IT to install necessary software, malware protection, security agents, and setting system configurations.
    • Users in a technical role, such as Development, may choose to self configure their system. In this case, the user is given configuration guidelines defined by IT and Security. The system must have the required security configuration and endpoint agents installed for monitoring and to ensure compliance.

Employee Exiting/Termination Procedures

Section titled “Employee Exiting/Termination Procedures”

A master checklist for employee existing/termination is maintained by the Head of Engineering in Changineers’s intranet.

  1. The Human Resources Department (or other designated department), users, and their supervisors (HR) are required to notify Security upon completion and/or termination of access needs and facilitating completion of the “Termination Checklist”.

  2. HR are required to notify Security to terminate a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Privacy Officer):

    • The user has been using their access rights inappropriately;
    • A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);
    • An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).

  3. Security will terminate users’ access rights immediately upon notification, and will coordinate with the appropriate Changineers employees to terminate access to any non-production systems managed by those employees.

  4. Security audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.

Revision History

Section titled “Revision History”
DateSummaryApproved by
2020-01Initial revision.James Gregory
2026-04-24Refreshed HR management procedure and adopted acceptable use policy.James Gregory

Hiring & onboarding

Acceptable use of AI tools Approved software

Building software

Engineering principles Secure development Solution design Shipping code Penetration testing

Shipping & operations

Operations security Architecture Change management Emergency change Configuration baselines Observability Threat detection Vulnerability management

Data

Customer data deletion

Resilience & response

Incident response

Public

Modern slavery statement Responsible disclosure

Deprecated (pending removal)

Security Program Overview Policy Management Compliance Audits and External Communications Security Architecture and Operating Model Roles, Responsibilities and Training Risk Management System Audits, Monitoring and Assessments HR and Personnel Security Access Facility Access and Physical Security Data Management Data Protection Secure Software Development and Product Security Configuration and Change Management Threat Detection and Prevention Vulnerability Management Mobile Device Security and Media Management Business Continuity and Disaster Recovery Incident Response Breach Investigation and Notification Third Party Security and Vendor Risk Management Employee Handbook Subprocessors