HR and Personnel Security
2020.1
Changineers is committed to ensuring all workforce members actively address security and compliance in their roles at Changineers. We encourage self-management and reward the right behaviors. This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
Policy Statements
In addition to the roles and responsibilities stated earlier, Changineers policy requires all workforce members to comply with the Acceptable Use Policy for End-user Computing and HR Security Policy.
Changineers policy requires that:
(a) Background verification checks on all employee and contractor candidates should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.
(b) Employees, contractors and third-party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.
(c) Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures Changineers has in place. Employees will also have ongoing security awareness training that is audited.
(d) Employee offboarding will include reiterating any duties and responsibilities still valid after termination, verifying that access to any Changineers systems has been removed, as well as ensuring that all company-owned assets are returned.
(e) Changineers and its employees will take reasonable measures to ensure no PHI or corporate data is transmitted via digital communications such as email or posted on social media outlets.
(f) Changineers will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
(g) A fair disciplinary process will be utilized for employees who are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. Changineers reserves the right to terminate employees in serious cases of misconduct.
Controls and Procedures
HR Management and Reporting
Changineers uses Google Drive to manage its workforce personnel records.
Organization Structure
A reporting structure has been established that aligns with the organization’s business lines and/or individual’s functional roles. The organizational chart is available to all employees via Google Drive and/or posted on the internal web portal.
Job Functions and Descriptions
Position/job descriptions that define the skills, responsibilities, and knowledge levels required for certain jobs are documented and updated as needed.
Performance Reviews and Feedback
Employees receive regular feedback and acknowledgement from their manager and peers. Formal performance reviews are conducted annually. Performance measures, incentives, and other rewards are established by management according to responsibilities at all levels, reflecting appropriate dimensions of performance and expected standards of conduct.
Employee Screening Procedures
Changineers publishes job descriptions for available positions and conducts interviews to assess a candidate’s technical skills as well as culture fit prior to hiring.
Background checks of an employee or contractor are performed by HR/operations and/or the hiring team prior to the start date of employment as necessary.
Employee Onboarding Procedures
A master checklist for employee onboarding is maintained in Changineers’s intranet.
The Head of Engineering or a nominated delegate is responsible for completing the checklist when a new employee joins Changineers.
- Training.
  - New workforce member is provided training on Changineers security policy, acceptable use policy, HIPAA awareness, and given access to the Employee Handbook.
  - Records of training and policy acceptance are kept in the HR system.
  - The training and acceptance must be completed within 30 days of employment.
- Access.
  - Standard access is provisioned according to the job role and approval as specified in the HR onboarding GitHub ticket.
  - All system access is tracked in the master checklist.
  - Non-standard access requires additional approval following the access request procedures.
- System configuration.
  - The end-user computing device (e.g. workstation or laptop) may be provisioned by IT to install necessary software, malware protection, and security agents, and to set system configurations.
  - Users in a technical role, such as Development, may choose to self-configure their system. In this case, the user is given configuration guidelines defined by IT and Security. The system must have the required security configuration and endpoint agents installed for monitoring and to ensure compliance.
Employee Exiting/Termination Procedures
A master checklist for employee exiting/termination is maintained by the Head of Engineering in Changineers’s intranet.
- Security will terminate users’ access rights immediately upon employee termination or end-of-contract.
- Security audits, and may terminate, the access of users who have not logged into the organization’s information systems/applications for an extended period of time.