CSA CCM HRS-08
Employment Agreement Content

Employment agreements are a critical tool for protecting an organization's information assets. By including provisions mandating adherence to established information governance and security policies, organizations can ensure employees understand their responsibilities. A well-crafted employment agreement sets clear expectations and provides a basis for taking action if an employee violates the agreement.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

Who should care?

This control is relevant for several roles:

  • Human Resources managers with responsibility for drafting employment agreements and onboarding new employees
  • Information Security managers with a need to ensure all employees comply with security policies
  • Legal counsel with a duty to limit the organization's liability exposure
  • Hiring managers with an interest in setting expectations for how their team members will protect information

What is the risk?

Without proper employment agreement provisions, several adverse events could occur:

  • Employees may inappropriately disclose confidential information, either intentionally or inadvertently. This could lead to reputational damage, loss of competitive advantage, or regulatory fines.
  • Employees may fail to follow security best practices like using strong passwords, resulting in preventable data breaches.
  • Organizations may have limited recourse to discipline employees who violate policies.

While employment agreements alone cannot fully prevent these issues, they are an important tool in the overall security strategy. Well-crafted agreements reduce the likelihood of these risks by increasing awareness and accountability.

What's the care factor?

For most organizations, implementing strong employment agreements should be a high priority, for several reasons:

  1. It is a relatively low-effort, high-impact security control. Drafting a good template takes some up-front work, but once in place it can be reused.
  2. The consequences of poor agreements can be severe, as discussed in the "What is the risk?" section.
  3. Employment agreements are relevant for all employees, not just those in technical roles. A receptionist with access to client files can cause as much damage as a system administrator.
  4. Increasingly, regulators, auditors, and cyber insurance providers are looking for employment agreements as evidence of a mature security program. Failing to implement them can lead to failed audits or higher premiums.

When is it relevant?

Employment agreement security provisions are relevant for:

  • All new hires, regardless of role
  • Existing employees who transition into roles with access to sensitive information
  • Employees subject to new regulatory requirements (e.g. GDPR)
  • Contractors and temporary workers

They may be less relevant for employees with no access to confidential data, such as factory workers. Even then, some general confidentiality language is still a best practice.

What are the trade-offs?

The main cost of this control is the time required to draft the agreement template and customize it for each role. Some potential downsides:

  • Highly restrictive agreements may be off-putting to some candidates and slow down hiring. Balance is needed.
  • If not worded carefully, some provisions may conflict with employees' legal rights (e.g. whistleblower protections).
  • Overly broad confidentiality language may limit an ex-employee's job prospects. This should be narrowly tailored.

These costs are minor compared to the risk reduction in most cases, but still worth considering.

How to make it happen?

Implementing this control involves several steps:

  1. Assemble a cross-functional team with representation from HR, Legal, and Information Security.
  2. Review any existing employment agreements to identify gaps. Pay special attention to confidentiality sections.
  3. Draft a template employment agreement with language mandating adherence to information security policies. Tailor sections for specific roles as needed. Key provisions to include:
    • Requirement to comply with acceptable use policies, access control procedures, and data handling standards
    • Prohibition on disclosing confidential data to unauthorized parties
    • Consequences for violating policies, up to and including termination
    • Affirmative statement that the employee has read and agrees to abide by all security policies
    • Survival clause stating confidentiality obligations remain in effect after termination
  4. Have the template reviewed by legal counsel to ensure enforceability.
  5. Train HR staff on when and how to use the new template. Store it in a secure central repository.
  6. Develop a process to have all new hires sign the agreement before being provisioned access to any systems.
  7. Meet with existing employees to have them sign the updated agreement. This is a good chance to refresh security awareness training.
  8. Periodically review the template to ensure it stays current with changing regulations and business needs.

What are some gotchas?

A few things to watch out for:

  • The agreement must be signed before granting system access. Retroactively applying it has little value.
  • Managers must understand they cannot override the agreement or promise conflicting terms.
  • Certain employee rights like NLRA Section 7 (concerted activity) cannot be waived. Have counsel vet the template.
  • Agreements may need to be tweaked for international employees to comply with local laws.
  • Applying the agreement inconsistently (e.g. only to lower-level staff) may undermine enforceability.

What are the alternatives?

Some organizations try to cover security obligations in employee handbooks or acceptable use policies. While better than nothing, these lack the contractual power of a signed agreement.

Using a general confidentiality agreement without specific security language is another common approach. Again, this helps but is not as targeted.

Ultimately, there is no great substitute for a well-drafted employment agreement with explicit security provisions. It is a foundational control for any mature security program.

Explore further

For more on employment agreements and other HR-related security controls, see:

This control supports and reinforces CIS Control 14.4 ("Train Workforce on Data Sensitivity") by establishing individual responsibility for data protection.