Before granting access to organizational systems and data, it's crucial that employees sign an employment agreement. This agreement outlines the terms and conditions related to information security that the employee must adhere to. The specifics of the agreement may vary based on the employee's role and responsibilities within the company.

Where did this come from?

CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here.

The Cloud Security Alliance developed the Cloud Controls Matrix as a baseline set of security controls to help organizations assess cloud computing risk. It provides a framework for what security measures should be in place when leveraging cloud technology.

Who should care?

• HR managers responsible for onboarding new employees
• IT security teams tasked with protecting company data
• Compliance officers ensuring adherence to regulations
• Legal counsel drafting employment contracts

What is the risk?

Without a signed employment agreement covering infosec responsibilities:

• Employees may mishandle sensitive data due to lack of awareness
• Organizations open themselves up to insider threats
• Companies may fail compliance audits without proof of agreements
• Lawsuits become harder to defend if expectations weren't documented

While an agreement alone won't prevent all issues, it's a critical foundation. It ensures everyone understands their security obligations from day one.

What's the care factor?

For companies dealing with regulated data like PII, PCI, or PHI, employment agreements are a must-have. Auditors will look for them. Even if not legally required, these agreements are Security 101.

Any organization that values its data should make this a high priority. The reputational and financial damage from a preventable data breach can be devastating. Employment agreements are an easy win.

When is it relevant?

Employment agreements make sense for:

• Any employee with access to sensitive data
• Roles with elevated privileges like admins or developers
• Companies in regulated industries
• Remote workers handling company data offsite

They are less critical for:

• Employees with no digital access like maintenance staff
• Companies with no sensitive data whatsoever

But when in doubt, it's better to have an agreement in place. Better safe than sorry.

What are the trade offs?

Drafting, customizing, and tracking employment agreements takes time and effort. HR and Legal need to be involved. Employees may find yet another form to sign annoying.

Overly restrictive agreements can erode trust and hurt recruiting. No one wants to feel like Big Brother is always watching.

There's also the question of enforcement. An agreement alone doesn't guarantee compliance. Additional security controls and monitoring are needed to verify and catch violations.

How to make it happen?

1. Determine what terms and conditions need to be included for each role. Work with HR, Legal, and IT Security.
2. Draft agreement templates, ideally customized per role type. Be specific about expected behaviors.
3. Setup a system to track which employees have signed. Many HR Information Systems have this functionality.
4. Integrate employment agreement signing into the onboarding workflow. Make it a gate before provisioning access.
5. Have employees re-sign whenever significant changes are made to the agreement language.
6. Train managers to verify agreements are in place before granting access requests.
7. Periodically audit HR records to ensure no one slipped through the cracks.

What are some gotchas?

• Employment agreements often need to be localized per geo to meet local laws and language requirements. Engage regional HR/Legal to assist.
• Ensure agreement terms don't conflict with other company policies or handbooks. Inconsistency creates confusion.
• Double-check that procedures are being followed. An agreement is worthless if not properly executed. Trust but verify.

What are the alternatives?

Some organizations rely on general Acceptable Use Policies or Code of Conduct agreements to cover security expectations. These can work if sufficiently detailed.

However, infosec-specific employment agreements leave less room for ambiguity or loopholes. They make it crystal clear that protecting data is part of the job.

Explore further

• NIST 800-53 includes related controls around Personnel Agreements: PS-6
• ISO 27001 also touches on this topic in controls A.7.1.2 & A.7.3.1
• For a deeper dive, check out the SANS InfoSec Employment Agreement Template

‍