People: Onboarding, Offboarding, and Third Parties
Document ID: DPWAT-ISMS-PROC-001
Version: 1.0
Owner: Administrator + CISO — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)
1. Purpose
Define how DP WAT manages people-related information security controls: joining, changes, offboarding, contractors, and third parties.
2. Screening (before offer/engagement)
Before extending an offer or engaging a contractor:
- Background check: verify identity and check for relevant legal/criminal issues as permitted by law.
- Reference check: contact previous employers or professional references.
- Qualifications: verify claimed qualifications/certifications where relevant to the role.
Screening is proportionate to the role and access level. Records are retained per privacy requirements.
3. Before access is granted (joiner)
- Confirm business need and role (Administrator + relevant Process Owner).
- Ensure confidentiality obligations are in place (employment/contract + NDA as needed).
- Identify the specific systems and permission levels the role requires (principle of least privilege); do not grant broad or standing access by default.
- If BYOD will be used, obtain written acknowledgement that:
  - device encryption is enabled (e.g., FileVault),
  - device has a screen lock,
  - DP WAT data is handled per AUP.
4. Onboarding (day 1)
- Provide ISMS onboarding: AUP, access control, incident reporting, secure development expectations.
- Create accounts / provision access via the access procedure.
- Record the onboarding checklist completion as evidence (store in 07-records/).
5. Training and awareness (ongoing)
- Provide refresher security awareness at least annually.
- Provide project-specific security training when required by customer contract or project risk.
- Record training in training-register.
6. Contractors and consultants
- Contractors may use DP WAT devices or BYOD as approved.
- Access must be time-bound (with an expiry aligned to the contract end date) and reviewed periodically while the engagement is active.
- Ensure offboarding is timely at contract end (see below).
7. Customer-owned devices (third-party assets)
If a person is issued a customer-owned device:
- Treat it as a third-party asset (record in asset register as third-party).
- Confirm whether that device is allowed to access DP WAT systems or other customers' resources.
- If allowed, perform a risk assessment and record compensating controls (exception/risk acceptance if needed).
8. Offboarding (leaver)
Trigger: end of employment/contract or role change requiring access removal.
Notice period (if applicable)
During a notice period, access may be reduced to essential systems only:
- Review current access and remove access to sensitive projects or customer environments not required for handover.
- Revoke admin/privileged access unless specifically needed for transition tasks.
- Monitor for unusual activity (bulk downloads, access to unrelated systems).
Full access revocation occurs on the final day or earlier if circumstances warrant (e.g., immediate termination, security concern).
Offboarding steps
- Process Owner/Administrator notifies the CISO of the offboarding date/time.
- During notice period: reduce access to essential systems; remove privileged access.
- On final day: disable accounts, revoke all remaining access, and terminate active sessions; rotate any shared credentials the leaver knew.
- Recover company assets (laptops, phones, tokens, keys, documents).
- Obtain confirmation of deletion/return of DP WAT information from BYOD where applicable.
- Record offboarding completion in access register and store evidence in 07-records/.