This week’s controls are on the Employee Handbook, Code of Conduct, and Code of Ethics. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why these common HR documents can be important to your audit.
Let’s be honest. In most cases, handbooks, codes of conduct, terms of service, codes of ethics and other similar documents are only skimmed at best unless you are scouring them for a specific piece of information. However, while they aren’t the most entertaining reads, they’re extremely important for laying the groundwork for your organization’s policies and procedures.
The key takeaway here is setting expectations, outlining the rules up-front, and giving employees an idea of what is and is not acceptable in your organization. Not only are you setting these expectations internally, but you’re showing your customers, partners and businesses you work with that you won’t misuse their data or assets.
An organization that doesn’t have a solid Code of Conduct and/or Code of Ethics is a huge red flag! Note that a Code of Conduct states how your company expects employees to behave, whereas a Code of Ethics states the moral standards and expectations your company has of employees.
These controls boil down to having the documentation prepared, and ensuring that your employees read and sign off on them. This can be accomplished in the greater onboarding process. The documents themselves can be separate, or all part of one comprehensive Employee Handbook.
In a lot of large organizations, entire departments can be dedicated to any one of the documents covered by these two controls. A smaller organization may have a single owner for all this documentation, which is easy enough to enforce until they reach a large enough size.
If at any time your Code of Conduct (which in some companies is included in the employee handbook) is updated, you will need to repeat this process and have your employees acknowledge that they have read the changes.
One last thing: if you happen to have a Code of Ethics either as part of or separate from the Code of Conduct, then you can use the guidelines from the Tugboat platform to implement a Code of Ethics. Here’s what you need to consider: