Cybersecurity is included in human resources practices
Employees are both the most common attack vector and the most effective security control. Integrating security into hiring, onboarding, role changes, and offboarding ensures that people have the right access, the right training, and no residual access when they leave. Skipping HR integration is how terminated employee accounts linger for months and new hires get admin rights on day one.
Implementation steps
1. Add security checks to hiring and onboarding
Include background checks appropriate to role sensitivity during the hiring process. On day one, provision access based on role (not a copy of a senior colleague's permissions). Deliver security awareness training before granting access to production systems. Document that these steps were completed for each new hire.
Tools: Rippling, Workday, BambooHR, Checkr
2. Define role-change access procedures
When an employee changes roles, trigger a review of their existing access permissions. Remove access that no longer applies and provision new access for the new role. This prevents privilege accumulation over time, where employees collect permissions from every role they have ever held.
Tools: Okta, Microsoft Entra, SailPoint
3. Enforce an offboarding checklist that covers access revocation
On the employee's last day, revoke all system access within 24 hours: IdP account, email, cloud consoles, SaaS tools, VPN, and any physical access credentials. Assign a named HR or IT person responsible for completing this checklist and documenting completion.
Tools: Rippling, Okta, Google Workspace, Microsoft Entra
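As an added example (not part of this control page or of any tool named above), a Python reconciliation check that turns the three steps into automated findings against constructed HRIS and IdP exports: a terminated user whose account is still active past the 24-hour window, a role-changed user who kept groups from a prior role, and a new hire holding production access with no recorded training. All user names, groups, roles and dates are made up.

```python
from datetime import datetime, timedelta

# Constructed sample exports (hypothetical data, not from any real system):
# HR_EVENTS is what an HRIS would emit; IDP_ACCOUNTS is what an IdP export would show.
HR_EVENTS = [
    {"user": "alice", "event": "hired",       "role": "engineer", "when": "2024-03-01T09:00"},
    {"user": "carol", "event": "role_change", "role": "finance",  "when": "2024-03-05T09:00"},
    {"user": "bob",   "event": "terminated",  "role": "analyst",  "when": "2024-03-10T17:00"},
]
IDP_ACCOUNTS = {
    "alice": {"active": True, "groups": {"eng-prod"},                "training_done": None},
    "bob":   {"active": True, "groups": {"analyst-ro"},              "training_done": "2023-06-01"},
    "carol": {"active": True, "groups": {"eng-prod", "finance-erp"}, "training_done": "2023-01-01"},
}
# Role-based entitlement baseline (step 1) and the groups that grant production access.
ROLE_GROUPS = {"engineer": {"eng-prod"}, "analyst": {"analyst-ro"}, "finance": {"finance-erp"}}
PROD_GROUPS = {"eng-prod", "finance-erp"}
REVOCATION_SLA = timedelta(hours=24)  # step 3: revoke within 24 hours of the last day


def audit(hr_events, accounts, now):
    """Reconcile HR lifecycle events against IdP state; return (user, finding, detail) tuples."""
    findings = []
    for ev in hr_events:
        acct = accounts.get(ev["user"])
        if acct is None:
            continue  # no IdP account: nothing to revoke or review
        when = datetime.fromisoformat(ev["when"])
        if ev["event"] == "terminated":
            # Step 3: an account still active after the SLA is a lingering terminated-user account.
            overdue = now - when - REVOCATION_SLA
            if acct["active"] and overdue > timedelta(0):
                hours = int(overdue.total_seconds() // 3600)
                findings.append((ev["user"], "active_after_termination", f"{hours}h past the 24h SLA"))
        elif ev["event"] == "role_change":
            # Step 2: any group outside the new role's baseline is privilege accumulation.
            leftover = acct["groups"] - ROLE_GROUPS[ev["role"]]
            if leftover:
                findings.append((ev["user"], "privilege_accumulation", ",".join(sorted(leftover))))
        elif ev["event"] == "hired":
            # Step 1: production access must not precede security awareness training.
            prod = acct["groups"] & PROD_GROUPS
            if prod and not acct["training_done"]:
                findings.append((ev["user"], "prod_access_before_training", ",".join(sorted(prod))))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit(HR_EVENTS, IDP_ACCOUNTS, datetime(2024, 3, 12, 9, 0)):
        print(f"{user:6} {finding:28} {detail}")
```

Each finding is the raw material for the evidence listed below: a clean run (no findings) for a departed user is the timestamped revocation record an auditor asks for.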
Evidence required
Onboarding security checklist
A documented checklist used for each new hire covering background screening, initial access provisioning, and security awareness training completion.
- HR onboarding template with security steps
- Ticket or task showing access provisioning was completed for a recent hire
- LMS record showing security training completion date
Offboarding access revocation records
Evidence that access was fully revoked when employees departed, with timestamps showing timely completion.
- Offboarding ticket with access revocation tasks checked off
- IdP account deactivation log for departed employees
- IT checklist signed off by HR confirming offboarding completion
Related controls
- Organizational leadership is responsible and accountable for cybersecurity risk (Roles, Responsibilities, and Authorities)
- Cybersecurity roles, responsibilities, and authorities are established and enforced (Roles, Responsibilities, and Authorities)
- Adequate resources are allocated to cybersecurity commensurate with risk (Roles, Responsibilities, and Authorities)
- Personnel activity and technology usage are monitored to detect potentially adverse events (Continuous Monitoring)