Five skeleton templates for docs/compliance/templates/. Each has YAML frontmatter (status: template, playbook-section), a "not code-enforced" banner, and [FILL IN:] markers throughout. password-policy banner cites ADR-025 §Deferred items by number (MFA + password policy + lockout deferral). Cross-template relative links all resolve. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
80 lines
5.2 KiB
Markdown
80 lines
5.2 KiB
Markdown
---
|
|
status: template
|
|
playbook-section: 60
|
|
title: "Staff Onboarding Checklist (Data Access & Security)"
|
|
last-reviewed: "[FILL IN: YYYY-MM-DD]"
|
|
---
|
|
|
|
# Staff Onboarding Checklist (Data Access & Security)
|
|
|
|
> **Template status** — fill every `[FILL IN: …]` marker before use.
|
|
|
|
> **Not code-enforced** — this checklist documents HR and operational controls. Access provisioning, policy acknowledgement, and training completion are tracked outside the application codebase by `[FILL IN: HR system / identity provider / ticketing tool]`. The consumer is responsible for integrating this checklist into their onboarding workflow.
|
|
|
|
---
|
|
|
|
## 1. Purpose & Scope
|
|
|
|
This checklist ensures that every new employee, contractor, or third-party with access to `[FILL IN: organisation name]`'s systems completes the required security, privacy, and data-access steps before handling personal data.
|
|
|
|
**Owner:** `[FILL IN: role — e.g., HR / People Ops + Engineering Lead]`
|
|
|
|
---
|
|
|
|
## 2. Before First Day
|
|
|
|
| # | Task | Owner | Done |
|
|
| --- | ---------------------------------------------------------------------------------------------------- | --------------------- | ---- |
|
|
| 1 | Role-based access list agreed with hiring manager | `[FILL IN: e.g., HR]` | ☐ |
|
|
| 2 | Identity-provider account created (IdP: `[FILL IN: provider name]`) | `[FILL IN: e.g., IT]` | ☐ |
|
|
| 3 | Device provisioned and MDM-enrolled (see [`device-policy.template.md`](./device-policy.template.md)) | `[FILL IN:]` | ☐ |
|
|
| 4 | NDA / data-processing agreement signed | `[FILL IN: e.g., HR]` | ☐ |
|
|
| 5 | Emergency contact and DPO contact shared with new hire | `[FILL IN: e.g., HR]` | ☐ |
|
|
|
|
---
|
|
|
|
## 3. Day 1 — Security & Privacy Orientation
|
|
|
|
| # | Task | Owner | Done |
|
|
| --- | --------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---- |
|
|
| 1 | Complete data-protection / GDPR awareness training: `[FILL IN: course name / platform]` | New hire | ☐ |
|
|
| 2 | Read and acknowledge: Acceptable Use & Device Policy (see [`device-policy.template.md`](./device-policy.template.md)) | New hire | ☐ |
|
|
| 3 | Read and acknowledge: Password & Authentication Policy (see [`password-policy.template.md`](./password-policy.template.md)) | New hire | ☐ |
|
|
| 4 | Set up MFA on IdP account: `[FILL IN: MFA method + instructions URL]` | New hire + IT | ☐ |
|
|
| 5 | Access production systems: `[FILL IN: systems list]` granted at minimum-privilege level | `[FILL IN: e.g., IT / Lead]` | ☐ |
|
|
|
|
---
|
|
|
|
## 4. First Week — System Access Provisioning
|
|
|
|
| # | System / tool | Access level | Approver | Done |
|
|
| --- | -------------------------------------- | ------------------------------------- | ----------------------------- | ---- |
|
|
| 1 | `[FILL IN: e.g., GitHub org]` | `[FILL IN: e.g., member / write]` | `[FILL IN: engineering lead]` | ☐ |
|
|
| 2 | `[FILL IN: e.g., Payload CMS admin]` | `[FILL IN: e.g., editor / admin]` | `[FILL IN:]` | ☐ |
|
|
| 3 | `[FILL IN: e.g., cloud console]` | `[FILL IN: e.g., read-only / scoped]` | `[FILL IN:]` | ☐ |
|
|
| 4 | `[FILL IN: e.g., monitoring / Sentry]` | `[FILL IN: e.g., member]` | `[FILL IN:]` | ☐ |
|
|
| 5 | `[FILL IN: e.g., HR / payroll system]` | `[FILL IN:]` | `[FILL IN:]` | ☐ |
|
|
| 6 | `[FILL IN: any other system]` | `[FILL IN:]` | `[FILL IN:]` | ☐ |
|
|
|
|
---
|
|
|
|
## 5. First 30 Days — Compliance Acknowledgement
|
|
|
|
| # | Task | Done |
|
|
| --- | ----------------------------------------------------------------------------------------------- | ---- |
|
|
| 1 | Confirm receipt of this organisation's privacy notice (staff version) | ☐ |
|
|
| 2 | Complete any role-specific data-handling training: `[FILL IN: e.g., PCI / HIPAA if applicable]` | ☐ |
|
|
| 3 | 30-day check-in with manager on access requirements (reduce if not needed) | ☐ |
|
|
|
|
---
|
|
|
|
## 6. Record-Keeping
|
|
|
|
Completed checklists are stored in `[FILL IN: location — e.g., HR system / personnel file]` and retained for `[FILL IN: e.g., the duration of employment + 2 years]`.
|
|
|
|
---
|
|
|
|
## 7. Review Cycle
|
|
|
|
This checklist is reviewed `[FILL IN: frequency — e.g., annually or when systems change]`. The next scheduled review is `[FILL IN: YYYY-MM-DD]`.
|