Control of the Week #9 - Employee Handbook and Code of Conduct, and Code of Ethics
This week’s controls are on the Employee Handbook and Code of Conduct, and Code of Ethics. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why these common HR documents can be important to your audit.
Why these controls are important
"OM3.4 - Employee Handbook and Code of Conduct - The organization has established an employee Handbook outlining requirements on the Code of Conduct, acceptable usage and confidentiality commitments which is reviewed/updated on an annual basis by executive management. All employees are required to sign off on acceptance and acknowledgement of the employee handbook as part of the formal onboarding process and to re-sign in the event of any significant revisions."
"OM4.2 - Code of Conduct and Ethics - The organization has defined a Code of Conduct and Ethics and reviews them annually."
Let’s be honest. In most cases, handbooks, codes of conduct, terms of service, codes of ethics and other similar documents are only skimmed at best unless you are scouring them for a specific piece of information. However, while they aren’t the most entertaining reads, they’re extremely important for laying the groundwork for your organization’s policies and procedures.
The key takeaway here is setting expectations, outlining the rules up-front, and giving employees an idea of what is and is not acceptable in your organization. Not only are you setting these expectations internally, but you’re showing your customers, partners and businesses you work with that you won’t misuse their data or assets.
An organization that doesn’t have a solid Code of Conduct and/or Code of Ethics is a huge red flag! Note that a Code of Conduct states how your company expects employees to behave, whereas a Code of Ethics states the moral standards and expectations your company has of employees.
How to implement these controls for your audits
These controls boil down to having the documentation prepared, and ensuring that your employees read and sign off on them. This can be accomplished in the greater onboarding process. The documents themselves can be separate, or all part of one comprehensive Employee Handbook.
In a lot of large organizations, entire departments can be dedicated to any one of the documents covered by these two controls. A smaller organization may have a single owner for all of this documentation, which is easy enough to enforce until the organization grows large enough to need more. Whoever owns the documents, they should take the following into account when drafting them:
- The types of assets and information your organization handles.
- The values you want your organization and employees to exhibit.
- How your organization will handle any disputes or issues that arise.
- Standards of conduct and ethics in your country or region of operation (as well as the places you do business with).
If at any time your Code of Conduct (which in some companies is included in the employee handbook) is updated, you will need to repeat this process and have your employees acknowledge that they have read the changes.
One last thing: if you happen to have a Code of Ethics either as part of or separate from the Code of Conduct, then you can use the guidelines from the Tugboat platform to implement a Code of Ethics. Here’s what you need to consider:
- An outline of the rules involved and how to execute them.
- What the professional standards of ethical conduct are.
- Expectations around how employees should communicate in the workplace.
- How to resolve conflicts should they arise between employees.
- How to report misconduct when it occurs.