Control of the Week #10 - Employment - Performance Evaluation and Developmental Needs
This week’s control is Performance Evaluation and Developmental Needs. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why these common HR documents can be important to your audit.
Why this control is important
OM3.7 - Personnel Performance Evaluation and Development Needs - The organization has a process in place to evaluate the competency of employees on an annual basis.
Hiring a qualified person is only half the battle when ensuring that your employees know all of your security requirements and follow through on them. A lot of people can talk the talk, but you need to make sure they also walk the talk.
As an organization and management control, the risk lies in not doing periodic evaluations and appraisals to confirm that employees are performing their job to satisfaction and are aware of the elements required to perform that job. Essentially, an organization is confirming that the employee still fits the requirements of the job, and if not, whether training and development can correct any shortfalls.
Another important detail to note is that this control has two elements. One, the Performance Evaluation, which determines whether the employee is still doing the job they were hired to perform; and two, Development Needs, which covers the training and competency required to keep performing that job effectively. Important things to keep in mind are changes in technology, new requirements, new product modules, etc. How are you making sure that you are meeting your contractual agreements and commitments to your customers?
How to implement this control for your audits
Many organizations perform these tasks as part of their HR duties. The evaluations and appraisals capture what training is required (which is why Performance Evaluations and Developmental Needs are closely linked). These tasks can be completed either manually or with automated tools.
However you choose to complete this control, auditors are looking for evidence that the training was done, that records are kept for all employees in the organization (i.e., not just the technical team), and that the evaluations were performed by the appropriate supervisors. The key thing they are looking for, however, is that an evaluation was performed and a record was kept.
Having a defined evaluation process also helps ensure that evaluations are conducted regularly and actually completed. They can be as frequent as you like (e.g. quarterly or yearly), but make sure they’re done effectively. Don’t do them for the sake of doing them!