Vanta policy template instructions

This Vanta policy template represents a complete, compliance-ready policy with placeholders for company-specific text. Each policy section covers a policy-specific topic that you should consider and/or modify to match your company’s practices.

For each policy section

  • Consider if this section and its corresponding risks applies to you. If it does not, remove it and/or replace it with your organization’s corresponding practices.

  • Replace any highlighted text in angled brackets < >¹ with your own language

  • Rewrite the policy language such that it reflects the practices of your organization

Policy completion checklist

  1. Use Find to make sure that all text in angled brackets is replaced

  2. Proofread your policy for spelling and grammar mistakes

  3. Confirm that the policy’s content reflects your organization’s practices

  4. Add any company-specific letterhead, branding, and formatting

  5. Remove this instructions page

  6. Export this document as PDF — File > Save As > Change “File Format” to PDF

  7. Upload the PDF to Vanta at https://app.vanta.com/policies

More questions?

A good rule of thumb is to keep your language at a high enough level that it stays representative for at least a year. If you have more questions about how to use this template, please reach out to support@vanta.com or your auditor for additional guidance.

Human Resource Security Policy

Policy Owner: <Policy owner>

...

Owner: Managing Director

Effective Date: 2023-03-21

Purpose

To ensure that employees and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.

Scope

This policy applies to all employees of <Company Name> CloudCard, consultants, contractors and other third-party entities with access to <Company Name> CloudCard production networks and system resources.

Policy

Screening

Background verification checks on <Company Name> CloudCard personnel shall be carried out in accordance with relevant laws and regulations, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. Background screening shall include criminal history checks unless prohibited by local statute. All third parties with technical privileged or administrative access to <Company Name> CloudCard production systems or networks are subject to a background check, or to a requirement to provide evidence of an acceptable background, based on their level of access and the perceived risk to <Company Name> CloudCard.

Competence & Performance Assessment

The skills and competence of employees and contractors shall be assessed by human resources staff and the hiring manager or his or her designees as part of the hiring process. Required skills and competencies shall be listed in job descriptions and requisitions, and/or aligned with the responsibilities outlined in the Roles and Responsibilities Policy. Competency evaluations may include reference checks, education and certification verifications, technical testing, and interviews.

All <Company Name> CloudCard employees will undergo an annual performance review which will include an assessment of job performance, competence in the role, adherence to company policies and code of conduct, and achievement of role-specific objectives.

...

Company policies and information security roles and responsibilities shall be communicated to employees and third parties at the time of hire or engagement, and employees and contractors are required to formally acknowledge their understanding and acceptance of their security responsibilities. Employees and third parties with access to company or customer information shall sign appropriate non-disclosure, confidentiality, and code-of-conduct agreements. Contractual agreements shall state responsibilities for information security as needed. Employees and relevant third parties shall follow all <Company Name> CloudCard information security policies.

...

Information Security Awareness, Education & Training

All <Company Name> CloudCard employees and third parties with administrative or privileged technical access to <Company Name> CloudCard production systems and networks shall complete security awareness training at the time of hire and annually thereafter. Management shall monitor training completion and shall take appropriate steps to ensure compliance with this policy. Employees and contractors shall be aware of relevant information security and data privacy policies and procedures. The company shall ensure that personnel receive security and data privacy training appropriate to their role and data handling responsibilities².

In order to maintain a robust level of security awareness, the company will provide security-related updates and communications to company personnel on an ongoing basis through multiple communication channels as needed.

Information security leaders and managers shall ensure appropriate professional development occurs to provide an understanding of current threats and trends in the security landscape. Security leaders and key stakeholders shall attend trainings, obtain and maintain relevant certifications, and maintain memberships in industry groups as appropriate.

...

Termination Process

...

Employee and contractor termination and offboarding processes shall ensure that physical and logical access is promptly revoked in accordance with company SLAs and policies, and that all company issued equipment is returned.

...

Employees and third parties who violate <Company Name> CloudCard information security policies shall be subject to the <Company Name> CloudCard progressive disciplinary process, up to and including termination of employment or contract.

Exceptions

Requests for an exception to this policy must be submitted to the <role responsible for approving exceptions to this policy, e.g., Chief Human Resource Officer (CHRO)> Managing Director for approval.

...

Violations & Enforcement

...

Any known violations of this policy should be reported to the <role responsible for receiving notifications of violations to this policy, e.g., CHRO> Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company policies up to and including termination of employment.

Version | Date | Description | Author | Approved by
<1.0> | <29 Apr 2020> | <First Version> | <OWNER> | <APPROVER>
1.0 | 2023-03-21 | First Version | Ryan Heathcote | Luke Rettstatt

¹ All fields in this document marked by angled brackets < > and highlighted must be filled in.

² Training appropriate to roles added for v2