Understanding personnel statuses & scoping

Overview

Secureframe uses personnel statuses so that you can see the state of each person you have onboarded onto the platform, and any actions that you, as the admin, or the personnel themselves need to take within the platform.

Each status is listed below with its definition, the action required by the admin, and the action required by the personnel.

Uncategorized
  • Definition: Before personnel can be invited to Secureframe, they must be categorized as employee or contractor.
  • Action required by admin: Categorize personnel
  • Action required by personnel: N/A

Not Invited
  • Definition: This personnel has not been invited to the Secureframe employee dashboard to complete their tasks.
  • Action required by admin: Invite personnel
  • Action required by personnel: N/A

Incomplete tasks
  • Definition: This status is displayed when the personnel has not completed one or more of the following tasks (as applicable):
    • Accepted all required policies
    • Completed necessary training
    • Background check
    • Secureframe agent
  • Action required by admin: Remind personnel
  • Action required by personnel: Complete employee dashboard tasks

Overdue tasks
  • Definition: This status is displayed when the personnel has not completed one or more of the following tasks before the required time (as applicable):
    • Accepted all required policies
    • Completed necessary training
    • Background check
    • Secureframe agent
  • Action required by admin: Remind personnel
  • Action required by personnel: Complete employee dashboard tasks

All tasks completed
  • Definition: All tasks have been completed by the personnel and the admin.
  • Action required by admin: N/A
  • Action required by personnel: N/A

Offboarded
  • Definition: This personnel has been detected as terminated in one or more integrations connected to Secureframe.
  • Action required by admin: Mark as Inactive
  • Action required by personnel: N/A

Active Account(s)
  • Definition: We detected that this user still has active accounts. Please ensure these accounts are deactivated.
  • Action required by admin: Review associated accounts
  • Action required by personnel: N/A

Categorize personnel

Personnel must be categorized before they can be onboarded to Secureframe.

In order to categorize personnel:

  • Navigate to the personnel page
  • Click on “Categorize Personnel” under the column header “Type” for any uncategorized personnel
  • Choose a category for personnel:
    • In scope employee
    • In scope contractor
    • Out of scope contractor
  • Alternatively, you can bulk categorize personnel:
    • Multi-select the personnel
    • Click “Property”
    • Click “Edit type”
    • Choose employee or contractor
    • Click “Apply to personnel”

For more information on how to determine whether personnel are in or out of audit scope, please read this article.

If the record in the personnel table is not an employee or contractor, you can categorize it as follows:

  • Non personnel - we recommend using the Non Personnel category for any email addresses used as aliases and for every email address that does not fall under the Employee and Contractor types, such as service accounts.
  • Auditor - mark auditors who have access to the platform. Once marked, auditors will appear under the dedicated Auditors tab on the Personnel page.

To categorize a record as non personnel or as an auditor, follow the steps below:

  • Click the three-dot menu on the right hand side of the record
  • Click “Mark as non personnel” or “Mark as auditor”

Invite Personnel

Once the personnel is categorized, you can invite them by following the steps below:

  • Navigate to the Personnel page
  • Click not invited status
  • Click invite

To bulk invite personnel:

  • Multi-select the personnel you want to invite
  • Click invite in the bulk action bar at the bottom

Remind Personnel

If the personnel has incomplete or overdue tasks, you can remind them by clicking on the status (either “Incomplete tasks” or “Overdue tasks”) and then clicking the bell icon.

Mark offboarded personnel as inactive

When personnel are in the “Offboarded” status, it means that this person has been detected as terminated in one or more connected integrations.

Follow the steps below to address personnel with “Offboarded” status:

  • Review the personnel by clicking on their name on the Personnel page
  • Click on the “Accounts” tab
  • Review the accounts that the user has access to; if the offboarded personnel still has access to any accounts, ensure that access is removed in the source system
  • Mark this personnel as “Inactive” in Secureframe:
    • Click on the “Offboarded” status
    • Click “Mark as Inactive”
  • Click “Mark as inactive” on the confirmation screen
  • You can also mark the personnel as Inactive by clicking on the three-dot menu and then clicking “Mark as inactive”

Bulk change personnel to inactive

If you would like to bulk change personnel status for all offboarded personnel at once, follow the steps below:

  • Navigate to the Personnel page
  • Create a filter for Status is exactly offboarded
  • Click the check box to select all offboarded personnel
  • Click the three dot menu in the bulk action bar at the bottom of the screen
  • Click Mark as inactive


Preset filters - In Compliance, Medium Priority and High Priority

In order to assist you, Secureframe provides a list of preset filters on the personnel page to understand the state of compliance amongst your workforce. The three preset filter views can be found on the top of the personnel page next to the search bar.

Below is a description of each of these preset filters:

In Compliance
  • State of personnel: all in scope personnel who have:
    • Completed all relevant training
    • Set up MFA for their system(s)
    • Accepted all relevant policies
    • Enabled the Secureframe agent (if applicable)
  • Admin action required: None

Medium Priority
  • State of personnel: all Active personnel (i.e. currently employed personnel) who are either:
    • Uncategorized
    • Not invited
    • Have incomplete tasks (any of the following being incomplete):
      • Completing all relevant training
      • Setting up MFA for system(s)
      • Accepting all relevant policies
      • Enabling the Secureframe agent (if applicable)
  • Admin action required: Categorize personnel, Invite personnel, or Remind personnel

High Priority
  • State of personnel: Active personnel (i.e. currently employed personnel) who have overdue tasks, i.e. a task that is past its due date, such as:
    • Completing all relevant training
    • Setting up MFA for system(s)
    • Accepting all relevant policies
    • Enabling the Secureframe agent (if applicable)
  • Admin action required: Remind personnel

Personnel change from the Medium Priority flag to High Priority only if one of the specific tasks that the personnel has to complete is past its due date. Here is an example:

  • Jessica was onboarded on June 1 and has 30 days to complete new hire training
  • Jessica has completed all her tasks except for her new hire training, which is due within 30 days of onboarding
  • You view the personnel table on June 15 and Jessica has still not completed her new hire training; she will be flagged under “Medium Priority”
  • You view the personnel table on July 1 and Jessica still has not completed her new hire training; she will be flagged as “High Priority” because the new hire training is past its due date

High Priority (offboarded)
  • State of personnel: High priority can also include inactive personnel who still have an “Offboarded” status
  • Admin action required: Mark offboarded personnel as inactive
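The status and preset-filter rules described above, expressed as an added Python model so the derivation can be checked against the Jessica example. This is example code written for this page, not Secureframe's own implementation; the `Person`, `Task`, `personnel_status`, `preset_filter` and `filter_by_status` names, the 2024 dates and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed model of the statuses and preset filters described on this page.
# Class and function names are assumptions, not Secureframe's API.


@dataclass
class Task:
    name: str
    deadline: date                         # task must be completed before this date
    completed_on: Optional[date] = None

    def is_open(self) -> bool:
        return self.completed_on is None

    def is_overdue(self, today: date) -> bool:
        # "not completed ... before the required time": still open on or after the deadline
        return self.is_open() and today >= self.deadline


@dataclass
class Person:
    name: str
    category: Optional[str] = None         # "employee" or "contractor" once categorized
    invited: bool = False                  # invited to the employee dashboard
    offboarded: bool = False               # detected as terminated in a connected integration
    tasks: list = field(default_factory=list)


def personnel_status(p: Person, today: date) -> str:
    """Derive the personnel-table status, most urgent condition first."""
    if p.offboarded:
        return "Offboarded"
    if p.category is None:
        return "Uncategorized"
    if not p.invited:
        return "Not Invited"
    open_tasks = [t for t in p.tasks if t.is_open()]
    if any(t.is_overdue(today) for t in open_tasks):
        return "Overdue tasks"
    if open_tasks:
        return "Incomplete tasks"
    return "All tasks completed"


# Status -> (preset filter, admin action) as listed in the preset-filter table above.
PRESET = {
    "Offboarded":          ("High Priority",   "Mark offboarded personnel as inactive"),
    "Uncategorized":       ("Medium Priority", "Categorize personnel"),
    "Not Invited":         ("Medium Priority", "Invite personnel"),
    "Overdue tasks":       ("High Priority",   "Remind personnel"),
    "Incomplete tasks":    ("Medium Priority", "Remind personnel"),
    "All tasks completed": ("In Compliance",   None),
}


def preset_filter(p: Person, today: date):
    """Return (preset filter, admin action) for one record on a given day."""
    return PRESET[personnel_status(p, today)]


def filter_by_status(people, status_name: str, today: date):
    """Equivalent of the page's 'Status is exactly offboarded' filter used before a bulk action."""
    return [p for p in people if personnel_status(p, today) == status_name]


# Constructed sample data: the page's Jessica example (onboarded June 1, 30 days for training).
ONBOARDED = date(2024, 6, 1)
jessica = Person(
    name="Jessica", category="employee", invited=True,
    tasks=[
        Task("accept policies", ONBOARDED + timedelta(days=30), completed_on=date(2024, 6, 3)),
        Task("new hire training", ONBOARDED + timedelta(days=30)),   # deadline July 1
    ],
)

if __name__ == "__main__":
    for day in (date(2024, 6, 15), date(2024, 7, 1)):
        print(day, personnel_status(jessica, day), preset_filter(jessica, day))
```

Run on June 15 the open training task is within its window, so Jessica lands in Medium Priority; on July 1 the same task is overdue and she moves to High Priority, which is the transition the example above describes.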

Which Personnel are in audit scope?

Who is in audit scope?

Every employee or contractor who has access to customer data or production systems, or who develops code, should be considered in scope and should go through employee onboarding. Contractors may fall outside of scope if they do not have access to customer data or any source code.

The scope of an audit is based primarily on the relevant customer data. Something or someone is in scope if they handle, have access to, or deal with the relevant data in any way, shape, or form.

Which data is relevant depends on the frameworks in play. For SOC 2 and ISO 27001 the relevant data is customer data. PCI DSS cares about cardholder data. HIPAA and HITRUST care about PHI. GDPR, CPRA and ISO 27001 all care about personal data.

Contractors

Contractors will be in scope if they have access to customer data and/or source code.

Outsourced employees

Where a business’s primary service is to provide staffing services (people) to other businesses, those personnel are not considered in-scope employees of the business that is providing that service.

Example: Secureframe hires company X to provide additional personnel resources. Company X’s personnel work solely for Secureframe - they have access to Secureframe’s systems, have a Secureframe email, etc.

These personnel would not be in scope of company X’s audit, and they should be treated as a vendor. Secureframe is responsible for ensuring proper third-party diligence and controls are implemented for these contractors.

Frequently Asked Questions (FAQ)

So for SOC 2, what should I consider the most important for employee scope?

  • For SOC 2 and ISO, the most important factor is Customer Data. 

How do I know who is in scope when it relates to Personal Data?

  • When it comes to Personal Data, GDPR, CPRA, ISO are all relevant.

We have several contractors who are no longer very active and never had significant access to our systems or a high level of security clearance. When I onboarded them, I initially marked them as 'in-scope.' Can I simply update their designation to 'Contractor: Out of Scope,' or is additional documentation or procedural work required to support this change?

  • If they are indeed out of scope for your particular framework, then yes you can mark them out of scope.
  • It's important to also have documentation or evidence to explain why these users are out of scope, should an auditor inquire about this during a future audit.

If contractors are marked "out of scope," should they still be receiving onboarding tasks?

  • If Contractors are in a group that is assigned to policies/training, yes they would be notified to complete tasks.
  • In this scenario, the company may still want them to be properly trained and or accept company policies regardless of their scope. 

I accidentally changed a user to be an auditor and need them to be an employee instead, but now I can't find them?

  • Any users that are marked as auditor are placed in the Auditors tab of the Personnel page. Users marked as non-personnel are placed in the Non-Personnel tab.
  • To mark them as an employee again, simply find the user, click the 3-dot menu on the right, and select Mark as Employee.

If an employee is detected as Offboarded in Secureframe, is there anything specific I need to do?

  • If an employee is detected as Offboarded in Secureframe, it is suggested that the admin reviews the user's connected services to ensure access to other tools and accounts is deprovisioned. Once this is confirmed, the admin can mark the user as inactive.
  • Secureframe will also show an “Active account(s)” status, which means we detected that this user still has active accounts. Please ensure these accounts are deactivated.

What does non-personnel mean? What is the difference between non-personnel and inactive personnel?

  • Non-personnel typically refers to service accounts, like fax@domain.com or contact@domain.com. These are not real people, but emails attached to applications.
  • Auditors who have access to your instance for the purpose of an audit are managed separately under the Auditors tab on the Personnel page. Like non-personnel, they are not subject to employee or contractor tasks.
  • The difference between inactive and non-personnel is that inactive employees are real personnel who may no longer work for your organization, whereas non-personnel are typically service accounts. Depending on your look-back period or framework objective, you may still be required to account for compliance for employees who are no longer employed.
