Overview:
The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Action Items:
1) Create new employee hiring policies and procedures and publish these to the company intranet for all employees to access and review.
2) Create, document, and maintain position descriptions for all employment positions in the company.
3) Create an employee training and security awareness policy and related procedures and publish these to the company intranet for all employees to access and review.
4) Inspect the new employee hiring policies and procedures to determine that new employee hiring procedures are in place to guide the hiring process and include verification that candidates possess the required qualifications to perform the duties as outlined in the job description.
5) Inspect the documented position descriptions for a sample of employment positions to determine that documented position descriptions are in place for each employment position sampled to define the skills and knowledge levels required for the competence levels of particular jobs.
6) Inspect completed training documentation for a sample of current employees and employees hired during the review period to determine that employees are required to complete security awareness training upon hire, and on an annual basis thereafter, to understand their obligations and responsibilities to comply with the company's corporate and business unit security policies for each employee sampled.
Related Documents:
1) Employee hiring / HR policy
2) Documented descriptions for all employment positions
3) Employee training and security awareness policy
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Establishes policies and practices: Policies and practices reflect expectations of competence necessary to support the achievement of objectives.
2) Evaluates competence and addresses shortcomings: The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.
3) Attracts, develops, and retains individuals: The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
4) Plans and prepares for succession: Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.
5) Considers the background of individuals: The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.
6) Considers the technical competency of individuals: The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.
7) Provides training to maintain technical competencies: The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained.
Article ID: 219
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-attracting-developing-and-retaining-competent-individuals-principle-4-cc1-4-219.html