WorkAxle Trust Center

Below is a list of all related controls for this domain. A status of green means compliant, yellow means partially compliant, and red means non-compliant.

A Bring Your Own Device (BYOD) Policy is established to regulate the use of personal devices for business purposes on company-owned or managed networks and systems

This policy sets forth security requirements and acceptable use guidelines to protect organizational data, outlining the responsibilities of both the employer and employees. The BYOD policy helps reduce risks associated with using personal devices, ensuring data security, privacy, and compliance with applicable regulations.

Implementation Guidance:

Define which types of personal devices are permitted and the conditions for their use within the organization's environment.
Implement security measures such as mandatory device encryption, strong password protection, and mobile device management (MDM) solutions.
Require users to install antivirus software and keep their devices updated with the latest patches.
Establish clear guidelines on acceptable use, data storage, and restrictions on accessing sensitive information on personal devices.
Outline the responsibilities of employees, including reporting lost or stolen devices and adhering to the organization’s security standards.
Include provisions for periodic reviews of the BYOD policy to address evolving security threats and technological changes.

A clear process checklist for employee role transfers ensures access permissions, responsibilities, and training align with the new position while maintaining organizational security and compliance.

A structured role transfer process checklist ensures employees transitioning to new roles receive the necessary support, information, and resources to succeed. This includes knowledge transfer, updated training, clear performance expectations, and alignment with new responsibilities.

Implementation Guidance:

Adjust system and physical access permissions to align with the employee’s new responsibilities.
Provide role-specific training and orientation to support a smooth transition.
Update personnel files to reflect the role change, and notify relevant teams.
Ensure all changes are documented and securely stored for compliance and audit purposes.

A defined offboarding process checklist ensures the secure and consistent removal of access, recovery of company assets, and compliance with legal requirements when employees leave the organization

An offboarding process checklist ensures departing employees transition smoothly and securely while protecting organizational interests. This includes knowledge transfer, retrieval of company assets, revocation of access, exit interviews, and compliance with legal and organizational policies.

Implementation Guidance:

Revoke access to all systems, networks, and physical premises immediately upon termination.
Recover company-issued assets, including laptops, mobile devices, and ID badges.
Review non-disclosure and non-compete agreements, and remind departing employees of ongoing obligations.
Conduct exit interviews to gather feedback and identify areas for improvement.
Securely store records of the offboarding process for audit purposes.

A standardized onboarding process is implemented and maintained to ensure personnel transitions are managed consistently, securely, and in compliance with legal and regulatory requirements

A structured onboarding process checklist ensures new hires receive the necessary information, tools, and resources to become productive team members. This includes orientation, training, job performance, and behavior expectations.

Implementation Guidance:

Provide access to systems, tools, and facilities required for the role.
Conduct orientation sessions on job expectations, security protocols, and organizational policies.
Ensure initial training on compliance, security, and role-specific responsibilities is completed.
Collect signed agreements, such as confidentiality and code of conduct acknowledgments.
Verify proper documentation and securely store personnel records.

A structured Training and Awareness Program is established, maintained, and enforced to ensure that all employees, contractors, and vendors receive ongoing education to develop and maintain the necessary skills, technical knowledge, and security awareness

The program focuses on raising awareness of security best practices and providing guidance on how to identify and respond to potential security incidents. Topics covered include phishing, social engineering, password security, data protection, and incident reporting. Additionally, training records are maintained to track completion of training programs, ensuring compliance and monitoring the effectiveness of the organization's security training initiatives.

Implementation Guidance:

Develop a curriculum covering essential security topics tailored to various roles and access levels.
Schedule regular refresher training sessions to keep personnel updated on emerging threats and evolving security practices.
Incorporate interactive components like simulations, quizzes, or phishing tests to reinforce learning.
Require training completion for all new hires, with periodic refresher courses for existing staff and third-party personnel.
Maintain detailed records of training completion, including dates, topics covered, and participants.
Periodically review and update the training program to reflect changes in the threat landscape, regulatory requirements, or internal policies.

Carbide provides security awareness training to help organizations educate personnel on key security topics and best practices.

For more details, refer to the Carbide Awareness Training Module.

A structured workforce competency assessment process is implemented and maintained to evaluate employee skills, knowledge, and performance, ensuring alignment with organizational goals and ongoing improvement

This process helps identify areas for improvement, support career development, and guide decisions on training, hiring, and promotions. Regular assessments ensure a capable workforce ready to meet evolving business needs.

Implementation Guidance:

Skill Gaps Analysis:

Define the essential skills and competencies required for each role in alignment with business objectives.
Use tools such as surveys, assessments, performance reviews, and manager feedback to evaluate current skill levels.
Identify gaps between existing competencies and required skills, prioritizing those critical to business performance.
Develop action plans to address gaps through training programs, upskilling initiatives, or targeted recruitment.
Periodically update the analysis to reflect emerging technologies, industry trends, and organizational changes.

Performance Reviews:

Establish a structured process with defined frequency (e.g., annually or semi-annually) and consistent evaluation criteria.
Combine quantitative metrics (e.g., goal achievement) with qualitative insights (e.g., teamwork, problem-solving skills).
Encourage discussions on career development, goal setting, and performance improvement plans.
Document review outcomes to maintain a record of employee progress and areas for growth.
Provide managers with training on delivering constructive feedback and addressing sensitive topics effectively.
Regularly review the evaluation process to ensure fairness, consistency, and alignment with organizational priorities.

A termination process checklist ensures that employee separations, whether voluntary or involuntary, are handled consistently, securely, and in compliance with regulatory requirements.

A structured termination process checklist ensures that employee separations are handled professionally, consistently, and in compliance with company policies. This includes finalizing documentation, securing company assets, revoking access, and adhering to legal and regulatory requirements.

Implementation Guidance:

Confirm and document the reason for termination, ensuring compliance with legal and internal policies.
Notify relevant departments, such as IT and HR, to initiate access removal and asset recovery.
Conduct final reviews of agreements, such as NDAs, and issue any required reminders.
Facilitate final paycheck processing and benefits resolution in accordance with employment law.
Document the termination process securely for recordkeeping and future reference.

An organizational chart is documented to visually represent the company’s structure and hierarchy

This chart clarifies reporting lines, relationships, and roles among employees, departments, and management levels. It supports clear communication, efficient decision-making, and streamlined workflows by helping employees understand their positions and responsibilities within the organization. Additionally, an updated organizational chart fosters accountability and transparency.

Implementation Guidance:

Clearly define and illustrate reporting lines, departmental structures, and management hierarchies.
Update the organizational chart regularly to reflect changes due to promotions, new hires, or departmental restructures.
Make the chart accessible to all employees to promote understanding of the organizational structure and reporting relationships.
Use the chart to guide onboarding, clarify roles, and support workforce planning and resource allocation.
Maintain confidentiality when documenting sensitive roles related to security, finance, or compliance functions.
Periodically review the organizational structure to align it with evolving business goals and operational needs.

Effective communication practices are established to ensure clear, timely, and reliable information sharing across the organization

By using appropriate communication channels tailored to specific audiences and situations, these practices help personnel receive the information necessary to fulfill their responsibilities. This includes guidance on reporting issues, sharing organizational goals and changes, promoting security awareness, and conveying critical information related to system operations and procedures.

Implementation Guidance:

Identify appropriate communication channels (e.g., email, instant messaging, meetings, or internal platforms) based on the urgency and audience.
Establish protocols for communicating essential updates, such as policy changes, security alerts, and operational procedures.
Provide clear guidelines on reporting issues or incidents, including whom to contact and how to escalate concerns.
Promote open lines of communication for sharing objectives, team goals, and feedback to enhance collaboration and transparency.
Regularly train employees on communication best practices, emphasizing confidentiality and security when discussing sensitive information.
Review and adjust communication strategies periodically to align with organizational needs and evolving technologies.

Employee agreements and workplace policies are established, maintained, and enforced to define the terms and conditions of employment, outline behavioural expectations, and ensure the responsible use of company resources

These frameworks establish a foundation for clear communication, security, and compliance while fostering a safe, inclusive, and productive work environment.

Implementation Guidance:

Employee Contracts:

Include details such as job responsibilities, compensation, work schedules, and employment status.
Address security, confidentiality, intellectual property, and data protection requirements.
Require contracts to be signed before employment begins and securely store them for compliance with data privacy regulations.

Acceptable Use Policy (AUP):

Define acceptable and prohibited use of company resources, including email, internet, and mobile devices.
Outline consequences for misuse and regularly update the policy to reflect new technologies or threats.
Ensure users acknowledge the AUP, confirming their understanding of its terms.

Employee Handbook:

Cover employment terms, benefits, leave policies, workplace behavior, and security expectations.
Define a code of conduct and disciplinary procedures, promoting consistent understanding of company policies.
Provide accessible, up-to-date versions and require acknowledgment from employees.

Clean Desk Policy:

Encourage a clutter-free workspace, securing sensitive documents and devices when not in use.
Require systems to be logged out and screens locked before leaving workstations.
Include periodic compliance checks and provide training on safeguarding information.

Remote Work Policy:

Establish security measures, such as secure Wi-Fi, VPNs, and strong authentication methods.
Define eligibility criteria and performance expectations for remote roles.
Offer secure collaboration tools and provide regular training on remote work best practices.

Code of Conduct:

Set behavioral expectations aligned with organizational values, such as respect, integrity, and accountability.
Address workplace harassment, conflicts of interest, diversity, and confidentiality.
Require acknowledgment from employees and contractors upon hiring and during periodic refreshers.

Employee screening requirements are in place to verify the backgrounds of prospective and current personnel, ensuring the security and integrity of the organization

This screening process helps identify potential risks by validating an individual’s education, employment history, criminal record, and other relevant details. Screening enables informed decisions regarding hiring, promotions, or granting access to sensitive information, thereby mitigating insider threats and maintaining a trustworthy workforce. Management is responsible for determining the appropriate level of screening required for each role based on the position’s risk profile.

Implementation Guidance:

Use a risk-based approach to define screening requirements for different roles, focusing on the level of access to sensitive data or critical systems.
Conduct screenings that may include verification of education, employment history, criminal records, credit checks, and references, based on the role’s sensitivity.
Ensure that screening processes comply with relevant legal and regulatory requirements, including data privacy and labor laws.
Document screening results securely and restrict access to authorized personnel to protect confidentiality.
Periodically review and update screening procedures to reflect changes in legal standards, industry practices, and internal risk assessments.
Require re-screening for employees moving into roles with higher access privileges or after a significant change in responsibilities.

Roles, responsibilities, and authority levels are defined to ensure that tasks are developed and decisions are made by the appropriate individuals or groups

A clear definition of roles, responsibilities, and authority levels is essential for effective governance, accountability, and operational efficiency. By assigning responsibilities based on expertise, position, and organizational structure, the organization ensures that qualified individuals make decisions and that tasks are executed without ambiguity. This clarity helps prevent overlaps, gaps, or conflicts in duties, reducing the risk of errors, fraud, or unauthorized actions. Management is responsible for establishing, communicating, and periodically reviewing role definitions and authority matrices to reflect organizational changes and risk considerations.