People

People are an essential part of security, privacy, and compliance. Without involvement from your employees and contractors, maintaining a secure organization is nearly impossible.

People need to be involved at several different levels – the foundation of this is understanding security and ensuring they are aware of best practices. This takes the form of HR-1 Security Awareness Training (SAT) as well as HR-14 Policy Acknowledgement. Employees and eligible contractors need to sign and attest to their adherence to applicable company policies and procedures as required. Some of these are HR-13 Employee Handbook/Code of Conduct, Bring Your Own Device, AI Tools and Usage, etc.

TrustCloud allows organizations to build, host, and share policies with their entire workforce. You can capture who, what, and when within the platform, allowing you to streamline security and ensure all your audit related evidence is in one place.

The following screenshot shows the “People” page in TrustCloud.

Who is this for?

Several standards, like SOC2, require organizations to collect proof that their employees and eligible contractors have signed off on the employee handbook, as well as other policies like acceptable use, asset management, etc. TrustCloud allows organizations to build, host, and share policies with their entire workforce. You can capture who, what, and when within the platform, allowing you to streamline security and ensure all your audit related evidence is in one place.

User Records – View Eligible Employees and Contractors

The “People” page gives you the overall employee list with details like name, email, role, type, date joined and their compliance status to help you monitor and remind them to complete their compliance tasks to meet a particular standard.

You can take appropriate action depending on the employee’s status and whether they are required for compliance or excluded from the compliance cycle. You can view the policy attestation information of an employee, send an invitation, and include or exclude a particular employee.

People in TrustCloud are segregated into two categories: “Required for Compliance” and “Excluded from Compliance.”

  1. Employees or people required for compliance:
    Compliance within organizations relies on a dedicated team of professionals spanning various roles. Compliance officers oversee program management, while legal counsel interprets laws and regulations. Risk management identifies and mitigates compliance risks, while audit teams ensure program effectiveness. HR ensures employment law compliance, and finance manages financial regulations. Data protection specialists safeguard privacy, and operations assure product quality and safety. Training specialists educate staff on compliance. Lastly, executive leadership sets the compliance tone. Together, these employees uphold ethical standards, mitigate risks, and ensure adherence to regulations, fostering a culture of integrity and accountability within the organization.
  2. Employees or people excluded from compliance:
    Not all employees directly engage in compliance activities within organizations. Frontline staff, maintenance, and cafeteria personnel, administrative assistants, non-executive line managers, and temporary workers typically fall outside direct compliance roles. Also, employees who have left the organization may or may not be excluded from compliance, depending on their employment termination date and the audit observation period.

Compliance status

Each employee is marked with compliance status, as follows:

  1. Compliant: The employee has attested to all the policies.
  2. Non-Compliant: The employee has not attested to all the policies.
  3. Invitation Not Accepted: An invitation to attest to the policy has been sent, but the employee has not accepted it, i.e. they haven’t checked their email.
  4. Not Invited: The employee has not been invited to attest to the policy.

Each employee record is marked with one of these statuses. This helps admins monitor and take appropriate action.

People who are required for compliance:

All employees within an organization contribute to compliance efforts by following established policies and procedures, adhering to regulatory requirements, and reporting any potential violations or concerns. Every employee plays a role in maintaining a culture of compliance. Such employees who are or were part of the policy attestation workflow during their employment are included in the particular compliance cycle.

Who can be excluded from compliance?

Certain individuals may be excluded from compliance, such as contractors, who often fall outside the scope. Additionally, former employees or those who have been no-shows require exclusion from policy attestation workflows. This exclusion, justified by business needs, enables auditors to access relevant data autonomously. Moreover, it provides comprehensive visibility into policy attestation across the organization.

In these cases, you can exclude these users with the business justification of exclusion so that your auditors can self-serve that data. This also allows you to have visibility on policy attestation across your entire organization.

In TrustCloud, when an employee is moved to the “Excluded” category, it means that they are no longer active participants in the compliance process. Their acknowledgement and sign-off on policies are preserved within the system, but they are essentially disabled from ongoing compliance requirements. This approach ensures that a comprehensive history is maintained, documenting the employee’s acknowledgement of policies during their time with the organization.

Moving employees from included to excluded and vice versa:

In certain scenarios, individuals may take short-term leave or transition from contractor to full-time status. During these instances, it’s necessary to temporarily exclude them from policy attestation reviews, and then re-include them in the subsequent cycle.

Getting Started

Once you have finished your onboarding process, make sure you’re a compliance admin and that your policies are uploaded and approved in TrustOps before you get started. Please refer to our videos and policy approvals before diving into policy attestation.

  1. Navigate to your TrustCloud
  2. Click on “My TrustCloud” and select “Tasks.”
    The following screenshot shows the tasks for compliance admin.

Manage policies in TrustOps 

A policy is frequently used in conjunction with other types of documentation, such as standard operating procedures. These documents work together to help the organization achieve its compliance, security, and privacy goals. The policy defines the overall strategy and stance, with the other documents helping build the structure around that practice. You can think of a policy as answering the “what”, “why,” and some part of the “how”, while procedures, standards, and guidelines answer the “how” in great detail.
Please refer to the Policies in TrustCloud to understand managing policies better.

Navigate to TrustCloud My Tasks

  1. Navigate to your TrustCloud program.
  2. Click on “My TrustCloud” and select “Tasks.”
  3. You will see four tasks for you to complete to be compliant with the standard. They are, namely:
    1. Bring employees into TrustCloud
    2. Select policies for attestation
    3. Customize new hire email
    4. Set policy attestation period for employees

You can see the compliance status as “Non-Compliance” at the top-right corner of the page. In order to be compliant, you need to complete all four tasks.

Admin Tasks

Bring employees into TrustCloud / set up Employees

This self-service workflow will walk you through bringing your employees into TrustCloud with Okta. You can select Google Workspace or Microsoft 365, depending on which integration you use to maintain employee data.

  1. Click on the “Complete Now” button in front of the “Bring employees into TrustCloud” task.
  2. Click on the “Pull Data” button in front of Okta, Google Workspace or Microsoft 365 (depending on which integration you use to maintain employee data) to fetch all employee data into your TrustCloud program. The screenshots are taken from an account that has been set up with Okta.
    The following screenshot shows how to pull data from Okta.
    Note: It is recommended to bring in data through identity or online systems to ensure that data is accurately maintained and correct accounts are being pulled in from a policy attestation perspective.
    You can exclude certain service accounts, like billing or support, or employees who are no longer part of the organization or the compliance cycle. Make sure that you only focus on the employee records that are part of the current compliance observation period. As a general practice, include employees who are part of your observation period. For example, if your observation period lasted for the last six months, make sure that you include employees who were part of it, as their attestation records are still important.
  3. Select the employee or records you want to exclude and click on the “Yes, exclude” button.
  4. The list of all employees pulled from integration is displayed in the “Required for Compliance” tab.
  5. The excluded records or employees are displayed in the “Excluded from Compliance” tab.
    The following screenshot shows the list of excluded employee records.
  6. Click on the “Finish” button.
    The following screen is displayed on successful completion of the employee records import.
    Now all your employee records are successfully imported into TrustCloud.
  7. From the left-hand side menu, select “People.”
    The following screenshot shows the list of all employees on the “People” page.

NOTE: Any employee who is added to Okta is automatically added to this employee list.

Manually import employee list

If you are not using any integration tool to maintain your employee records, you can manually upload the list.

To manually import the employee list,

  1. Click on the “Complete Now” button in front of the “Bring employees into TrustCloud” task.
  2. Click on the “I don’t see the tool I use in this list” button.
  3. Download the TrustCloud employee data template by clicking on the “Download Template” button.
  4. Fill out your employee directory in the spreadsheet template.
  5. Upload the template.
  6. Click on the “Import” button.
    All your employee records are imported into your TrustCloud program.

Select Policies for Attestation

Once you have finished importing employee records, the next step is to attest policies. TrustCloud pre-selects all the policies that your employees should attest to; you can remove policies that you think are not relevant.

You can remove any of them or add more policies.

  1. Click on the “Set Policies for Attestation” button.
    The following screenshot shows the list of pre-selected policies.
  2. You can view each policy, edit the highlighted points (key salient points of the policy) or remove the policy from the list.
  3. Click on the “Mark as Done” button.

Customize new hire email

The next step is to customize a new hire email. This is the email all new hires will receive when they join your company.

  1. Navigate to your TrustCloud program.
  2. Click on “My TrustCloud” and select “Tasks.”
  3. Click on the “Complete Now” button in front of the “Customize new hire email” task.
  4. You can set the name of the sender, the subject line and the body of an email.
  5. Click on the “Mark as Done” button.

Set policy attestation period for employees

Most organizations attest their policies once a year, so you can pick a date that’s about a month away from the setup period to ensure that you can sufficiently test the process.

  1. Navigate to your TrustCloud program.
  2. Click on “My TrustCloud” and select “Tasks.”
  3. Click on the “Complete Now” button in front of the “Set policy attestation period for employees” task.
    The following screenshot shows how you can set the policy attestation period.
  4. You can turn on automatic reminders so that non-compliant employees are reminded to complete their pending compliance requirements.
  5. Select your policy attestation start date as per your attestation or audit period.
  6. Select the attestation completion period as a month, 3 months, 6 months or a year. Provide the employees with, ideally, a three-month period within which they need to complete all of these actions. Align this period with your audit period to ensure that, as part of your next audit, all these records are successfully attested and all the employees have completed their tasks.
  7. Click on the “Mark as Done” button.

By following these first steps, you have completed all admin tasks that will enable people in your organization to perform their trust obligations. Your tasks page will now list the trust obligations you need to fulfil.

Inviting Employees

You can send bulk invitations to your employees, regarding their policy attestation activities.

  1. Navigate to your TrustCloud program.
  2. From the left-hand side menu, select “People.”
  3. Select the employees to whom you want to send invitations.
  4. Click on the “Send Invitations” link.

The selected employees will receive an invitation regarding their policy attestation activities. Clicking on the provided link in the email will take them to the TrustCloud login flow and they will be presented with a view that allows them to attest to and sign each policy.

Note: We recommend sending invitations to a few test employees before sending them to your entire company to ensure that the copy of the email and the workflows are working properly.

View policy attestation information

Admins can also view the policy attestation information of any employee.

  1. Navigate to your TrustCloud program.
  2. From the left-hand side menu, select “People.”
  3. Click on the three-dot menu in front of the employee.
  4. Click on the “See Policy Attestation Info” link.
    The following screenshot shows the compliance status and details of policies assigned for the attestation of a particular employee.
  5. You can also send reminders to the employee directly from here rather than wait till the attestation period has expired by clicking on the “Send Reminder” link.

NOTE: If you include a policy during an active attestation cycle, it will only be reflected in the next cycle, not the existing one. So, please make sure your policies are accurate before you invite employees.

Dashboards and monitoring compliance

The TrustCloud dashboard gives you a bird’s-eye view of your overall compliance status, depending on the post-onboarding tasks for your SOC2 preparation.

The three main steps involved in post-onboarding activity are:

  1. Automate your program
  2. Review Scope
  3. View My TrustShare
    The following screenshot shows the TrustCloud dashboard.
    You can view all your completed and pending tasks for your audit preparation from the dashboard and take action accordingly.

Adding New Employees or Contractors 

  1. Automatic Refresh
    If you have added a new employee or employees, click the refresh records link, and it will sync the employee list from your integration tool. A newly created employee record or records are added to the list and excluded employees will remain as is.

    1. Go to the “People” page.
    2. Click on the “Refresh Record” button to sync existing as well as newly added employees.
  2. Manual Additions 
    1. Go to the “People” page.
    2. Click on “+ Add People.”
    3. Enter name, email, role, type, manager and date joined.
    4. Click on the “+ Add People” button.
    5. A new record is now added to the employee list on the “People” page.
  3. Updating Records
    If you wish to update any record or records

    1. If you are using any tools like Google or Okta, then updates must be made to the tool you are using. Use the “Refresh Record” button to sync the updated records.
    2. If you are using manual upload, you can update the record or records manually and upload a new file with the same email to ensure the records are updated.
    3. If you wish to update an email, then use the “Contact Support” link.
  4. Deleting Records
    If you wish to delete any employee record, you need to click on the “Contact Support” button provided on the “People” page.
    NOTE: If you delete an employee, their attestation record is still valid evidence for your audit. It is possible that they were still active employees during the observation period.

Employee settings

  1. Go to the “People” page from your TrustCloud program.
  2. Click on the settings icon at the top of the page.
  3. In the “General Settings” tab, you can choose to send automatic invitations.
    The following screenshot shows the “General Settings” tab.
  4. In the “Reminders” tab, you can choose to send automatic reminders and set the policy attestation start date and attestation completion period.
    The following screenshot shows the “Reminders” tab.
  5. In the “New Hire Email” tab, you can customize the sender, subject and content of the email to send.
    The following screenshot shows the “New Hire Email” tab.
  6. In the “Policies for Attestation” tab, you can view all the required policies for attestation to be compliant.
    The following screenshot shows the “Policies for Attestation” tab.

To include policy,

If you wish to include some more policies in your program, follow these steps.

  1. Go to the “People” page from your TrustCloud program.
  2. Click on the settings icon at the top of the page.
  3. Go to the “Policies and Attestation” tab.
  4. Click on the “Include Policy” button.
  5. Search and select the policy to include, then click on the “Include Policy” button.

To view policy,

  1. Go to the “People” page from your TrustCloud program.
  2. Click on the settings icon at the top of the page.
  3. Go to the “Policies and Attestation” tab.
  4. Click on the eye icon next to the policy.

To edit highlighted points,

It is nearly impossible to read the entire set of policies, which is why TrustCloud gives you the ability to highlight points for each policy. It enables you to quickly and easily understand the policy.

  1. Go to the “People” page from your TrustCloud program.
  2. Click on the settings icon at the top of the page.
  3. Go to the “Policies and Attestation” tab.
  4. Click on the edit icon next to the policy.
  5. Click on the “+ Add Highlighted Point” button, enter your points and click on the “Update” button.

To delete policy,

If you wish to delete any policy, follow these steps:

  1. Go to the “People” page from your TrustCloud program.
  2. Click on the settings icon at the top of the page.
  3. Go to the “Policies and Attestation” tab.
  4. Click on the delete icon next to the policy.

Editing Policies

TrustOps offers an Edit Policy menu option to customize existing text, write your own, or bring in the contents of an existing policy by pasting its text. This editor enables you to format your policy, choose whether or not (and where) to insert its approval log and related control list, and add TrustCloud control texts. TrustOps also supports smart variables—dynamic, auto-updating values representing key attributes of a policy, such as its owner—which you can use when composing your policy.

Please refer to the documentation for Policies in TrustCloud to understand editing policies better. You can also view the “How to Edit a Policy” video.

NOTE: If changes are made, they will be factored into next year’s attestation cycle unless you manually decide to re-invite employees. Removing policies will still preserve their records. We don’t recommend changes; that’s what the setup period is for.

Employee experience – what will your team see?

Each employee who is required to comply receives an email invitation to set up compliance activities.
The following screenshot shows an email received to set up compliance activities.

  1. Click on the “Get Started” button. This will take you to your TrustCloud program “Tasks” page, with a list of policies to attest.
  2. Click on the “Complete Now” button in front of each policy to attest to the assigned policies.
  3. Read the policy document carefully and click on the “I’ve read and understand this policy” button.
  4. Click the checkbox and click on “Confirm.”
  5. Complete all your TrustCloud tasks to attest to the different policies of your organization and be compliant.

Actions

The People Dashboard gives you an overview of the compliance status of all your employees. As an Admin, you can take the following actions.

To view employees who contribute to compliance,

  1. Go to the “People” page from your TrustCloud program.
  2. By default, the “Required for Compliance” tab is displayed, showing the total number of employees and the employee count for each status. The list of all employees with their details is displayed below.
    The following screenshot shows the employee count, status and list of employees that are required for compliance.

To view employees who are excluded from compliance,

  1. Go to the “People” page from your TrustCloud program.
  2. Click on the “Excluded from Compliance” tab.
    The following screenshot shows the employee count and list of employees who are excluded from compliance.

You can take appropriate action depending on the employee’s status and whether they are required for compliance or excluded from compliance. You can view the policy attestation information of an employee, send an invitation, and include or exclude a particular employee.

For the employees required for compliance,

  1. Go to the “People” page from your TrustCloud program.
  2. Go to the “Required for Compliance” tab.
  3. Click on the three-dot menu in front of an employee.
    The following screenshot shows the actions you can take for required employees.
  4. Click on “See Policy Attestation Info” to view the policies that are attested and not attested by the employee.
  5. Click on “Send Invitation.” This will send an email to the employee to set up employee compliance activities.

  6. Click on “Exclude” to exclude a particular employee that is no longer required for compliance.

For the employees Excluded from Compliance,

  1. Go to the “People” page from your TrustCloud program.
  2. Go to the “Excluded from Compliance” tab.
  3. Click on the three-dot menu in front of an employee.
    The following screenshot shows the actions you can take on excluded employees.
  4. Click on “See Policy Attestation Info” to view the policies that are attested and not attested by the employee.
  5. Click on “Include” to make that employee required for compliance and move to the other list.

To take bulk action,

You can bulk select employees and send invitations or exclude them.

  1. Go to the “People” page from your TrustCloud program.
  2. Select multiple employees.
  3. Click on the “Send Invitation” or “Exclude” button.
    The following screenshot shows the bulk selection and actions.

Adding people or employees

  1. Go to the “People” page from your TrustCloud program.
  2. Click on the “Add People” button.
  3. Enter details about the employee, like their full name, email address, role, type, manager and date of joining. Click on the “+ Add People” button. This employee will appear on the “Required for Compliance” list.

Filter and Sort

You can view a list of employees by applying filters like status, role and type.

  1. Go to the “People” page from your TrustCloud program.
  2. Select the desired tab.
  3. Click on “Filters” and select status, role or type.

You can sort the list of employees by employee name, email ID, role, type, date joined and status.

  1. Go to the “People” page from your TrustCloud program.
  2. Select the desired tab.
  3. Click on employee name, email ID, role, type, date joined and status tags to sort.
    The following screenshot shows the sorting of the employee list.
