What is a company/employee handbook?
A company handbook is a document which has all the key information that an employee, and others associated with the company might need for compliance and for understanding the companies vision, policy and procedures for general operations and data protection etc.
It helps having a central document easily accessible by all key members etc.
We have built our handbooks over 15 years now adding policies as and when required for compliance purposes or when gaps were revealed during audit.
Some tips from our experience.
- Break the handbook into 3 parts. One for all employees and suppliers and contractors which cover up a variety of topics from your vision to data protection. 2nd a separate HR handbook which is meant only for employees. And the 3rd one meant for top management which will include management related responsibilities. This way eg employees are not harassed by too much information on topics not relevant to them.
- Always keep version information at the end including what changes were put across. Notify all people about the changes when you do.
- Instead of unordered list, have ordered list. This way it’s easy to reference a specific topic. Like 6.3 Internet usage policy which makes it easier to refer.
- The document can be overwhelming and hence it’s good that once in 6 months some key topics are explained via a training session. We have a training system for taking the employees through some of the topics.
- Don’t try to include everything at one go. Rather focus on your key requirements build processes around that. And then add more over time.
Common handbook: list of content.
- About this document, us and key suppliers
- Principles
- Roles and responsibilities
- Divisions and compliance officers (includes suppliers)
- Emergency contacts
- What to do if there is a Security Incident?
- Data protection
- Data Classification
- Confidentiality agreement
- Encryption protocols and tools
- Account/Access Management
- Internet usage policy
- System/equipment use
- Other data protection responsibilities
- Physical security
- Visitor policy
- Portable media policy
- Password policy
- Remote/work from home guidelines
- Software Development Standards
- Secure coding practice
- Project environment
- Charset/collation
- Software architecture
- Database System
- Admin
- Front-end
- Images
- Caching methods
- Authentication and Authorization
- Logging and Monitoring
- Extra security steps
- Passwords
- Third-Party code
- Captcha
- Sessions
- Lockouts
- Web page optimization
- Testing/Quality control
- Additional checks when going live
- Project documentation
- Converting designs
- Problem/Change Management Policy
- Server Update / Patches / Change
- Server Hardware Change (if applicable, not applicable on cloud)
- Configuration management
- Security Awareness Training Policy
- Anti-bribery and Anti-corruption Policy
- Disciplinary action
- Software licence and anti piracy
- Work from home policy guidelines
- External accounts
- Stress At Work Policy
- Women grievance redressal
- Performance appraisals and increments
- Data confidentiality – definitions and legislation
- Password manager policy
- Tips on Travel to a foreign country
- Email etiquette
- Estimates/Letterhead
- Template
- Spelling and grammar
- VERSION MAINTENANCE
- Things to add
- Version history
Top management handbook: list of content.
- Important checklist and dates
- Exceptions
- Important notes
- About this document, us and key suppliers
- Key suppliers
- Account Management
- User entitlement
- Compliance management
- Risk management
- Business continuity plan
- Business continuity team
- Security/Critical/Disaster Incident
- Security group
- Emergency contacts
- Handling security incident
- Ideal backups of the servers (both local and external)
- Asset management
- Environment/Physical security audit
- Software licenses and anti-piracy guidelines
- Employee onboarding and exit
- Handling subject access requests (SAR) and similar requests
- Modern Slavery Policy
- Version history
How can we help companies in their paperwork
From a simple single policy to conducting audits sapnagroup and sapnasecurity offers
- Reviewing your processes, and even conducting an audit.
- Create a risk register and help close compliance or security gaps
- Create documents and processes for the company.
- Training staff on key issues for compliance.
- Security incident management.
Please contact us at [email protected] for your compliance and security documentation related needs.