S 3.1 Well-regulated familiarisation/training of new staff with their work

Initiation responsibility: Head of Personnel, Top Management

Implementation responsibility: Personnel Department, Supervisor

New employees do not only need to be familiarised with their new tasks, they also must be informed of the internal regulations, customs, and procedures. Without corresponding instruction, they will not know who to contact regarding questions relating to information security, which security safeguards must be implemented, and which security strategy the government agency and/or company is pursuing. This may lead to malfunctions and cause damage to the organisation. For this reason, well-regulated familiarisation of new employees has a correspondingly high importance. The experienced employees should be made aware accordingly so that they support the new employees, and therefore help reduce security problems in advance to a minimum. A more experienced colleague should be available for new employees to answer any questions they have.

The familiarisation and/or instruction should cover the following aspects at a minimum:

• all new employees should be trained and/or instructed regarding the use of the most important IT systems and applications they will use at their workplaces. In addition, all new employees should be made aware of and receive training for all relevant security safeguards (see also module S 1.13 Information security awareness and training). New employees should be allocated adequate time for familiarisation with their work.
• the new employees should be introduced to all contact persons, especially those available to answer questions relating to information security and data protection.
• the new employees should be informed of the security objectives of the government agency and/or company. All internal rules and regulations for information security must be explained. The codes of conduct and reporting paths for all types of potential security incidents must be explained.

A batch card or a checklist may be helpful for familiarising new employees with their work, containing information on the individual activities and on the current familiarisation status.

Review questions:

• Do new employees receive proper, well-planned training in the area of information security?
• Is every new employee informed of the relevant IT security regulations?