Maintaining momentum with evaluation

Evaluation and Developmental Needs: Maintaining the Momentum

Control of the Week #10 – Employment – Performance Evaluation and Developmental Needs

This week’s controls are on Performance Evaluation and Developmental Needs. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), Jitendra Juithani (Senior Manager, IS Risk & Compliance), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why these common HR documents can be important to your audit.

Why this control is important

OM3.7 – Personnel Performance Evaluation and Development Needs: The organization has a process in place to evaluate the competency of employees on an annual basis.

Hiring a qualified person is only half the battle when ensuring that your employees know all of your security requirements and follow through on them. A lot of people can talk the talk, but you need to make sure they also walk the talk. 

As an organization and management control, the risk lies in not doing periodic evaluations and appraisals to confirm that employees are performing their job to satisfaction and are aware of the elements required to perform that job. Essentially, an organization is confirming that the employee still fits the requirements of the job, and if not, whether training and development can correct any shortfalls. 

Another important detail to note is that there are two elements of this control. One is Performance Evaluation, which determines whether the employee is still doing the job they were hired to perform. The other is Development Needs, which involves training and competency to continue performing their job effectively. Important things to keep in mind are changes in technology, new requirements, new product modules, etc. How are you making sure that you are meeting your contractual agreements and commitments to your customers?

How to implement this control for your audits

Many organizations perform these tasks as a part of their HR quota. The evaluations and appraisals capture what training is required (therefore, both the Performance Evaluations and Developmental Needs are closely linked). These tasks can be completed either manually or with automated tools. 

However you choose to complete this control, auditors are looking for evidence that the training was done, that records are kept for all employees in the organization (e.g. not just the technical team), and that the evaluations were performed by the appropriate supervisors. The key thing they are searching for, however, is that an evaluation was performed and a record was kept.

Having a defined evaluation process also helps conduct regular evaluations and ensure that they are completed. This can be as often as you would like (e.g. quarterly or yearly), but make sure they’re done effectively. Don’t do them for the sake of doing them!   
