Joiners & Leavers Checklists

Joiners and leavers checklists are a simple practice that covers several of the information security practices supporting your CDR accreditation.

The Consumer Data Right gives Australians control of their data, which enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab and included in an assurance report for accreditation.

The Joiners and Leavers Checklists support one of the 24 information security requirements: Access Security. These checklists form a standard way of onboarding and offboarding your employees, including the access control related to those movements. Because they span cross-functional areas of the business, the checklists are almost a necessity to ensure all required tasks are completed appropriately by the multiple parties involved.

From a Consumer Data Right (CDR) perspective, the relevance of these practices is ensuring that access to systems, data, and the CDR Environment as a whole is appropriately authorised before it is provided, and is removed or adjusted when no longer required.

These checklists are organisation-specific. You can start with an example or template, but it needs to be aligned with your teams' responsibilities, the systems and access that are relevant to your environment, and the specific steps related to your control activities.

The new joiner checklist often includes background checks, candidate approval, executing an employment contract, acceptance or sign-off on the Acceptable Use Policy and Code of Conduct, approval of system, data, and office access, and any system and documentation updates required for the new employee, such as payroll and the organisation chart.

The leavers checklist is about removing all of what was set up in the joiners checklist. There are two critical objectives: (a) ensuring all system, data, and physical location access is removed, and (b) ensuring any “data” in the form of printed documents, removable media, BYOD devices the employee retains, or even knowledge the employee has from their role, is returned, destroyed, or otherwise covered by the employee's attestation to the ongoing confidentiality of that data beyond termination.

The CDR Perspective

The joiners and leavers checklists relate to the access security requirements of CDR Schedule 2. The “Movers” process should follow the elements of the Joiners and Leavers checklists that apply, based on the nature of the role change. The CDR includes requirements for:

Joiners: Access rights to a system should be provided in line with the individual's specific responsibilities. These rights should be approved by an appropriate person with sufficient knowledge of the system.

Movers: When a user moves to a different role that requires different access rights, that user's previous rights are revoked and new rights are provisioned in line with their new responsibilities, approved by an appropriate person with sufficient knowledge of the system.

Leavers: When a user leaves the organisation, all access rights previously provisioned to them should be revoked in a timely manner. This includes access to applications, databases, infrastructure, and the network. What counts as timely is at the discretion of the organisation, but in general it should not exceed 2 weeks.

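The three requirements above can be checked mechanically by reconciling the HR roster against what the access system actually grants: joiners without a recorded approver, movers still holding previous-role rights, and leavers whose access outlives the two-week window. The following Python is an added example written for this page, not AssuranceLab's tooling or a CDR artefact; the roles, entitlement names, people and dates are constructed sample data, and the 14-day threshold reflects the two-week guidance above.

```python
from datetime import date

REVOCATION_SLA_DAYS = 14  # leaver access should be revoked within two weeks

# Constructed sample data: the entitlements each role is approved to hold.
ROLE_ENTITLEMENTS = {
    "Senior Developer": {"jira", "aws-developer", "github", "gsuite"},
    "Finance Analyst": {"payroll", "gsuite"},
}

def review_access(roster, accounts, today):
    """Compare access-system accounts with the HR roster; return (name, finding, detail).
    roster:   {name: (role, last_day_or_None)}            what HR says about each person
    accounts: [(name, {entitlements}, approver_or_None)]  what the access system grants
    """
    findings = []
    for name, entitlements, approver in accounts:
        if name not in roster:                      # nobody in HR owns this account
            findings.append((name, "orphan", "no HR record"))
            continue
        role, last_day = roster[name]
        if last_day is not None:                    # leaver: access should be gone
            age = (today - last_day).days
            state = "leaver-overdue" if age > REVOCATION_SLA_DAYS else "leaver-pending"
            findings.append((name, state, f"{age} days since last day"))
            continue
        if approver is None:                        # joiner: rights need an approver
            findings.append((name, "joiner", "no approval recorded"))
        excess = entitlements - ROLE_ENTITLEMENTS.get(role, set())
        if excess:                                  # mover: previous-role rights kept
            findings.append((name, "mover", ",".join(sorted(excess))))
    return findings

# Constructed sample input: a clean joiner, a mover, an overdue leaver, an orphan.
TODAY = date(2021, 4, 20)
ROSTER = {
    "John Smith": ("Senior Developer", None),
    "Ana Lee": ("Finance Analyst", None),
    "Sam Roe": ("Senior Developer", date(2021, 3, 31)),
}
ACCOUNTS = [
    ("John Smith", {"jira", "aws-developer", "github", "gsuite"}, "Jill Danski"),
    ("Ana Lee", {"payroll", "gsuite", "aws-developer"}, "CFO"),
    ("Sam Roe", {"jira", "github"}, "Jill Danski"),
    ("svc-legacy", {"aws-developer"}, None),
]

if __name__ == "__main__":
    for name, finding, detail in review_access(ROSTER, ACCOUNTS, TODAY):
        print(f"{finding:15} {name:12} {detail}")
```

Each finding maps back to a checklist row: a "mover" finding means the previous role's access was never removed, and a "leaver-overdue" finding means the IT Administrator's "System access removed" task is past the agreed window.
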
About AssuranceLab

AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.

Example Joiners Checklist

Task                          Details/Date Completed

Employment details
  Employee Name               John Smith
  First Day                   15/02/2021
  Title/role                  Senior Developer
  Manager                     Jill Danski

Hiring Manager
  Background check            MOJ Report issued 10/03/2021 – no convictions identified
  Candidate approval          CEO approved 15/02/2021
  Employment contract         Completed, Signed by CEO
  System access req's         JIRA, AWS – Developer access, Github, G-Suite
  Welcome email/intro         Complete
  Welcome lunch               Complete
  Code of Conduct             Signed 12/04/2021
  Acceptable Use Policy       Signed 12/04/2021
  Security awareness training Completed 15/04/2021

Finance
  Set-up payroll              Completed 15/02/2021
  Store contract              Completed 15/02/2021
  Add to HR system            Completed 15/02/2021
  Update org chart            Completed 15/02/2021

IT Administrator
  Active Directory setup      Completed 18/02/2021
  System access granted       Completed 18/02/2021
  Laptop provided             Completed 18/02/2021
  Other IT equipment          Completed 16/03/2021
  Access card provided        Completed 16/03/2021
  Add to distribution lists   Completed 18/02/2021

Hiring Manager
  All tasks completed         Completed 19/03/2021


Example Leavers Checklist

Task                          Details/Date Completed

Employment details
  Employee Name
  Last day
  Title/role
  Manager

Hiring Manager
  Resignation received
  Informed SLT and teams
  Advised customer contacts
  Handover meeting(s)
  Exit interview
  Leaving lunch
  Thank-you email

Finance
  Calculate final payroll
  Remove from payroll
  Remove from HR system
  Update org chart

IT Administrator
  Network access disabled
  Email forwarding applied
  System access removed
  Laptop returned
  IT equipment returned
  Access card returned
  Remove from distribution lists

Hiring Manager
  All tasks completed

Employee Declaration

The employee declaration is to confirm that the employee:

·   Has returned all assets, access keys, documents, information or data;

·   Has not shared any access keys, documents, information or data with any other third party, except where authorised by management or appropriate in the course of the role while employed; and

·   Agrees that any access, documents, information or data related to the role that surfaces after the date of termination will be returned immediately and not shared with any other parties.

Name

Date of confirmation
