Onboarding Policy
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This policy defines what happens before, on, and after a new workforce member's first day with Glassbreak. It ensures that every new joiner is properly vetted, equipped, trained, and granted the access they need — and no more — to perform their role.
2. Scope
This policy applies to all workforce members joining Glassbreak in any capacity: employees, contractors, advisors, and interns. Some sections (for example, formal background checks) apply only to roles with production access; the relevant scoping is called out in each section.
3. Pre-employment
3.1 Right-to-work verification
Right-to-work documentation is verified for every joiner before an offer is finalised. Verification records are retained for the period required by applicable employment law and at least 3 years post-termination.
3.2 Background checks
- For roles with production access, a background check is completed before access is granted. Acceptable forms include: a current police certificate (basic or enhanced as appropriate to jurisdiction), a UK Disclosure and Barring Service check, or an equivalent recognised national check.
- For roles without production access, a lighter verification (identity, employment history) is acceptable.
- Records of completion are retained in the workforce file. Findings are reviewed by the hiring manager and, for material findings, the Security Officer.
3.3 Reference checks
At least two references are obtained for every joiner, contacted directly by the hiring manager.
3.4 Contracts and acknowledgements
- Every joiner signs an employment or contractor agreement that includes a confidentiality clause covering Glassbreak information, customer data, and intellectual property, surviving termination.
- Every joiner acknowledges, in writing, that they have read and will comply with:
  - the Information Security Policy,
  - the Incident Response Policy,
  - the Sanctions and Disciplinary Policy,
  - this Onboarding Policy and the Offboarding Policy.
- Acknowledgements are recorded in the workforce file and repeated on any material revision of the policies.
4. Day 1
4.1 Device provisioning
- A managed workstation is provided with full-disk encryption enforced, OS-managed firewall enabled, automatic updates configured, and screen-lock timeout set to 5 minutes.
- An MFA-capable hardware key is provided where the role requires it.
- Personal devices are not used for production access.
4.2 Account provisioning
- A unique organisational account is created. Shared accounts are prohibited.
- Multi-factor authentication is required on every account on the first login, before any access is granted to a sensitive system.
- Access is granted on a least-privilege basis: only what the role requires for the first 30 days. Additional access is requested explicitly and approved by the access owner.
- An entry is added to the access register for every account and every system grant, with the grant date and reviewing approver.
4.3 Security briefing
On Day 1, the new joiner is given a security briefing covering:
- The zero-knowledge model and what that means for what the workforce can and cannot see.
- The classification of Glassbreak information and the handling rules that apply to each class.
- How to recognise and report a security incident (security@glassbreak.io).
- The use of MFA, hardware keys, password managers, and end-to-end-encrypted channels for sensitive communication.
- The clean-desk and clear-screen expectations.
- Acceptable use of company devices and accounts.
5. First 30 days
- Complete the formal security awareness training programme.
- Read and acknowledge each published policy.
- Complete role-specific training (for engineering roles: the architecture overview, the secure-development standard, and the incident-response runbook walk-through).
- Mandatory pairing with an existing workforce member on any production-affecting action.
- 30-day check-in with the line manager to confirm expectations, access, training, and any blockers.
6. First 60 days
- Access review: the joiner's grants are reviewed against actual usage; excess access is removed.
- Independent action permitted on production tasks within the joiner's scope, with peer review.
- Completion of any role-specific certifications required (for example, the in-product incident-commander accreditation for on-call rotation members).
7. First 90 days
- Probation review with the line manager and the Security Officer.
- Final access review.
- Annual cadence begins: training completion is renewed at least annually thereafter; access is reviewed at least quarterly.
8. Training
- Security awareness training is mandatory on joining and annually thereafter. Completion is recorded.
- Role-based training is mandatory before independent action on the relevant system class.
- Incident-response responders complete a tabletop exercise within their first 90 days.
9. Access management
- The access register lists every workforce member, the systems they hold credentials for, the role granting each credential, and the most recent review date.
- Quarterly reviews confirm every grant against the member's current role; surplus grants are revoked.
- Production access requires MFA at every authentication.
- Privileged actions (administrative changes, key rotation, impersonation) are logged in the admin-action audit log.
10. Records
- Right-to-work and background-check records: retained per employment-law requirements and at least 3 years post-termination.
- Signed acknowledgements: retained for at least 5 years post-termination.
- Access-register entries: retained while the grant is active plus 12 months after revocation.
- Training completion records: retained for at least 5 years.
11. Review
This policy is reviewed at least annually and after every material change to onboarding practices. The next scheduled review is 27 May 2027.
12. Related documents
- Information Security Policy
- Offboarding Policy
- Incident Response Policy
- Sanctions and Disciplinary Policy
Counter-signed PDF copy available on request to compliance@glassbreak.io.