NCSRC NIRMATA
CTA-04 Culture, Training & Awareness 8% of OML score

Are new employees informed about basic security and data protection expectations?

When you hire a new person, do you tell them about your company's basic rules for protecting customer data, passwords, and confidential information? This means making sure they understand what they can and cannot do with sensitive information from day one.

⚡
Why This Matters to Your Business

Without clear guidance, new employees may accidentally share customer data, choose weak passwords, or fall for a phishing email that gives an attacker a foothold in your network. A Delhi-based logistics startup lost ₹12 lakhs when a new hire unknowingly shared access credentials with someone claiming to be IT support, leading to a ransomware attack. Customers may leave you if their data is breached, auditors will flag this as a serious gap, and in the worst case you could face penalties under the Digital Personal Data Protection Act.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no formal onboarding for security. New employees sit at a desk and figure out security rules by watching others or asking questions when problems happen.

Level 1
Initial

You mention security once during hiring but there is no written checklist. New employees may receive a verbal warning about passwords but nothing is documented or consistent.

Level 2
Developing

You have a basic written security checklist that new hires sign. It covers passwords and confidentiality, but it is generic and not specific to your actual business data or systems.

Level 3
Defined

You have a structured one-hour security orientation for every new hire that covers your actual systems, data types, and incident reporting process. Documentation is kept and reviewed annually for gaps.

Level 4
Managed

Every new hire completes a recorded security training module with a quiz, receives a personalized checklist based on their role, and their manager signs off on their understanding. Training materials are updated twice yearly based on new threats.

Level 5
Optimised

Security onboarding is automated: new hires complete risk-based training before their start date, receive role-specific guidance on day one, and complete refresher modules quarterly. Compliance and understanding are tracked in your HR system with alerts if training lapses.

🚀
How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Write a one-page security checklist covering passwords, a confidentiality pledge, and incident reporting. Have each new hire sign and date it; file it in their personnel folder. | HR Manager or Owner | 1 day
1 → 2 | Create a 2-3 page security orientation document specific to your business: list your key data types (customer records, financial data, trade secrets), explain who they may be shared with, how to report a suspected breach, and basic password rules. Print it and hand it to every new hire on day one. | IT Person or Owner with HR Manager | 1 week
2 → 3 | Conduct a 45-60 minute in-person or recorded security session for every new hire in their first week. Cover your document, show them how to lock their computer and where to report an issue, and quiz them. Document attendance with dates. | IT Person or designated Security Champion | 2-4 weeks (to roll out to the existing team, then ongoing)
3 → 4 | Build a role-based training module (use Google Forms, YouTube, or a free LMS). Separate tracks for office staff, admin, and field workers. Add a short quiz (5-10 questions). Track completion in a simple spreadsheet with hire date and completion date. | IT Person with input from managers | 1-2 months
4 → 5 | Integrate security onboarding into your HRIS or HR checklist system (even a shared Google Sheet). Auto-email the security module link on the hire date, set reminders for managers to verify completion, run a quarterly refresher for all staff, and measure training effectiveness with a brief annual survey. | IT Person and HR Manager | Ongoing (quarterly refreshes and monitoring)
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed security acknowledgment or confidentiality pledge from every current and recent employee, dated and filed
  • Copy of your security orientation document or checklist that is given to new hires
  • Onboarding checklist or process document that includes a security training step with assigned owner and due date
  • Training attendance or completion log (spreadsheet, email, or HR system record) showing which employees completed training and when
  • Dated training materials (slides, video transcript, written guide, or quiz) that cover password rules, data handling, and incident reporting specific to your company
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Walk me through what happens when a new employee joins your company. What security information do they receive and when?"
  • "Can you show me examples of signed acknowledgments or training completion records for at least three recent hires?"
  • "What specifically are new employees told about handling customer data, passwords, and reporting security incidents?"
  • "How do you ensure that every new hire, regardless of their role or hiring method (permanent, contractor, temporary), receives the same security orientation?"
🛠
Tools That Work in India
Purpose | Free Option | Paid Option
Create and track onboarding checklists with sign-off | Google Forms + Google Sheets (no cost) | BambooHR ₹3,000-8,000/month or Zoho People ₹1,500-3,000/month
Deliver video training and track completion | YouTube (upload unlisted) + Google Classroom (no cost) | Teachable ₹2,000-5,000/month or Coursera for Business (custom pricing)
Create a quick quiz to verify understanding | Google Forms or Typeform (free tier with up to 100 responses) | Qualtrics or SurveySparrow ₹5,000+/month
🛡
How This Makes You More Resilient
When new employees understand security expectations from day one, they are far less likely to accidentally expose data, click malicious links, or share passwords. This reduces the chance of a breach in the critical first months, when employees do not yet know which requests are normal and which are not. Your team becomes your first line of defense rather than your biggest vulnerability.
⚠️
Common Pitfalls in India
  • One-time verbal orientation only: you mention security during their first day but nothing is documented, so there is no proof for auditors and new hires forget most of it by week two.
  • Generic corporate template: you copy security orientation from a large company or template online without customizing it to your actual data, systems, and business context, making it feel irrelevant to field staff or sales teams.
  • Skipping contractors and temporary staff: you only train permanent employees, but contractors and temporary workers handle the same data and pose the same risks, then leave without any accountability.
  • No follow-up or refresh: you do orientation once and never revisit it; employees gradually forget rules and new threats (phishing, ransomware) emerge that they are not aware of.
  • Treating it as a compliance checkbox: you have employees sign a form to tick a box, but there is no real assessment of whether they understand or remember what they signed.
⚖️
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 8 (general obligations of a Data Fiduciary, including reasonable security safeguards to prevent a personal data breach); the Data Fiduciary remains responsible for ensuring that staff and processors handling personal data understand their obligations
CERT-In Guidelines 2022 | Clause 3 (Security Practices & Procedures); awareness and training for all personnel handling sensitive data
ISO 27001:2022 | Clause 7.3 (Awareness), Annex A 6.2 (Terms and conditions of employment) and A 6.3 (Information security awareness, education and training)
NIST CSF 2.0 | Govern (GV) and Protect (PR) functions; specifically PR.AT-01 (personnel are provided with awareness and training) and PR.AT-02 (individuals in specialized roles receive role-appropriate training)

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

Start Free Self-Assessment →

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

← Back to all guides  ·  trustinbharat.org