24. Human Resources Security Policy

Luma is committed to ensuring that employees, contractors, and third-party users are suitable for the roles for which they are being considered, to reduce the risk of theft, fraud, or misuse of facilities.

24.1 Employee Onboarding

Luma ensures that employees, contractors, and third-party users agree to the terms and conditions concerning information security appropriate to the nature and extent of access they will have to Luma’s assets and systems. Access privileges are not granted until the terms and conditions and other relevant agreements have been signed.

The terms and conditions of their employment contract shall include but are not limited to:

  1. Responsibilities as they pertain to information security;
  2. Responsibilities as they pertain to Luma’s IT assets;
  3. Management of organizational assets associated with information systems and services handled by the employee, contractor, or third-party user;
  4. Management of information received from other companies or external parties;
  5. Responsibilities of the employee for the handling of all covered information;
  6. Actions to be taken if the employee, contractor, or third-party user disregards the security requirements, as described in §19.2; and
  7. Responsibilities as they pertain to the intellectual property of Luma, including information created as a result of, or in the course of, employment with Luma.

24.2 Employee Offboarding

Logical and physical access to systems and equipment is reviewed, updated, or revoked within 24 hours at a minimum whenever there is any change in responsibility or employment. This is tracked with a Tangelo ticket opened by the Human Resources representative. Upon opening a ticket, admins for the apps that the user has access to are automatically notified of the termination and prompted to terminate access. The organization formally addresses:

  • Terminating access when it is no longer needed;
  • Assigning responsibility for removing information system and/or physical access;
  • Timely communication of termination actions to ensure that the termination procedures are appropriately followed;
  • Ensuring that any covered information to which terminated employees previously had access remains confidential;
  • Including the return of all previously issued software and hardware in the termination process; and
  • Where an employee, contractor, or third-party user uses their own personal equipment, transferring all relevant information to the organization and securely erasing it from the equipment.

24.3 HR Security Roles and Responsibilities

It is the duty of the Human Resources representative to understand and commit to the following roles and responsibilities:

  • Implement and act in accordance with the organization’s information security policies;
  • Protect assets from unauthorized access, disclosure, modification, destruction, or interference;
  • Execute particular security processes or compliance activities;
  • Ensure responsibility is assigned to the individual for actions taken;
  • Report security events or potential events or other potential security risks to the organization;
  • Designate a level of risk to each position, where appropriate, to be reviewed on an annual basis and tracked with a ClickUp ticket;
  • Conduct background verification checks on all candidates for employment, contractors, and third-party users in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. This can include but is not limited to:
      • Character references (e.g., 1 business, 1 personal);
      • A check;
      • Confirmation of academic and professional qualifications; and
      • Independent identity check (e.g., passport or similar document);
  • Track progress for all new workforce members, including contractors, on assigned security training.

24.4 Security and Compliance Requirements

Luma’s security awareness and training program is given to new employees to be completed within the first 30 days of employment to introduce the organization’s security and privacy policies, state and federal laws, and expectations before access to information or services is granted. New employees, contractors, or third-party users are also subject to an agreement which clearly defines the expectations for Luma’s IT assets (e.g., laptops, monitors, software).

24.5 Background Check Process

All full-time employees and interns within the organization are required to undergo a formal background check. The standardized background check involves a national and state background check, employment verification, and education verification. Finance employees undergo an additional credit check.

The background check process is as follows:

  1. HR is notified of a candidate who has accepted their job offer and adds their information to the shared Google Calendar invite
  2. HR initiates a background check utilizing Granite
  3. The candidate will receive an email from Granite requesting their information
  4. HR will review the completed background checks and follow up on flagged items with the candidate, if deemed necessary

All candidates are subject to the most thorough background screening possible.

24.6 Performance Review Process

All full-time employees who have been employed at least 6 months at time of the organization-wide annual performance reviews will undergo the process.

The performance review process is as follows:

  1. HR will communicate when Annual Performance Reviews will be scheduled and an entry to the shared Google Corporate Calendar will also be made
  2. HR will assign self-reviews for all employees utilizing Culture Amp for annual performance reviews
  3. Employees will complete a self-reflection which will be reviewed by their manager
  4. Managers have 30 days to examine the employee’s reflection, write comments, and meet with the employee for a 1:1
  5. After 30 days, HR will follow up with managers who have not yet completed the review

24.7 Workforce Sanctions & Disciplinary Records

This policy applies to all Luma employees and is designed to be positive and corrective. Employee discipline is considered a serious action that is undertaken with care, objectivity and full consideration for the rights and interests of the employee. Discipline shall be administered in a judicious manner that strives to be corrective and appropriate to the offense rather than punitive.

Sanctions are fairly applied to employees following violations of the information security policies. Luma documents personnel involved in incidents, steps taken, and the timelines associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident. A list of employees involved in security incidents is maintained in the HR Google Drive.

The process for disciplinary action is as follows:

  1. Manager consults with HR and provides the applicable and necessary details
  2. If the violation is an employee security incident, HR will contact the Director of Information Security and Compliance to identify the individual and the reason for the sanction
  3. Manager completes a Performance Improvement Plan
  4. Manager sets up a meeting with employee and HR to conduct the performance review
  5. The performance review and expectations are applied for an agreed-upon period of time and the manager will communicate weekly feedback with the employee
  6. If an employee succeeds and meets expectations within the period of time, the Performance Improvement Plan is kept on file in HR Google Drive
  7. If an employee fails to meet expectations, they will be terminated