
New Employee Security Onboarding Checklist & Playbook

Version: 1.0 | Owner: Security Operations | Review Cycle: Quarterly

Lead

This playbook provides a structured, day‑by‑day process for onboarding new employees onto an organization's security posture from day one through the first 30 days. It is executed by HR, IT, and the employee's manager in coordination with the security team. Trigger this playbook for every new hire, internal transfer, or returning employee after a break in service exceeding 90 days. The goal is to ensure consistent security awareness, appropriate access provisioning, and device compliance before the employee begins productive work, reducing insider risk and configuration drift.

Prerequisites

  • HRIS entry created for the new hire with correct start date, role, department, and manager
  • Approved headcount and position description on file
  • Security team notified of new hire at least 5 business days before start date
  • IT asset inventory has available laptop/mobile device configured to baseline standard
  • Access request workflow (e.g., ServiceNow, Jira Service Management) is active and mapped to role‑based access control (RBAC) matrices
  • Security awareness training platform (e.g., KnowBe4, Cofense) is provisioned with licenses
  • Buddy or mentor assigned from the same department (optional but recommended)

Phase 1: Pre‑Start (T‑5 to T‑1 Days) – New Employee Security Onboarding

Action: Send pre‑onboarding security packet
Rationale: Sets expectations early, reduces first‑day confusion, and allows the employee to complete prerequisite training before accessing systems.

  1. HR sends welcome email containing:

    • Acceptable Use Policy (AUP) and Data Classification Handbook (links to latest versions)
    • Instructions to set up multi‑factor authentication (MFA) via the corporate identity provider (IdP)
    • Link to mandatory security awareness module (≈30 minutes) with deadline of day 1
    • Contact information for IT security helpdesk (phone, ticket portal, Slack channel)
    • If remote: VPN client download links and device shipping schedule
  2. IT Security provisions:

    • Corporate email alias (pending activation)
    • Placeholder user account in the IdP with login disabled
    • Asset tag for the assigned laptop, with the expected serial number recorded
    • Membership in relevant distribution lists (e.g., all‑staff, department‑specific)
  3. Manager confirms:

    • Workspace readiness (desk, monitor, peripherals if on‑site)
    • First‑week calendar includes security orientation (30 min) and team introductions
    • Buddy is briefed on security responsibilities (e.g., tailgating, badge sharing)

Decision Point: If the employee declines to complete pre‑start MFA setup or training, → Escalate to manager and security lead for discussion; → Do not provision any system access until completed.

Phase 2: Day 0 (Before First Log‑In) – New Employee Security Onboarding Checklist

Action: Finalize identity and device readiness
Rationale: Ensures a clean, auditable state before granting any access, aligning with least‑privilege principles.

  1. IT (or IT Security):

    • Activates the IdP account with a temporary password that must be changed at first login
    • Enrolls device in Mobile Device Management (MDM) or endpoint detection and response (EDR)
    • Applies baseline configuration: full‑disk encryption, approved antivirus, automatic OS updates, screen lock after 5 minutes
    • Installs required software: VPN client, password manager, approved collaboration tools (e.g., Slack, Teams)
    • Records device asset number, MAC address, and assigned user in CMDB
  2. Security Operations:

    • Runs automated check for known compromised credentials via breach monitoring service
    • Verifies that the user is not a former employee with lingering access (cross‑check HR termination feed)
    • Adds user to monitoring scope for anomalous login behavior (e.g., impossible travel, brute force)
  3. HR confirms:

    • Signed AUP and confidentiality agreement received (electronic signature acceptable)
    • Emergency contact and next‑of‑kin information on file

Decision Point: If the device fails the baseline compliance scan, → Remediate (re‑image or replace) before issue; → Log the exception and track it to resolution within 24 hours; → Do not ship or allow pickup until compliant.
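The "monitoring scope" item above names two behaviours (impossible travel and brute force) without saying how they are recognised. The following Python script is an added example, not part of the playbook and not any vendor's product code: it runs both detections over a handful of constructed sign‑in records. It assumes the identity provider already attaches a geolocation to each sign‑in; the speed threshold, the failure window and the sample records are constructed values.

```python
"""Added example, not part of the playbook: two detections for the
Day-0 "monitoring scope" item, run over constructed IdP sign-in records.

  * impossible travel: consecutive successful logins by one user whose
    implied ground speed exceeds a plausible threshold;
  * brute force: a burst of failed attempts inside a sliding window.

Assumptions: the identity provider already attaches a geolocation to each
sign-in; the threshold values and the sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    success: bool


MAX_SPEED_KMH = 900.0              # about airliner cruise speed; faster is implausible
FAIL_WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier_ts, later_ts, speed_kmh) for each pair of
    consecutive successful logins that would require travelling faster
    than max_speed_kmh. Failed attempts are ignored: they carry no
    evidence of where the account holder actually was."""
    alerts = []
    last_seen = {}
    for login in sorted(logins, key=lambda x: x.ts):
        if not login.success:
            continue
        prev = last_seen.get(login.user)
        if prev is not None:
            hours = (login.ts - prev.ts).total_seconds() / 3600.0
            dist_km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            if hours > 0:
                speed = dist_km / hours
            else:
                speed = float("inf") if dist_km > 0 else 0.0  # same-second logins
            if speed > max_speed_kmh:
                alerts.append((login.user, prev.ts, login.ts, speed))
        last_seen[login.user] = login
    return alerts


def brute_force(logins, window=FAIL_WINDOW, threshold=FAIL_THRESHOLD):
    """Return the sorted list of users with at least `threshold` failed
    attempts inside any `window`-long interval."""
    flagged = set()
    recent_failures = {}
    for login in sorted(logins, key=lambda x: x.ts):
        if login.success:
            continue
        window_hits = recent_failures.setdefault(login.user, [])
        window_hits.append(login.ts)
        # drop failures that have aged out of the window
        while window_hits and login.ts - window_hits[0] > window:
            window_hits.pop(0)
        if len(window_hits) >= threshold:
            flagged.add(login.user)
    return sorted(flagged)


# Constructed sample: coordinates approximate London and New York.
_T0 = datetime(2025, 1, 6, 9, 0, 0)
LONDON = (51.51, -0.13)
NEW_YORK = (40.71, -74.01)
SAMPLE_LOGINS = [
    Login("alice", _T0, *LONDON, True),
    Login("alice", _T0 + timedelta(hours=1), *NEW_YORK, True),   # ~5,500 km in 1 h
    Login("carol", _T0, *LONDON, True),
    Login("carol", _T0 + timedelta(minutes=30), *LONDON, True),  # same place, benign
] + [
    Login("bob", _T0 + timedelta(seconds=20 * i), *LONDON, False) for i in range(6)
]


def run_checks(logins=SAMPLE_LOGINS):
    """Bundle both detections so a reviewer can see them in one result."""
    return {"impossible_travel": impossible_travel(logins),
            "brute_force": brute_force(logins)}


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
```

Only successful logins feed the travel check, because a failed attempt says nothing about where the legitimate user was; the Day‑2 item that logs login times, MFA challenges and failed attempts is what supplies these records in practice.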

Phase 3: Day 1 (First Hours) – New Employee Security Onboarding – First Login

Action: Secure setup and initial training
Rationale: The first login is a critical control point; pairing technical setup with immediate training reinforces security habits.

  1. Employee (with IT/Buddy support):

    • Logs into the corporate device with the temporary password and is forced to set a strong, unique replacement (minimum 12 characters, no reuse)
    • Registers for MFA (push notification or authenticator app; SMS discouraged)
    • Enrolls password manager with corporate vault access
    • Joins corporate Wi‑Fi (SSID: CORP‑SECURE) using certificate‑based authentication where possible
    • Launches VPN and confirms split‑tunneling configuration (if applicable)
  2. IT Security delivers (live or recorded):

    • 15‑minute security orientation covering: phishing reporting (e.g., phish@company.com), badge/visitor policy, incident response basics, and where to find policies
    • Walkthrough of how to report a lost device or suspected compromise
  3. Manager reviews:

    • Role‑specific access needs against the RBAC matrix
    • Formal access requests for any systems not auto‑provisioned by role (e.g., admin consoles, financial systems)

Decision Point: If MFA enrollment fails or the employee cannot complete setup, → Pause further access grants; → Escalate to IT security for alternative authentication methods (e.g., hardware token); → Document the accommodation and review with the compliance officer if needed.

Phase 4: Days 2‑5 (Access Provisioning) – New Employee Security Onboarding – Staged Access

Action: Grant least‑privilege access in batches
Rationale: Staggered access reduces overload and allows validation at each step, aligning with the principle of separation of duties.

  1. Day 2:

    • IT provisions corporate email, file‑share access (department folder), and ticketing system access
    • Security logs successful login times, MFA challenges, and any failed attempts
    • Buddy shows how to encrypt sensitive emails, use DLP‑approved file sharing, and classify documents
  2. Day 3:

    • IT provisions role‑specific SaaS applications (e.g., CRM, HRIS, design tools) based on approved requests
    • Security reviews just‑in‑time (JIT) access requests for privileged accounts (if any) and ensures approval workflow is followed
    • Employee completes role‑based security training module (e.g., handling PCI data, GDPR basics) with 80 % pass threshold
  3. Day 4‑5:

    • IT provisions access to development environments, CI/CD pipelines, or production support tools as required
    • Security validates that no excessive permissions have been granted (e.g., no domain admin for standard users)
    • Manager conducts informal check‑in on security comfort and clarifies any policy questions

Decision Points:

  • If a requested access violates segregation of duties (SoD) rules, → Deny and document compensating controls; → Escalate to SoD committee for review.
  • If an application lacks SSO or SCIM provisioning, → Use service account with credential vault rotation; → Do not share individual passwords.
  • If the employee expresses discomfort with monitoring tools, → Explain purpose (protect employee and company) and privacy safeguards; → Involve HR or legal if concerns persist.

Phase 5: Days 6‑14 (Reinforcement and Validation) – New Employee Security Onboarding – Ongoing Learning

Action: Blend access completion with continuous learning
Rationale: Security onboarding is not a one‑time event; early reinforcement builds lasting habits.

  1. Day 6‑7:

    • Employee completes phishing simulation (baseline) and advanced module on social engineering
    • Security reviews simulation results and provides personalized feedback if click rate > 0 %
    • Buddy conducts desk‑side check for physical security (locked screen, clear desk, badge visible)
  2. Day 8‑10:

    • IT runs automated access review script to compare provisioned access against role baseline
    • Security investigates any discrepancies and works with managers to de‑provision excess access
    • Employee attends live Q&A session with CISO or security architect (optional but encouraged)
  3. Day 11‑14:

    • Manager completes formal 30‑day review checklist (see Post‑Completion Checklist below)
    • Security updates user risk score in UEBA platform based on login patterns and training completion
    • HR records completion of all mandatory security onboarding items in HRIS

Decision Point: If access review shows over‑privileging, → Revoke excess permissions immediately; → Document reason for original grant and update RBAC matrix if gap identified; → Retrain requestor on least‑privilege principles if pattern repeats.
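The Day 8‑10 "automated access review script" and the decision point above describe what such a script must decide: which entitlements exceed the role baseline, which collide under segregation‑of‑duties rules, and which were granted as time‑bound exceptions and have since lapsed. The Python below is an added example, not the playbook's own tooling: the role baseline, SoD pairs, ticket id and export are all constructed, and a real review would read them from the IdP or IGA export and the organisation's RBAC matrix. It goes one step beyond the text by also treating a non‑baseline grant as acceptable only when it carries both an approval ticket and an expiry date.

```python
"""Added example, not part of the playbook: an automated access review that
compares a user's provisioned entitlements against the RBAC role baseline,
applies segregation-of-duties (SoD) rules, and flags time-bound grants
that have passed their expiry.

All role names, entitlements, SoD pairs, ticket ids and the sample export
below are constructed; real reviews would read these from the IdP/IGA export
and the organisation's own RBAC matrix.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    entitlement: str
    expires: Optional[date] = None   # None means standing access
    ticket: str = ""                 # approval reference for non-baseline access


@dataclass
class ReviewResult:
    user: str
    excess: set = field(default_factory=set)        # revoke immediately
    missing: set = field(default_factory=set)       # baseline access not yet granted
    sod_violations: list = field(default_factory=list)
    expired: set = field(default_factory=set)       # should already have been revoked

    def clean(self) -> bool:
        return not (self.excess or self.sod_violations or self.expired)


# Constructed role baseline: what each role should hold and nothing more.
ROLE_BASELINE = {
    "finance-analyst": {"email", "dept-share", "ticketing", "erp-read"},
    "developer": {"email", "dept-share", "ticketing", "git", "ci-runner"},
}

# Constructed SoD rules: pairs of entitlements one person must never hold together.
SOD_RULES = [
    ("erp-read", "erp-approve-payment"),
    ("git", "prod-deploy-admin"),
]


def review_access(user, role, grants, today, baseline=ROLE_BASELINE, sod=SOD_RULES):
    """Review one user's grants as of `today` against the baseline for `role`."""
    result = ReviewResult(user=user)
    expected = baseline[role]
    active = set()
    for g in grants:
        if g.expires is not None and g.expires < today:
            result.expired.add(g.entitlement)
            continue
        active.add(g.entitlement)
        # Outside the baseline is acceptable only as a ticketed, time-bound (JIT) grant.
        if g.entitlement not in expected and not (g.ticket and g.expires):
            result.excess.add(g.entitlement)
    result.missing = expected - active
    for a, b in sod:
        if a in active and b in active:
            result.sod_violations.append((a, b))
    return result


# Constructed export for one new hire in the finance-analyst role.
SAMPLE_GRANTS = [
    Grant("email"),
    Grant("dept-share"),
    Grant("ticketing"),
    Grant("erp-read"),
    Grant("erp-approve-payment"),                                  # untracked, and an SoD conflict
    Grant("git", expires=date(2025, 2, 1), ticket="CHG-0001"),     # approved JIT grant for a project
]


def sample_review(today_iso):
    """Run the review over the constructed sample as of an ISO date string."""
    return review_access("dana", "finance-analyst", SAMPLE_GRANTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for day in ("2025-01-15", "2025-03-01"):
        r = sample_review(day)
        print(day, "clean" if r.clean() else "action needed", vars(r))
```

Run on 15 January the sample reports one untracked excess entitlement and one SoD conflict (the same `erp-approve-payment` grant), while the ticketed `git` grant passes; run again on 1 March, after that grant's expiry, `git` moves to the expired set, which is the condition the later JIT decision point expects to be caught by automatic revocation.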

Phase 6: Days 15‑30 (Transition to Steady State) – New Employee Security Onboarding – Long‑Term Integration

Action: Shift from onboarding to ongoing security engagement
Rationale: After foundational controls are in place, focus moves to integrating security into daily work and career development.

  1. Day 15‑21:

    • Employee selects one security community of practice to join (e.g., blue team, AppSec, GRC) based on interest
    • Security invites employee to next tabletop exercise or red‑team/blue‑team collaboration day
    • Manager discusses security goals for upcoming performance cycle (e.g., complete certification, lead a security awareness talk)
  2. Day 22‑30:

    • IT executes first periodic access recertification (if role requires monthly/quarterly)
    • Security reviews any policy exceptions requested during onboarding and ensures they are documented and time‑bound
    • Employee completes annual security awareness refresher (if not already due) and signs updated AUP

Decision Point: If the employee requests elevated access for a short‑term project, → Require formal JIT request with manager approval and expiration date; → Monitor usage closely and revoke automatically at end date; → Log in privileged access management (PAM) system for audit trail.

Escalation Path

  • Level 1 (Immediate): IT Security Helpdesk (phone: +1‑XXX‑XXX‑XXXX, Slack: #it-security-help) – for access issues, MFA problems, device loss, suspected compromise.
  • Level 2 (Business Hours): Security Operations Center (SOC) Lead (email: soc‑lead@company.com) – for policy exceptions, SoD conflicts, or repeated access requests.
  • Level 3 (Executive): Chief Information Security Officer (CISO) (email: ciso@company.com) – for unresolved escalations, suspected insider threat, or compliance violations.
  • HR Partner: For onboarding process issues, accommodation requests, or policy acknowledgment delays (email: hr‑onboarding@company.com).
  • Legal/Data Protection Officer: For questions about data handling, privacy notices, or cross‑border transfer restrictions (email: dpo@company.com).

Escalation should be attempted via the lowest appropriate level first. Document all escalations in the employee’s onboarding ticket (e.g., ServiceNow ID) for audit.

Post‑Completion Checklist

Confirm all items are marked complete in the onboarding tracking system before closing the ticket.

  • Signed AUP and confidentiality agreement recorded
  • MFA enrolled and verified
  • Baseline device compliance confirmed
  • All role‑based access granted and documented
  • Security awareness training completed with required score
  • Buddy/mentor sign‑off on physical security practices
  • Manager’s 30‑day review completed
  • HRIS updated with onboarding completion date

Key Takeaways

  • Start early: Send the security packet at least five days before the start date to give the new hire time to complete MFA and awareness training.
  • Enforce least‑privilege: Provision access in stages (Days 2‑5) and run automated reviews to catch over‑privileging quickly.
  • Blend tech with training: Pair each technical setup step with a short, focused training moment—this reinforces good habits from day 1.
  • Use a buddy system: A peer mentor speeds up cultural integration and provides a safety net for physical‑security checks.
  • Document everything: Every decision point, escalation, and access change should be logged in the ticketing system for auditability.

Conclusion

A well‑orchestrated security onboarding experience protects the organization, reduces the risk of accidental breaches, and sets new employees up for long‑term success. By following this 30‑day playbook—pre‑start preparation, day‑0 identity finalization, staged access provisioning, continuous learning, and a smooth hand‑off to steady‑state security engagement—you create a repeatable, auditable process that aligns with compliance requirements and the principle of least privilege.

Next steps for teams:

  1. HR: Integrate the pre‑onboarding checklist into the existing hire workflow and ensure the security packet is dispatched automatically.
  2. IT/Security: Automate device enrollment, baseline compliance scans, and access‑review scripts to reduce manual effort.
  3. Managers: Assign a buddy within the first week and schedule the security orientation on the new hire’s calendar.

Implementing these actions now will tighten your security posture from day one and foster a culture where every employee understands their role in protecting company assets.