HR-01.02B

1. Overview

The competency and integrity of all internal and external personnel to which these roles are assigned is verified prior to employment. The verification considers the following measures, to the extent permitted by local legislation and regulation and as considered appropriate by the cloud service provider to mitigate risks related to inappropriate access to the respective data type:

1. Verification of the person's identity via identity card or passport;
2. Verification of professional experience through the CV;
3. Verification of academic titles and degrees;
4. Request for a certificate of good conduct, police clearance or other national equivalents; and
5. Evaluation of susceptibility to blackmail.

This criterion applies to both existing and newly hired personnel.

External personnel in the sense of the criterion is that which performs activities in accordance with the processes and procedures of the cloud service provider and that has potential access to cloud service customer data or cloud service derived data. Personnel of service organisations that performs activities according to the service organisation's own processes and procedures is not covered by this criterion.

Permissible verifications of competency and integrity are governed by applicable local laws and the roles of the personnel. In some jurisdictions, the collection, processing, or disclosure of such information is fundamentally restricted or even prohibited, meaning they may be unable to be obtained at all or only in a very limited form. Where permitted, explicit consent by the personnel may be required depending on the nature and scope of the checks. These legal constraints also apply to any analyses concerning blackmailing. The verification of qualification and trustworthiness can be supported by specialised service providers or be based on voluntary self-disclosure of the personnel.

Depending on national legislation, national equivalents of the German certificate of good conduct ('Führungszeugnis') may also be permitted. Assessing the vulnerability of potential personnel to blackmail can involve evaluating their creditworthiness. However, this assessment may only be legally permissible for positions with significant financial responsibility, depending on local regulations. Risks related to inappropriate access to cloud service customer data may be mitigated by the use of encryption or monitoring system access for suspicious events. Although such measures are not supposed to completely substitute the above-mentioned verification measures, the extent of such measures may be reduced.
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
3. Related Regulations