During your compliance journey, an important step is ensuring that all personnel linked to your company (employees, contractors, etc.) meet compliance requirements. You can monitor your employees, devices, and access through Vanta's Personnel Hub and ensure your company is compliant and secure.
What is the Personnel Hub?
The Personnel Hub groups the pages related to your employees, their assets, and the level of access users have to systems.
- People Page: Assign compliance tasks to your employees and track their completion
- Computers Page: Monitor computers and ensure they are configured properly
- Access Page: Track that your employees have access to only the systems they’re supposed to
Getting Started in the Personnel Hub
First, you need to import your employees into Vanta so that we have a full list of your company's employees. After this step, your People Page will accurately represent your company's employees.
1. Import Personnel
a. Connect your Identity Provider
Vanta imports your list of employees from Identity Providers (IdPs). This information is critical to keeping track of their compliance requirements. You can connect your IdP from the Integrations Page.
- Learn more about IdP integrations in Vanta
- Connect your IdP: Google, Okta, Office 365, OneLogin, JumpCloud
- Connecting multiple IdPs
Once you import your employees, you should scope out any employees unrelated to your audit. You can scope employees by finding any integrated IdP on the Integrations Page and selecting Configure Scope.
- Configure scope: Google, Okta, Office 365, OneLogin, JumpCloud
If you cannot integrate your IdP with Vanta, you can manually add employees.
b. Connect your HRIS
Vanta uses human resources information systems (HRIS) to track more information relevant to compliance and security. An HRIS enables us to track who your current employees are, when employees go on leave, team managers, and more.
- You can connect your HRIS from the Integrations Page.
- Learn more about HRIS integrations in Vanta
Vanta will automatically link accounts in your HRIS to employees in Vanta based on matching emails and names. If we can’t automatically link employees, we’ll show a banner on the People Page, through which you can manually link HRIS accounts to employees.
c. Manage Employees
After connecting your IdP/HRIS, review the People Page to ensure the information is accurate. You can take the following steps:
- Mark as “not a person”: You can mark service accounts or other non-human accounts as Not a person. These accounts can still be accessed but will not be assigned tasks.
- Scope out employees: You can scope out anyone on your People Page who isn’t relevant to your audit.
- Learn more about resource scoping.
- Mark on leave: If someone is on leave, you can mark them as such, and all their tasks will be paused.
2. Assign tasks to your personnel
A task is a requirement assigned to a person in your company that must be completed. Tasks can serve different purposes, such as ensuring people have background checks, have accepted policies, or have installed a device monitoring tool onto their computer. See the full list of tasks here. Tasks are assigned to people through groups. When a task is assigned to a group, it is assigned to all the people in that group.
- Default group: New Vanta accounts automatically have a default group with no tasks assigned. This group includes all your company’s personnel, and any new people are added to it automatically. Use this group to assign tasks that apply to everyone in your organization. We recommend assigning the following tasks to the default group if you want to keep things simple.
- Create additional groups: If you’d like to assign additional tasks to specific groups of people, you can create additional groups and assign tasks to those groups.
- For example, some customers only need their full-time employees to accept policies, not contractors. In this scenario, they would create a group for full-time employees, add their full-time employees, and assign the policy acceptance task to that group.
- If you plan to create more than five groups, we recommend importing groups from your IdP. This way, you’ll be able to manage all your groups in one place and not need to manage group membership manually within Vanta.
We recommend following this guide if you’re unsure what tasks to assign.
How do tasks relate to tests?
- Tasks feed directly into tests, which is how your auditor will know you’ve kept your security commitments. When a task is assigned to a person, the corresponding test will fail until the task is completed. See here to learn more about which tasks map to which tests.
Check out our in-depth article on tasks, groups, and checklists.
a. Background checks
A background check is a process through which employers leverage private and public information to screen prospective or current personnel. There are different types of background checks, but common ones include criminal history checks, employment verifications, and education verifications. Most compliance frameworks require that you screen your personnel. Running background checks is usually the easiest and most automated way to fulfill this requirement. You typically don’t need to run background checks on existing personnel, only on new personnel going forward.
Set up background checks with Vanta
You can run background checks directly from Vanta through our built-in tool if you don't have a background check provider. If you already have a background check provider, you can integrate it with Vanta on the Integrations Page. Once connected, Vanta will pull all the background checks and automatically link them to your personnel based on name and email.
- Sometimes, we can’t auto-link background checks because they are run using personal emails that are not in Vanta (Vanta fetches personal emails from HRIS tools when feasible). If this occurs, you can manually link background checks to your personnel or upload URLs that link to a person’s background check.
Assign background check tasks to personnel
- Add the background check tasks to the relevant group(s). If you want to run background checks only on people who joined your company after a specific date, select Effective Date.
When in doubt, we recommend assigning background check tasks to all personnel.
b. Policy Acceptance
By this point, you should have your company’s policies created through the Policies Page (if not, we recommend doing so before assigning this task). Once your company’s policies are in Vanta, your personnel must agree to these policies.
Assign policy acceptance tasks
- Add the policy acceptance task to your personnel by adding the task to the relevant group(s). In the task, you can select which policies the people in a group must accept. Once people are assigned a policy acceptance task, they will be notified to log into Vanta and prompted to read and accept those policies.
- We recommend selecting all policies within the policy acceptance tasks.
c. Device monitoring
To build a strong security and compliance foundation, organizations need to be able to view, manage, and secure devices such as laptops and desktops. Through Vanta, you can monitor your company’s computers, ensure every person has a monitored computer, and ensure that your computers are secure. For more information, view this article.
Set up device monitoring with Vanta
If you don’t already have a device monitoring solution, you can leverage the Vanta Agent, a lightweight piece of software that your personnel can install onto their computers to monitor them for compliance requirements. Once your personnel install the Vanta Agent onto their computers, the computers will appear on the Computers Page.
- Learn more about the Vanta Agent
- What does the Vanta Agent query
If you already have an MDM, integrate it with Vanta on the Integrations Page. Once connected, Vanta will pull all the computers from the MDM and automatically link them to your personnel based on name and email. These computers will appear on the Computers Page.
Assign device monitoring tasks
Assign the device monitoring task to your personnel by adding the “Device monitoring” task to the relevant group(s). The following steps depend on whether you’re leveraging the Vanta Agent or an MDM:
- Vanta Agent: Select “Ask personnel to install Vanta Agent.” If this is selected, people with this task will be required to install the Vanta Agent onto their computer. Once they do so, the computer will appear in Vanta, and the task will be completed.
- MDM: Unselect “Ask personnel to install Vanta Agent.” If this is unselected, people with this task will be required to have a computer monitored by your MDM, and they will not be able to download the Vanta Agent.
d. Security & privacy training
Security and privacy training is training (often through videos) that your personnel must complete to meet compliance requirements.
Set up training with Vanta
Vanta offers a built-in training video library covering all the topics your personnel need to meet compliance requirements. We recommend that you leverage this library. Learn more about Vanta’s built-in security and privacy training.
If you have a learning management system (LMS) that you leverage for personnel training, you can integrate it with Vanta on the Integrations Page and link the pieces of training to compliance requirements. Learn more about integrating third-party LMS tools with Vanta.
Assign security & privacy training tasks
Assign security & privacy training tasks to your personnel by adding the “Training” task to the relevant group(s) for the training that applies to the group. The following steps depend on whether you’re leveraging Vanta’s built-in library or a third-party tool:
- Built-in videos: Click the “Vanta training” option for each video. Once assigned, people with this task can log into Vanta and watch these training videos. Once they watch the videos, the tasks will automatically be completed.
- External/custom videos: If you’re leveraging an LMS integrated with Vanta, the “Custom training” option will be auto-selected. People with this task will need to watch the training in your LMS, and the task will auto-complete once they do. If your LMS is not integrated with Vanta, you can provide your personnel with a custom URL and instructions. Once assigned, they can log into Vanta, be redirected to those trainings, and verify that they completed them. Learn more.
e. Custom tasks
You can create additional custom tasks within Vanta to track requirements for your personnel that Vanta may not support. These tasks can be for admins, or they can require screenshots or text entries that people must sign in to Vanta to complete.
Set up custom tasks
- Go to any group, click “Custom onboarding task” or “Custom offboarding task”, and click “Create a custom task”. Learn more.
Assign custom tasks
- Assign custom tasks to your personnel by adding a custom task to the relevant group. Learn more. You can select whether this task is for admins or personnel and optionally add custom instructions. For personnel custom tasks, you can also optionally set:
- File upload requirements: If set, the person must upload a file to complete the task.
- Text submission requirements: If set, the person must submit a text answer.
3. Turn on notifications for your employees
We highly recommend turning on automatic notifications. Customers with notifications enabled are more likely to have their employees successfully complete their tasks.
Once you assign tasks to your employees, turn on notifications. Once notifications are turned on, Vanta will automatically notify your employees when they have incomplete tasks in Vanta. Turn on notifications by going to your Company Settings and enabling the toggle next to “Employee reminders.” You can notify your employees through email, Slack, or both.
4. Monitor task completions
You can monitor your employees’ progress toward completing their tasks on the People Page.
- You can filter the People Page by “Tasks due soon” and “Tasks overdue” to see all your employees with incomplete tasks.
- Click on an individual employee to view their tasks (both incomplete and complete). From this drawer, you can also take action depending on the types of incomplete tasks.
- Employee task: If the incomplete task requires action by the employee, they must sign in to Vanta to complete the task. Make sure you have notifications enabled. You can also send a one-time reminder from the drawer.
- Admin task: If the incomplete task requires admin action, such as linking a background check to the employee, you can take that action directly from the drawer.
Once your employees’ tasks are complete, the corresponding tests on the Tests Page will pass.