GV.RR-04: Cybersecurity is included in human resources practices

GV.RR-04 requires you to embed cybersecurity into HR lifecycle processes so security expectations are enforced through hiring, onboarding, role changes, and offboarding, not handled only by IT. Operationalize it by assigning HR/InfoSec owners, updating HR policies and workflows, and retaining evidence that security steps ran for every worker type. ¹

Key takeaways:

• Treat HR workflows as security controls: screening, onboarding, access changes, termination, and disciplinary paths.
• Define owners, outcomes, and measurable indicators so you can prove the controls operated. ²
• Keep an “evidence bundle” per review cycle with metrics, exceptions, and remediation actions. ²

The gv.rr-04: cybersecurity is included in human resources practices requirement is a governance requirement with operational teeth: it forces security into the people processes that create most access pathways and many insider-risk scenarios. If HR runs independently from security, you get gaps like contractors onboarded without training, delayed deprovisioning, inconsistent background checks for privileged roles, and unclear accountability when employees violate security rules.

For a Compliance Officer, CCO, or GRC lead, the goal is simple: make cybersecurity a standard part of HR’s “how work gets done,” then document that it actually happens. This page gives you requirement-level implementation guidance you can execute quickly: what policies to change, what workflows to instrument, what metrics to track, and what artifacts to retain for audits, customer due diligence, and internal assurance.

NIST CSF 2.0 is a framework, not a law, but it is commonly used as the control backbone for regulated programs and customer security expectations. That means examiners and assessors will still expect objective evidence that the HR/security integration exists and works as designed. ¹

Requirement: GV.RR-04 (HR practices include cybersecurity)

Operator intent: HR is part of the cybersecurity control environment. People-related processes must drive consistent security behavior and enforce access hygiene across employee and non-employee populations. ¹

Regulatory text

Excerpt: “Cybersecurity is included in human resources practices.” ¹

What this means for operators: You must hardwire cybersecurity requirements into HR policies and workflows across the worker lifecycle. That includes:

• pre-hire (role risk classification, screening requirements, offer-letter/security acknowledgments),
• onboarding (identity proofing, training, acceptable use acknowledgments),
• in-role changes (access review triggers, privileged access handling),
• offboarding (timely deprovisioning, asset return, reminders of ongoing obligations),
• conduct management (disciplinary process for policy violations),
• and third-party workforce management (contractors, temps, interns, outsourced service staff). ¹

Plain-English interpretation

If HR can hire, transfer, or terminate someone without security steps firing automatically, you likely fail GV.RR-04 in practice. This requirement expects security to be a defined part of how HR does business: HR owns parts of the process, InfoSec defines requirements and monitors outcomes, and IT/IAM executes technical steps with auditability.

Who it applies to

Entities: Any organization running a cybersecurity program mapped to NIST CSF 2.0 (including organizations adopting CSF to meet customer requirements). ¹

Operational context (where the control must work):

• Employees (full time, part time)
• Contractors/consultants (your company-issued identities or third-party identities with access)
• Interns/temporary staff
• Privileged users (admins, developers with production access, security admins)
• Remote and hybrid staff
• M&A or rapid growth environments where onboarding volume spikes

What you actually need to do (step-by-step)

1) Set ownership and outcomes (make it auditable)

1. Name accountable owners for HR-side execution (HR Ops) and security-side requirements (InfoSec/GRC).
2. Define implementation outcomes in control language, for example:
   • “All new joiners complete security training and accept AUP before receiving production access.”
   • “All departures trigger access removal and asset return steps tracked to closure.”
3. Define measurable indicators you can report monthly/quarterly (examples below). ²

Practical tip: Make HR the “process owner” and InfoSec the “control owner.” That split matches how HR systems work and prevents “security owns everything” programs that fail operationally.

2) Map the HR lifecycle and insert mandatory security gates

Create a single workflow map from “request to hire” through “post-termination.” Add security gates where failure blocks progress.

Minimum lifecycle controls to implement

• Pre-hire / role setup
  • Role risk tiering (standard vs privileged vs high-risk data access).
  • Screening requirements by tier (what is required, who approves exceptions).
• Onboarding
  • Identity established in authoritative HR system.
  • Account provisioning tied to HR start date and manager approval.
  • Training and policy acknowledgment captured (AUP, password/MFA expectations, reporting obligations).
• Transfers / role changes
  • Trigger IAM updates on department/manager change.
  • Privileged access requires additional approvals and time-bounded assignment.
• Leave of absence
  • Define when access is suspended vs reduced.
• Offboarding
  • Immediate notification workflow from HR to IAM/IT for involuntary terms.
  • Asset return tracking.
  • Access removal verification and closure evidence.
• Disciplinary process
  • HR policy explicitly connects security violations to HR actions (up to termination).
• Third-party workforce
  • Contract language requires compliance with your security policies when accessing your systems/data.
  • Sponsorship and end-date enforcement for non-employees.

3) Update HR policies and templates (make security “part of HR”)

Update or create the following documents so they explicitly include cybersecurity requirements:

• Employee handbook / Code of Conduct: security responsibilities, reporting expectations, consequences.
• Acceptable Use Policy acknowledgment process embedded in onboarding.
• Background screening policy with role-based tiers and documented exceptions.
• Remote work policy: device rules, secure connectivity expectations, incident reporting path.
• Termination/exit checklist that includes deprovisioning confirmation and asset return.

4) Instrument systems so HR events trigger security actions

You need repeatability. Manual emails from HR to IT are fragile and hard to prove.

Implement:

• HRIS as the system of record for worker status.
• IAM workflow triggers based on HRIS events (hire, transfer, terminate).
• Ticketing integration for asset retrieval, mailbox/data retention actions, and physical access changes.

If you cannot automate immediately, define a controlled manual process:

• a standard HR offboarding ticket template,
• required fields (termination type, effective time, systems used),
• SLA targets (define internally) and escalation rules.

5) Run periodic reviews and manage exceptions

Operate the control like a program:

• Hold a recurring review with HR, IAM, and InfoSec to look at metrics and exceptions.
• Track exceptions with owners, remediation plans, and due dates. ²

Common exceptions you must document

• urgent hires where training completes after day one,
• delayed deprovisioning due to legal hold or investigation needs,
• contractor extensions without updated end dates.

6) Maintain an evidence bundle per review cycle

Build a consistent, assessor-ready package that proves operation, not intent:

• metrics snapshots,
• sample transactions (onboarding/offboarding packets),
• exception log with closure evidence,
• meeting notes/decisions and follow-ups. ²

Daydream (as a workflow system for controls and evidence) is a natural fit here when you need a repeatable evidence bundle and exception tracking without chasing spreadsheets across HR, IT, and security.

Required evidence and artifacts to retain

Use this as your “audit folder” checklist:

Governance and design

• HR/security RACI (owner assignments)
• HR policies updated to include cybersecurity requirements
• Role risk tiering standard and screening requirements
• Documented onboarding/offboarding procedures and checklists

Operational proof

• Completed training and AUP acknowledgments (export or system reports)
• Identity and access provisioning records tied to HR events
• Offboarding records: deprovisioning confirmation, asset return confirmation
• Samples covering employees and contractors

Oversight

• Control performance review notes and attendee list
• Metrics and KPI/KRI reports
• Exception register with approvals, remediation plans, and closure
• Evidence bundle index (what was collected, for what period) ²

Common exam/audit questions and hangups

Assessors usually press on “prove it” gaps:

• “Show me how HR events drive access changes.” Expect to demonstrate HRIS → IAM/ticket triggers or a controlled manual workflow with timestamps.
• “How do you handle contractors and outsourced staff?” They will look for sponsorship, end dates, and termination notice handling.
• “Where is the disciplinary link for security violations?” They want written HR policy language and at least a documented process.
• “How do you ensure privileged roles have stronger checks?” Show risk tiering, approval workflow, and screening/training deltas.
• “What happens during urgent terminations?” Walk through the path and evidence for speed and completeness.

Frequent implementation mistakes (and how to avoid them)

1. Policy-only compliance. Fix: require system evidence from HRIS/IAM/ticketing that the steps executed.
2. Employees covered, contractors ignored. Fix: treat non-employees as first-class identities with sponsors, end dates, and offboarding controls.
3. No trigger for transfers. Fix: manager/department change must initiate access review and privileged access re-approval.
4. Training tracked, acknowledgments missing. Fix: capture AUP/security policy acceptance with a system record tied to identity.
5. Offboarding closes the ticket without verification. Fix: require deprovisioning confirmation (screenshots/log exports) and asset return closure artifacts.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions.

Risk-wise, GV.RR-04 is where insider risk, unauthorized access, and data mishandling often originate operationally: weak onboarding creates excessive access; weak offboarding leaves accounts active; inconsistent screening and training increases the chance of negligent or malicious behavior. The business impact is usually incident response cost, customer trust loss, and audit findings that expand scope into IAM and security awareness controls.

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

• Assign HR and InfoSec owners; publish a short RACI.
• Map the HR lifecycle and identify security gates that are missing.
• Update the offboarding checklist first (highest risk, easiest to prove).
• Start an exception register and define what requires exception approval.
• Define measurable indicators for onboarding/offboarding and training completion. ²

By 60 days (implement and start collecting evidence)

• Implement role risk tiering and align screening/training requirements to tiers.
• Embed AUP/security policy acknowledgments into onboarding.
• Implement transfer/role-change triggers for access review.
• Stand up monthly control performance review with HR/IAM/InfoSec; capture minutes and actions. ²

By 90 days (operationalize and harden)

• Integrate HRIS events with IAM/ticketing where feasible; document the workflow either way.
• Build the standard evidence bundle and run an internal “mock audit” sample test.
• Close aged exceptions; document remediation and residual risk sign-off.
• Present metrics and issues to the appropriate governance forum and record decisions. ²

Frequently Asked Questions

Does GV.RR-04 require background checks for everyone?

The text does not prescribe specific screening types. Implement role-based screening tiers so higher-risk roles have stronger requirements, and document exceptions with approvals. ¹

Do contractors count under “human resources practices”?

Yes in operational effect, because they still create identity and access risk. Extend onboarding/offboarding, training, and end-date controls to non-employees through procurement and workforce management workflows. ¹

What is the minimum evidence an auditor will accept?

Policy and procedure documents are necessary but rarely sufficient. Keep system-generated records for onboarding training/acknowledgment, access provisioning/deprovisioning tied to HR events, and a periodic review packet with metrics and exceptions. ²

How do we handle acquisitions where HR systems differ?

Define an interim manual control with required fields, approvals, and a central evidence folder while HRIS/IAM integrations are rationalized. Track exceptions explicitly for acquired entities until they are on the standard workflow.

What if we can’t automate HR-to-IAM triggers yet?

Document a controlled manual process that is mandatory, time-stamped, and verifiable through ticketing and IAM logs. The key is repeatability and evidence that the process ran for each lifecycle event.

Who should run the control performance review for this requirement?

GRC or InfoSec should run the review cadence and reporting, while HR Ops owns day-to-day execution. Keep minutes, exception decisions, and follow-ups in a single evidence bundle. ²

Footnotes

1. NIST CSWP 29

2. NIST CSF 1.1 to 2.0 Core Transition Changes