Onboarding of a Contractor Procedure

This sets out the steps to onboard a contractor at Vaxa, including the documentation required and the process for setting up access to systems and facilities.

Purpose

Contractors may be engaged by Vaxa to provide services that are not part of the core business. This procedure sets out the steps to onboard a contractor at Vaxa, including the documentation required and the process for setting up access to systems and facilities. This is important to ensure we’re consistently implementing requirements/controls placed upon contractors e.g. under our Security Policy.

Scope

The scope of this procedure is limited to contractors engaged by Vaxa, usually on a day-rate or similar arrangement. It doesn’t include employees or vendors providing a product. It also doesn’t include the accounting or payment process for contractors e.g. setup in Productive/Xero etc.

Roles & Responsibilities

Role | Responsibility
Contractor | Provide the required documentation to complete the onboarding process, and adopt the required controls placed upon them by Vaxa
Onboarding Lead | Ensure the contractor provides all required information and provide this information to IT for setup.
IT | Set up the contractor in the required systems and provide access to the required facilities.
Legal | Issue the contract to the contractor and ensure it is signed and returned in accordance with the organisational requirements, and requirements provided by the Onboarding Lead

Procedure

Contractor Engagement

A suitable contractor must be found; the process for finding and engaging a contractor is outside the scope of this procedure. However, in selecting a suitable contractor, one must consider:

  1. The contractor’s experience and qualifications
  2. The contractor’s availability
  3. The contractor’s reputation
  4. The contractor’s cost
  5. The contractor’s ability to meet the requirements of the role

Consider whether an NDA is required prior to sharing any sensitive information with the contractor regarding the job.

You should get verbal approval from the contractor on these matters before proceeding to the next step.

Screening

Under our Personnel Security Policy, we are implementing requirements for screening of contractors. Generally, most contractors we engage are classified as Level 1, and so have limited screening requirements.

At the time of writing this procedure, we haven’t implemented checks for Level 2 and above contractors. We endeavour to make this change soon.

Document Exchange

Contract

The first step here is to sign contracts. To do so, we require the following information:

  • Contractor details
    • If a sole trader:
      • Full name
      • Phone number
      • Email
    • If a company:
      • Company name
      • Signatory and witness details for the contract
        • Name
        • Position
        • Email
        • If no witness is available, then we require a mobile phone number of the signatory
  • Contract specifics
    • Proposed job title for use in Vaxa systems
    • Fees, including specification on structure e.g. fixed fee, daily/hourly rate, and GST inclusive/exclusive
    • Scope of Works
    • Start and end date
    • Any required insurances, otherwise standard insurances will be required
    • Optionally, a custom restraint period otherwise 3 months will be applied
    • Optionally, place of work otherwise we’ll assume their office/as directed by Vaxa
    • Optionally, key personnel / designated personnel
    • Optionally, headshot photo for use in Vaxa systems
  • Internal signatory/witness details
    • In line with Vaxa policy, signatories must be a Director; specify the Director who will sign the contract
    • Any client SharePoint sites the contractor will be working on
    • Any project budgets the client will need access to in Productive (usually to track time/expenses against)
    • Who the contractor will report to i.e. who is the Manager

Provide this information to the Legal team, who will issue the contract. The contract shall be sent to Vaxa’s internal signatory/witness first for vetting, and only once signed will it be sent to the contractor for signing.

To do

Is there a structured form we could create for this information, to make it easier for all the information to be provided at once?

Remember, signed contracts are automatically filed away into the Contract Register via the Vaxa Link integration.

Insurances

The contractor must provide evidence of the required insurances.

If this was customised in the contract, then defer to the contract. Otherwise, the standard insurances required are:

  • Public liability insurance @ $10m
  • Professional indemnity insurance @ $2m
  • Workers compensation for the contractor’s employees (if applicable)

Vaxa requires copies of these insurances to be provided before the contractor can commence work.

To do

Where should we store copies of these insurances?

IT Setup

IT setup cannot commence until contracts are signed, per our Security Policy.

Once the contract is signed, Legal shall notify the IT team. The IT team will reference the contract and onboarding information to set up the contractor in the required systems.

Entra / M365 accounts

The first step is to create a new user in M365/Entra. This will take the format of:

  • Name: as defined in contract/onboarding information
  • Position: as specified in contract
  • Phone number: as specified in contract
  • Email: first.last@vaxagroup.com
  • License: M365 Business Basic
    • This provides basic access to email, Teams, SharePoint, and online Office apps (but not desktop apps).
    • This is sufficient for most contractors, but if they require more access, then the IT team will need to be informed.
    • By default, we won’t issue access to any Client Sites, so if the contractor requires access to a Client Site, then the IT team will need to be informed.

We first create the account within the Admin portal:

  1. Visit admin.microsoft.com and log in with an admin account
  2. In the left-hand menu, click on Users, then Active Users
  3. In the toolbar, click Templates and select Contractor (Business Basic) or Contractor (Business Premium) depending on the level of licensing required
  4. Fill in the details like first name, email, etc, then at the bottom of the pane, click Add user
    • This will automatically issue a license to the user, but you may need to double check we have enough licenses purchased.
  5. Find the newly created user in the list of Active users, and select it.
  6. Assign the contractor’s manager (usually the Onboarding Lead).
  7. In the pane that appears, under Groups click Manage groups
  8. Use the Assign memberships button to assign access to OS_x_Contractors group at a minimum, and any other required groups.

We then need to set up authentication for the contractor within Entra:

  1. Visit entra.microsoft.com and log in with an admin account
  2. In the left-hand menu, click on Users, then All Users, and click on the newly created contractor user
  3. Click on Authentication methods in the left-hand menu, then Add authentication method
  4. In the pane that appears, select the Temporary access pass method and configure it as follows:
    • TAPs are limited to up to 24 hours. You should make it as short as possible, but long enough for the contractor to receive the email and set up their account.
    • You can delay the start time if the contract isn’t due to start for a while but make sure you communicate this to the contractor.
    • One-time use is OK, but generally not required; usually we leave it set to No.
  5. Click Add to finalise the TAP creation.
  6. Save the TAP code into a Bitwarden Send and copy the link.
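
The TAP steps above can also be scripted. The following is an added example using the Microsoft Graph PowerShell SDK, not a script from Vaxa's own tooling; the function name New-ContractorTap, the 60-minute lifetime and the sample address are assumptions for illustration. It rejects any lifetime above the 24-hour limit this procedure states.

```powershell
# Added example: issue a Temporary Access Pass (TAP) for a new contractor account.
# Assumptions: the Microsoft.Graph.Identity.SignIns module is installed and the
# operator holds a role allowed to manage authentication methods.
# New-ContractorTap is a hypothetical helper name, not an existing cmdlet.
#Requires -Modules Microsoft.Graph.Identity.SignIns

function New-ContractorTap {
    param(
        [Parameter(Mandatory)]
        [string] $UserPrincipalName,

        # 1440 minutes = the 24-hour ceiling in this procedure. 10 minutes is the
        # service minimum; the tenant's TAP policy may enforce a higher minimum.
        [ValidateRange(10, 1440)]
        [int] $LifetimeMinutes = 60,

        # Optional delayed start for contracts that begin later.
        [datetime] $StartDateTime,

        # The procedure usually leaves one-time use set to No.
        [bool] $OneTimeUse = $false
    )

    $body = @{
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce      = $OneTimeUse
    }
    if ($PSBoundParameters.ContainsKey('StartDateTime')) {
        # Graph expects an ISO 8601 UTC timestamp.
        $body.startDateTime = $StartDateTime.ToUniversalTime().ToString('o')
    }

    New-MgUserAuthenticationTemporaryAccessPassMethod `
        -UserId $UserPrincipalName -BodyParameter $body
}

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Placeholder address in the first.last@vaxagroup.com format used above.
$tap = New-ContractorTap -UserPrincipalName 'first.last@vaxagroup.com' -LifetimeMinutes 60

# Show the settings only. The pass itself is in $tap.TemporaryAccessPass and is
# returned only at creation, so move it straight into a Bitwarden Send.
$tap | Select-Object LifetimeInMinutes, IsUsableOnce, StartDateTime
```

Keeping the pass value out of console output and transcripts means it exists only in the Bitwarden Send link that goes to the contractor.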

We then need to inform the contractor of their new account and how to set it up. To do so:

  1. Fetch the contractor’s personal email address (not the Vaxa one) and draft a new email to them using the below template.
  2. Send the following email to the contractor, and CC the Onboarding Lead and IT team.

Subject: Setting up your Vaxa account

Hi [Contractor Name], welcome aboard.

Your Vaxa account has been set up and just requires a few final setup steps from you, stepped out in these instructions. Please note this is a time-sensitive process so please complete it as soon as possible.

Your Temporary Access Pass is available here: [Bitwarden Send Link]

Once you’ve set up your account, you can access Productive (our time tracking and project management tool) via Cloudflare Access here: vaxagroup.cloudflareaccess.com. Simply sign in with your new Vaxa account, then click the tile called Productive.

We’ve also provided you access to:

  • [List any other systems the contractor has access to e.g. client site]

If you have any issues, please reach out to me directly.

Warm regards,


The contractor will receive an email with the onboarding instructions, temporary access pass, and IT’s contact details. The temporary access pass cannot be issued for more than 24 hours.

IT will assign the contractor to the OS_x_Contractors group in M365. This provides basic levels of access to SSO-linked systems, and some SharePoint sites etc.

Productive

By being assigned to the OS_x_Contractors group, the contractor will automatically be given access to Productive. This is our project management tool, and the contractor will be able to log their time and expenses here. IT will provide instructions on how to use Productive.

Accounts in Productive are only issued upon first sign-in, so the contractor must sign in, then IT will be able to assign them to the correct projects. These instructions will be provided in the onboarding email.

Other systems

The contractor will be advised of our Cloudflare Access portal for apps at vaxagroup.cloudflareaccess.com. This is where they can access other systems including Productive.

Noted limitations

By default, the contractor will not have access to:

  • Client SharePoint sites (except those specified)
  • Bitwarden
  • Production IT environments (e.g. Google Cloud, AWS)
  • Scheduling software (e.g. Cal.com)
  • LMS

Exceptions

Some contractors may require different onboarding procedures. If this is the case, the Onboarding Lead should work with the contractor to determine the best course of action. This should be documented in the onboarding documentation.

Compliance & Monitoring

The Onboarding Lead is responsible for ensuring this procedure is followed for each relevant contractor.

We don’t yet have artifacts in place to monitor compliance with this procedure. This is a gap we need to address.

To do

What artifacts could we put in place to monitor compliance with this procedure?
