Human resources departments typically have some of the biggest collections of sensitive data in any organization. But even if companies have corporatewide security measures in place, HR staffers are particularly vulnerable to data leaks because of their departments' vast holdings. The nature of the HR job, which requires nearly constant collecting and sharing of data, presents further challenges.
1. Keep track of inconsistent legal requirements.
Companies often keep employee information in one global HR system because it's efficient, says Rena Mears, a partner in the security and privacy services unit at Deloitte & Touche LLP. Yet labor and privacy laws vary from country to country, she says. Data that's considered sensitive and must be encrypted in Europe might need to be more readily accessible for employee-employer transactions in the U.S.
IT's response: Assign ownership and responsibility. Companies must bring together stakeholders -- HR executives, the chief privacy officer (if there is one), the chief security officer and IT architects -- to sort through the complex requirements, develop processes for handling data, and design applications that include appropriate safeguards, such as encryption and restricted access, for each location.
2. Don't collect unneeded information.
The University of Nebraska, like many organizations, once used Social Security numbers to identify employees. But this practice increased the chances for sensitive data to fall into the wrong hands, says Joshua Mauk, the university's information security officer.
IT's response: Pare down the amount of information that is collected. Mauk says the university looked at the information it was gathering and determined where it could forgo the use of Social Security numbers. IT developed a process that now allows HR to assign workers unique numbers known as NUIDs that can be used on forms and records.
3. Protect sensitive data in every location.
Today, personnel data exists not only on paper, but also in electronic files that can reside in multiple locations. What's worse, many of those locations may be orphaned -- and left unsecure. "HR people in the field can have a bunch of information which may never make it back to a centralized HR office," Mauk says, "but that information has to be protected as much as the organization's ERP."
IT's response: Seek, monitor and manage all personnel data. Organizations must adopt records retention policies that specify what documents are kept where and by whom. The policies must also say how those documents should be stored and for how long.
The University of Nebraska uses an application that scans files and servers for sensitive data, allowing Mauk to find information residing in unauthorized or unmanaged areas.
4. Secure your paper files.
Improper handling of paper files is an ongoing problem, according to a number of security experts. "We still use paper a lot, but we focus so much on technology that we have a tendency to minimize paper," says Howard A. Schmidt, security strategist at International Information Systems Security Certification Consortium Inc., or (ISC)², and a former government and corporate security executive.
Moreover, Schmidt says, because data protection often falls under the purview of the IT department, policies addressing the protection of paper files can fall through the cracks.
IT's response: Assign ownership of updated paper management policies. Companies need to implement policies on how to secure paper records and when to dispose of them. They should also provide ongoing training to HR staffers to underscore why those policies are needed and improve compliance reviews to ensure that the policies are followed.
5. Share information -- carefully.
HR professionals often need to share sensitive and legally protected information with colleagues inside and outside the company. That sharing, however, creates opportunities for data leaks, says Brad Johnson, a vice president at SystemExperts Corp., an IT compliance and network security consulting firm in Sudbury, Mass.
IT's response: Use automated and multilayered protections. Automatic encryption will help safeguard any data that's being electronically transmitted. And Johnson points out that automatic log-outs and session timeouts can help ensure that sensitive information doesn't remain visible on PC monitors when workers step away from their desks.
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at firstname.lastname@example.org.