5 things your HR people should know about your company's data security
Huge stores of personnel data make this department a target for thieves.
Computerworld - Human resources departments typically have some of the biggest collections of sensitive data in any organization. But even if companies have corporatewide security measures in place, HR staffers are particularly vulnerable to data leaks because of their departments' vast holdings. The nature of the HR job, which requires nearly constant collecting and sharing of data, presents further challenges.
1. Keep track of inconsistent legal requirements.
Companies often keep employee information in one global HR system because it's efficient, says Rena Mears, a partner in the security and privacy services unit at Deloitte & Touche LLP. Yet labor and privacy laws vary from country to country, she says. Data that's considered sensitive and must be encrypted in Europe might need to be more readily accessible for employee-employer transactions in the U.S.
IT's response: Assign ownership and responsibility. Companies must bring together stakeholders -- HR executives, the chief privacy officer (if there is one), the chief security officer and IT architects -- to sort through the complex requirements, develop processes for handling data, and design applications that include appropriate safeguards, such as encryption and restricted access, for each location.
2. Don't collect unneeded information.
The University of Nebraska, like many organizations, once used Social Security numbers to identify employees. But this practice increased the chances for sensitive data to fall into the wrong hands, says Joshua Mauk, the university's information security officer.
IT's response: Pare down the amount of information that is collected. Mauk says the university looked at the information it was gathering and determined where it could forgo the use of Social Security numbers. IT developed a process that now allows HR to assign workers unique numbers known as NUIDs that can be used on forms and records.
3. Protect sensitive data in every location.
Today, personnel data exists not only on paper, but also in electronic files that can reside in multiple locations. What's worse, many of those locations may be orphaned -- and left unsecure. "HR people in the field can have a bunch of information which may never make it back to a centralized HR office," Mauk says, "but that information has to be protected as much as the organization's ERP."
IT's response: Seek, monitor and manage all personnel data. Organizations must adopt records retention policies that specify what documents are kept where and by whom. The policies must also say how those documents should be stored and for how long.
The University of Nebraska uses an application that scans files and servers for sensitive data, allowing Mauk to find information residing in unauthorized or unmanaged areas.
4. Secure your paper files.
Improper handling of paper files is an ongoing problem, according to a number of security experts. "We still use paper a lot, but we focus so much on technology that we have a tendency to minimize paper," says Howard A. Schmidt, security strategist at International Information Systems Security Certification Consortium Inc., or (ISC)², and a former government and corporate security executive.
Moreover, Schmidt says, because data protection often falls under the purview of the IT department, policies addressing the protection of paper files can fall through the cracks.
IT's response: Assign ownership of updated paper management policies. Companies need to implement policies on how to secure paper records and when to dispose of them. They should also provide ongoing training to HR staffers to underscore why those policies are needed and improve compliance reviews to ensure that the policies are followed.
5. Share information -- carefully.
HR professionals often need to share sensitive and legally protected information with colleagues inside and outside the company. That sharing, however, creates opportunities for data leaks, says Brad Johnson, a vice president at SystemExperts Corp., an IT compliance and network security consulting firm in Sudbury, Mass.
IT's response: Use automated and multilayered protections. Automatic encryption will help safeguard any data that's being electronically transmitted. And Johnson points out that automatic log-outs and session timeouts can help ensure that sensitive information doesn't remain visible on PC monitors when workers step away from their desks.
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts