5 things your HR people should know about your company's data security
Huge stores of personnel data make this department a target for thieves.
Computerworld - Human resources departments typically have some of the biggest collections of sensitive data in any organization. But even if companies have corporatewide security measures in place, HR staffers are particularly vulnerable to data leaks because of their departments' vast holdings. The nature of the HR job, which requires nearly constant collecting and sharing of data, presents further challenges.
1. Keep track of inconsistent legal requirements.
Companies often keep employee information in one global HR system because it's efficient, says Rena Mears, a partner in the security and privacy services unit at Deloitte & Touche LLP. Yet labor and privacy laws vary from country to country, she says. Data that's considered sensitive and must be encrypted in Europe might need to be more readily accessible for employee-employer transactions in the U.S.
IT's response: Assign ownership and responsibility. Companies must bring together stakeholders -- HR executives, the chief privacy officer (if there is one), the chief security officer and IT architects -- to sort through the complex requirements, develop processes for handling data, and design applications that include appropriate safeguards, such as encryption and restricted access, for each location.
2. Don't collect unneeded information.
The University of Nebraska, like many organizations, once used Social Security numbers to identify employees. But this practice increased the chances for sensitive data to fall into the wrong hands, says Joshua Mauk, the university's information security officer.
IT's response: Pare down the amount of information that is collected. Mauk says the university looked at the information it was gathering and determined where it could forgo the use of Social Security numbers. IT developed a process that now allows HR to assign workers unique numbers known as NUIDs that can be used on forms and records.
3. Protect sensitive data in every location.
Today, personnel data exists not only on paper, but also in electronic files that can reside in multiple locations. What's worse, many of those locations may be orphaned -- and left unsecure. "HR people in the field can have a bunch of information which may never make it back to a centralized HR office," Mauk says, "but that information has to be protected as much as the organization's ERP."
IT's response: Seek, monitor and manage all personnel data. Organizations must adopt records retention policies that specify what documents are kept where and by whom. The policies must also say how those documents should be stored and for how long.
The University of Nebraska uses an application that scans files and servers for sensitive data, allowing Mauk to find information residing in unauthorized or unmanaged areas.
4. Secure your paper files.
Improper handling of paper files is an ongoing problem, according to a number of security experts. "We still use paper a lot, but we focus so much on technology that we have a tendency to minimize paper," says Howard A. Schmidt, security strategist at International Information Systems Security Certification Consortium Inc., or (ISC)², and a former government and corporate security executive.
Moreover, Schmidt says, because data protection often falls under the purview of the IT department, policies addressing the protection of paper files can fall through the cracks.
IT's response: Assign ownership of updated paper management policies. Companies need to implement policies on how to secure paper records and when to dispose of them. They should also provide ongoing training to HR staffers to underscore why those policies are needed and improve compliance reviews to ensure that the policies are followed.
5. Share information -- carefully.
HR professionals often need to share sensitive and legally protected information with colleagues inside and outside the company. That sharing, however, creates opportunities for data leaks, says Brad Johnson, a vice president at SystemExperts Corp., an IT compliance and network security consulting firm in Sudbury, Mass.
IT's response: Use automated and multilayered protections. Automatic encryption will help safeguard any data that's being electronically transmitted. And Johnson points out that automatic log-outs and session timeouts can help ensure that sensitive information doesn't remain visible on PC monitors when workers step away from their desks.
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts