By: Ron Arden
When you think about an HR Department, you think about potential applicants, the interview process, an information repository for all employees or your own engagement with the company. Of course during the first week of November you consider HR to be the keeper of all things benefits — open enrollment and all of the paperwork that entails. The HR Department must keep all of this information confidential while also handling the external client roster, circulation of company policies and a wide array of interoffice communications. This poses a unique security challenge for any organization, regardless of size, which needs to prevent unauthorized internal users from accessing employee information, including PII (personally identifiable information), but needs to share employee information with external benefits providers and accounting. The environment calls for a solution with the flexibility to protect against insider threats and destroy files automatically, while enabling secure sharing.
Where to start?
Most if not all of the information going in and out of the HR department needs some level of security, and so the first task is to inventory and classify the types of data the department handles. Two tiers work best, with tier 1 being the highest and warranting automatic security policy and encryption on creation. Tier 1 data includes intellectual property, executive compensation, Board of Director files, customer lists, financial data and employee personnel files. Tier 2 includes policy manuals, interoffice correspondence and pre-release public files.
HR Data Security – 5 Examples
We take a look at five distinct functions of an HR department to evaluate the types of policy controls a security solution needs to support the specific access and permission requirements for each type of information.
1. Encrypting received resumes
Resumes from qualified candidates are intellectual property and highly valuable to a company. Just think of the detriment of a leaked resume to a competitor. Once received, resumes require an automatic security policy and encryption upon saving the file to a server, HR information system or document repository. Because secure sharing may be required to evaluate these potential employees, the policy defines access controls for HR personnel and select executives and managers. Any document containing employee PII should be limited to HR access only to prevent unauthorized internal users from accessing sensitive employee information.
2. Locking down files when an employee gives notice
Once an employee gives notice, it is vital to immediately lock down access to any classified information the employee could use. An automatic destruction policy can be implemented for highly confidential information as well. When an employee gives notice, their files can be destroyed or disabled.
3. Maintaining Client Confidentiality
Outside of employee relations, HR handles client information and both external and internal financial information. Client contracts mandate confidentiality of the information shared with its contractors and third-party agencies. Policies must be implemented to allow access of specific files and information while maintaining the highest level of security.
4. Protecting Intellectual Property
A company’s business depends on the product or service it sells, which all traces back to the intelligence used to design the product or service. If this information is compromised, so is the business. Employees need to collaborate on projects while in the office and travelling, so it is best to set a travelling or off-line policy that limits copy and paste depending on the viewer and watermarks pages when viewed. This provides security and visibility for shared information.
5. Circulating Policy Manuals In-House Only
Everyone in the company needs to access employee rules and regulations so this is considered “tier 2” information, requiring less protection for more visibility. Best practices for securing this type of data are an employee discretionary security policy and encryption.
Remember, your HR department is the front door to your organization. Implementing and enforcing security policies in this department will guard the most important information in your business.
Ron Arden is Vice President of Fasoo, Inc. and a regular contributor to the Fasoo blog. He has over 30 years of strategic planning, marketing, sales, business development, consulting and technical experience in the information technology and security industries. Prior to Fasoo, he was Vice President of Strategy and Marketing at eDocument Sciences, LLC, where he drove document security, cloud and collaboration strategies and solutions. Ron has held executive, management and technical positions at numerous organizations, including IKON Office Solutions, Digital Equipment Corporation and Wang Laboratories.
Throughout his career, Ron has participated in industry forums, speaking engagements and written articles for industry publications. He holds a B.S. in Electrical Engineering from the University of New Hampshire.Published by Conselium Executive Search, the global leader in compliance search. Conselium also publishes Corporate Compliance Insights, the Web's premier source for GRC news, opinion, jobs and events.