HR Data security 101
Most of the time folks only care about data security when there’s a problem. When PII (Personally Identifiable Information) was leaked. Or someone had access to some payroll or other key data that they shouldn’t have seen. Oops.
Indeed, if you’re like many people, when you start a data integration or analytics projects, you focus on the data you or other folks in your company need. You don’t think about security.
Which can create problems. Thus, tHR data Security 101. This is designed for business users. But we’ll start with a basic distinction of responsibilities:
IT Security vs Software Access Security
While this post is focused on business users, we want to start by explaining the fundamental split in responsibilities between the business and the IT department.
IT is responsible for technically securing the data. This includes (but is not limited to):
- Data Encryption on every physical piece of hardware you own.
Well encrypted data means that if a laptop is stolen, it’s much harder to get to the data
- System Access
Only employees and known others should have access to your systems. If someone leaves, their access is shut down ASAP to all systems.
- Network Protection
That none of your key resources are directly exposed to the internet.
- Data transmission
Every mid-sized and larger company integrates their HR data with multiple system and outside vendors. When you send and receive data between systems, it must be encrypted. So even if it’s stolen in route, it’s hard to read.
As an HR or HRIS person, you most likely won’t be able to control any of this. I include this so that you remember that keeping your access setup straight doesn’t mean that your data is secure.
Software Access Security
IT makes sure that only the right folks can access your systems.
But clients often find that leaks aren’t caused by IT.
Because IT isn’t responsible for deciding who should have access to what data.
That’s a business decision. The business knows who supervises whom. The business knows what data needs to be protected and what can be widely distributed.
As the business person responsible for this kind of access, here are a few key questions you should ask yourself and/or your team.
- Do you know every single system that consumes or reports on HR data?
Let’s assume you hired a consultant. And you wanted a review. The first thing that person would need would be a list of all your systems, partners and vendors.
If your like many companies, you may have had a list like that when you implemented or upgraded your systems. But is it up to date? Are you sure you really know?
- Do you a single point of security truth?
We often talk about a single source of truth in data. Or a controlling system.
For example, an employees start data are kept in the HCM or payroll system. And any other system that needs the start date should get the data from that system.
And that’s pretty straight forward. Or at least understood.
But somehow, security is often not handled the same way. So, the HCM system may know that Jane can see data about her 3 direct reports Bob, Alice and Sue. But that same security may not apply as data moves to different systems.
- Who is responsible for granting access each system?
Ideally, you will automate your security setup. You do it once in a single system and push it to all your other systems.
In reality, this may not happen.
But whether you automate or not, someone still need to have responsibility for each system. For knowing how that security works. For knowing how to check that security.
- How is that access reviewed and how often?
If you’re like many folks, security gets your attention when someone can’t do something.
But it’s rare that you’ll hear when someone can do too much or see too much.
Which means you need to review your security on a regular basis. Especially if you have multiple systems.
- Have you scanned your system for PII and other data that needs to be secured?
You know that lots of data sits in Excel and other documents.
Do you ever scan to see if critical data is sitting some place it shouldn’t be?
As data integration and analytics consultants, we want your data to be secure. If you have more questions, let us know.