(TCO 7) With technology comes a new form of security. Information is just one of a company’s valuable assets. Employee information must be protected. Describe how you would protect employee information that is now stored in an HRIS system. Explain the process you would follow if employee information were breached.
HRIS stands for Human Resource Information System, a management system used to collect and store employee information. It can run on the company's own technical infrastructure or be implemented as a cloud-based system. An HRIS also helps with performance management, recruitment, and training and development processes. But the main objective of an HRIS is managing data related to company employees.
Protecting the private employee data stored in the HRIS is one of an organization's important and essential responsibilities. Employee data is key information for any organization, and people around the world want to hack this data because it can reveal a lot of information about the organization. All countries have separate laws that require an organization to protect employees' private data stored in its HRIS.
Before implementing the HRIS in the organization, we should check the security measures of the system vendor. We should not compromise on the quality and security measures of the HRIS. After implementation, there are many steps that should be taken to protect employee information. We will discuss those steps in the following points:
a. Security and timely maintenance: Employee private information should be secured properly, and the system used to store the data should itself be secure in terms of technology: it should be protected from unauthorized access, the data should be encrypted and password-protected, and it should be maintained on a secured system. The HRIS should be updated from time to time with new technologies and virus protection. Implementing a system that is secure in all aspects is the main step in preventing security breaches that leak key employee information.
b. Develop policies and procedures: Different kinds of data are collected for the organization's purposes. The organization should develop better policies and standards for the security of employees' data. The policy should define the process and purpose of collecting the data and what kinds of data the company will collect from employees. Everyone in the organization should follow the guidelines set out in these policies and standards.
c. Compliance with laws: Each country has its own recordkeeping and privacy laws, which all employers are required to follow to make sure that the data being collected is protected and that organizations can keep employee information as long as it is required. Employers should follow the guidelines set out in these laws.
d. Access restriction: This is an important step in protecting employee data. Historically, many security breaches have been caused by internal employees of the organization, because this data is valuable to the organization. So the organization should make sure that access is given to the right employees and is limited to the information they need.
e. Disposal of records when not required: Employee data should be disposed of when it is no longer required by the organization. When an employee quits the organization, the data is no longer required; at that time it should be disposed of in a secure manner so that no one will be able to reconstruct it.
f. Training and development: All employees and managers should be trained on data security, as it is everyone's responsibility to protect data from theft by people inside or outside the organization. They should be trained on the procedures and processes for protecting data and on the steps to follow when they become aware that someone is trying to steal the company's employee data.
Even when organizations follow the above processes, data breaches occur regularly and can affect the organization very badly in the future, because whoever was responsible for a data breach would have some plan to use the employees' sensitive data. So the employer should take immediate steps to protect the employees and the organization. The employer should follow the steps below when facing an employee data breach:
a. Report the data breach: It is the employer's duty to report the data breach, because keeping quiet is an illegal offense as per federal policies. Employees have a right to know if someone has stolen their private data, because it can cost them financially or socially. The employer should report the data breach to the legal authorities as per government laws and seek their help in tracking the data breach.
b. Secure the system with higher technology: If you have faced an employee data breach, the attackers may be able to hack your other systems as well. So the first priority is to secure other systems with stronger technology. We can seek help from technical experts outside the organization to protect against future data breaches. We have to protect the HRIS as well, because the hackers may only have been trying to get into the system and may not have obtained the complete data; they can try again.
c. Find out who is responsible: The next step is to find out the person, inside or outside the organization, who was responsible for the data breach. Internal employees often steal employee data to sell it for a large amount, so tracking that person will help prevent the data from leaving the organization. This is also useful if the person who stole the data is from outside, so that they can be tracked in time. The person may not have used the data yet, and the data can be secured by tracking them in time.
d. Find out what kind of data was stolen: Organizations store different kinds of employee data in separate files, such as compensation plans, medical history, training and development policies, personal data, etc. Finding out what kind of data was stolen can give some idea of how those persons can use the data and what the consequences could be.
e. Security audit: A security audit is necessary from time to time to check the effectiveness of the HRIS used by the organization and what additional security functions the system needs. We may have failed to protect the data, but a security audit is useful for keeping the HRIS protected and safe in the future. It can confirm whether we need to change a vendor who has failed to provide the security needed to protect the data, or whether any other additional security is required.
f. Strengthen security passwords and other parameters: Weak passwords are easy to crack, so hackers can easily get into the system and steal important employee data. Companies give lower priority to employee data, and this costs them heavily when data is stolen. So we should periodically change the system's passwords and other parameters that could be used in cracking the passwords.
g. Hire an expert team: All kinds of data are important, and employee data is even more important because it can reveal more information when it is hacked. So employers should hire an expert team to maintain the security system. The team should be experienced and able to protect the system from these fraudulent activities in the future.