Security in Human Resource Management Systems (HRMS)
The data managed in the Human Resources area is of greater interest internally than externally (beyond the fact that a direct competitor may be interested in it); however, both fronts must be taken care of.
Access to Human Resources information
The data held in management tools (Human Resources Management Software, databases, Excel spreadsheets, etc.) can be accessed by personnel with technical knowledge and special permissions on those tools, such as network administrators, database administrators, etc.
The point is to determine what a person authorized to access the data can do with it, so that preventive actions can be designed. Knowledge can be passed to the competition, used as leverage in internal negotiations, or simply disclosed in a way that causes operational or social damage inside the company, since Human Resources information contains not only payroll and monetary reports but also softer yet very sensitive data such as medical reports, company knowledge management, performance reports, action plans, objectives, etc., all of which are very important for the development of the company.
Security in the Corporate Network
The network, both local and external, and the Internet connection must be strictly analyzed by specialists, and access to confidential information, as well as attempts to access it, must be monitored continuously. Today it is impossible, or almost impossible, for operational reasons to isolate a server from the network, and if it is done, other kinds of risk that result from not being on the network must be analyzed, such as back-ups, updates, etc. There are cases in which the Human Resources Management System server is isolated; then the administrator sits down at the console to apply updates; finally, a back-up is made and stored in an accessible place, or an e-mail is sent with a detailed, analyzed spreadsheet, so that all the isolation, with its complications, was a useless effort. Applications must allow their security to be integrated with network security, for example with Microsoft's Active Directory; in this way security policies are applied centrally and extend to the rest of the applications. In general, networks have tools to guarantee the security of the resources they manage; the important thing is that they are correctly configured and monitored by the area responsible for them.
Access controls to the Human Resources application
One of the main security keys is the set of access control levels on the central HRMS application, since all employee information is stored in its database and displayed in a friendly way. Controls must be applied not only at the application log-in (entry point) but also to access from outside that application, by report generators, programming tools with database connections, and the database's own administration tools. Within the application, access profiles must be defined, duly restricted, and auditing must be activated so that modified data can be traced.
The database, as the repository of the Human Resources application, is one of the central places to protect, but it is clearly not the only one: the information that Human Resources users extract from the database and analyze, storing the result on the file server or on the local disk of their workstation, is highly vulnerable there, even after erasure. Today, databases such as SQL Server and Oracle provide numerous tools to protect data. SQL Server in its 2008 version incorporated many security and encryption improvements. For its part, Oracle offers with Vault a whole security environment that limits the total control of the database administrator (DBA).
On the other hand, we must not forget to protect the back-ups of the databases and the "testing" or "development" environments, which usually hold replicas of the production databases without any data treatment and, in general, without all the security that goes into production environments. The "testing" and "development" environments are accessible without restriction to both internal and external technical personnel, who have the knowledge and tools to extract the information.
Encryption for access through the Internet and e-mails
Access to Internet-based applications must be well analyzed with regard to the security of the encrypted traffic and the site certificate and, if possible, the use of certificates at the workstation.
E-mail is a subject that does not escape the concern of those who work in security. It is important to note that a large amount of information theft happens through e-mail, both internally and externally. E-mail can be intercepted and the information it contains is easily visible. Attachments exchanged between high-ranking recipients can be viewed, so the information sent must be encrypted. Do not forget that the administrator controls the incoming and outgoing e-mail queues, as well as the back-ups. Try not to use public e-mail systems, as their accounts are often "hacked", and even more so if they have an associated chat system with the same password.
Temporary File Storage and Back-up
The output files of Human Resources management systems become vulnerable once they have been exported and remain in public or temporary folders on disk. In general, these files are flat files of the TXT type, legible and modifiable. We refer to files for bank accreditation, legal files, transfers to AFIP systems, or Excel files. It is recommended to designate secure folders for them, with strict clean-up policies. Sending these files by e-mail must be done in encrypted form.
The management of back-ups, both of the databases and of the files on the users' and workstations of the Human Resources area personnel, must be done in encrypted form, since all the precautions taken in the network can be compromised if someone takes an unencrypted back-up and restores it on another computer where they are the administrator; they will then have full control of it. Usually, back-ups are kept in safe places outside the company and are transported by internal or external couriers, and it would not be the first time that someone is robbed, or claims to be, and our back-up is lost. At first glance this would not seem serious, and it is not, provided this scenario had been planned for; otherwise, all the information will be in the wrong hands.
About printing documents
Printing information from the Human Resources area is a key issue; the area must have printers with restricted physical access, and the possibility of printing to public printers on the network should be limited. The destruction of confidential information, both on paper and on storage media such as pen drives, CDs or DVDs, must be considered, and the area staff must be made aware of the risk of not doing so.
Summary of Security Considerations
For greater general security in the Human Resources sector, the following aspects must be taken into account:
· Stricter and centralized security policies. If necessary, consult IT Security specialists.
· Information encryption policies.
· Information traffic encryption policies.
· Access control and surveillance circuits over the area.
· Maintain the databases externally.
· Audit security regularly.
· Confidentiality contracts with all staff.
· Confidentiality contracts with service providers linked to the information we want to protect and, likewise, a requirement that the provider have such contracts with its own employees.
· If you use encryption, encrypt EVERYTHING; if not, it is easy to tell where the important information is.
Summary of Vulnerabilities:
· Access to the Human Resources Management Software.
· The Human Resources application database.
· The network.
· The e-mails.
· Exported or temporary files.
· Testing and development environments.
· The back-up.
· Printing of confidential information.
· Destruction of confidential papers.
A report on a survey conducted in 2009 in the United States by Symantec and the Ponemon Institute reveals that:
· 59% of former employees admit having stolen information from the company they worked for.
· 53% of the employees who took information admit that they did so on CD or DVD; 42% did it with a USB drive and 38% sent files via e-mail.
· 79% of respondents took data without permission from the employer.
· 82% of respondents said that their employers did not carry out an audit or document review before the respondent left their job.
· 24% of those surveyed had access to their employer's system or network after leaving the company.
The survey has had a great impact and is a red flag that should lead us to take all possible precautions regarding the protection of confidential information that exists in electronic form in the company.
By referring to this report we want to show that there is a dangerous combination between internal interest in the data and the situation of a now ex-employee, where the research also shows that 61% of those surveyed held an unfavorable opinion of their ex-employer. It is very important to address this vulnerability to possible leakage of information.
The Human Resources area is the first to know that an employee is going to be hired or terminated, which is why it should be the area that takes action in this regard. Generally, nowadays, the Human Resources area limits itself to asking the IT or IT Security area to take the actions. A very interesting approach is the integration and automation of these tasks with the human resources management system, in such a way that there is no possibility of an employee keeping active access to systems once they have been terminated.
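The reconciliation that such an integration performs, as an added example that is not part of the original post: the HR roster is compared against the directory's accounts, and every enabled account whose employee record is already terminated (or that has no HR record at all) is reported for disabling. The record layouts, field names and sample data are constructed assumptions.

```python
"""Reconcile the HR roster against directory accounts to find access that
should already have been revoked.  Added example; layouts are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                               # "active" or "terminated"
    termination_date: Optional[str] = None    # ISO date, set when terminated


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None when the directory holds no HR link
    enabled: bool


def find_stale_access(roster: List[HrRecord], accounts: List[Account],
                      today: str) -> Tuple[List[str], List[str]]:
    """Return (to_disable, orphans): enabled accounts whose HR record is
    terminated on or before `today`, and enabled accounts with no HR record.
    Accounts that are already disabled are ignored."""
    cutoff = date.fromisoformat(today)
    by_id = {r.employee_id: r for r in roster}
    to_disable, orphans = [], []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            orphans.append(acct.username)          # nobody in HR owns it
        elif (rec.status == "terminated" and rec.termination_date
              and date.fromisoformat(rec.termination_date) <= cutoff):
            to_disable.append(acct.username)       # left, but still enabled
    return sorted(to_disable), sorted(orphans)


# Constructed sample data: one employee left a week ago, one leaves next
# month, plus a service account that was never linked to an HR record.
ROSTER = [
    HrRecord("E100", "active"),
    HrRecord("E101", "terminated", "2009-06-01"),
    HrRecord("E102", "terminated", "2009-07-15"),
]
ACCOUNTS = [
    Account("alice", "E100", True),
    Account("bob", "E101", True),        # terminated but still enabled
    Account("carol", "E102", True),      # future termination: keep for now
    Account("svc_reports", None, True),  # no HR record at all
    Account("dave", "E999", False),      # already disabled: ignored
]

if __name__ == "__main__":
    print(find_stale_access(ROSTER, ACCOUNTS, "2009-06-08"))
```

Run on a schedule, the two lists are the inputs for automatic disabling and for a manual review of unowned accounts respectively.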