The Rock
Mirroring the Security Measures of Alcatraz in an HRIS

Published in IHRIM.Link, October/November 2006
By: Sybll K. Romley

Alcatraz prison is famous for its internal security. With the exception of a few questionable escapees, the prison was a virtual fortress. Alcatraz deployed many security tactics, including tool-proof bars and iron windows, cemented tunnels, elevated gun galleries and guard towers, strategically placed teargas canisters, electromagnetic metal detectors, skilled guardsmen, scanning of personal items, and, of course, who can forget, the icy bay waters. Yet even with all these preventive measures in place, there were still loopholes on The Rock.

As much as we do not like to admit it, there will always be creative, criminal masterminds who attempt to break out of prison or penetrate the security forces deployed to protect the human capital data in an HR system—even if they have to die trying. However, Alcatraz has shown us that the better the security structure, the better the chances of protecting society, or in HR’s case, its workforce.

Iron–Tight Structure

When it comes to HR system security, the security measures have to be double that of The Rock—we have to prevent criminals from breaking into confidential workforce data and from extracting information from the system.

The first step in designing HR system security is to form a solid plan. There are several questions that must be addressed in the plan. Who has access to information such as social security numbers, benefit information, salaries and disciplinary notes? What security testing has been completed on the HR system? Are there reports, and checks and balances that can help with new federal regulations regarding fair and ethical business practices? What happens if there is a natural disaster? Will the system be available in the event of loss of power? Once the answers to these questions are covered in a plan, policies can be set and integrated into the HR system and its operative environment.

HR systems encompass several features that help to protect confidential information. The most basic security measures control who can get into the system. Anyone with access to the system must be able to enter a valid user name and password. The password should be required to contain alphabetic, numeric, and special characters, and should be difficult for another person to guess. By setting up HR system password complexity requirements, organizations take the first step toward increasing system security. Organizations can further protect workforce data by locking users out of the system after a certain number of invalid logon attempts, which prevents hackers and automated scripts from penetrating the system.

Beyond ensuring the system can handle various forms of passwords, employees must be educated on what makes a good and a bad password. Often, people choose a password that is easy to remember, such as a child's or pet's name. This type of password is a poor choice, as anyone may be able to guess it, and with it gain access to the system. Employees should be educated on why not to use a guessable password and on the risks associated with these types of passwords.
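The three logon controls described above (complexity rules, a check for guessable words tied to the user, and lockout after repeated invalid attempts) as an added Python example; this is illustration code, not the article's or Spectrum's product logic, and the policy values (MAX_ATTEMPTS, LOCKOUT_SECONDS, MIN_LENGTH), the deny list and the HRLogon class are assumptions made for the demonstration. Passwords are stored as salted PBKDF2 hashes rather than in clear text, which the article does not discuss but any such gate should do.

```python
# Added example: password policy plus lockout gate (not from the article).
# Policy values, the deny list and the class/function names are assumptions.
import hashlib
import hmac
import os
import re
import time

MAX_ATTEMPTS = 5            # invalid attempts before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (assumed policy)
MIN_LENGTH = 10

# Constructed deny list: values no user may embed in a password.
DENY_LIST = {"password", "welcome", "spectrum", "alcatraz"}


def password_problems(password, user_context=()):
    """Return the list of policy violations (empty list means the password is acceptable).
    user_context holds words tied to the user (user name, child or pet names) that the
    article warns are easy to guess."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for word in DENY_LIST | {w.lower() for w in user_context}:
        if word and word in lowered:
            problems.append(f"contains guessable word '{word}'")
    return problems


def _hash(password, salt):
    # Salted, iterated hash so a stolen account table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class HRLogon:
    """In-memory account store with hashed passwords and per-user lockout tracking."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable clock so lockout expiry is testable
        self._accounts = {}        # user -> (salt, pbkdf2 hash)
        self._failures = {}        # user -> (failed attempt count, locked_until)

    def register(self, user, password, user_context=()):
        problems = password_problems(password, user_context)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._accounts[user] = (salt, _hash(password, salt))

    def _failure_state(self, user):
        count, until = self._failures.get(user, (0, 0.0))
        if count >= MAX_ATTEMPTS and self._clock() >= until:
            count = 0              # lockout window has expired; start counting afresh
        return count, until

    def is_locked(self, user):
        count, _ = self._failure_state(user)
        return count >= MAX_ATTEMPTS

    def login(self, user, password):
        """True on success; False for a bad password, an unknown user, or a locked account."""
        if self.is_locked(user):
            return False
        record = self._accounts.get(user)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, stored = record if record else (b"\0" * 16, b"")
        ok = record is not None and hmac.compare_digest(_hash(password, salt), stored)
        if ok:
            self._failures.pop(user, None)
            return True
        count, _ = self._failure_state(user)
        self._failures[user] = (count + 1, self._clock() + LOCKOUT_SECONDS)
        return False
```

Note that the lockout is keyed by user name; a production gate would also rate-limit by source address, since a script can spread guesses across many accounts without tripping any single counter.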

Most systems today use role and row level security to further protect data. Role–level security determines the types of pages, reports and tasks a user can see. Row–level security determines which records a user can see. For instance, one person may see all records; another may only see applicant records; while a manager may see only departmental direct reports. Further security measures can prevent unauthorized users from viewing codes that are not applicable to them. For instance, an HR manager in Seattle would not be able to access the benefit codes for the office in Houston.
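The three layers just described, role-level (which pages a role may open), row-level (which records a user may see) and code-table filtering (the Seattle manager who cannot see Houston's benefit codes), as an added Python example over a constructed employee table. This is not the article's or any vendor's code; the roles, field names, sample records and the extra masking of confidential fields (SSN, salary) by role are assumptions made for the demonstration.

```python
# Added example: role-level, row-level and code-table filtering (not from the article).
# Role names, fields, sample records and benefit codes are constructed.
from dataclasses import dataclass

# Role-level security: the pages/reports each role may reach.
ROLE_PAGES = {
    "hr_admin":  {"employee", "applicant", "payroll", "discipline"},
    "recruiter": {"applicant"},
    "manager":   {"employee"},
}

# Confidential fields and the roles allowed to see them unmasked (assumed extension).
CONFIDENTIAL_FIELDS = {"ssn": {"hr_admin"}, "salary": {"hr_admin", "manager"}}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    office: str
    department: str = ""   # managers see only their own department


# Constructed sample records; SSNs are obvious placeholders.
RECORDS = [
    {"id": "E100", "kind": "employee",  "name": "A. Ng",   "office": "Seattle",
     "department": "Sales", "salary": 91000, "ssn": "000-00-0001"},
    {"id": "E101", "kind": "employee",  "name": "B. Ruiz", "office": "Houston",
     "department": "Ops",   "salary": 78000, "ssn": "000-00-0002"},
    {"id": "A200", "kind": "applicant", "name": "C. Park", "office": "Seattle",
     "department": "Sales", "salary": None,  "ssn": "000-00-0003"},
]

# Code table keyed by office, for code-table filtering.
BENEFIT_CODES = {
    "Seattle": {"MED-WA", "DEN-WA"},
    "Houston": {"MED-TX", "DEN-TX"},
}


def row_allowed(user, record):
    """Row-level rule: admins see every record; recruiters see applicants only;
    managers see employees in their own office and department."""
    if user.role == "hr_admin":
        return True
    if user.role == "recruiter":
        return record["kind"] == "applicant"
    if user.role == "manager":
        return (record["kind"] == "employee"
                and record["office"] == user.office
                and record["department"] == user.department)
    return False   # unknown roles get nothing (deny by default)


def visible_records(user, page):
    """Enforce the role-level page check, then the row-level filter, then field masking."""
    if page not in ROLE_PAGES.get(user.role, set()):
        raise PermissionError(f"role '{user.role}' may not open page '{page}'")
    shown = []
    for rec in RECORDS:
        if rec["kind"] != page or not row_allowed(user, rec):
            continue
        copy = dict(rec)
        for field, roles in CONFIDENTIAL_FIELDS.items():
            if user.role not in roles:
                copy[field] = "***"
        shown.append(copy)
    return shown


def visible_benefit_codes(user):
    """Code-table filtering: non-admins see only the codes for their own office."""
    if user.role == "hr_admin":
        return set().union(*BENEFIT_CODES.values())
    return set(BENEFIT_CODES.get(user.office, set()))
```

The filters are applied in the server-side query path, not in the user interface; hiding a menu entry is not a control if the underlying report can still be requested directly.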

Today’s technology enables organizations to automate many of the processes that were once handled on paper. A common concern with automating processes is a lack of control, missed approvals, and information not getting to the right people. As more and more people come to trust and learn how to use the technology, automated processing is becoming a standard business practice. Instead of going through the typical written signature process, organizations now have the ability to accomplish these tasks using electronic routings in the HR system and can further ensure security using electronic signatures. Electronic signatures verify that the correct person made the change. If the signature is valid, the system electronically routes the request back to HR for processing. An electronic signature typically is a question that the authorized person has already selected and that no one else in the workplace would know, such as “What was the name of your junior high school mascot?” or “What is the name of your all-time favorite athlete?”

Another way to maintain a secure HR system is by using a system of checks and balances. This is absolutely mandatory for all business processes today. With an audit trail, HR databases can undergo the same scrutiny as financial systems. Most companies use the audit database to determine what data changed, who made the change, the computer used to make the change, and the time the change was made in the system. HR can monitor this by generating reports from the audit database. For example, the audit database can help identify the user who gave unauthorized pay raises to a select group of people by showing the computer used to make the change, the user name, and the date and time the change took effect.

By deploying specific strategies such as user level access, role–level security, row–level security, code–table filtering, electronic signatures, and an audit database, organizations can start to form the foundation of the Alcatraz version of disclosure, internal controls of financial information, increased levels of executive accountability, and heightened oversight of business activities. Although SOX relates more to the financial records of an organization, many feel that the data contained in the HR system is SOX–related. There are several ways an HR system can help businesses comply with SOX requirements.

By ensuring only authorized personnel have access to pertinent information, a business takes the first step toward complying with SOX. This can be accomplished by putting system controls and extra security parameters in place. Routings can be set up to maintain an electronic trail of approvals. System controls and routings come in handy when making sure salary changes and bonuses fall within company guidelines. These controls can help guarantee that executives do not receive more compensation than what the board approved. As discussed earlier, the audit database, role-level security, and row-level security are all ways that can help businesses comply with SOX requirements.

Another way to maintain compliance is by using technology that monitors training and development activities, customizations, and reports. The HR system should have the capability of tracking who completed compliance training and who still needs to be trained. When it comes to making system customizations or applying hot fixes, companies need to track when these changes were made to the system. As we all know, reporting is a major component of compliance. The HR system can help businesses track time worked, paid time off, benefits and 401(k) contributions, which helps organizations maintain compliance and privacy standards.

A resounding issue facing HR departments is protecting employee privacy. In years past, social security numbers were used to identify employees. Today, some HR departments prefer to identify employees with unique identifiers that cannot be personally associated with the employee. It is also critical to ensure that only authorized personnel have access to confidential information, such as social security numbers or benefits information.

Automated alerts should be set within the system to notify the proper personnel when a critical change has been made, such as a salary increase outside of company guidelines. Systems also need to interface with benefit and payroll carriers to automatically let them know when a change occurs, so every record is kept current. During the electronic interface transfer, it is important to follow best practices to keep data safe. Any time data is transferred, it should be encrypted to prevent interception. Methods such as 128-bit SSL provide secure, transparent end-to-end transport that also allows for host identity verification. Another way to protect data is to use network segregation, which isolates and secures information with internal firewalls. IPsec (IP security) is another popular way to protect data; it allows you to create network security zones that admit only authorized hosts to protected systems. For organizations needing to comply with HIPAA, the HR system needs to adhere to the 834 Benefit Enrollment and Maintenance Transaction standard. Taking these preliminary steps will help keep your data secure and confidential.
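The audit database and the alerts built on it, as described in the checks-and-balances, SOX and automated-alert paragraphs above, as an added Python example: an append-only trail recording who changed what, from which computer and when, a report grouped by user and computer, and an alert that flags salary changes outside a guideline or above board-approved pay. This is illustration code, not the article's or any product's audit feature; the record layout, the 10% guideline, the board-approved cap and the sample changes are constructed assumptions.

```python
# Added example: audit trail with review report and salary-change alerts
# (not from the article). Layout, thresholds and sample data are constructed.
from collections import defaultdict
from datetime import datetime, timezone

MAX_RAISE_PCT = 10.0                 # single-raise guideline (assumed policy)
BOARD_APPROVED = {"E001": 250000}    # board-approved executive pay cap (constructed)


class AuditLog:
    """Append-only audit trail: who changed what, from which computer, and when."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._entries = []
        self._clock = clock          # injectable so timestamps are reproducible in tests

    def record(self, user, host, employee_id, field, old, new):
        self._entries.append({"when": self._clock(), "user": user, "host": host,
                              "employee_id": employee_id, "field": field,
                              "old": old, "new": new})

    def entries(self):
        return list(self._entries)   # hand out a copy so callers cannot alter the trail


def pay_raise_alerts(log, max_pct=MAX_RAISE_PCT):
    """Automated alert: salary changes above the guideline or above board-approved pay."""
    alerts = []
    for e in log.entries():
        if e["field"] != "salary" or not e["old"]:
            continue                 # only salary changes with a prior value
        pct = (e["new"] - e["old"]) / e["old"] * 100
        reasons = []
        if pct > max_pct:
            reasons.append(f"raise of {pct:.1f}% exceeds {max_pct:g}% guideline")
        cap = BOARD_APPROVED.get(e["employee_id"])
        if cap is not None and e["new"] > cap:
            reasons.append(f"salary {e['new']} exceeds board-approved {cap}")
        if reasons:
            alerts.append({**e, "reasons": reasons})
    return alerts


def changes_by_user(log):
    """Review report: every change grouped by (user, computer)."""
    report = defaultdict(list)
    for e in log.entries():
        report[(e["user"], e["host"])].append(
            (e["when"].isoformat(), e["employee_id"], e["field"], e["old"], e["new"]))
    return dict(report)


def build_sample_log():
    """Constructed sample changes under a fixed clock so results are reproducible."""
    stamps = iter(datetime(2006, 10, day, 9, 0, tzinfo=timezone.utc) for day in range(1, 10))
    log = AuditLog(clock=lambda: next(stamps))
    log.record("jsmith", "WS-17", "E010", "salary", 50000, 60000)     # 20% raise
    log.record("jsmith", "WS-17", "E011", "salary", 50000, 52000)     # 4% raise, within guideline
    log.record("kjones", "WS-03", "E001", "salary", 240000, 260000)   # 8.3%, but over the board cap
    log.record("kjones", "WS-03", "E012", "title", "Analyst", "Senior Analyst")
    return log
```

In a real deployment the trail is written by the application tier with a database account that has insert-only rights on the audit table, so the same users whose changes it records cannot delete or rewrite entries.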

As the evolution of crimes and technology both grow, HR systems need to be able to support all of your compliance and privacy needs.

Disaster Recovery

In recent years, too many businesses have found out the hard way that their disaster recovery plans (or lack thereof) were not enough. When disaster strikes, whether a natural disaster or a terrorist threat, the last thing companies need to worry about is the ability to communicate with employees.

Whether a company decides to self–host the system or outsource application hosting to a third party, businesses need to make sure disaster recovery procedures are in place. Even more, key personnel need to know what steps to take to recover information and communicate with employees. Detailed documented procedures can help ensure quick return to normalcy.

In case of disaster, recovery should be quick and painless. First, be sure to back up systems daily, and store copies in a secure, offsite location. Second, test backups regularly to ensure they are recoverable. Next, store backup media in a fireproof safe. Remember that backup media should be destroyed prior to disposal. Standard information technology procedures such as purchasing hardware warranties, weekly testing, and 24-hour monitoring of critical network resources are also helpful. Many service providers offer these services to organizations that are unable to maintain a disaster recovery plan on their own.
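The "back up daily" and "test backups regularly" steps above, as an added Python example that is not the article's or any vendor's procedure: make_backup archives a directory and writes a manifest of SHA-256 hashes, and verify_backup restores the archive into a scratch directory and checks every file against the manifest, which is the test a backup has to pass before it can be trusted. The directory layout and the sample HR files in run_demo are constructed for the demonstration.

```python
# Added example: backup with a hash manifest and a restore test (not from the article).
# Sample files, paths and function names are constructed assumptions.
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir to archive_path and write '<archive_path>.manifest.json'
    mapping each file's relative path to its SHA-256. Returns the manifest path."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = _sha256(path)
            tar.add(str(path), arcname=rel)
    manifest_path = str(archive_path) + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest_path


def verify_backup(archive_path, manifest_path):
    """Restore into a scratch directory and compare every file with the manifest.
    Returns (ok, problems); an empty problems list means the backup restored intact."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            # The "data" filter (Python 3.12+) rejects absolute paths and links that
            # escape the target directory; older interpreters do not accept the argument.
            try:
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif _sha256(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return (not problems, problems)


def run_demo():
    """Constructed data: back up a small HR directory, verify it, then alter the
    manifest to show that a restore that no longer matches is reported."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d, "hrdata")
        (src / "sub").mkdir(parents=True)
        (src / "employees.csv").write_text("id,name\nE100,A. Ng\n")
        (src / "sub" / "benefits.csv").write_text("code,office\nMED-WA,Seattle\n")
        archive = str(Path(d, "hr-backup.tar.gz"))
        manifest = make_backup(src, archive)
        clean = verify_backup(archive, manifest)
        entries = json.loads(Path(manifest).read_text())
        entries["employees.csv"] = "0" * 64      # pretend the stored file was corrupted
        Path(manifest).write_text(json.dumps(entries))
        tampered = verify_backup(archive, manifest)
    return clean, tampered
```

Keep the manifest with the offsite copy but also in a second location; the point of the regular test is that a restore is exercised from the media actually kept offsite, not from the live server.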

The HRIS Rock

Taking these steps is the beginning of forming an HRIS Rock. Once the HR system is up and running, there are continual steps that need to be taken to ensure workforce data stays secure. These include monitoring new security patches, using SSL to encrypt data during transit, utilizing an industry standard firewall, installing intrusion detection and prevention software, hardening the server, reviewing server event logs, and making sure the proper people are in place to provide server administration.

These security measures, along with building an iron–tight structure, testing the HR system for security flaws, implementing compliance and privacy initiatives, and forming a strong disaster recovery plan will make any HR system a fortress, just like Alcatraz.

About the Author

Sybll K. Romley, sromley@spectrumhr.com, is president and CEO of Spectrum Human Resource Systems Corporation, a company that provides complete HR systems to organizations in the United States. Sybll brings a distinct combination of vision, strategy, and experience to the human resource technology industry. For over 20 years, she has played an integral role in the vision for how HR technology can bring HR professionals into the board room. As a top-level executive and member of the board of directors at Spectrum, she is actively involved in all aspects of the business. Her practical approach to HR systems stems from being an HR professional. Before joining Spectrum, she worked as a recruiter and human resource specialist for a Big 8 accounting firm. She holds a Bachelor of Arts degree from Occidental College in CA.
