The importance of Information Security processes in Human Resources

October 29, 2021

By Larissa Carvalho

With technological advances, the Human Resources area, regardless of the size and segment of the organization, deals daily with an extensive volume of confidential information, whether in physical or digital media, that is exposed to a wide range of threats, such as attacks and information leaks.

However, protecting this information is not HR's responsibility alone. The Human Resources area must work in partnership with the Information Technology (IT) sector to establish and implement well-developed Information Security plans and procedures, in line with the organization's needs, whose purpose is to reduce risk.

Why is the Information Security area important to HR?

The Human Resources area centralizes sensitive information such as employee and customer data, job and salary data, benefits and strategic indicators, among others. The leakage of this information could bring financial and reputational impacts to the organization.

Like employees in other areas of expertise, Human Resources professionals must have well-defined roles and responsibilities, so that information is not lost and so that adequate Information Security controls are implemented for demands involving sensitive information that must not be accessible to every employee. Stricter controls, such as the adoption of the "Principle of Least Privilege", must be established to manage access to information for certain professionals in the Human Resources area and to mitigate the risk of information leaks, both inside and outside the organization.

Information Security Tips for the Human Resources area

Information Security controls are much discussed; however, many companies forget to address one of the weakest points in ensuring Information Security: hiring and retaining people, the well-known human resource of companies.

To ensure that employees, suppliers and third parties understand their responsibilities and comply with their roles, and to reduce the risk of theft, fraud or misuse of resources, it is necessary, according to ISO 27002, to:

Before Hiring:

Roles and responsibilities: The organization must ensure that job applicants understand their responsibilities and agree with their roles, to reduce the risk of information compromise. Responsibilities for Information Security must be assigned before employment begins, in the job descriptions and in the terms and conditions of employment.

Selection: Candidate background checks should be more thorough, especially when the position involves high risk. The controls used to analyze these profiles must comply with current laws, regulations and ethics.

Contracting terms and conditions: In the terms and conditions of employment, the candidate must know their own responsibilities and the organization's responsibilities for Information Security. It is essential that the responsibilities set out in these terms and conditions continue to apply after termination of the contract, and that the employee is aware that any breach of the contract clauses will be subject to penalties.

During Hiring:

Training and Awareness in Information Security: The organization must provide employees, at least annually, with Information Security training and awareness covering best practices, responsibilities, obligations and the Information Security policy, and again whenever there are significant changes in organizational policies and procedures relevant to their functions.

It is essential to evaluate the effectiveness of this training through tests to ensure that the employee understood the proposed content.

Ideally, mandatory training should be established and implemented both at the start of employment and throughout it, so that professional activities are performed correctly.

Disciplinary Process: The organization must establish and communicate a formal disciplinary process to take action against employees who have committed an Information Security breach. This disciplinary process must be fair, taking into account the severity of the incident's impact on the business. Once a recurrence of the infraction is confirmed, an appropriate penalty must be applied, which can range from a temporary suspension of access rights to the immediate removal of the infringer from the organization's premises.

Penalties should be highlighted in the Information Security policy and should be an issue addressed in training and awareness.

Closing the contract:

Closing of activities: Responsibilities for the termination of employment must be defined and assigned in such a way that the employee's obligations are maintained after termination.

Return of Assets: Upon termination of the contract, the employee must return to the organization all corporate equipment used in the performance of professional activities, for example laptops and cell phones.

The organization must ensure that sanitization procedures are carried out on equipment used by outsourced employees, so that information is not compromised.

Removal of access rights: Communication between the Human Resources and Information Security areas must be effective when a contract is terminated, resulting in the immediate revocation of access rights and privileges in order to protect information.

Hiring a new employee for your company requires careful prior analysis, especially if that person will have access to critical business data. The purpose of this article is precisely to highlight the importance of these controls in preventing fraud, theft or the misuse of resources and information in the organization. While the employee is working at the company, they should be aware of Information Security threats as well as their responsibilities and obligations, and should carry the Information Security culture beyond the professional environment.

The continuous improvement process must be observed and maintained, with the commitment of the Information Security and Human Resources areas to any actions that help improve the related processes and procedures.

— Larissa Carvalho is GRC and Information Security Consultant at SAFEWAY

About Safeway:

SAFEWAY is an Information Security company, recognized by its clients for offering high value-added solutions through Information Security projects that fully meet the needs of the business. In these years of experience, we have proudly accumulated several successful projects that have given us credibility and prominence among our clients, which largely include the 100 largest companies in Brazil.

Today, through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!