HR departments face a unique set of security challenges. The department is responsible for keeping confidential information about internal staff as well as external clients, but a big part of its job is circulating policies and inter-office communications, which everyone needs to access. Added to that, HR departments are responsible for sharing employees’ private and personally identifiable information (PII) with external providers and agencies, including health plans, banks and the IRS. Managing who can see sensitive information requires a solution flexible enough to protect against insider threats, potentially by destroying files automatically, while still enabling secure sharing.
Fasoo classifies the types of data the department handles into two tiers. Tier one, which includes intellectual property, executive compensation, board of directors’ files, customer lists and financial data, requires the highest level of protection: automatic encryption and a security policy assigned upon creation. Tier two information, which is less sensitive, includes policy manuals, inter-office correspondence and pre-release public files.
This slideshow looks at five functions of an enterprise HR department and points to policy controls required of a security solution to support the specific access and permission requirements for each tier of information.
HR Security Challenges
Five challenges faced by enterprise HR departments, as identified by Fasoo.
Locking Down Employee Information
Any document containing employee PII is highly sensitive and should be limited to HR to prevent unauthorized internal users from accessing it. In the most egregious situations, an automatic destruction policy is important for highly personal information.
Keeping Client Confidentiality
In addition to employee relations, HR often handles client information, including external and internal financial information. Client contracts mandate confidentiality, so this information may be shared only with authorized employees or, in some cases, third-party agencies. With advanced security policy settings, HR can safely share this information with the designated parties through email or cloud-based file sharing services by specifying a validity period for accessing protected attachments and even restricting access to a specific number of devices or views.
Circulating Policy Manuals In-House Only
Company rules and regulations for employees need to be accessible to the whole office and for this reason are considered “tier two” information. Policy for this class of information requires less protection in exchange for more visibility. Best practice for securing this type of data is an employee-discretionary security policy and encryption.
Encrypting Received Resumes
Resumes from qualified candidates are considered intellectual property and are highly valuable to a company. Once received, resumes require an automatic security policy and encryption upon saving the file to a server. The policy defines access controls for HR personnel and select executives and managers. Secure sharing with these employees may be required.
Protecting Intellectual Property When an Employee Gives Notice
A company’s business depends on the product or service it sells, which all traces back to the intelligence used to design that product or service. If this information is compromised, so is the business. The HR department in this case is the first line of defense, since it is the first to find out the employee is leaving and is ultimately responsible for how and when the organization is notified. Policies for access changes need to be put in place to enable the organization to immediately disable access to sensitive materials.