Human resources security is the process of hiring, training, ensuring the accountability of, and off-boarding employees and contractors who may store, process, or transmit data on your behalf. You should prioritize human resources security in order to mitigate the prospect of an un- or under-trained workforce member causing (or failing to adequately respond to) a security incident.
This document provides a high-level explanation of why human resources management is important; the essentials of an effective human resources security program; and information on how to leverage Aptible’s tools and out-of-the-box policies to manage your workforce.
Human Resources Security is important because workforce members’ misuse of authorized information-system access is a common cause of security incidents, including data breaches. Workforce members can open up your information systems /assets to vulnerabilities because of a lack of training, an inappropriate level of access, or by engaging in malicious activities such as theft or improperly altering data.
A recent study by Shred-it found that 40% of senior executives and small businesses that experience a data breach believed the root case was employee negligence. As you scale you will likely grow your workforce, which means an increasing number of people will have access to your data and information systems. A strong Human Resources Security program is the best strategy to reduce risks stemming from employees and contractors.
When considering how to implement a Human Resources Security program, it’s useful to break your processes into the various phases of a workforce member’s relationship with you: Safeguards that relate to the pre-employment-relations, those that relate to the ongoing relationship, and those that relate to the end of the relationship. Each phase of your relationship with a workforce member has security and privacy obligations.
Your human resources security obligations start before you begin onboarding a new workforce member. As soon as you begin to draft a job description, you should think about human resources security.
Start by including a specific role’s security and privacy obligations in the job description. This allows candidates to determine if they are a good fit and enables you to hold whomever you eventually hire to the requirements outlined in your policies and procedures.
Examples of security and privacy obligations that could appear in job postings include responding to data subject access requests (such as right to access under the GDPR), storage or disposal of sensitive information, training requirements, and ownership of specific domains or policies in your Security Management program.
It’s important that your Human Resources Team communicates with your Security Team about employment-related activities, whether hiring, a transfer, or a workforce separation. Each activity triggers security risks and obligations that the Security Team will need to act on, and communicating this information early-on helps the Security Team prioritize their efforts. For instance, early communication about a new hire could help smooth the process of getting a work-approved device issued to a new workforce member.
Before you hire a potential workforce member, you should perform some kind of background screening on the candidate. Background screening is one tool in your toolbelt for determining a potential workforce member’s competence to handle your data prior to your granting access to it. Moreover, performing some kind of screening activity is often required by audit and regulatory frameworks.
There are two types of background screening that are used in hiring processes today:
criminal background checks, and
professional reference checks.
If you decide to perform criminal background checks, you then need to determine what criminal offenses, if any, will constitute an automatic bar to employment. Criminal offenses that typically preclude employment include violent crimes (assault) and crimes of trust (fraud). To address social justice concerns, some companies escalate applicants with criminal records to senior management for further review, rather than automatically reject them. Either way, an effective background screen is a well-accepted approach to mitigating the risk of hiring careless or ill-intentioned workforce members.
No matter what you decide, consult with your lawyer to ensure you aren’t violating any state of federal employment laws.
Once you hire a workforce member you must ensure they are properly onboarded. Onboarding members of your workforce includes: Providing the workforce member with properly configured equipment, granting access to information systems required for the workforce member’s role, and assigning necessary training.
You should log the completion of each step of your workforce member onboarding to ensure that nothing was missed from a security perspective.
All of your workforce members should be required to complete security and privacy training at least annually. Not only is this required under most audit and regulatory frameworks, but it’s an effective method of increasing security competence and deterring malicious workforce member behavior.
A common–and recommended–practice is to have all workforce members complete Rules of Behavior training (that covers your Security Management program) and general Security Awareness training (that covers general security and privacy topics like MFA, malware, and phishing). On top of that, individual teams should complete role-specific training (for example, Incident Response Training for your Incident Response team; Culture and Security training for your Management Team; etc.).
An illustration of how privacy and security training could work is provided below:
You hire a designer, Alice, to work on website design. Alice has access to cloud-based productivity services like G Suite and Slack, but cannot access anything in production or systems with Sensitive/Regulated Information. Alice should be assigned Security Awareness training and Rules of Behavior training.
You hire an engineer, Bob, to work on back-end systems that handle HIPAA protected health information (PHI). Bob should be assigned the same training as Alice (Security Awareness training and Rules of Behavior training)
additional training based on his role (including, for example, HIPAA for Developers training).
Aptible helps you satisfy your training obligations by including your required training in the app. For more information, check out Aptible Comply.
You should have a policy for sanctioning workforce members behaviors that are inconsistent with your Security Management program. These can vary from warnings to retraining to termination, but they should be commensurate with the violating behavior and be documented, especially if the behavior resulted in a security or privacy incident.
Workforce members should be made aware in their training that improper behavior or carelessness could result in sanctions. When considering sanctions you should consider the possible chilling effect it may have on workforce members reporting security incidents, including those where the workforce member was at fault. Additionally, you should not use sanctions to retaliate against workforce members who have brought to light potential or actual security concerns.
For privacy and security purposes, when a workforce member transfers to a different team within your company, they should be onboarded like a new hire. Specifically, you should assess their current training, equipment, and access to information systems and determine what might need to change. You should then remove the workforce member’s access to data and equipment no longer required and grant them access to new systems and equipment required for their new role.
When your working relationship with a workforce member ends, you have a number of security and privacy tasks to complete, including:
ensure the return of all company-issued devices;
revoke the workforce member’s access to your systems; and
conduct an exit interview with the workforce member (to remind them of their ongoing security and privacy obligations).
It is important to log the completion of all these activities for audit logging purposes.
For the purpose of your Security Management program, the safest way to operate is to treat contractors like full-time employees. From a security perspective, the classification of the workforce member as an employee or contractor is generally less important than specific security requirements you impose on them.