Typically, data security is the realm of the IT department, but HR can make a huge difference to protecting vital corporate data with the right procedures in place, discovers Cath Everett.
You might not consider that the average HR professional would have a major role to play in protecting an organisation’s information security activities.
But according to Alan Ryan, director of security practice at security consultancy MTI, HR can make a world of difference simply by creating “open, two-way communications channels” with IT in order to help identify and manage risk.
Key areas in which such risks are highest relate to the processes and procedures involved when employees either join or leave the company, particularly if they depart under a cloud or are made redundant and so might have an axe to grind.
“There need to be strong leavers procedures in place so that IT is made aware when someone has gone and can remove their system access privileges,” warns Ryan. “The issue is that, if leavers are still able to access corporate systems remotely, they can prove to be high risk.”
Position of least trust
Another challenge is dealing with people who are new to the organisation. The problem is that many employers simply assign new joiners the same system access rights as their colleagues without really thinking about whether or not they require them.
“In order to reduce risk, you should take the position of least trust,” says Ryan. “So only give people as much access as they need to do the job and don’t just give them remote access just because others in the department have it.”
To make the process consistent and repeatable, access rights should ideally be assigned to individuals based on their specific job description – something that HR, line managers and IT would all benefit from working on together.
As a result, if someone is demoted, promoted or moved sideways, their access rights would change based on their new job description and in line with their working requirements – rather than simply keeping everything intact because it has always been that way.
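As an added illustration (not from the article or from MTI), a small Python reconciliation of HR's roster against IT's access list covering the joiner, mover and leaver cases described above; the role-to-entitlement mapping, user names and sample records are constructed for the example.

```python
from dataclasses import dataclass

# Entitlements each job description grants (constructed sample). Remote
# access ("vpn") is in no default role: it must be an approved exception.
ROLE_ENTITLEMENTS = {
    "payroll clerk": {"hr-portal", "payroll-db"},
    "payroll manager": {"hr-portal", "payroll-db", "payroll-approve"},
    "sales exec": {"crm"},
}

@dataclass(frozen=True)
class HrRecord:
    user: str
    job: str
    active: bool  # False once HR has recorded the person as a leaver

def reconcile(hr_records, it_access, exceptions=None):
    """Return (revoke, grant): user -> entitlements to remove/add to match the job."""
    exceptions = exceptions or {}
    hr_by_user = {r.user: r for r in hr_records}
    revoke, grant = {}, {}
    for user, held in it_access.items():
        rec = hr_by_user.get(user)
        if rec is None or not rec.active:
            # Leaver, or an account HR knows nothing about: remove everything.
            revoke[user] = set(held)
            continue
        wanted = ROLE_ENTITLEMENTS.get(rec.job, set())
        extra = set(held) - wanted - set(exceptions.get(user, ()))
        if extra:
            revoke[user] = extra              # demoted/moved, or copied rights
        if wanted - set(held):
            grant[user] = wanted - set(held)  # promoted/moved: new job's rights
    for user, rec in hr_by_user.items():
        if rec.active and user not in it_access:
            grant[user] = set(ROLE_ENTITLEMENTS.get(rec.job, set()))  # joiner
    return revoke, grant

# Constructed sample data: HR's roster versus what IT currently has provisioned.
HR = [HrRecord("alice", "payroll manager", True),  # just promoted from clerk
      HrRecord("bob", "sales exec", False),        # has left the company
      HrRecord("carol", "sales exec", True),       # starts Monday
      HrRecord("dave", "sales exec", True)]
IT = {"alice": {"hr-portal", "payroll-db"},
      "bob": {"crm", "vpn"},
      "dave": {"crm", "vpn"},      # vpn given because the rest of sales has it
      "svc-temp": {"crm"}}         # account HR has no record of

if __name__ == "__main__":
    print(reconcile(HR, IT))
```

Running the comparison on every HR change, rather than after an incident, is the "prevention is better than cure" point in practice: the leaver's remote access and the unrecognised account surface in the revoke list before anyone has to investigate them.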
“Most companies make changes after something’s happened, but really prevention is better than cure in terms of risk mitigation,” Ryan says.
“A common, open communications channel between HR and IT would help to identify lots of risk areas and would certainly be more cost-effective than having lots of systems going down.”