Discussion questions

profileb67
15.pptx

CHAPTER 15

HRIS Privacy and Security

1

WHY PRIVACY IS CRITICALLY IMPORTANT

An HRIS includes a great deal of confidential data about employees, such as Social Security numbers, medical data, bank account data, salaries, domestic partner benefits, employment test scores, and performance evaluations.

It is critical for organizations to understand and pay close attention to what employee data is collected, stored, manipulated, used, and distributed—when, why, and by whom.

Organizations also need to carefully consider the internal and external threats to these data and develop strong information security plans and procedures to protect these data and comply with legislative mandates.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

2

WHY PRIVACY IS CRITICALLY IMPORTANT

However, starting in the 1990s, as computer networks became more common, threats to information security became more involved due to the presence of enterprise-wide systems.

There is a growing concern about the extent to which these systems permit users (both inside and outside of the organization) to access a wide array of personal information about employees. As a result, employees may perceive that if these data are accessed by others, the information contained in their employment files may embarrass them or result in negative outcomes (e.g., denial of promotion or challenging job assignment).

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

3

WHY PRIVACY IS CRITICALLY IMPORTANT

Recent research suggests that this concern may be well founded. For example, one report indicated that over 500 million organizational records have been breached since 2005, and there has been a rise in the theft of employment data (Privacy Rights Clearinghouse, 2010).

In view of the growing concern about identity theft and the security of employment information in HRIS, a number of states (e.g., AK, CA, FL, HI, IL, LA, MO, NY, SC, WA) passed privacy laws requiring organizations to adopt reasonable security practices to prevent unauthorized access to personal data (Privacy Protections in State Constitutions, 2012).

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

4

WHY PRIVACY IS CRITICALLY IMPORTANT

Despite these new laws, results of surveys revealed that 43% of businesses stated that they did not put any new security solutions in place to prevent the inadvertent release or access to employee data, and almost half did not change any internal policies to ensure that data were secure.

The cost of these data breaches can be large. For example, the average cost of a data breach has increased to almost $7 million per firm.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

5

WHY PRIVACY IS CRITICALLY IMPORTANT

Software vendors, such as Oracle, are aware of the potential for security breaches and offer multiple security models (e.g., Standard HRIS Security and Security Groups Enabled Security) that enable an administrator to set up HRIS security specifically for an organization. This means that the software allows companies to determine the kind of data access and responsibility each employee has.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

6

EMPLOYEE PRIVACY ISSUES

The U.S. Fair Labor Standards Act of 1938 requires employers to maintain basic information on all employees including Social Security number, address, gender, occupation, pay, and hours worked. However, the increased use of HRIS to store these data has prompted concerns about the degree to which these systems have the potential to invade personal privacy.

Information privacy has been defined as the “degree to which individuals have control over the collection, storage, access, and release of personal data.”

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

7

EMPLOYEE PRIVACY ISSUES

Unauthorized access to information

Unauthorized Disclosure of Information

The unauthorized disclosure of data accuracy problems

Stigmatization problems

Use of data in social network websites

Lack of privacy protection policies

Despite the widespread use of HRIS and growing concerns about the (a) unauthorized access, (b) unauthorized release, (c) data accuracy, and (d) use of data to stigmatize employees, many companies have not established fair information management policies to control the use and release of employee information.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

8

COMPONENTS OF INFORMATION SECURITY

The McCumber Cube provides a graphical representation of the architectural approach widely used information security. It examines not only the characteristics of the information to be protected but also the context of the information state. The cube allows an analyst to identify the information flows within an HRIS, view it for important security-relevant factors, and then map the findings to the cube. The cube has three dimensions. If extrapolated, the three dimensions of each axis become a 3 x 3 x 3 cube with 27 cells representing areas that must be addressed to secure a modern-day information system.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

9

COMPONENTS OF INFORMATION SECURITY

Desired Information Goals – Ensure that data is kept confidential, has not been manipulated, and is available to those who are authorized to access it

Countermeasures – Identify mechanisms that can be used to protect data

State of Information – Identify the state in which data is currently residing

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

10

THE MACUMBER CUBE

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

11

SECURITY THREATS: SOURCES

Human error

Disgruntled employees and ex-employees

Other “internal” attackers

External hackers

Natural disasters

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

12

SECURITY THREATS: TYPES

Misuse of computer systems

Extortion

Theft

Computer-based fraud

Cyber-terrorism

Phishing

Denial-of-service (DoS) Software Threats

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

13

SECURITY THREATS: TYPES

A computer virus is a type of malware that works by inserting a copy of itself onto a computer or device (e.g. smartphone) and then becoming part of another program. It can attach itself to files without the user’s knowledge and duplicate itself by executing infected files. When successful, a virus can alter data, erase or damage data, create a nuisance, or inflict other damage.

Worms are in some ways similar to viruses since they can replicate themselves. However, unlike viruses that require the spreading of an infected file, worms such as Code Red, Slammer, and MyDoom can spread by themselves without attaching to files.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

14

SECURITY THREATS: TYPES

Spyware is software installed on an unknowing user’s computer that gathers information about the user’s activities on the Web (keystrokes, websites visited, et cetera) and transmits it to third parties such as advertisers or attackers. Problems associated with spyware include potential privacy invasion, appropriation of personal information, and interference with the user’s computer operation.

Blended Threats: These threats propagate both as viruses and worms. They can also post themselves on websites for people to download unwittingly.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

15

SECURITY THREATS: TYPES

Trojan is another type of malware that usually hides inside e-mail attachments or files and infects a user’s computer when attachments are opened or programs are executed. Trojans are named after the Trojan horse of Greek mythology in that they appear to be something positive but are, in reality, doing something malicious. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Instead, they must be opened on a computer by a user. Some Trojans can work as spyware while others can display a login or install screen and collect personal data such as usernames and passwords, or other forms of identification, such as bank account or credit card numbers. They can also copy files, delete files, uninstall applications using remote access programs on the computers, and format disks without alerting the victim.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

16

SECURITY THREATS: SOFTWARE AS A THREAT

A computer virus is a type of malware that works by inserting a copy of itself onto a computer or device (e.g. smartphone) and then becoming part of another program. It can attach itself to files without the user’s knowledge and duplicate itself by executing infected files.

Worms such as Code Red, Slammer, and MyDoom can spread by themselves without attaching to files.

Spyware is software installed on an unknowing user’s computer that gathers information about the user’s activities on the Web (keystrokes, websites visited, et cetera) and transmits it to third parties such as advertisers or attackers.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

17

SECURITY THREATS: SOFTWARE AS A THREAT

Blended Threats: These threats propagate both as viruses and worms. They can also post themselves on websites for people to download unwittingly.

Trojan is another type of malware that usually hides inside e-mail attachments or files and infects a user’s computer when attachments are opened or programs are executed.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

18

INFORMATION POLICY AND MANAGEMENT

Fair information management policies

To date, there has been legislation restricting the collection, storage, use, and dissemination of employee information in the public sector (e.g., Privacy Act of 1974), but there is no comprehensive federal legislation on employee information privacy in private-sector organizations.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

19

INFORMATION POLICY AND MANAGEMENT

However, one state, California, has recently passed a law that protects the privacy of employee records in private-sector organizations (Privacy Protection in State Constitutions, 2012

In addition, multinational organizations should also consider the privacy practices in the countries in which they operate. The challenge for organizations is that every country takes a different perspective on protecting employee information privacy, and your organization will need to be familiar with all the applicable laws in each country in which you operate.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

20

PROTECTING EMPLOYEE PRIVACY

“There are few laws governing the storage, use, and dissemination of information in HRIS. Organizations may decrease the degree to which employees perceive that HRIS invades their privacy by establishing fair information management policies and practices.”

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

21

EFFECTIVE INFORMATION SECURITY PRACTICES

Follow established security standards such as ISO/IEC 27000 series.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

22

EFFECTIVE INFORMATION SECURITY PRACTICES

Several best practices include these:

Adopt a comprehensive information security and privacy policy.

Store sensitive personal data in secure HRIS, and provide appropriate encryption.

Dispose of documents properly or restore persistent storage equipment.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

23

EFFECTIVE INFORMATION SECURITY PRACTICES

Build document destruction capabilities into the office infrastructure.

Implement and continuously update technical (firewalls, antivirus, antispyware, etc.) and nontechnical (security education, training, and awareness) measures.

Conduct privacy “walk-throughs,” and make spot checks on proper information handling.

Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.

24