Canadian Payroll Reporter

June 2014

Focuses on issues of importance to payroll professionals across Canada. It contains news, case studies, profiles and tracks payroll-related legislation to help employers comply with all the rules and regulations governing their organizations.

Issue link: http://read.uberflip.com/i/316524

Canadian HR Reporter, a Thomson Reuters business 2014 | News | June 2014 | CPR

Data security shouldn't just be an IT concern

Payroll and HR have a key role to play in protecting company data

BY ROLAND CLOUTIER

On April 8, the Canada Revenue Agency announced its systems were vulnerable to the Heartbleed bug and removed public access to its online services. This incident raised awareness of the issues surrounding security, risk and privacy that the use of technology can create in the workplace.

Payroll data can be at particular risk because it is sought after by nefarious individuals and groups. As the keepers of that data, it is important that payroll and HR professionals lead company-wide understanding of the importance of data security.

An integrated approach to data security includes not only the IT department, but also payroll, HR and operations. Both the organization and the individual employee must take responsibility to help ensure that the company's and employees' confidential information remains secure.

All companies, no matter what size, should have a data security plan in place that includes the details of: the organization's responsibilities, the employee's responsibilities and what to do if a data compromise occurs.

The organization

Company-wide security systems are the first line of defense. Companies can follow the steps below to help implement a more secure data environment.

Develop and implement a server plan. Include dedicated practices that ensure computers are patched and managed with the latest anti-malware software. According to Verizon's 2014 Data Breach Investigations Report, servers have typically been the top target for a compromise, as attackers know that is where the data is stored.

Institute basic network security. Ensure basic network security or perimeter protection, such as firewalls, is up and running. A firewall provides a critical line of defense by limiting access to specific types of Internet traffic going to and from authorized addresses.

Review, review, review. Have a dedicated team that regularly examines the usage logs to ensure that the right people are accessing the right information. The sooner you know if a compromise occurred, the better.

Create an incident response plan. Your company should have a well-defined and proactive incident response plan with clearly documented procedures for effectively handling significant events such as unauthorized access, disclosure of data, denial of service or illegal probes. The plan should include escalation procedures, the identification of the members of the incident handling team and a communication plan based upon the security incident.

If you use a third-party provider for your human capital management systems, its processes must also be part of your organizational planning. When choosing a service provider or re-negotiating your contract, ensure that data protection is built into the system, the data centre is properly protected and the provider has a contingency plan if a compromise occurs. Ask for references and complete your due diligence.

Hold your outsourcing partner to high standards. A 2013 Ponemon Institute study sponsored by Experian identified significant gaps between the more stringent in-house data security practices to which corporations hold themselves and those to which they hold their various vendors.

Know your provider's protocols. Run through data security protocols with the provider so you have a full understanding of what is expected of each organization. Insist the provider notify you if a compromise of data occurs on its end. Early notification can help you communicate effectively to employees and clients.

Insist on best practices standardization. Confirm the provider adheres to best practices in security protection through recognized and established standards. Know who you are doing business with, and ask the provider how it will protect data.

A benefit of using a third-party provider is that, with the continuous changes in technology, an in-house security system may quickly go out of date. A third-party provider should be constantly improving its data security to be ready for the most malicious viruses and malware.

The employee

Every individual in your company must take ownership of data security. It is important to remind employees that it is not only the company's data, but also their own personal data — such as banking information — we are all working to protect. No one wants their bank account exposed. All employees should follow best practices such as:

Password management. All passwords should be complex and include a mixture of letters, numbers and symbols. Employees must change their passwords regularly and should avoid sharing them with others.

Be wary of unsolicited links. Employees should not open links to websites they receive from someone they do not know, or if the link looks unusual.

Report any issues. If a virus or malware is detected, stop using the computer and contact the IT department immediately.

The best firewall is the "human firewall." Through safe employee data practices, your company can lower its risk.

A compromise in data occurred, now what do we do?

Stop and take a breath. You have prepared for this and have the steps in place. Pull out your incident response plan and execute each step. The goal is to contain and fix the issue. First, contact law enforcement, because a compromise in data is a criminal matter. Next, if the incident involved a compromise of credentials that can be used to access your third-party service provider, contact them so that they may take appropriate steps. You may also want to contact a firm specializing in data security.

You must then communicate with employees and provide them with all the details of the situation and the actions that are taking place to fix the problem. Provide employees with a detailed description of what is required of them to safeguard their computers and data.

If customer data is affected, execute the communications plan within your incident response plan and give clear details as to the actions customers must take. Once again, the goal is to contain and fix the issues as quickly and efficiently as possible.

Taking aggressive action to implement data security within your organization will assist in making your company less of a target. As a payroll professional, you must be part of the development of a plan and must also be a key player on the response team if an incident happens. Your in-depth knowledge of your company's systems can help early detection and assist with fixing an issue if one occurs. Your relationship with employees can also provide an opportunity to communicate effectively while executing the incident response plan. Data security must be a priority and you can take a lead role in helping your business be more secure.

Roland Cloutier is the chief security officer at ADP.
