Considerations for HRMS Archiving
By George Florentine, VP of Technology
Given the nature of Human Resource Management (HRM) systems and the amount of personally identifiable information (PII) data contained in these systems, it’s not a surprise that HRMS data security is an essential consideration in their use. To that end, most organizations will have a formal security policy with a purpose like this:
Ensure that company employees and contractors understand their responsibilities and are suitable for the roles for which they are considered, ensure that company employees and contracts are aware of and fulfil their information security responsibilities, and protect other company interests as part of the process of changing or terminating employment.
Furthermore, enforcement and compliance of this policy is usually mandatory as described in this example from a customer’s security policy we helped develop:
Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security Officer. All COMPANY units (Deanship, Department, College, Section and Center) shall ensure continuous compliance monitoring within their area. In case of ignoring or infringing the information security directives, COMPANY’s environment could be harmed (e.g., loss of trust and reputation, operational disruptions, or legal violations), and the fallible persons will be made responsible resulting in disciplinary or corrective actions (e.g., dismissal) and could face legal investigations. A correct and fair treatment of employees who are under suspicion of violating security directives (e.g., disciplinary action) has to be ensured. For the treatment of policy violations, Management and Human Resources Department have to be informed and deal with the handling of policy violations.
These are standard HRMS data security considerations that all HRM professionals will be comfortable implementing. But what happens when you acquire responsibility for a legacy HRM system through an M&A event? Or your IT and business partners decide to migrate to a new HRM system and not all historical data is migrated to the new system? These types of business events (M&A, technology upgrades) do not excuse the HR department from following HRM security policies and protocols. These same business rules apply to legacy data and a quick scan of a site like DataBreaches.net will show examples where a company’s failure to protect HRM PII data resulted in very serious financial consequences.
Recogizing that HR security policies must be applied to legacy data as well as operational content, we’ve adopted these architectural and process guidelines that have proven effective in meeting the HRMS data security policy requirements of our customers.
Explicit Awareness of Security Policies and Employee/Vendor Training
In many organizations, legacy data archiving and application decommissioning is undertaken as part of an enterprise wide, application rationalization and upgrade initiative. The same team might archive a legacy CAD/CAM engineering system one month, a legacy system for managing physical assets another month and an HR system acquired through an M&A another month. These initiatives may also include the use of 3rd party vendors that specialize in data migrations. It’s important that all these employees and contractors receive training on HR data security considerations and that this training delivery is documented.
In our experience most data breaches can be tied back to lack of training, which results in an employee or vendor engaging in high-risk behaviors that result in the disclosure of PII data.
Our group was brought into an organization after this breach occurred, which factored into our security policy of keeping all our customer’s PII data off of our consulting laptops at all times.
Encryption of Data in Flight and at Rest
Archiving by its very nature involves the movement of data – potentially large amounts of data that will be stored in temporary locations and may cross organizational and managed service providers. This transient data movement may result in vulnerabilities being exposed and exploited – incorrectly configured virtualization environments, default access paths being exposed in new cloud provisioned systems, etc. Part of mitigating these risks is to develop a strong set of devops capabilities, and we also encourage all our customers to encrypt data both in flight and at rest. This reduces the chance that a data breach would result in material harm to the company by making it difficult to decrypt and use PII data even if it is removed/copied from a customer’s environment.
Centralized Authentication and Authorization
One of the advantages of archiving data from a legacy HRM system is that you may have the opportunity to improve the authentication and authorization models and technologies used. For example, the Flatirons Digital Hub product line uses centralized SSO/LDAP based authentication protocols and OAUTH/OAUTH2 for authorization. The software industry has spent years developing these standards, and there is a wealth of tools available to use these protocols safely and effectively.
Defense in Depth
Almost all companies today have firewalls surrounding their software and hardware assets, whether these assets are on premise or cloud based. Assuming that your corporate firewall(s) provide sufficient protection for PII data is generally considered a poor practice and doing so could expose you to legal action in the event of a data breach.
In areas where you have sensitive data such as HRM systems that contain PII data, you should introduce additional security measures. This ensures that a breach of your firewall doesn’t expose your PII to attackers.
Here’s a real-world example – a customer of ours had a firewall breach because a system admin inadvertently got caught up in a phishing scheme and his credentials to the corporate firewall were stolen. In our cyberforensics after action project, we noticed malicious activity in the corporation’s network DMZ but because the HRM systems had additional authorization protocols around access, no PII data was stolen. Flatirons Digital Hub adopts this defense-in-depth strategy by using microservices that leverage OAUTH2 protocols, which provides fine grained protection for PII data.
Conclusions
Data security applies to information on production systems as well as business-complete information sitting in legacy systems. Organizations should consider archiving legacy HRM and other data and extending security protocols to both their archiving systems and training employees who manage them to strengthen their HRMS data security capabilities. Our experience in developing and managing both operational content and archiving systems has led to the development of the Flatirons Digital Hub product line, which provides many of the capabilities described in this article.