TRANSCRIPT
© Dan Van Bogaert, J.D.
ROLE OF HRM WITH IT SECURITY RISKS
IN THE WORKPLACE
PURPOSE
Acquire understanding of broad variety of IT security risks that impact HRM
Attain competencies needed to train EEs regarding use of social media
Learn how to partner with IT professionals to identify vulnerabilities related to HRM computer technologies
Gain general understanding of basic IT terms & related legal issues.
START WITH VULNERABILITY ASSESSMENT
Identify the risks that relate to HR activities
Threats & problems vary depending upon size of organization & nature of operations
IT professionals may recommend assessments for key HR activities
VULNERABILITY ASSESSMENT
Once identified, HR professionals may prioritize vulnerabilities according to risk levels
Once prioritized, HR professionals need to develop action plans to eliminate, or at least mitigate, risks
KEY VULNERABLE HR ACTIVITIES
Using Social Media in the Workplace
Using Software for HR Functions
Maintaining Sensitive Info & Confidential Data
Using Computer Networks
Telecommuting or Working from Remote Locations
HRM BEST PRACTICES: USING SOCIAL MEDIA
Once vulnerabilities identified & prioritized, next step is to develop & implement:
● Social Media Use Policy
● Train EEs on cyber safety standards
● Establish standards of acceptable EE communications
USING SOCIAL MEDIA IN THE WORKPLACE
• “SOCIAL”: interaction of humans
• “MEDIA” : generally, a method of communication, like a newspaper or radio
• “SOCIAL MEDIA”: popularly refers to all electronic communication primarily intended for social purposes
EVOLUTION OF WORKPLACE COMMUNICATION
● Not long ago typewriters, carbon paper, mimeographs, microfiche, & rotary-dial telephones were the primary means of communication & record keeping
● By the 1970’s, however, computer systems started to take over as the main vehicle for data storage & communication
EVOLUTION of Social Media in the Workplace
Today’s era of mobile devices
HRM is able to perform variety of functions with social network sites
Increased exposure to computer related risks & threats
HRM USING SOCIAL MEDIA IN THE WORKPLACE
Common uses:
referral programs
recruitment campaigns
preliminary background investigations
sharing work-related info & documents
USING SOCIAL MEDIA IN THE WORKPLACE: PROBLEMS & THREATS
privacy violations
hacking, phishing & spear phishing
misuse of commercial surveillance
misplaced or stolen unsecured laptops & flash drives
online defamation
breaches of sensitive employer data
cyber-bullying
viruses, worms, malware attacks
copyright infringements
BRING YOUR OWN DEVICE
EEs like to use own mobile devices for work
Potential “win-win” for most ERs & EEs
Advantages: enhanced productivity, flexibility, reduced equipment costs
Disadvantages: ER lack of control, requires reimbursement of EE expense
BRING YOUR OWN DEVICE
Need to be vigilant protecting privacy rights & guarding against breaches of computer systems
Accessing (remotely or on-site) organization’s databases & communication sources from a mobile device adds to potential problems & threats
BYOD APPs
May be vulnerable to spyware & malware attacks, or other risky content susceptible to hackers due to lack of:
preinstalled security software
firewall to limit Internet & connections exposed to intrusion through an unsecured communications port
passwords & personal IDs to authenticate users & control access to stored data
encryption
POLICY DEVELOPMENT
POLICY MUST:
be sufficiently comprehensive to address vulnerabilities relating to use of social media via mobile devices
be clearly communicated to all persons covered, primarily in onboarding & training programs
have HRM share responsibility for implementation
require EEs to formally acknowledge receipt & understanding of policy (usually part of EE handbook)
comply with applicable state social media privacy statutes
SOCIAL MEDIA POLICY PROVISIONS
● Define scope, purpose, and terms, e.g. “social media”
● Define acceptable work-related & personal communications & etiquette
● Prohibit disclosure of trade secrets, confidential or proprietary info & posting of ER logos, trademarks, service marks
● Spell out discipline, i.e. what happens when policy violated
● Disclose restrictions on use of ER & EE equipment to post information related to ER or customers, or use during certain work hours
(Caution: restrictions may not constitute an unfair labor practice)
SOCIAL MEDIA POLICY PROVISIONS
● Provide reimbursements of related expenses when EE required to use mobile devices for work
● Define privacy expectation limits
● Describe security restrictions & procedures
● Spell out physical security safeguards
● Prohibit posting personal complaints, harassment, promotion of violence
SOCIAL MEDIA POLICY PROVISIONS
Remote access rules to address special vulnerabilities related to use during on-call flex-time periods, e.g. 4/10 programs, & other time off from work periods, e.g. mandated leave
Policy language should also be reviewed by legal counsel before it is implemented
(For numerous sample social media policies, visit: http://www.compliancebuilding.com/about/publications/social-media-policies/ )
IMPLEMENTATION OF SOCIAL MEDIA POLICY
Best practices for managing EEs’ use of mobile devices are thorough training programs & monitoring (within legal limits*) EEs’ use of social networking sites
Train EEs re cyber safety standards & procedures (collaborate with IT professionals re program content)
*California, Colorado, Connecticut, North Dakota & New York laws prohibit ERs from disciplining EEs based on off-duty activity on social networking sites, unless the activity is shown to damage the ER
IMPLEMENTING SOCIAL MEDIA USE POLICY
● Clearly communicate policy in training programs & onboarding
● Comply with applicable state social media privacy statutes
● HRM follow-up training to ensure proper use of social media by EEs
IMPLEMENTING SOCIAL MEDIA USE POLICY
● Install advanced mobile device “wiping” technology & other software for deleting sensitive data when devices are lost or stolen
● Limit approved mobile devices & software apps
● Use security products that scan devices for malicious apps before allowing them to be connected to organization’s networks
Standards for EE Communications
Organizations have a business purpose in protecting their reputation & the reputation of EEs by:
placing limits on communications, networking sites or photo sharing sites
keeping personal info off the Internet
Training EEs: Dos & Don’ts
DON’T:
● Ignore phishing scams
● Install location-tracking apps, unless necessary for ER-approved geographic tracking (GPS)
● Download attachments or software applications from unknown or unapproved sites
● Store ID & password on device, or have device “remember” such info, especially if it authorizes access to ER’s networks
Training EEs: Dos & Don’ts
DON’T:
● Reveal personal & private info (including passwords) to strangers, just-met “friends” or unauthorized 3rd parties
● Reply to spammers or sites offering “reward” in exchange for contact info
● Use insecure wireless networks
Training EEs: Dos & Don’ts
DOs:
● Regularly scan smartphones with up-to-date reliable antivirus products
● Use strong passwords to lock device & for logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites
● Regularly change password per ER standards
Training EEs: Dos & Don’ts
DOs:
● Regularly check browser address bar to ensure logging in through correct URL
● Download apps or allow automatic updates only from approved & trusted developers
● Access ER network only with approved & known device
OTHER TIPS: EE USE OF SOCIAL MEDIA
Adjust social network privacy settings to control access
Review network's privacy policy regarding posted personal info & info collected on EE visits:
Choose options to control use of info by sites & others with whom they share it
Change privacy settings to “private” so only approved users can view it
OTHER TIPS: EE USE OF SOCIAL MEDIA
block advertising cookies through Internet browser’s settings
only use “clean” work email address for known trusted individuals
be aware of monitoring of EEs’ work communications
use e-mail & file encryption software
Etiquette & Social Media
HRM implements policy by:
setting standards for Social Media etiquette
controlling EE use of devices in workplace
defining limits on EE expectation of privacy
8 Key Etiquette Rules on Use of Social Media
Expected EE behavior on mobile devices:
Be considerate: avoid interrupting face-to-face conversations
Take regular timeouts from use
Avoid anonymous retaliation
Limit indiscriminate photo taking (continued on next slide)
8 Key Etiquette Rules on Use of Social Media
continued:
Check proper text grammar & spelling
Exercise personal safety; do not text while driving
Limit use of e-mails
Avoid “oversharing” (“TMI”) & discourage gossip in workplace
Best Practices Mobile Device Software Apps
• Guard against unsuspected malware or virus by ER preapproval of EE devices & app downloads
• Use iOS Activation Lock to remotely erase contents or disable lost or stolen devices; PIN required to unlock
• Use only reputable app stores
• Use EE mobile “Digital Wallet” app for secure storage of personal info
HR SOFTWARE
Problems & Threats Solutions
Software for HR Functions: Best Practices
Best practices needed due to vulnerability to IT security risks (problems & threats)
USING SOFTWARE FOR 7 KEY HR FUNCTIONS
First, partner with IT pros for assistance in developing a timeline for implementation & reviewing potential vendors*
HRIS projects, e.g. enrollment, record keeping, & self-service for EE benefits, payroll & attendance
Applicant tracking & e-signature (e.g. “BambooHR account”)
E-learning, including online training & courses
*[http://www.erp.asia/hr-implementation.asp; http://www.tmcnet.com/voip/0409/ten-steps-to-successful-software-implementation.htm ]
USING SOFTWARE FOR HR FUNCTIONS
EE communications
E-recruitment methods, including display of career opportunities on web sites & use of social networking sites
Performance evaluation
Succession planning
Software for HR Functions: Best Practices
● Study software choices*
● Install anti-virus software
● Keep abreast of social media rulings by the NLRB
● Monitor EE communications
● EE communications, e.g. “anti-hacker alerts” & security tips, such as not emailing company usernames & passwords
[*Comprehensive vendor list at: http://www.capterra.com/sem/human-resource-software?utm_source=bing&utm_medium=cpc ]
Software for HR Functions: Best Practices
● Confirm high functionality, i.e. performs core HR functions as required by statute / regulatory authorities
● Adopt EE self service (ESS) / manager self service (MSS)
● Prohibit EEs copying or loading performance evaluations that are available from software programs onto personal devices
DATABASE MAINTENANCE
Problems & Threats Solutions
MAINTAINING SENSITIVE INFO & CONFIDENTIAL DATA
PROBLEMS & THREATS
• “Sensitive” = not legally protected, but should not be made public, e.g. info typically maintained by HRM relating to EE records, such as dates of hire, pay, & employee benefits
• “Confidential” = legal obligation not to disclose, e.g. EE SS# or medical history
Maintaining Sensitive Info & Confidential Data
HRM BEST PRACTICES: HRM’s duty: raise EE awareness of how their use of computer technologies may compromise workplace security
Secure all employee data
Restrict access to sensitive data to EEs with need to know
Properly dispose of sensitive data
Use password protection
Control physical access to business computers
Maintaining Sensitive Info & Confidential Data
BEST PRACTICES, continued…
Encrypt data
Protect against viruses & malicious code (“malware”); install anti-virus & anti-spyware software
Keep software & operating systems up to date
Secure networks with firewalls to prevent outsiders from accessing network data
Restrict remote access to authorized EEs using properly configured Virtual Private Network (VPN) http://www.virtualprivate-network.com/
Train EEs
COMPUTER NETWORKS
Threats & Problems Solutions
USING COMPUTER NETWORKS BY HRM
PROBLEMS & THREATS
1. Viruses, Worms, Trojan Horses
2. SPAM
3. Phishing
4. Packet Sniffers
5. Maliciously Coded Websites
6. Password Attacks
7. Hardware Loss & Residual Data Fragments
8. Shared Computer Vulnerability
9. Zombie Computers & Botnets
Using Computer Networks: Best Practice Tips
1. Keep personal Web browsing at home
2. Keep confidential data confidential
3. Use secure connections
4. EEs to speak up if something is wrong with mobile device or PC
5. Make sure EEs know the security policy; then enforce it
6. Lock your computer screen
7. Use passwords
TELECOMMUTING & WORKING IN REMOTE LOCATIONS
Threats & Problems Solutions
TELECOMMUTING & WORKING FROM REMOTE LOCATIONS
THREATS & PROBLEMS:
● Attacks from hackers & identity theft
● Phishing & spear phishing
● Privacy violations, online defamation & cyber-bullying
● Unrestricted “cookie tracking” & misuse of spy software
● SPAM
● Virus, worms & malware attacks
Telecommuting & Working from Remote Locations
Provide remote workers with online policy manual, including:
procedures for termination, i.e. immediate suspension of access to technology & accounts & return of access cards & ER-owned electronic equipment
procedures for checking in (or clocking in to online time tracker if paid hourly)
Provide telecommuters with secure ER email address & separate IP addresses
TELECOMMUTING & WORKING FROM REMOTE LOCATIONS
Train telecommuters how to manage data & systems:
Use strong passwords; authenticate with token & password or PIN
Require approved computer equipment, i.e. port protection devices & VPN client software
Monitor files from ER’s LAN
Use “SOHO” Router
LEGAL ISSUES: STATUTES & COURT CASES
SELECTED LEGAL ISSUES
• Potential problems when HRM uses social media for recruitment and hiring: when looking at candidates’ social media profiles, HR professionals may learn information they should not have when screening candidates
• Negligent hiring claims: online “friending” between managers & EEs may increase the chance, should a working relationship turn sour, of added claims in any subsequent employment litigation
STATUTES & COURT CASES
17 key federal/CA statutes directly related to IT Security
22 federal/CA court cases
Q. & A.
CONCLUSION
© Dan Van Bogaert, J.D. Permission granted December 15, 2014 SAHRA Webinar.
*Dan Van Bogaert, J.D. is an adjunct professor who regularly teaches for UCLA Extension HRM Certificate Programs and has also taught graduate and undergraduate courses at Brandman University, and Loyola Marymount University/LA. He can be reached at [email protected]
Copies of the comprehensive 50 page best practices guide, Role of HRM with IT Security Risks in the Workplace, are available in March, 2015
THANK YOU FOR YOUR PARTICIPATION
This Webinar presentation, including the foregoing Power Point slides, is intended only for general information purposes; It is not intended for legal advice nor as legal opinion. You should consult your own counsel for any legal advice in this area.