Information Security and HR – How should HR play a role in Information Security?
HR has a very important role to play when it comes to information security. Contrary to common believe responsibility for information security does not rest solely with IT. Of course, IT often has a very important role to play making sure that technical controls are designed and implemented. Likewise, HR has a pivotal role to play ensuring policies are based on values of transparency, privacy and security.
Often when things go wrong in Information Security it is because of the human element of the equation. One of the recent interesting cases are for example the supermarket Morrisons breach. According to People Management Magazine Online:
Employers may be liable for confidential data leaks caused by current or former employees, after the High Court found retailer Morrisons vicariously liable for the actions of a worker who exposed 100,000 colleagues’ personal information to the public. The supermarket had denied liability for the actions of Andrew Skelton, a senior internal auditor at its Bradford headquarters, who stole information including the salaries, birth dates and bank details of vast swathes of its workforce in 2014. He then leaked the information via data sharing websites and shared it with several newspapers.
Of course, I am not saying that HR would be able to completely prevent such a breach, but HR can help by ensuring;
- Strong screening controls are in place,
- That staff only have access to data and systems that they need to have access to
- That comprehensive employee contracts that includes information security are drawn up,
- That Information Security is imbedded into induction and awareness training,
- That competencies of staff with key information security roles are determined
- That development plans are implemented so competencies are continuously improved.
HR, of course, would also play a part in when staff are leaving ensuring that staff leave in a good way with refreshed knowledge of their confidentiality commitments as well as ensuring all the relevant parties are notified about the leaver, so access rights would be removed immediately.
As custodians of employee data HR also have a role to play ensuring that information is stored securely and that GDPR requirements are upheld.
If the organisation is implementing ISO 27001 we also often find that if HR take an active part in the project the result is much better. For example should HR take place in the risk assessment process making sure that staff related risks are reviewed. HR should also review other risks and how they are mitigated. A very recent example was a client that are looking to design a secure network operations centre. Here the risk might dictate that this department should be completely separated (physically in an access restricted room) from the other part of the organisation, but what would that do for team work and culture? HR could in this case bring some other things to the table which had a good impact on the agreed risk mitigation.
In JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So, if you are considering ISO 27001 call us now (+44 (0)20 8798 9282) to discuss, how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid all the pitfalls.
For further information that might be of interest please also see:
- GDPR and ISO 27001
- GDPR and why encryption is important?
- What is ISO 27001, Information Security and why should you use it?
- Designing ISO 27001 for Business
- ISO 27001 Implementation Checklist
- What is ISO 27001 and why should a company adopt it?