CHAPTER 15

WHAT ARE SOME OF THE BEST PRACTICES TO MANAGE INFORMATION SECURITY AND PRIVACY IN
TERMS OF PROCEDURAL, TECHNICAL, AND PHYSICAL CONTROLS?

Managing information security and privacy requires a comprehensive approach that includes
procedural, technical, and physical controls. Here are some best practices for each category:

Procedural Controls:

• Develop and Enforce Policies: Establish clear and comprehensive information security and privacy policies that outline the rules, responsibilities, and guidelines for protecting sensitive information.
• Employee Training and Awareness: Provide regular training sessions to employees to educate them about information security best practices, such as password hygiene, phishing awareness, and data handling procedures.
• Access Control: Implement strong user access controls, including the principle of least privilege, to ensure that employees have access only to the information necessary for their job roles.

Technical Controls:

• Strong Authentication: Implement robust authentication mechanisms such as multi-factor authentication (MFA) to prevent unauthorized access to systems and data.
• Encryption: Use encryption to protect sensitive information both at rest and in transit. This includes encrypting data stored on servers, laptops, and portable devices, as well as encrypting communication channels.
• Firewalls and Intrusion Detection Systems (IDS): Deploy firewalls and IDS to monitor and control network traffic, detect and block unauthorized access attempts, and identify potential security incidents.
• Data Backup and Disaster Recovery: Regularly back up critical data and develop a disaster recovery plan to ensure business continuity in the event of data loss or system failure.

Physical Controls:

• Secure Facilities: Implement physical security measures such as access control systems, video surveillance, and security guards to protect data centers, server rooms, and other critical areas.
• Equipment Protection: Physically secure computers, servers, and networking devices to prevent unauthorized access or theft. Consider using cable locks, secure cabinets, and surveillance cameras.
• Proper Disposal of Media: Establish procedures for securely disposing of physical media, such as hard drives, tapes, and printed documents, to prevent data leakage.
• Environmental Controls: Implement measures to protect equipment from environmental hazards such as fire, water damage, and power outages, including fire suppression systems and uninterruptible power supply (UPS) units.

Types of Threats

• Misuse of computer systems: One of the predominant internal security threats is employees' unauthorized access to or use of information, particularly when it is confidential and sensitive.
• Extortion: The perpetrator tries to obtain monetary benefits or other goods by threatening to take actions that would be against the victim's interest.
• Theft: The value of information can be much higher than the price of the hardware and software that hold it. With contemporary advances in technology, a relatively small device (e.g., a USB drive) can easily store over 100 GB of data.
• Computer-based fraud: There is growing evidence that computer-based fraud is widespread. Over 90% of companies have been affected by computer-based fraud, such as data processing or data entry routines that are modified.
• Cyber-terrorism: Cyber-terrorism is the leveraging of an information system with the intent to intimidate or to cause physical, real-world harm or severe disruption of a system's infrastructure. Cyber-terrorists often send a threatening e-mail stating that they will release some confidential information, exploit a security leak, or launch an attack that could harm a company's systems or networks.
• Cyber-espionage: As more and more information becomes available via networked technologies, cyber-espionage has emerged as a legitimate threat to corporate networks. It entails the use of dangerous and offensive intelligence measures in the cyber realm.
• Phishing: Victims usually receive e-mail messages that appear to come from an authentic source with which the victim does business. The official appearance of the message and the website often fool victims into giving out confidential information. According to Gartner, the estimated annual cost of phishing is around $2 billion (Moore & Clayton, 2007).

WHY ARE INFORMATION SECURITY AND PRIVACY IMPORTANT CONSIDERATIONS IN THE DESIGN,
DEVELOPMENT, AND MAINTENANCE OF AN HRIS?

Information security and privacy are crucial considerations in the design, development, and maintenance of a Human Resources Information System (HRIS) for several reasons:

• Protection of Employee Data: HRIS systems typically store and process sensitive employee data, including personally identifiable information (PII), financial information, and confidential HR records. Ensuring the security and privacy of this data is essential to protect employees' personal information from unauthorized access, identity theft, or misuse.
• Legal and Regulatory Compliance: Many countries have strict data protection laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. Organizations that fail to comply with these regulations may face severe penalties and legal consequences. Incorporating robust security and privacy measures into the HRIS helps organizations meet their legal obligations.
• Safeguarding HR Operations: HRIS systems play a critical role in managing HR processes and functions, such as recruitment, onboarding, performance management, and payroll. Any compromise in the security or privacy of the HRIS can disrupt HR operations, compromise the accuracy and integrity of data, and impact employee trust and satisfaction.
• Mitigating Insider Threats: HRIS systems often contain sensitive employee information that is accessible to HR personnel and managers. Insider threats, whether intentional or unintentional, pose a significant risk. Implementing appropriate access controls, segregation of duties, and audit trails within the HRIS helps mitigate the risk of insider misuse or unauthorized access to sensitive data.
• Data Integrity and Availability: Ensuring the integrity and availability of HR data is vital for accurate reporting, decision-making, and operational continuity. Robust security controls, data backups, and disaster recovery plans within the HRIS help safeguard data against unauthorized modifications, accidental deletions, or system failures.
• Protection against External Threats: HRIS systems are potential targets for external cyber threats, including hacking, malware, and ransomware attacks. Implementing strong security measures, such as network firewalls, intrusion detection systems, encryption, and regular security updates, helps protect the HRIS from these threats.
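
The "Access Control" practice above (least privilege) and the "Mitigating Insider Threats" point (access controls, segregation of duties, audit trails) describe the same mechanism from two angles. The following Python program is an added illustration written for this chapter, not code from the textbook: it models a toy HRIS in which each role is granted only the permissions its job needs, a payroll change can never be approved by the person who requested it, and every authorization decision is written to an append-only audit trail whose entries are hash-chained so that a deleted or edited entry is detectable. The role names, users, and salary figures are constructed for the example.

```python
"""Least privilege, segregation of duties and a tamper-evident audit trail
for a toy HRIS. Added example; roles, users and records are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Role -> set of (resource, action) pairs. Each role holds only what its job
# needs (least privilege). Hypothetical role names chosen for this example.
PERMISSIONS = {
    "employee":    {("own_profile", "read"), ("own_profile", "update")},
    "recruiter":   {("candidate", "read"), ("candidate", "update")},
    "hr_admin":    {("employee_record", "read"), ("payroll_change", "request")},
    "payroll_mgr": {("payroll_change", "read"), ("payroll_change", "approve")},
}

GENESIS = "0" * 64  # "previous hash" of the first audit entry


class AuditTrail:
    """Append-only log. Each entry stores the hash of the previous entry, so
    editing or removing any entry breaks the chain and verify() reports it."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, resource, allowed, detail=""):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "resource": resource,
            "allowed": allowed, "detail": detail, "prev": prev_hash,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(entry)

    def verify(self):
        """Recompute the chain; True only if no entry was altered or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


class HRIS:
    def __init__(self):
        self.users = {}      # user -> set of roles
        self.pending = {}    # change id -> (requester, employee, new_salary)
        self.salaries = {}   # employee -> approved salary
        self.audit = AuditTrail()

    def add_user(self, name, *roles):
        self.users[name] = set(roles)

    def authorize(self, user, resource, action):
        """Least-privilege check: allowed only if some role of the user grants
        exactly this (resource, action). Every decision is audited."""
        perms = set()
        for role in self.users.get(user, ()):
            perms |= PERMISSIONS.get(role, set())
        allowed = (resource, action) in perms
        self.audit.record(user, action, resource, allowed)
        return allowed

    def request_payroll_change(self, user, change_id, employee, new_salary):
        if not self.authorize(user, "payroll_change", "request"):
            return False
        self.pending[change_id] = (user, employee, new_salary)
        return True

    def approve_payroll_change(self, user, change_id):
        if not self.authorize(user, "payroll_change", "approve"):
            return False
        if change_id not in self.pending:
            self.audit.record(user, "approve", "payroll_change", False, "unknown change id")
            return False
        requester, employee, new_salary = self.pending[change_id]
        # Segregation of duties: the requester may never approve their own
        # change, even if they hold both the requesting and approving roles.
        if requester == user:
            self.audit.record(user, "approve", "payroll_change", False, "SoD violation: self-approval")
            return False
        self.salaries[employee] = new_salary
        del self.pending[change_id]
        return True


def demo():
    """Constructed scenario: a valid request/approval pair, a denied approval
    from an unrelated role, a blocked self-approval, and detection of an
    after-the-fact edit to the audit trail."""
    hris = HRIS()
    hris.add_user("alice", "hr_admin")
    hris.add_user("bob", "payroll_mgr")
    hris.add_user("carol", "recruiter")
    hris.add_user("dave", "hr_admin", "payroll_mgr")   # over-privileged user
    results = {
        "request_by_admin": hris.request_payroll_change("alice", "chg-1", "emp-42", 70000),
        "approve_by_recruiter": hris.approve_payroll_change("carol", "chg-1"),
        "approve_by_payroll": hris.approve_payroll_change("bob", "chg-1"),
        "self_request": hris.request_payroll_change("dave", "chg-2", "emp-7", 99000),
        "self_approval": hris.approve_payroll_change("dave", "chg-2"),
        "chain_intact": hris.audit.verify(),
    }
    # Flip the recorded decision on carol's denied attempt; verify() catches it.
    hris.audit.entries[1]["allowed"] = True
    results["chain_after_tamper"] = hris.audit.verify()
    return results, hris


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(f"{name}: {value}")
```

The two defenses the chapter names work together here: least privilege keeps the recruiter out of payroll entirely, and segregation of duties stops a user who has accumulated both HR-admin and payroll-manager roles from pushing a change through alone. The hash chain is what turns the audit trail into evidence rather than just a log; in a real deployment the chain head would be anchored somewhere the HRIS administrators cannot write (a separate log server or a signed timestamp) so that a full rewrite of the trail is also detectable.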