The relation between IM, Information Security and HRM - Essay Example

?The Relation between IM, Information Security and HRM Information is a very valuable resource in every organization and must be safeguarded from attacks from within and outside the organization. Secure management of information becomes crucially important in information intensive organizations and departments such as Human Resource. Information Security like any other field has seen a number of developments in the last few decades due to changes in the security environment. In this paper, we discuss the current issues and trends in Information security and ways to effectively counter the increased risk in the information security environment. Some of the trends that have had an influence on the environment and can easily be identified are best practices, certification and the measurement of information security. Factors such as new technology and security risks have increased the need for information security for all organizations and both the human resource and information security departments have certain commonalities as both share the common goal of – security of the organization and its customers and staff. Given that an increasing number of organizations are plagued by cases of identity theft, data loss/corruption thefts which lead to misuse of data, information, employee information, salaries and benefits, it’s critical that the HR and information security departments collaborate to protect the interest of stakeholders. It is in the nature of the Human Resource department to deal with confidential information on an everyday basis; the information department plays a key role in not carrying out security measures but carrying out non-threatening internal audits of security best practices, organize training programs to raise awareness about data security concerns and improve the entire security culture in the organization. This paper discusses the use of such methods and how they had been assisting organizations in keeping information secure and what is the potential for their increased effectiveness. Another one of the methods holding great significance discussed in this paper is Certification, the stakeholders of the company tend to place their trust in companies which are certified in information security by public entities, thereby making Certification another important tool in the Information security. Software assurance is another aspect of information security. Software vulnerabilities can jeopardize intellectual property, consumer trust, business operations and services, thus the use of any software by the organization has to be in conjunction with the information security department, and these among others are some of the key roles information security plays in the safeguard of information in the Human resource departments. The paper also emphasizes the involvement of the top management in making information security an important part of the organization culture, need to establish a clear and effective information security policy and guidelines for employees. The absence of information security measures not only lead to theft, but the organization could suffer damage with minimal legal redress against the individuals concerned. In the end the paper discusses the need for an accurate measurement system and a continuous improvement policy to ensure the organization is abreast with the dynamic nature of the issue and is prepared to meet newer security concerns. Introduction Information management is a very vast concept; it includes a cycle of processes that supports firm’s learning activity by identifying, organizing, storing, processing and acquiring information (Choo, 1995). Information is one the most fundamental resources of an organization, one that needs to be managed like any other resource, like plant, equipment or people.  Forward-looking companies consider information as a strategic asset that can be leveraged into a competitive advantage in the markets served by the company (Karim & Hussein, 2008). Information, being such an important resource in an organization, needs to be safeguarded from attacks, both from within and outside the organization. Information security becomes crucial in information sensitive organizations and departments such as human resource. Organizations employ various methods to safeguard information; this paper discusses the use of such methods and how they had been assisting organizations in keeping information secure and what is the potential for their increased effectiveness. This paper will also discuss the role of Information management and security in human resource management. Information Management perspective on Information Security If you look from a management’s perspective securing information does not result in the generation of income, protecting information resources has no direct return on investment. The value of a firm’s investment in information security can be measured by examining the stock market investor’s behaviours towards firms IT security investment announcements. In examining the current business environment and the risks associated with it, it is important to include the role of Internet. The internet is one of the most critical infrastructures of a modern business. Firms have to take into account the broader picture when it comes to information security. Management of information in an effective manner is the only way to secure information. Board involvement is an absolutely critical issue and the top management should always play an active role in the formulation of the information security policy. Most of the times, the board members are not up to speed with the technology systems being used in the organization and what kind of attacks the company is vulnerable to. The board needs to be updated on the information security systems at least on a quarterly basis so that adequate measures can be taken to upgrade the systems, with the fast changing technologies; it has become imperative to remain in constant touch with the risks that the changing technological environment possesses (Neikerk & Solms, 2010). Comprehensive information security policies are well written, responsibilities are assigned and roles well outlined. Human resource department is responsible for managing human capital of an organization. The human resource department also holds sensitive information about employees as they are responsible for hiring and recruitment of employees, and have the resume of employees. It is really essential that the department focusses on electronic as well as non-electronic aspects of information security. Non electronic aspect of information security is the one that many organizations do not consider. An example would be of records management firm that lost personal information of 600,000 US based employees (Caterinicchia, D, 2005). In the wake of such cases it is important to have a customer information sharing questionnaire, which can help assist the organization place a weight on the risk of particular information and assign responsibility in securing such information accordingly. Certain banks assign risk ranks to particular information, in terms of the volume and nature of information it contains. It is important to identify who has access to such information and by what means. Identify threats such as hacking, viruses, data corruption and business interruption that could threaten the security, accessibility or integrity of system information. The risk of threats should also be rated as either “high”, “moderate”, or “low”. In the end the information security policy should identify all kinds of steps taken whether administrative, physical or technical in order to reduce the likelihood of threat occurrence and potential exposure. Hulme (2008) states that secure information security tools are available for all organizations to use, but the information security risks are no different than the risks organizations face securing their physical networks every day. Success in securely introducing these basic practices is only half the battle; security success has always included the right mix of smart people, good implementation and good technologies. Most Human resource departments are facing increased risk of attack from organized crime and other malicious attackers, the only question that arises in such a case is the choice of the right information security system for the organization. Additionally, administrators have no way of comparing the effectiveness of a security system, the only way they come to know is when the system is under attack or has already been hacked(Harrison & White, 2010). The factors can positively contribute towards keeping the information secure in a department are restrictive access and information security software. The factors between the IM and information security / IT divisions of an organisation One of the key factors that lead to secure information management in an organization are the people or employees of the organization, thus it becomes imperative that a culture of information security is fostered in the organization, this can be achieved through several mechanisms, one of them being training of employees. In recent years, information security has received much attention from various business areas, companies and governments (Eminagaoglu et al. 2009).Much of this increased attention can be attributed to the number of security breaches leading to major losses being suffered by these organizations. All organizations also had elaborate security measures in places, but in most cases they were not properly implemented or not properly understood by the employees. Most managers and security experts now understand the importance behind training employees and now consider the employees to be the critical line of defences. The “human factor” has become increasingly important and information security training, awareness and education have become a must for all employees. Every employee in the organization must contribute to, comply to and exercise control over information security rules in order to achieve a successful level of information security. In order for the employees to contribute in such a way, they need to be provided with proper education and training on a regular basis. The human involvement must also be carried out in a systematic manner. Firstly, a detailed plan must be laid out for the training of all the employees, then a comprehensive audit of all the security procedures need to be implemented in order to ensure adherence of the rules. It has been realized that Information security is not just a technological problem, there has been much written about the human touch in information security. Another important aspect to note is the perception of people about information security, it is the perception of a threat for It users makes them respond accordingly. For a common user of internet, information security may mean being able to work on the computer without being attacked by viruses, and being able to do business online without worrying about his credit card numbers being stolen. Different individuals have different perceptions of information security. Overestimates of risk can prevent use of the application completely whereas; under estimation of the risk can lead to people indulging in insecure practices. Education and training is one of the most effective and powerful mechanisms for minimizing information security risks (Eminagaoglu et al. 2009). Access control or restrictive access has been associated with a secure environment, organizations or departments with a greater control over access have had fewer security incidents than departments which provide a more liberal access to all employees. The employees with a greater access to information were reported to have had a larger number of security incidents than employees who were given access for only job related activities, thus there exists a direct correlation between the amount of access granted and the number of security concerns. Simple procedures such as leaving computers on and unexpected shutting down of computers can lead to loss of information. The next aspect of technology use also has a direct correlation with the number of security incidents as the number of people using a technology tool or having experienced a security incident are less likely to be affected by it again. On the other hand, people who have not experienced a security failure are less likely to use the technology tools and are more prone to incidents of security failure. (Ryan, J, 2004). A number of best practices frameworks are also available for departments to assess their security risks. Of the various frameworks available one of the most comprehensive approach is based on the implementation of international information management security standard (Saint- Germaine, 2005). It has been increasingly clear that compliance frameworks are one of the most important standards as they cover a wide gamut of risks, a number of organizations are opting for certifications from third party organizations. Certification enables an organization to meet the increasing demands from financial institutions to meet security audit requirements, the stakeholders of the company tend to place their trust in companies which are certified in information security by public entities, thereby making Certification another important tool in the Information security. The goal of information security is not only to keep the information secure but also ensure business continuity; a department such as human resource has an extensive client base and they would want the security that their information is in a secure place and that they have taken all necessary measures and controls that will minimums these risks. Proper security results in minimizing business damage. In sum, a certification standard allows a department or organization to manage information security as a business risk and not merely as an approach which focuses on technical aspects or computer infrastructure. Some of the most common security domains in a certification standard are asset classification and control, communications and operations management, access control and compliance. All these can be attributed to safeguarding information in an organization. The current state of information security in most departments can be said to be sketchy at the best. Some employees refrain from using even basic spyware or anti-virus software. Advertisements, cultural influence, availability or ease of use may be some of the determinants in this case. With increased education regarding all information security issues and the ease of availability, the penetration of more effective information security policies in even the smallest of businesses is more likely. The Relation between IM, Information Security and their role in HRM The Human Resource department has to deal with confidential information on an everyday basis and the information technology department plays a key role in protecting and safeguarding all sources of information in an organization. Inter departmental communication and cooperation plays a key role in not only carrying out security measures but also carrying out non-threatening internal audits of security best practices, organizing training programs to raise awareness about data security concerns and improve the entire security culture in the organization. It has generally been recognized that information has overtaken capital and labor as the most important asset in an organization, and the organization that values its information assets is the one that will survive in the global information environment (Olalla & Castillo.2003). Information transfer and processing is a major hazard in today’s organization and organization’s resources are being wasted, much of it being attributed to irrelevant and inaccurate information. Information management begins with the process of information identification, maintenance of information and later security of information. Information security is all but a small part of information management (Corbitt, 2003). Employees routinely give the HR department their whole life history in terms of a bio data, their personal contact; the employees expect the HR department to keep the information safe. Someone from the HR department should lead the process of information security that is familiar with the processes and the nature of the sensitive information. The next phase begins by understanding the data flow and that involve personal employee information. Information security needs to be practiced right from the collection of personal information, right through to disposal. The person responsible for the job for securing in house information in the HR department should also be aware of the legal obligations and redress that a company might have to face if the information is misused, stolen or corrupted. Proper classification of employee information is also paramount while processing, storing, electronic collection, management and ultimately destruction of the information. The life cycle of employee information in an HR department can be divided into three stages- namely data input, storage and disposal. Data Input – The HR department can have information for a very large client base so it is important that immediately after the collection of the information, it is classified appropriately according to confidential and non-confidential information so that when the time comes it can be disposed of properly (Caterinicchia, D, 2005). Storage of Data: Access Issues – In order to limit access to data, it is important to decide who gets access to information in the HR department like temporary employees and employees who are not part of the HR team should not be given access to confidential information (Caterinicchia, D, 2005). Employees who are granted access to the data should also be screened by the HR department. Restricting access through electronic means is also a major part of the information security policy. All data must be safeguarded using firewalls, intrusion detection software and limiting who has the authority to assign passwords (Caterinicchia, D, 2005). Storing of Data – Technological issues - To keep confidential electronic data from prying eyes, businesses should encrypt as much of this data as possible. Encryption translates the data into a secret code that can be unlocked only by using a key or password and to protect information from being by outside users or through the internet; companies should software which helps in Outbound Content Control (Caterinicchia, D, 2005). It is always recommended to keep the data secure in multiple ways rather than to rely on one option working perfectly. Software vulnerabilities can jeopardize intellectual property, consumer trust, business operations and services, thus the use of any software by the organization has to be in conjunction with the information security department, and these among others are some of the key roles information security plays in the safeguard of information in the Human resource departments (Caterinicchia, D, 2005). Data Disposal – HR department are required to keep employee records for a certain number of years for audit purposes, when electronic data and paper are waiting to be destroyed they should be placed in a secure area. Disposing of digital data is never a foolproof job, but certain measures such as wiping the disk clean can prevent anyone from recovering deleted data (Caterinicchia, D, 2005). Threats to information not only deal with information theft but can also lead to identity theft, where individuals are millions of dollars’ worth of merchandise using someone else’s personal information. Information threat is a very real concept these days and it is important for everyone to be vigilant in providing information whether it is to the human resource department of a major firm or to a government agency (Caterinicchia, D, 2005). Information intensive organizations and departments are the ones that need to face the challenge and figure out means which are beneficial in terms of cost to the organization and satisfaction in the case of the stakeholders. Given that an increasing number of organizations are plagued by cases of identity theft, data loss/corruption thefts which lead to misuse of data, information, employee information, salaries and benefits, it’s critical that the HR and information security departments collaborate to protect the interest of stakeholders. (Caterinicchia, D, 2005). Conclusion Information security continues to play an integral role in today’s global information environment and the success of an organization will soon depend on the value and significance it places on its information assets and the safeguard of such assets. Information technology has seen immense technological advancements in the past few years itself, but in the changing technological an organization can never be fully confident of the security of its knowledge base; the main reason being that the risks associated with the business environment have also increased manifold. Despite all organizations having formal processes in place, a staggering percentage of them admit to having processes which are far from fully competent. Despite the economy showing signs of improving, the market is still unstable and the risk of having a security breach remains a threat for many organizations. The biggest threat for all information lies not in threat from spyware of malicious attackers, the biggest threat comes from complacent and unaware employees. One single hard drive unprotected or one vulnerable computer in the network can lead to loss of information from a whole network and lead to information losses all throughout the company. To conclude, we can say that information security is paramount and organizations should take all steps possible to preserve their information assets, but all of the efforts will be in vain if the employees using the information are not adequately trained to keep the information secure. References Caterinicchia, D. (2005). Safeguarding HR Information. HR Magazine, 50(11): 54-59. Retrieved from http://web.ebscohost.com.ezp01.library.qut.edu.au/ehost/pdfviewer/pdfviewer?sid=23ff05a7-b5b6-4f77-9de1-03153ef86d3d%40sessionmgr15&vid=2&hid=12 Choo, C. W. (1995). Information Management for the Intelligent Organization: Roles and Implications for the Information Professions. Paper presented at the 1995 Digital Libraries Conference, Singapore. Retrieved from http://choo.fis.utoronto.ca/fis/respub/dlc95.html Corbitt, T. (2003). Information management. Management Services, 47(3): 20-20-21. Retrieved from http://search.proquest.com/docview/234299263?accountid=13380 Eminagaoglu, M. Ucar, E & Eren, S. (2009). The positive outcomes of information security awareness training in companies – A case study. Information Security Technical Report, 14(4). Retrieved from http://www.sciencedirect.com.ezp01.library.qut.edu.au/science/article/pii/S1363412710000099 Harrison, K. & White, G. (2010). An Empirical Study on the Effectiveness of Common Security Measures. 2010 43rd Hawaii International Conference on System Sciences: 1-7. Retrieved from http://doi.ieeecomputersociety.org/10.1109/HICSS.2010.51 Hulme, G. V. (2008). The right security tools. InformationWeek. 1186: 55-55. Retrieved from http://search.proquest.com/docview/229176945?accountid=13380 Karim, N.S.A. & Hussein, R. (2008). Managers’ perception of information management and the role of information and knowledge managers: The Malaysian perspectives. International Journal of Information Management, 28 (2):114–127. Retrieved from doi:10.1016/j.ijinfomgt.2007.08.003 Niekerk, J, F. & Solas, V, R. (2010). Information security culture: A management perspective. Computer & Security, 29(4): 476-486. Retrieved from 10.1016/j.cose.2009.10.005 Olalla, M., & Castillo, M. (2002). Human Resources Audit. International Advances in Economic Research, 8(1): 58. Retrieved from http://web.ebscohost.com.ezp01.library.qut.edu.au/ehost/pdfviewer/pdfviewer?sid=931f5fca-7be8-45c7-85fc-2b6e5f7c0369%40sessionmgr14&vid=2&hid=12 Ryan, J. J. C. H. (2004). Information security tools and practices: what works? IEEE transactions on computers, 53(8): 1060-1063.Retrieved from doi: 10.1109/TC.2004.45 Saint-Germain, R. (2005). Information Security Management Best Practice Based on ISO/IEC 17799. Information Management Journal, 39(4): 60-66. Retrieved from http://web.ebscohost.com.ezp01.library.qut.edu.au/ehost/pdfviewer/pdfviewer?sid=9c0a3e61-cee3-42d8-9245-a15966e9c003%40sessionmgr4&vid=2&hid=12 Read More