Areas for a security assessment in your records and information management plan

Posted July 6, 2009 in HR Info Center

A highlight of some of the problem areas to think about when addressing security in your records and information management plan.

Collecting information over the Internet can be a major problem for your company’s records and information plan.
What types of information are you collecting? Are you collecting Social Security Numbers? And if so, are you doing that in compliance with the Social Security Number Laws? Are you requesting other types of information subject to Breach Notification Laws, such as credit card numbers, for instance? And if so, what steps are being taken to protect that data in transit and after it's on your network?

Employee access and your records and information plan.
Now, it's said, and it's true, that most data theft is actually committed or facilitated by employees. They're mostly inside jobs, not a hacker or some outside party we often think of. An important step in your records and information policy is to limit access to data on a need-to-know basis. Now, your materials contain an article that we wrote about employees being the most overlooked component of data security. It describes these concepts in more detail, and I don't have time to cover it today. But I encourage you to take a look at that.

What is your storage and disposal procedure in your overall records and information management plan?
Really, don't overlook paper records. There's a focus that seems to occur on computerized data, mostly because of the Breach Notification Laws. Paper records are definitely vulnerable as well. Are the valuable paper records kept in locked files? What's done with the documents to be shredded? Are they left in an open bin or a locked bin? And if you use outside storage, what does your contract provide in terms of the data security the vendor needs to comply with?

Hardware and software disposal in your records and information management plan
We've already covered disposal of discs and hard disks as well. There's definitely an issue, and we see it come up frequently, where somebody thinks that the data has been completely removed from the computer and it hasn't. What steps are taken to make sure that the hard drives you're disposing of are not readable in any form? And a related question here is: do you ever let employees keep their work laptop computer, for instance?
Are you really sure that they could not, if they were really enterprising, recover the information that you think has been removed from those computers?

Poor training creates major problems in records and information management plans
If you have the best-written records and information management program, it is no good if employees don't follow it. And in fact, from a litigation standpoint and a lawyer's standpoint, it can be worse to have a program that is not followed than to have no program at all. If you have a program or written policy describing lots of absolute rules, that you must always do this and always do that, and the policy is not actually followed or enforced, that looks like actual disregard of data security. It is not viewed as simply not having reached the level of sophistication to have a policy.

So, really be careful in preparing your information security policy and records and information management program. And we try to avoid having absolute statements in records and information management plans.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
