Conduct active testing on HR systems

With both new and existing HR systems, a clear testing and compliance strategy should be put in place to actively monitor them, particularly those that sit in the cloud, advises Shields.

“It starts with penetration testing to identify the vulnerable points in the HR infrastructure,” agrees Prasun Shah, partner in the people and organisation practice at PwC. He explains that this involves controlled hacking attempts by specialists.

Rizkallah points out that the most vulnerable systems are typically the peripheral ones because they are often overlooked. “Sometimes the main HR system is very secure and has been tested, but then when you start putting other tech over it – like compensation software, for example – it may not be. Those little systems that are peripheral to the main system could be the entry door to the main system, no matter how secure the main system is,” she says.

Link HR processes and IT governance

Other tests include an internal software audit on HR systems to see who has accessed sensitive or personal data over the past year, says Herold. With recent research from SailPoint finding that 47% of employees who leave a job still have access to their former organisation’s data, HR must also carry out audits of this, Herold adds.

“When someone leaves the organisation, all access to systems needs to be revoked,” Rizkallah says, pointing to the risks posed by disgruntled ex-employees and by hackers who exploit the easy target that is an orphan (inactive) account.

This can be remedied by linking HR processes more closely with IT governance, she explains: “IT governance needs to be integrated with HR systems so that when a person’s employment is terminated by HR it starts a workflow to IT that will kick out their access – not tomorrow, not in two weeks, but immediately.”

The same should apply where staff are switching jobs within the same organisation. “Have basic security practices in terms of data masking and role-based access to data,” says Shah. “When you are moving role in the organisation, you shouldn’t have access to the previous role’s data.”
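The leaver and mover controls described above (revoke all access on termination, strip the previous role’s access on an internal move, and audit who still holds access) can be checked by reconciling the HR roster against an export from the identity directory. The script below is an added example, not code from the article or from any of the firms quoted; the roster, role model, directory entries and field names are constructed assumptions, and the dormant-account threshold of 90 days is an arbitrary choice.

```python
from datetime import date

# Constructed sample data (not from the article). HR roster keyed by employee id:
# status is "active" or "left"; role is the current role; left_on is the leave date.
HR_ROSTER = {
    "e100": {"status": "active", "role": "payroll", "left_on": None},
    "e200": {"status": "left", "role": "recruiter", "left_on": date(2019, 8, 30)},
    "e300": {"status": "active", "role": "recruiter", "left_on": None},
}

# Hypothetical role model: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "payroll": {"hr-core-read", "payroll-admin"},
    "recruiter": {"hr-core-read", "ats-admin"},
}

# Constructed directory export, one entry per account. e200 left on 30 Aug but is still
# enabled and logging in; e300 moved from payroll to recruiting and kept the old payroll
# group; svc-comp is a peripheral tool account (e.g. compensation software) with no HR owner.
DIRECTORY = [
    {"account": "e100", "enabled": True, "last_login": date(2019, 10, 1), "groups": {"hr-core-read", "payroll-admin"}},
    {"account": "e200", "enabled": True, "last_login": date(2019, 9, 20), "groups": {"hr-core-read", "ats-admin"}},
    {"account": "e300", "enabled": True, "last_login": date(2019, 6, 1), "groups": {"hr-core-read", "ats-admin", "payroll-admin"}},
    {"account": "svc-comp", "enabled": True, "last_login": date(2019, 2, 1), "groups": {"hr-core-read"}},
]
AUDIT_DATE = date(2019, 10, 15)  # constructed "today" for the sample run


def reconcile(roster, directory, role_model, today, dormant_days=90):
    """Return sorted (account, finding) pairs from the leaver, mover and orphan checks."""
    findings = []
    for acct in directory:
        name, person = acct["account"], roster.get(acct["account"])
        if person is None:
            findings.append((name, "no HR owner"))
        elif person["status"] == "left":
            if acct["enabled"]:
                findings.append((name, "leaver still enabled"))
            if person["left_on"] and acct["last_login"] > person["left_on"]:
                findings.append((name, "login after leave date"))
        else:
            # Mover check: anything beyond the current role's entitlements is stale access.
            extra = acct["groups"] - role_model[person["role"]]
            if extra:
                findings.append((name, "excess entitlements: " + ", ".join(sorted(extra))))
        if acct["enabled"] and (today - acct["last_login"]).days > dormant_days:
            findings.append((name, "dormant account"))
    return sorted(findings)


def run_audit():
    return reconcile(HR_ROSTER, DIRECTORY, ROLE_ENTITLEMENTS, AUDIT_DATE)
```

Each finding maps to one of the article’s controls: a leaver who is still enabled or has logged in after the leave date is a missed termination workflow, excess entitlements on an active account are a mover who kept the previous role’s access, and an account with no HR owner or no recent login is the orphan account that the audit is meant to surface.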
hrmagazine.co.uk October 2019 HR 23