Data Security, SOX compliance & HR

What does Human Resources have to do with data security or Sarbanes-Oxley compliance? More than many may realize.

Does your company utilize IT or Finance contractors who have almost unlimited access to confidential customer and company information?

These contractors have security clearance that exceeds that of many executives. Companies typically have an expensive security system in place at every door, as well as security guards, not to mention server servicing and backups, yet if they fail to consistently apply security procedures to consultants, these security measures may be undermined. If these contractors are being paid through accounts payable, they may not be subjected to typical HR screenings.

Be careful to review staffing agency contracts to ensure they require the agency to perform background and/or drug screenings in advance of placement. Further, don't take it for granted that the agency will ensure these are executed. Please inspect what you expect. Failure to do so poses significant risk to employee safety as well as data security.

Data security has increasingly become a major threat to US companies, with recent breaches at multiple government agencies, Home Depot, Target, Anthem, Ashley Madison, JPMorgan, eBay and Sony Pictures, just to name a few, and the associated costs are easily in the billions.

Make sure your SOX audit catches any worker vulnerabilities. The audit must ask the right questions and connect all the opportunities for risk.

  • Companies should avoid falling into the trap of profiling by believing that educated, professionally dressed white-collar workers are less risky to an organization than front-line, low-wage workers, when in fact they can be far more dangerous.
  • Ideally, Human Resources should be managing all recruitment and staffing needs, including temporary and consultant staffing. This is a core function of HR; without it, the role's value is limited to that of a payroll or administrative paper-pusher. When this responsibility is farmed out to the business units, the balance of controls may be infringed upon. Regardless, if an organization elects this process, it must ensure a process is in place to mitigate the risk to data security and workplace safety.
  • Companies must ensure that contractors are subjected to appropriate screenings even when staffing agencies are utilized. Companies should not be placated by a contractual clause requiring the agency to execute the screenings, but should instead validate that the screenings were actually executed prior to providing the contractor with access.
  • Contracts need to be audited and reviewed on an annual basis to ensure language and clause consistency as well as to measure service levels among multiple providers.

HR, know your business and actively participate in data security. It has become as much a life-blood of big business as any KPI (key performance indicator).

Ruth “Truth” Torres

Strategic policy development, problem solver, continuous process improver Change Agent & People Champion seeks impactful leadership role.

8 years

Dennis, thank you. Good analogy.

Dennis Rivera

International Sales Professional

8 years

Excellent information Ruth. Especially for anyone that outsources for positions that handle customer data. Some companies concentrate on in-house security, but allow the guests to come in unchecked. It's like having 20 padlocks on a cardboard door.

Dennis Rivera

International Sales Professional

8 years

Excellent article Ruth. This is a wake-up call to all that outsource, especially in positions where customers' data is involved. Great job, learned a lot.

Ruth “Truth” Torres

Strategic policy development, problem solver, continuous process improver Change Agent & People Champion seeks impactful leadership role.

8 years

Corey, exactly! Company practice and culture can override the best of intentions and legal compliance without purposeful action to protect data and ethical management.

Corey Ranslem

CEO at Dryad Global

8 years

Great article Ruth! Companies always wonder why their information gets hacked when they have sub-standard security procedures in place.
