Data security began when man realized he needed to protect his information and pass it down from generation to generation. One of the best ways man kept his information safe was by storing it in caves or walls.
By Pablo Morales, Chief Information Security Officer at Framework Science
In the Middle Ages, information was passed on through the church and the libraries. It was stored in archives or secret vaults. Man wanted to record his story in paintings, books, and even poetry and riddles (remember Nostradamus?). Eventually, security systems were created to maintain and secure that information.
From a digital point of view, data security began in the 70s with the appearance of the first virus, called Creeper. The virus sent a message saying, “I’m the creeper, catch me if you can!” Creeper was propagated through ARPANET, the progenitor of what we know today as the Internet, and thus cybersecurity was born.
In the 80s, data security assumed more importance when the first computer enthusiast clubs were established. Hobbyists created viruses just for experimentation or to show off their skills, with no intention of causing severe damage.
Information Security
It is essential to understand that information is integrated and protected under security measures to keep the organization’s data, which is linked to its shareholders, managers, workers, and clients, safe.
Information security is made up of a set of methodologies and processes aimed at controlling the data that is handled within an organization, to ensure that it does not leave the system without authorization. This is established by a group of professionals and an internal committee, who protect the data in the system and ensure that only authorized personnel have access to it.
Information security must respond to three essential qualities:
- The first must be “critical” because the organization must carry out its actions without assuming too many risks.
- The second must be “valuable” since the data that is handled is essential for the organization’s development.
- The third must be “sensitive” since only authorized people can access it.
Security Objectives
- Protect all the organization’s data.
- Reduce the risks of handling (input and output) the data and resources of members of the organization.
- It is necessary to understand that the information is found in different ways:
  - In digital form, in the cloud, or on physical servers or files on electronic media.
  - In physical form, written or printed on paper.
- It is also necessary to understand that the information is stored, processed, or transmitted in different ways:
  - In written electronic form or in videos.
  - Verbally.
  - In written or printed messages.
From a digital point of view, computer security is aimed at protecting systems and equipment for information processing, while data security is aimed at the protection of automatic information processes.
Data security is supported by methodologies, standards, policies, organizational structures, and technologies, among other instruments.
Additionally, apart from protecting the data under any circumstance, the security of information must continue to give life support and continuity to the organization.
Data security requires good administration to manage its processes, that is, good planning, organization, management, and, of course, strict controls that protect the data against any circumstances and risks that threaten its confidentiality.
Data Security in Human Resources
Human Resources are an organization’s most valuable asset. Stability and growth depend on human capital, which is why an excellent administration of these resources is required. HR helps maintain harmony and motivation in all personnel and all hierarchical levels to achieve objectives.
A human resources information system must record, store, process, and provide information on the organizational structure in terms of its administrative division, hierarchical levels, and functions. A human resources information system must record, store, process, and provide information on the description of the positions that make up the organization in terms of their objectives and goals; functions, activities, and requirements.
A human resources information system must record, store, process, and give information on human resources’ behavior.
A human resources information system must record, store, process, and provide managers with information for decision-making. This is additional to being the base and pillar for good administration within the organization.
Many organizations do not carry out staff evaluations to know the degree of their commitment, tolerance, and frustration — or if the staff is displeased with the organization, managers, or their colleagues. Timely evaluation helps the security department and human resources to identify a breach, possibly caused by a disgruntled employee. And this alertness is far more critical than having highly secure systems, hardware, and security personnel.
Human Resources should know technology to help the security department identify any risk while sourcing, hiring, training, and during the time the employee is committed to the organization. Training for recruiters is a must because they will be the first ones to get information from the candidate.
Reflections on Data Security in Human Resources
Managers must carry out an inventory of the organization’s information to know the processes and the various departments through which this information passes.
Tracing this information through its reception or delivery flow will allow us to identify what part of the process is carried out in each position. Therefore, we can identify the type of information handled by a specific profile.
It is also essential for managers to be familiar with the profiles of various personnel in the organization. An organization’s success depends on fair recruitment and selection of the personnel they will hire. Above all, it ensures the quality and control of the information.
It is necessary for managers to generate an inventory, methodology, and policies that allow them to prioritize the information that is handled within the organization and identify the flows through which it runs and the organizational stations where it is processed.
Organizations rarely attach importance to information security and pay little attention to the recruitment and selection of personnel to fill an available vacancy. One must apply psychometric, socio-economic trust, and background tests.
It is a challenge for the security department to know employees’ backgrounds in advance since this department is not involved in the hiring process.
Likewise, in public or private organizations, the people who oversee security and the general personnel are not well paid. This can cause a security breach when someone tries to obtain information.
Amid COVID-19, this has been a challenge for companies, governments, and those who generate information, especially when hiring people has to be done remotely. It is a challenge to establish whether candidates are capable and committed.
In the end, one of the most critical departments in any company or government should be Human Resources, so that we can prevent a security breach; however, just a few companies and governments understand this.
To conclude, it is worth highlighting and reflecting on a few more points about information security:
- Network – Involves monitoring the network to detect any suspicious packets or movements.
- Email – Apart from preventing spam and viruses, it is necessary to keep strict control of what leaves the company through analysis and constant changes of passwords, personnel training, and encryption.
- Physical Security – Involves keeping the premises secure through different layers of security such as cameras, controlled access, security guards, fire prevention, etc.
- Encryption – Involves encrypting information from the moment it is generated until it is delivered to the recipient.
- Mobile Data Security – Refers to keeping all company mobile devices safe by following all the established protocols.
There must be a company commitment to apply all security protocols and hardware, but this commitment has to come from the employee, and this is the key to data security. If there is no commitment from the employee, all the processes and hardware that we have won’t prevent a security breach.
About the Author
Pablo Morales is the Chief Information Security Officer at Framework Science in Tijuana, Baja California. He has over 20 years of experience in the IT industry. He came from being a developer to identifying and understanding possible company risks and providing feasible solutions.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.