By Kevin Doyle, CISSP, CISA, CISM

Introduction
Myth: data security is a function of just the Information Technology Department of an organization, right? Fact: data security is a function of many stakeholders.  This whitepaper explores one key stakeholder – HR – and why it is a critical member of the security team.
Problem Statement
There has been phenomenal growth in our dependence on technology. Not only has the volume of information generated increased exponentially, but storage capabilities have drastically changed. The amount of data stored has expanded in ways that could not even be imagined previously.
Technology has also radically changed the communications landscape. Twenty years ago, data that was written, typed or spoken was either not retained and stored at all, or could easily be part of a destruction schedule. If we stored a written letter or memorandum, it would be eventually purged as part of a cleanup. All of this has changed now, thanks to our good friend technology.
Letters and memos are stored on network drives, client desktops, or other storage media. What we don’t really see (virtually stored communications) doesn’t get in our way and is now retained for a much longer period of time.
Even verbal communications are often stored, thanks to new voice technologies. In the past few years, voice communications have found their way into electronic mailboxes, and are archived along with written communications.

Previous Options
Enormous storage capacity, coupled with complex records retention laws prompted organizations (especially those that were regulated) to think that the safest storage strategy was to keep everything. Tapes and media that now fit in one box can contain the equivalent of basements full of paper, and is Evolving E-Discovery cases have shown in reality, there is great risk in  the “save everything” type of retention strategy.

Supporting Reasons
All of this leads to the argument that Human Resources should play a critical stakeholder role in the information security governance of an organization.  Following are three supporting reasons why this is important.

Data Classification
Much information generated and retained by Human Resources, by its nature, should be protected at an elevated level.  Laws such as the Health Insurance Portability and Accounting Act (HIPAA), Family and Medical Leave Act (FMLA) and the confidential nature of salary information, background checks, drug testing results, and information related to disciplinary actions require organizations to place security requirements on these types of records.
Information technology is the custodian of the electronically stored records, but it is not the owner of the information. By its nature, HR is the owner of this data. According to the ISO 27000 (International Standard on Information Security Requirements), the term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets.

Records Retention
Nowhere is it more evident that Human Resources play a role in retention of records than in the world of electronic mail. We live in a litigious society. Employee disciplinary actions, especially terminations, can generate a lawsuit and kick in the Federal Rules of Civil Procedure as it relates to Electronically Stored Information (ESI), namely, E-Discovery. The Legal Department and Human Resources Department are key stakeholders in this process.
The Sedona Conference is a meeting of expert jurists, lawyers,  academics, and others and sets the standard for establishing reasonable policies and retention of ESI. Their number one guideline in the Sedona Commentary on Email Management is that retention policies should reflect the input of functional and business units through a team approach and should include the entire organization.  The key word is “reasonable” throughout. Retaining everything is not a reasonable approach. However, an organization must develop a documented and repeatable strategy for retaining ESI that protects both employees and the organization. HR has a critical consulting role in defining that strategy.

Security Policies and Incidents
Technology plays a critical role in virtually all organizations. Technology also can be used in an inappropriate and time-wasting manner by staff. HR should have a voice in the acceptable use of technology tools that organizations provided to employees. HR also serves a critical organizational role in ensuring that security incidents and violations are handled consistently and in line with the disciplinary strategy of the organization. This also involves setting ground rules for using technology to monitor staff, working with Information Technology to remove and change access necessary for staff moving and leaving the organization, scheduling information security awareness training, etc.

Conclusion
ISO 27000 sets forth an entire set of controls to Human Resources security as it relates to information security management. Senior management must work to ensure that the person assigned to coordinate and manage Information Security in their organization include appropriate team members. If your organization chooses to keep HR from a seat at the Security Team table, it is important for you to build the case that your department needs to be represented. Without the department’s knowledge and input, the security team may fail, thus causing further issues as it relates to ESI, policies, and potential incidents.