Case Study › Human Resource Security Policy

Human Resource Security Policy

Subject: Human Resource Security Policy

Effective: For All Divisions on July 1, 2000

Objective: To ensure that human resource information is protected from accidental or intentional unauthorized modification, destruction, or disclosure.

Issuing Officer(s): Vice President ‑ Personnel

Contact(s): Vice President ‑ Personnel/Operations

Vice President ‑ Administrative Planning

Vice President ‑ Internal Audit

Vice President & Treasurer ‑ Financial Control

Cross Reference(s): None

Purpose

Our purpose in establishing a data security policy is to ensure that human resource information is protected from accidental or intentional unauthorized modification, destruction, or disclosure. Further, due to the sensitive and confidential nature of this information, it is critical that access to it be highly restricted.

Policy

Our Human Resources Security Policy defines the information to which the policy applies, who has proprietary rights to the information, individual accountability, responsibility for procedures, and outlines specific responsibilities within the organization.

Scope

This policy applies to all human resource information created or maintained within the corporation and its subsidiaries. Information includes data recorded on physical documents and on automated devices. The policy also applies to automated procedures and facilities (source code, job control, load modules), because these are the means through which the data can be accessed, altered, or destroyed.

Proprietary Rights

Human resource information is the property of the Profit Center responsible for the data.

The corporate personnel/payroll function is the custodian of the data and will centrally process all maintenance to human resource data.

For all Profit Centers except Central Office. The authority to grant access to the data resides in the personnel function within the appropriate Profit Center. Requests for access to the data must be channeled through the corporation personnel function only with the approval of the appropriate Profit Center personnel representative.

For Central Office. Central Office is the repository of the data and is thus ultimately responsible for its protection. The corporate personnel/payroll function has complete access to data for all Profit Centers without the approval of the Profit Center personnel function, because they are responsible for corporate‑wide processing of the data. Only the corporate personnel/payroll function may fully access production information. Each Profit Center may access its own production information.

None of the foregoing shall preclude Internal Audit from having access to the data needed to fulfill their responsibilities as detailed next.

Accountability

Any individual who is involved in unauthorized disclosure of human resource information, procedures, or facilities used to extract information is subject to punitive action or dismissal.

Procedure

Each functional unit named within this policy will maintain comprehensive procedures to support the Human Resource Security Policy.

Responsibilities

The corporation, in its role as an employer of people, has a legal responsibility as well as a moral obligation to strictly limit access to human resource information. Specific responsibilities with regard to human resource security within the corporate organizations are detailed below.

• Human Resource Security Committee
  • To approve any amendments to the Human Resource Security Policy.
  • To review all human resource procedures developed to support the Human Resource Security Policy. It is understood that the scope of this committee relates only to human resource security matters and not to other areas which are the responsibility of the other involved departments.
  • To meet at regular intervals to review all aspects of the Human Resource Security Policy and its associated procedures.
• Personnel
  • To validate and process approved modifications to employee personnel information in a secure manner.
  • To process and distribute reports and other personnel information in a secured manner to appropriate field personnel or other approved recipients.
  • To recommend security policies governing the nature and format of employee records of the Profit Centers.
  • To monitor and audit the performance of the Profit Centers in the administration of approved security policies, plans and practices.
  • To monitor and coordinate the Profit Centers' compliance with employee‑related legal requirements and to act as liaison with the corporation's Legal Department.
  • To secure the Personnel area to maintain the confidentiality of all employee information under their control.
  • To approve requested modifications to human resource procedures and facilities which are under their control and to ensure that these modifications comply with human resource security provisions.
• Payroll
  • To process the payroll for all approved corporate organizations in a secure manner.
  • To validate and process approved modifications to employee payroll information in a secure manner.
  • To distribute checks, reports, and other payroll information in a secured manner to appropriate field personnel or other approved recipients.
  • To secure the Payroll area to maintain the confidentiality of all employee information under their control.
  • To approve requested modifications to human resource procedures and facilities which are under their control and to ensure that these modifications comply with human resource security provisions.
• Benefit Plans Accounting
  • To process the employee savings plan system for all approved corporate organizations in a secure manner.
  • To validate and process approved modifications to employee savings plan information in a secure manner.
  • To distribute reports and other savings plan information in a secured manner to appropriate field personnel or other approved recipients.
  • To secure the Benefit Plans Accounting area to maintain the confidentiality of all employee information under their control.
• Profit Center Personnel Function
  • To ensure that any request for extraction of human resource information is granted on a “need to know” basis. Access is only granted to data which an individual requires to perform an authorized function. It is understood that no Profit Center may have access to the human resource information of any other Profit Center, unless a reporting relationship exists.
  • To maintain a security policy for the protection of human resource information that is consistent with the Human Resource Security Policy.
• Financial Systems
  • To ensure that any request made to Financial Systems for extraction of human resource information has been made through approved channels.
  • To secure any Financial Systems area allowing access to human resource information or documentation.
  • To approve requested modifications to human resource procedures and facilities which are under their control and to ensure that these modifications comply with human resource security provisions.
• Internal Audit

  Internal Audit has complete access to human resource information consistent with overall audit responsibilities. These responsibilities as they relate to human resource security include:

  • to serve in a review and advisory capacity with respect to human resource security measures to ensure compliance with responsibilities as defined by the policy.
  • To review individual Profit Center security policies for adequacy and adherence.
  • To review requested accesses to human resource information on a periodic basis for adherence to this policy.
  • To perform any audit involving human resource information in a responsible and secure manner. Internal Audit will be accountable for any information gained during the course of an audit.
  • To secure any Internal Audit area allowing access to human resource information or documentation.
• Human Resource Systems
  • To maintain the automated procedures and facilities capable of accessing human resource information which comprise the human resource application in a secure manner.
  • To ensure that access to automated facilities capable of accessing automated human resource information is restricted to members of Data Center Human Resource Systems, approved user personnel, and approved Data Center Operations personnel.
  • To implement only approved modifications to human resource procedures and facilities.
  • To secure the Data Center Human Resource Systems area to restrict access to automated procedures and facilities.
• Data Center‑Operations
  • To execute all human resource automated processing in a secure manner by authorized Data Center‑Operations personnel only as requested by authorized user personnel.
  • To ensure that the distribution of human resource systems output is made only to authorized personnel.
  • To secure specified areas of Data Center‑Operations to maintain confidentiality of human resource information while it is under their control.
• Data Center‑Technical Services
  • To ensure that any access to human resource information, procedures or facilities as required by the nature of their responsibilities be done in a secure and responsible manner.
  • To ensure that the security system software is maintained in a secure manner since this software is the basis for protection of automated human resource information, procedures and facilities.