This article contains a sample security policy.
Required roles: security administrator, systems programmer
SUBJECT | Human Resource Security Policy |
---|---|
EFFECTIVE | For all Zones on July 1, 2008 |
OBJECTIVE | To ensure that human resources is protected from accidental or intentional unauthorized modification, destruction or disclosure. |
ISSUING OFFICERS | Vice President - Personnel |
___________________________ | |
Authorizing Signature | |
Vice President - Personnel/Operations | |
Vice President - Administrative Planning | |
Vice President - Internal Audit | |
Vice President and Treasurer - Financial Control | |
CROSS REFERENCES | None |
PURPOSE
Our purpose in establishing a data security policy is to ensure that human resource information is protected from accidental or intentional unauthorized modification, destruction, or disclosure. Further, due to the sensitive and confidential nature of this information, it is critical that access to it be highly restricted.
POLICY
Scope
This policy applies to all human resource information created or maintained within the corporation and its subsidiaries. Information includes data that is recorded on physical documents and on automated devices. The policy also applies to automated procedures and facilities, such as source code, job control, and load modules, because these are the means through which the data can be accessed, altered, or destroyed.
Proprietary Rights
Human resource information is the property of the Profit Center responsible for the data.
The corporate personnel/payroll function is the custodian of the data and centrally processes all maintenance to human resource data.
Access Responsibility
For all Profit Centers except Central Office
The authority to grant access to the data resides in the personnel function within the appropriate Profit Center. Requests for access to the data must be channeled through the corporation personnel function only with the approval of the appropriate Profit Center personnel representative.
For Central Office
The Central Office is the repository of the data and is ultimately responsible for its protection. The corporate personnel/payroll function has complete access to data for all Profit Centers without the approval of the Profit Center personnel function because they are responsible for corporate-wide processing of the data. Only the corporate personnel/payroll function may fully access production information. Each Profit Center may access its production information.
None of the foregoing shall preclude Internal Audit from having access to the data needed to fulfill their responsibilities as detailed below.
Accountability
Any individual who is involved in unauthorized disclosure of human resource information, procedures, or facilities that are used to extract information is subject to punitive action or dismissal.
Procedure
Each functional unit that is named within this policy maintains comprehensive procedures to support the Human Resource Security Policy.
Responsibilities
The corporation, in its role as an employer of people, has a legal responsibility and a moral obligation to strictly limit access to human resource information. Specific responsibilities regarding human resource security within the corporate organization are detailed below.
Human Resource Security Committee
To approve any amendments to the Human Resource Security Policy.
To review all human resource procedures developed to support the Human Resource Security Policy. It is understood that the scope of this committee relates only to human resource security matters and not to other areas that are the responsibility of the other involved departments.
To meet at regular intervals to review all aspects of the Human Resource Security Policy and its associated procedures.
Personnel
To validate and process approved modifications to employee personnel information in a secure manner.
To process and distribute reports and other personnel information in a secure manner to appropriate field personnel or other approved recipients.
To recommend security policies governing the nature and format of employee records of the Profit Centers.
To monitor and audit the performance of the Profit Centers in the administration of approved security policies, plans and practices.
To monitor and coordinate the Profit Centers' compliance with employee-related legal requirements and to act as liaison with the corporation's Legal Department.
To secure the Personnel area in order to maintain the confidentiality of all employee information under their control.
To approve requested modifications to human resource procedures and facilities which are under their control and to ensure that these modifications comply with human resource security provisions.
Payroll
To process the payroll for all approved corporate organizations in a secure manner.
To validate and process approved modifications to the employee payroll information in a secure manner.
To distribute checks, reports and other payroll information in a secure manner to appropriate field personnel or other approved recipients.
To secure the Payroll area in order to maintain the confidentiality of all employee information under their control.
To approve requested modifications to human resource procedures and facilities which are under their control and to ensure that these modifications comply with human resource security provisions.
Benefit Plans Accounting
To process the employee savings plan system for all approved corporate organizations in a secure manner.
To validate and process approved modifications to employee savings plan information in a secure manner.
To distribute reports and other savings plan information in a secure manner to appropriate field personnel or other approved recipients.
To secure the Benefit Plans Accounting area in order to maintain the confidentiality of all employee information under their control.
Profit Center Personnel Function
To ensure that any request for extraction of human resource information is granted on a “need to know” basis. Access is only granted to data which an individual requires to perform an authorized function. It is understood that no Profit Center may have access to the human resource information of any other Profit Center, unless a reporting relationship exists.
To maintain a security policy for the protection of human resource information that is consistent with the Human Resource Security Policy.
Financial Systems
To ensure that any request made to Financial Systems for extraction of human resource information has been made through approved channels.
To secure any Financial Systems area allowing access to human resource information or documentation.
To approve requested modifications to human resource procedures and facilities which are under their control and to ensure that these modifications comply with human resource security provisions.
Internal Audit
Internal Audit has complete access to human resource information consistent with overall audit responsibilities. These responsibilities as they relate to human resource security include:
To serve in a review and advisory capacity with respect to human resource security measures to ensure compliance with responsibilities as defined by the policy.
To review individual Profit Center security policies for adequacy and adherence.
To review requested accesses to human resource information on a periodic basis for adherence to this policy.
To perform any audit involving human resource information in a responsible and secure manner. Internal Audit is accountable for any information gained during the course of an audit.
To secure any Internal Audit area allowing access to human resource information or documentation.
Human Resource Systems
To maintain the automated procedures and facilities capable of accessing human resource information which comprise the human resource application in a secure manner.
To ensure that access to automated facilities capable of accessing automated human resource information is restricted to members of Data Center Human Resource Systems, approved user personnel, and approved Data Center Operations personnel.
To implement only approved modifications to human resource procedures and facilities.
To secure the Data Center Human Resource Systems area in order to restrict access to automated procedures and facilities.
Data Center-Operations
To execute all human resource automated processing in a secure manner by authorized Data Center-Operations personnel only as requested by authorized user personnel.
To ensure that the distribution of human resource systems output is made only to authorized personnel.
To secure specified areas of Data Center-Operations in order to maintain the confidentiality of human resource information while it is under their control.
Data Center-Technical Services
To ensure that any access to human resource information, procedures or facilities as required by the nature of their responsibilities be done in a secure and responsible manner.
To ensure that the security system software is maintained in a secure manner since this software is the basis for protection of automated human resource information, procedures and facilities.