

October 01, 2014
Role of the CIO Sidebar: CIO, HR & Security
Paul Major

Protection of data is not limited to credit card security
When asked who is ultimately responsible for enterprise data security, the burden will likely fall squarely on the CIO. However, in the wake of continued movement into the cloud, some mission critical systems traditionally managed by IT are now being outsourced and CIOs may be losing visibility and control over crucial company and employee data.

Data breaches make headlines daily and organizations are working harder than ever to secure customer data. PCI compliance has become a burdensome obsession for most CIOs, often overriding innovation opportunities, overtaxing IT staff and consuming otherwise valuable resources.

As traditional HR and payroll systems, now commonly referred to as human capital management (HCM) or talent management, quickly move from premise-based deployment to the cloud, control and security of important employee data is also moving out of the enterprise. However, the CIO is still responsible for the security of this data.

While customer credit cards have been the primary target of hackers and represent significant financial gain, employee records can be a far more valuable and compelling target. With typical data such as social security number, bank account, birth date and address, hackers can apply for credit cards and loans, create fictitious insurance claims, and sell identities, all at profits much higher than credit card data alone.

As far as customers are concerned, a credit card data breach undermines confidence in the brand and creates inconvenience as credit cards are canceled and credit has to be monitored. The brand may face steep fines and significant remediation costs. However, a credit card can easily be replaced, but an employee's Social Security number cannot. A breach of employee records may in fact be far more damaging to the brand. Exposure of staff performance data, reviews and disciplinary records, all of which traditionally reside in HCM and talent management systems, could disrupt the brand's entire workforce and lead to a wholesale exodus of staff and an especially onerous PR nightmare.

HR departments are becoming the de facto support teams for these deployments but are typically not trained to the same level of systems security awareness as IT organizations. This support typically includes password and user security, integration to premise-based timekeeping and ERP systems, interfaces, employee self-service portals and the like. All of these connections are potential vectors for data loss and are likely not being properly scrutinized for security.

CIOs are intimately familiar with the PCI standard as a baseline security recommendation. HCM systems should be subjected to the same standard of security and the same practices associated with PCI card holder data.

What CIOs should do:

  • Insist on reviewing all contracts for HCM systems regardless of who may be ultimately responsible for support or management. Clearly understand what kind of data is being stored in these systems and how it is being managed and secured.
  • Is employee data fully encrypted at rest and in transit? This includes both inside the corporate network as well as across any public network.
    - If HCM data is being accessed via HTTP or a Web portal, is the data secure (HTTPS) across port 443 and not port 80?
    - Are social security (SSN), bank account, driver’s license and passport numbers properly masked when displayed, even on portals displayed inside the corporate network?
  • Is your company data sufficiently separated from other customer data and not co-mingled? What kind of “Chinese wall” exists to prevent crossover?
    - Would a breach of another customer’s data cascade into a similar breach across the application and affect your data?
  • Are user ID and password tables sufficiently secured across the application and between customers?
  • Who will be responsible for managing employee user IDs and passwords? Will the same level of security be applied to this system as with your POS systems? (i.e., complex passwords, 90-day expirations, forced lockouts, new users never being given a common default password, random password generation for new users)
  • Will the HR team be trained properly on managing and resetting employee and administrative passwords to avoid possible social engineering?
  • Who will manage administrative user credentials and rights? Will sufficient standards be applied to limit administrative capabilities? Will the vendor confirm that it does not use the same system admin user IDs and passwords to access multiple customer databases?
  • Who will be remotely accessing your premise data? Will access be properly managed and limited (i.e., for VPN credentials: limited hours of access, credential lockout/expiration, no shared user IDs)?
  • Where does your company data live? Are servers and data centers in countries where your company has legal rights and jurisdiction? Does this include production, test and development data as well as all backups?
  • What is your exit strategy? What happens to employee data upon termination of your contract?
  • Are you certain that your employee data cannot be mined, sold, aggregated or otherwise used by any third party in any way, and do you have contract language that specifically prohibits such usage?
  • Who is responsible for the security and vulnerability testing of public-facing portals and employee or manager self-service websites? Such sites and servers should be added to your vulnerability and penetration testing cycle just as for all in-scope PCI systems.
    - Portals should be tested for XSS, SQL injection and other vulnerabilities, and the vendor should immediately be made aware of any deficiencies.
  • Will a production server in your secure environment require an API or other connection that is accessible from the public Internet? Has sufficient work been done to properly secure such connections (i.e., proxy servers, DMZ and VLAN separation, explicit ACLs, HTTPS, secure VPN or other means)? Who is responsible for assuring these are secured and tested on a regular basis?
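The account-security controls the checklist asks for (random per-user initial passwords instead of a shared default, complexity rules, 90-day expiration and forced lockout) can be modelled in a few lines. This is an added illustration, not code from Hospitality Upgrade or from any HCM vendor; the five-attempt lockout threshold, the 12-character complexity rule and the salted PBKDF2 storage are assumptions, since the sidebar names the controls but not their parameters.

```python
import hashlib, re, secrets, string
from dataclasses import dataclass
from datetime import datetime, timedelta

# Controls from the checklist: 90-day expiry, forced lockout, complex passwords,
# random per-user initial password. Threshold and complexity rule are assumed.
MAX_AGE_DAYS = 90
LOCKOUT_THRESHOLD = 5
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def is_complex(pw: str) -> bool:
    """At least 12 chars with upper, lower, digit and symbol (assumed rule)."""
    return len(pw) >= 12 and all(
        re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))

def generate_initial_password(length: int = 16) -> str:
    """Random per-user starting password; new users never share a default."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_complex(pw):
            return pw

def _hash(pw: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash is stored, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    password_set: datetime
    failed_attempts: int = 0
    locked: bool = False

def provision(user_id: str, now: datetime) -> tuple[Account, str]:
    """Create an HCM user; the generated password is returned exactly once."""
    pw, salt = generate_initial_password(), secrets.token_bytes(16)
    return Account(user_id, salt, _hash(pw, salt), now), pw

def authenticate(acct: Account, attempt: str, now: datetime) -> str:
    """Return 'ok', 'bad', 'locked' or 'expired'; locks after repeated failures."""
    if acct.locked:
        return "locked"
    if not secrets.compare_digest(acct.pw_hash, _hash(attempt, acct.salt)):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "bad"
    acct.failed_attempts = 0
    return "expired" if now - acct.password_set > timedelta(days=MAX_AGE_DAYS) else "ok"
```

The same checks apply to administrative accounts; a vendor-side admin ID reused across customer databases would bypass all of them.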

- Sidebar information provided by Paul Major, managing director of IT for Aspen Skiing Company

© 2014 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
