Ira Winkler, president of Secure Mentem, said it ought to be obvious that, “HR should inform IT when people are leaving. HR has very specific purposes in ensuring the appropriate separation of employees.”
Charles Choe, product marketing manager for Guidance Software, agreed. He said while data loss prevention (DLP) technologies focus on data-in-motion, “they are often turned off due to the high rate of false positives that effectively hinder effective business operations.”
It is HR’s responsibility to properly educate employees that any work produced during employment legally belongs to the organization.
Charles Choe, product marketing manager, Guidance Software
So, he said, it is important for HR to notify IT when employees are leaving, even when the separation is planned and amicable, so the activities of those employees can be more closely monitored. “It is also HR’s responsibility to properly educate employees that any work produced during employment legally belongs to the organization, and not the individual, at least in the United States,” he said.
Dana Simberkoff, chief compliance and risk officer at AvePoint, said HR and IT should be “joint partners” both in training and supervision of employees – especially those who are transitioning out of an organization.
At a minimum, she said, organizations should enforce policies that require when employees are leaving that, “the data they are removing is reviewed and approved before they go, and their access to systems with customer data on them is limited and supervised.”
Do you need to put the same security protocols around protecting pictures from your company picnic as your … employees’ benefits information?
Dana Simberkoff, chief compliance and risk officer, AvePoint
Trevor Hawthorn, CTO of Wombat Security Technologies, said HR, “needs to closely coordinate with IT to communicate when employees are leaving, if they are a security risk, and ensure that an ‘off-boarding’ checklist is followed. For employees that are moving within the organization, a strong IAM capability will allow the organization to audit user rights and privileges.”
And Steve Conrad, managing director at MediaPro, said he thinks many breaches, including those at the FDIC, are a result of multiple problems – among them training and data classification.
“Data of different classifications seemed to have been comingled and the (FDIC) employee didn’t readily identify PII was at risk,” he said. “This breach may have been stopped with a more effective security awareness program. HR could definitely help IT design a better training experience that produces better overall results.”
Nobody disputes that all departments in an organization need to work together, and that this may be especially true of HR and IT. But some experts say when it comes to breaches like those at the FDIC, the greatest responsibility lies with IT.
Sign up for CIO Asia eNewsletters.