In 2004, Royal Bank of Scotland found itself and its email policy under scrutiny when an employment tribunal found in favour of an ex-employee.
The individual concerned had been dismissed after an investigation into several staff members who had been using the company email system to send pornographic images.
Around 30 employees were identified as having been the worst offenders and wheels were put in motion. However, RBS soon found itself with problems over how its policy was implemented.
An issue had arisen with a matrix that was used as part of the investigation. This matrix graded material from one to five, each category of which had an associated level of discipline attached.
Also included in the matrix were factors such as what action personnel took after receiving the material, who the source of the material was and how long was spent handling it. Such information was all used to come to the final decision that the employee had committed gross misconduct and would, therefore, be summarily dismissed.
However, this element of the policy had not been explained to the staff member concerned and, as a result, she had no means of knowing on what basis that her case was being decided. (Royal Bank of Scotland vs. Miss JS Goudie 2004).
What appeared to be a fairly cut-and-dried case of gross misconduct had become a costly error for RBS due to the way that its policy had been implemented.
But avoiding such confusion and maintaining clarity is a vital part of getting information security right. Understanding how to implement a difficult policy is just as vital.
The role of HR in this area is key to an organisation’s security health, which is why the International Standard ISO:27001/2 has a section dedicated to all matters HR.
It not only outlines possible information security controls, but also includes vital implementation guidance in each of its sections related to the employment lifecycle, providing advice in relation to pre-employment, employment and post-employment activities.
1. Pre-employment phase
The pre-employment section covers areas such as screening or vetting and contracts/terms and conditions.
As an example, as part of the step-by-step guidance on screening, it includes information on how to establish what criteria and limitations should be used for checks and for handling sensitive data such as personal financial information. It also covers how best to identify who is eligible to carry out such checks.
2. Employment stage
During employment, all staff members have a duty of care towards their organisation’s information assets.
To this end, an organisational security policy is put in place to ensure that, in the course of their normal work, they do not pose a threat to these assets, but are properly trained and updated in how to conduct themselves and understand what their responsibilities are.
The IT department is usually expected to take care of security but, in fact, it takes care of IT security. The scope of an organisation’s information assets are much broader, however, and are subject to a great many higher risks than IT can reasonably be expected to cover.
It is generally accepted that around 80% of organisational data breaches are caused by people rather than technical failure. This may be the result of staff using USBs to carry data that perhaps they shouldn’t be.
Medical information going missing on laptops and other drives is another frequent issue to hit the headlines. But it begs the question of whether it is necessary and/or appropriate for employees to carry this kind of personal information around on a regular basis?
To understand the answer to this question, the risk would need to be adequately assessed.
3. Post-employment period
The post-employment period is a very risky one in terms of organisations’ information security. They can end up being the target of malice – as happened in the US ‘Hacker Mum’ case.
In this instance, a disgruntled ex-employee who was previously responsible for issuing user names and passwords for school staff, used several user names to explore and change grades on her children’s school records and take a leisurely look through the school’s HR records too.
Such a situation constituted a policy failure on several levels. The person in question had been a school secretary. So was she the right one to be issuing usernames and passwords in the first place?
If the answer was ‘yes’, all of the passwords should have been temporary ones that had to be changed upon receipt. But clearly this didn’t happen. Moreover, she was also able to access the system remotely in order to invade the school’s network, even though she was no longer employed by the organisation.
More recently, the headlines were full of the activities of a disgruntled former MI6 employee who downloaded a huge amount of international intelligence.
While not every organisation would face the same level of threat over losing protectively marked data, the Information’s Commissioner’s Office is very keen to show its displeasure over such incidents these days – and with possible fines of up to £500,000, a serious data breach could actually close some businesses.
But again the ISO:27002 standard offers clear guidance on suitable policies and procedures for the termination process, which includes advice on how staff should return assets and on how best to remove their access rights. It also offers clear guidelines on how to implement such policies.
The role of HR
As to what the role of HR is in all of this, the function has a vital role to play not only in writing and implementing policies, but also in informing and educating the workforce.
While ISO:27001/2 may cover both roles and responsibilities when it comes to HR and information security, making sure that the message is heard and understood effectively is an area in which HR professionals should have particular expertise.
Ensuring that information security policies and procedures are on everyone’s agenda will result in everyone taking responsibility – and HR is perfectly placed to enable this shift.
Therefore, using the controls and implementation guidance offered by ISO:27001/2, not only can HR processes be improved, but also the security of the organisation’s information assets.
Mike Gillespie is director of information security consultancy, Advent IM.
