Part V   Special Topics in HRIS

Chapter 16 Information Security and Privacy in HRIS Yuk Kuen Wong and Mohan Thite

EDITORS’ NOTE

This chapter expands on the information security and privacy issues in HRIS described in Chapter 3 (system considerations) and Chapter 10 (HR administration). Many organizations mistakenly believe that the biggest threat to information security is from outside. This chapter explains how present and past employees can pose a greater threat in the light of the emergence of collaborative and convergent technologies, and what HR managers can do to safeguard information security and privacy in collaboration with IT departments. It describes the importance, legal aspects, and best practices in maintaining and promoting safe information-handling procedures.

CHAPTER OBJECTIVES

After completing this chapter, you should be able to describe

• The importance of information security and privacy in today’s technology-intensive and information-driven economy
• The important components of and threats to information security
• The legal requirements pertaining to information security and privacy
• Best practices in safe information-handling procedures


HRIS IN ACTION

In an article “Why security matters now,” Brenner (2009) identifies the following technology trends and how they impact information security using data from the 7th annual Global State of Information Security Survey conducted by CIO and CSO magazines and PricewaterhouseCoopers:

•• The promise and peril of social networking: In the last few years, social networking sites, such as Twitter, Facebook and LinkedIn, have become a way of life for people both at work and away from work. What worries firms is the ease with which users could share customer data or sensitive company activities that might be subject to phishing scams. While firms do not want to block access to these sites because of their potential business benefits, they are struggling to find the right balance between security and usability. Nearly a third of respondents in the survey monitor what employees are posting to external blogs and social networking sites. Firms mainly use Web content filters to keep data behind the firewall, the most secure version of Web browser and security products that are compatible with Web 2.0. Some experts believe that social networking security problems are more cultural than technological. Therefore, educating employees about what is appropriate to share is crucial.

•• Jumping into the cloud, sans parachute: Cloud computing services, such as software as a service (SaaS), and the virtualization technology that enables them offer many benefits (see Chapter 17); however, any attempt to get into the cloud should follow a well-considered security strategy. The key security risks of cloud computing, as identified by survey respondents, relate to fears about vendors in terms of their ability to enforce security policies, inadequate training and IT auditing, access control at the provider site, ability to recover data, and ability to audit the service providers. Both clients and providers of cloud services need to address the risks associated with the technical, operational, and organizational changes that could result as a consequence of the implementation of these technologies. Sometimes, if the physical and cloud-based assets are poorly configured, the flaws can be easily found and exploited by attackers. Because there are many clouds that are not federated, security in the cloud is a matter of managing a variety of risks across multiple platforms.

•• Insourcing security management: Attacks on data have increased faster than any other security exploit, and the top targets include databases, file-sharing applications, laptops, removable media, and backup tapes. Thirty-one percent of respondents rely on security outsourcers, such as managed security service providers (MSSPs); however, the trend today is to manage security in-house by taking control of application firewalls, encryption management, and patch management. One reason for this trend is that there is a lot of chaos in the security market, with security vendors experiencing a seeming avalanche of corporate mergers and acquisitions.

•• New corporate commitment: With the increasing realization that security can’t be ignored, more companies are investing in security technologies and hiring chief information security officers (CISOs). Cybercrime and security breaches cost firms an average of US $833,000 per year, and the results are serious: a compromised corporate brand or reputation, stolen intellectual property, defaced Web pages, and direct financial losses, through fraud, for example. Firms are responding with multiple initiatives and a renewed commitment to information security.

INTRODUCTION

The history of information security can be traced back to World War II (Kizza, 2007, pp. 101–116), when the physical protection of information, with barricades and armed guards controlling access, was introduced in the military. Today, with the rapid growth of and advancements in information and communication technologies, most organizations can afford to deploy powerful computers in their workplaces to conduct their business (Pfleeger, 2006). The Internet and mobile technologies have enhanced the interconnectivity of many computers and information systems. With the widespread use of electronic data processing, online processing, and data exchange through the Internet, mobile technology, wireless access points, and home computers, there is an urgent need for better control mechanisms to protect company information (Dhillon, 2004; Freeman, 2007). For the past two decades, it has been argued that an information revolution is taking place that is having a significant impact on all aspects of company life (Neuberger, Andrew, & Levetown, 2004). If applied effectively within strategic human resource management, information can result in the realization of significant corporate benefits; indeed, it has been contended that “information is the lifeblood of the company” (Confederation of British Industry, 1992, p. 2). It can be argued that information is vital to the success of the business, as it contributes directly to the employee’s performance and the company’s operational performance and financial health (Kotulic & Clark, 2004). However, information will only be recognized as a vital organizational resource if employees can readily gain access to the information they require. Many employees are desperate to gain access to the information they need. Unfortunately, as a consequence of the high incidence of security breaches, many companies are failing to provide consistently the information resources that their employees require (Von Solms & Von Solms, 2004).

Enterprise resource planning (ERP) systems seamlessly integrate application systems of different business functions, such as finance, HR, logistics, and customer relationship management. The major risks of these systems, particularly when they are Web enabled, are the security risks occasioned when confidential enterprise data is handled. With regard to an HRIS, sensitive information includes employee personal details, pay and benefits history, medical records, and disciplinary records. Firms have to pay close attention to what employee data is collected, stored, manipulated, used, and distributed—when, why, and by whom. This attention is necessary to address information security as well as privacy concerns and to comply with legislative safeguards. Many organizations, including governments, financial institutions, hospitals, and private businesses, amass a great deal of confidential information about their employees, customers, and suppliers (Dhillon, 2004). These data are stored electronically and transmitted across networks. Human resource managers must make every effort to ensure that their information resources maintain data integrity, confidentiality, and availability. However, the increasing integration of HRIS both within and among companies, coupled with the growing value of corporate information resources, has made information security management a complex and challenging undertaking (Gerber, Von Solms, & Overbeek, 2001). Indeed, it is estimated that “security breaches (internal and external) affect 90% of all businesses every year, and cost some $17 billion” (Austin & Darby, 2003, p. 121). Moreover, protective measures can be very expensive: “The average company can easily spend 5% to 10% of IT budget on security” (Austin & Darby, 2003, p. 3). 
One increasingly important mechanism for protecting corporate and employee information, in an attempt to prevent security breaches, is the formulation and application of an information security policy in HRIS (Gordon & Loeb, 2004; Hone & Eloff, 2002). Information security in HRIS means protecting information in the HRIS from unauthorized access, use, disclosure, disruption, modification, or destruction. The objectives of information security are to ensure confidentiality, integrity, and availability of information (Pfleeger, 2006).

COMPONENTS OF INFORMATION SECURITY

Three main principles of information security are to achieve confidentiality, integrity, and availability of data (see Figure 16.1) within an HRIS. The HRIS is composed of three components—hardware, software, and communications—as mechanisms of protection in a client-server architecture design at physical, personal, and organizational levels (Freeman, 2007; ISO, 2000; Lippert & Swiercz, 2005). Security procedures and policies are essential, as they provide guidelines to employees on how to use the HRIS to ensure security of information within the organization (Doherty & Fulford, 2003).

Figure 16.1   Components of Information Security

[Figure: a diagram placing Information at the centre of its three security goals, Confidentiality, Integrity, and Availability, and relating them to the protective components Hardware, Software, and Communications (Products: Physical Security), People (Personal Security), and Procedures (Organizational Security).]

SOURCE: Wikipedia (2007).

Confidentiality

Confidential information must be accessed, used, or disclosed only by authorized users (Lippert & Swiercz, 2005; Townsend & Bennett, 2003). Confidentiality is important but not sufficient by itself for maintaining the privacy of the employees’ personal details. See Chapter 10 for an extensive coverage of privacy laws.

Integrity

Integrity refers to safeguarding the accuracy and completeness of information and processing methods by ensuring that data cannot be modified without authorization (Sadri & Chatterjee, 2003).

Availability

Information availability means that authorized users must be able to process and access the information when required (Ashbaugh & Miranda, 2002). Employees need to fulfill their obligations to the contract for using the HRIS. Common techniques such as digital signatures and passwords are used to establish authenticity and non-repudiation in HRIS (Townsend & Bennett, 2003).

LEGAL REQUIREMENTS FOR INFORMATION SECURITY

Governments, at various levels, in most of the developed countries have enacted several laws and regulations to safeguard information security and data protection. Some of these legal requirements from Europe and North America are listed below (Kizza, 2007; Townsend & Bennett, 2003; Wikipedia, 2007):

•• Personal Information Protection and Electronic Documents Act: The act was enacted in Canada to support and promote electronic business by protecting personal information that is collected, used, or disclosed in certain circumstances.

•• California Security Breach Information Act, SB 1386: This law in the state of California requires organizations to notify customers or employees when unencrypted personal information has been compromised, stolen, or lost.

•• Computer Misuse Act, 1990: The act was proposed to make computer crime (e.g., hacking or cyber-terrorism) a type of criminal offence in the United Kingdom.

•• The European Union Data Protection Directive (EUDPD): This directive requires that all EU members must adopt national regulations to standardize the protection of data privacy for citizens throughout the European Union.

•• Health Insurance Portability and Accountability Act: This act requires health care providers, insurance companies, and employers to safeguard the security of health information. It sets national standards for electronic health care transactions.

THREATS TO INFORMATION SECURITY

When confidential information about employees, business partners, or customers falls into the hands of competitors, such a breach of security could lead to business losses, lawsuits, or even bankruptcy (Townsend & Bennett, 2003). Protecting organizational information is an essential element of a company’s security policy (International Organization for Standardization [ISO], 2000), and, in many countries, it is also a legal requirement and part of corporate social responsibility (Ball, 2001). The following are the common security threats:

•• Human error: When an HRIS is not well designed, developed, and maintained and employees are not adequately trained, there is a high potential threat of security breaches. Research suggests that human errors, such as incorrectly entered data or accidental destruction of existing data, constitute security threats to the availability, accessibility, and integrity of information.

•• Damage by employees: One of the concerns overlooked by HR managers is that information may be damaged by disgruntled employees. A recent survey suggested that a third of companies felt that their information security was at risk from disgruntled employees (Ernst & Young, 2003).

•• Misuse of computer systems: One of the predominant internal security threats is employees’ unauthorized access to or use of information, particularly when it is confidential and sensitive.

•• Theft: The value of information can be much higher than the price of hardware and software. With contemporary advances in technological developments, a relatively small computer chip (e.g., a USB device) can easily store up to 120 GB of data.

•• Computer-based fraud: There is growing evidence that computer-based fraud is widespread. Over 90% of companies have been affected by computer-based fraud, such as data processing or data entry routines that are modified (Garg, Curtis, & Halper, 2003).

•• Viruses, worms, and Trojans: These are common external security threats and often come in e-mail attachments (De Campeaux, 2002). They have the capability to replicate themselves automatically across systems and networks, as well as typically delivering mischievous functionality or damaging data.

•• Hackers: Another significant threat is the penetration of organizational computer systems by hackers. A hacker is defined as someone who accesses a computer or computer network unlawfully. Such attacks, often termed “intrusions” (Austin & Darby, 2003, p. 122), can be particularly dangerous because, once the hacker has successfully bypassed the network security, he or she is free to damage, manipulate, or simply steal data at will. Related to this aspect of security threat is cyber-terrorism, incorporating, for example, unlawful attacks designed to intimidate (Austin & Darby, 2003). Cyberterrorists usually send a threatening e-mail stating that they will release some confidential information, exploit a security leak, or launch an attack that could harm a company’s systems or networks. Cyber-terrorism—leveraging of an information system, particularly via the Internet—is intended to cause physical, real-world harm or severe disruption of a system’s infrastructure (Hinde, 2003). A person with high computer and network skills is hired to break into a specific computer or computer network to steal or delete data and information.

•• Natural disasters: Most typical forms of natural disasters are floods, earthquakes, fires, or lightning strikes, which destroy or disrupt computing facilities and information flow.

Managing these security threats, risks, and vulnerabilities requires a proactive information security plan (Lippert & Swiercz, 2005). Organizations must address the blurring of the security perimeter and seek to develop a security-conscious culture in employees, a culture supported through the leadership of senior executives, including HR managers.

ROLE OF HR IN INFORMATION SECURITY

Information security issues are no longer solely the domain of the IT department and IT managers. To have effective information security in place, HR managers need to align information security with their HR objectives. To do this, they must eliminate the hierarchical layers between the functional managers, who have historically viewed information security as a technology issue and not an HR issue. Having the active involvement of senior management in security-related decisions is crucial in establishing this alignment. Companies need to back up their talk about the importance of protecting their valuable organizational and employee information (digital assets) by investing in information security. Too often, it requires a security breach, a competitor being attacked, or a regulatory mandate for the HR department to take action. Even then, core HR objectives are ignored, and a temporary fix is applied to the problem. Measured, proactive spending is less costly in the long run than reactive spending, which is often overspending in response to an incident. Many HR managers still tend to think that security threats refer to external security breaches (e.g., virus outbreaks or malicious hackers). However, HR managers should focus more on the less obvious threats, such as those posed by disgruntled employees and ex-employees, by network links to business partners who don’t have proven or trustworthy systems, by employee misuse of computers, and by insecure network access points set up by employees. These may not only cause serious damage but also destroy a company’s reputation and increase its long-term costs. The growing complexity of employees’ profiles (part-time, casual, and full-time employees; contractors; ex-employees; and employees of business partners) makes the problem even worse. Wipawayangkool (2010) suggests that, with organizations enabling the more strategically active role of HRM through a combination of selection, training, and pay practices, they could more effectively handle people issues in information security management (ISM), particularly security awareness and insider threats, and possibly sustain their competitive advantage. The best practices for handling information in HRM/HRIS include the following (Canavan, 2003; David, 2002; Tansley & Watson, 2000):

•• Adopt a comprehensive information security and privacy policy.
•• Store sensitive personal data in secure HRIS and provide appropriate encryption.
•• Dispose of documents properly or restore computer drives and CD-ROMs.
•• Build document destruction capabilities into the office infrastructure.
•• Conduct regular information security practice training for all employees.
•• Conduct privacy “walk-throughs,” and make spot checks on proper information handling.

Kovach, Hughes, Fagan, and Maggitti (2002) and Grundy, Collier, and Spaul (1994) suggest the following additional measures:

•• The careful selection of staff with due regard to their honesty and integrity
•• The raising of information security awareness among staff and ensuring that employees know and understand the company’s security policies
•• Measures to address the personal problems of employees, such as gambling and drug addiction, which might lead them to indulge in computer abuse for financial gains
•• Access to effective grievance procedures, since the motivation for much computer abuse is retaliation against management

INFORMATION SECURITY MANAGEMENT FOR HRIS

A well-known information security management standard is ISO/IEC 27002 (ISO, 2000), as stipulated by the International Organization for Standardization and the International Electrotechnical Commission (Dresner & Wood, 2007; Freeman, 2007). This security management process consists of administrative/procedural, logical/technical, and physical controls (see Table 16.1) and constitutes a best practice recommendation (Department of Broadband, Communications and the Digital Economy [DBCDE], 2007; Freeman, 2007).

Information Privacy

Privacy is a complex construct and is influenced by a variety of disciplines, such as ethics, economics, management, and law. Privacy comprises ethical, moral, and legal dimensions and has assumed greater importance with the increased adoption of the Internet and Web 2.0 technologies. The ethical aspect of privacy includes the issue of electronic surveillance. An important consideration in the understanding of privacy is the “centrality of the issue of control . . . specifically, the individual’s need to have control over . . . personal information” (McParland and Connolly, 2008, p. 118). For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures. Trust is important in ensuring privacy in the sense that individuals need to feel confident that their personal information will not be used without their consent and not given to third parties. Privacy is a human value consisting of four elements (Kovach & Tansey, 2000):

•• Solitude: The right to be alone without disturbances
•• Anonymity: The right to have no public personal identity
•• Intimacy: The right not to be monitored
•• Reserve: The right to control one’s personal information, including the methods of dissemination of that information

There is a tenuous relationship between employee privacy concerns and organizational needs (Ball, 2001; Kovach & Tansey, 2000). Fair information policies suggest that employees have the right to know how their personal information is used, to prevent the use of personal information by other parties (e.g., governments, insurance companies), and to take reasonable precautions to prevent misuse of their personal information (Camardella, 2003; Kovach & Tansey, 2000). The human resource literature mainly focuses on invasion of privacy perceptions and procedures for handling information about the hiring process, from job application to hiring decision (Kovach et al., 2002). An important element in the success of managing this personal information is the HRIS, a database of personal information about each employee and job applicant. Because of the authority given to them to access and use HRIS information, HR managers must be aware of the ethical and legal issues associated with both the


Table 16.1   Information Security Program for HRIS

(Columns: Information security control types; Descriptions)

To mitigate a risk, it is recommended that the following control strategies be used in designing an HRIS:

Administrative

• Administrative control (also known as procedural control) consists of policies, procedures, standards, and guidelines. An administrative control is developed from the information security framework for managing people and organizational operations. Some of these policies, procedures, and guidelines are regulated by laws. Examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.

Logical

• Logical control (also referred to as technical control) regulates access to information in HRIS. For example, passwords, network- and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls. The common problem of logical controls is access privileges when an employee’s job duties change or he or she is transferred to another department. The access privilege required by the new role is frequently added onto his or her already existing access privilege, which may no longer be necessary or appropriate.

Physical

• Physical controls refer to the physical environment, such as computer facilities in the workplace. Separation of duties ensures that an individual cannot complete a critical task by himself or herself. For example, an employee who submits a reimbursement request should not also be able to authorize payment. An HR manager who manages the employees’ database should not manage the finance database—these roles and responsibilities must be separated from one another.

Security classification for information

• An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for it. Classification of information to be assigned should take into account how much value that information has to the organization. All employees in the organization must be trained in the classification schema and should understand the required security controls and handling procedures for each classification. The HR department plays a significant role in the process.

Access control

• Access to protected information must be restricted to people who are authorized to access the information. Control techniques such as identification and authentication are important for the HRIS. The most common access control technique is user name and password. HR managers need to ensure the obligations of employees using the HRIS.

Cryptography

• Cryptography is a computer technique to ensure that sensitive information is only read and used by authorized employees. There has been significant academic research and technological development in cryptography.

Defense in depth

• To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms. The building up, layering on, and overlapping of security measures is called “defense in depth.” The strength of any system is no greater than its weakest link. When using a defense-in-depth strategy, should one defensive measure fail, there are other defensive measures in place that continue to provide protection.

SOURCE: Department of Broadband, Communications and the Digital Economy (2007).
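The logical-control row (privileges accumulating when an employee changes role) and the separation-of-duties row (the reimbursement example) of Table 16.1, as an added illustration that is not the chapter's or any product's code: a small Python model of HRIS role baselines whose access review flags rights granted beyond the current role and conflicting duties held by one person. All role names, permissions, conflict pairs and employees are constructed for the example.

```python
"""Role-based access review for an HRIS: privilege creep on transfer and
separation of duties.  Added example; every name below is constructed."""
from dataclasses import dataclass, field

# Constructed role baselines: the permissions each HRIS role legitimately needs.
ROLE_PERMISSIONS = {
    "hr_generalist": {"employee.read", "employee.update"},
    "payroll_clerk": {"employee.read", "payroll.read", "payroll.update"},
    "finance_approver": {"payroll.read", "payment.approve"},
    "expense_submitter": {"expense.submit"},
}

# Constructed separation-of-duties rules: permission pairs one person must never
# hold together (submit-and-approve a reimbursement; change payroll and approve payment).
SOD_CONFLICTS = {
    frozenset({"expense.submit", "payment.approve"}),
    frozenset({"payroll.update", "payment.approve"}),
}


@dataclass
class Employee:
    name: str
    roles: set = field(default_factory=set)
    granted: set = field(default_factory=set)  # what the system actually grants


def baseline_for(roles):
    """Union of the permissions the employee's current roles justify."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def transfer_additive(emp, new_role):
    """The common, flawed practice the table describes: the new role's rights
    are added on top of whatever the employee already held."""
    emp.roles = {new_role}
    emp.granted |= ROLE_PERMISSIONS[new_role]


def transfer_reprovision(emp, new_role):
    """Recommended practice: re-provision from the new role's baseline only,
    so rights the old role needed are dropped at the moment of transfer."""
    emp.roles = {new_role}
    emp.granted = baseline_for(emp.roles)


def excess_privileges(emp):
    """Permissions granted beyond what the employee's current roles justify."""
    return emp.granted - baseline_for(emp.roles)


def sod_violations(emp):
    """Separation-of-duties conflicts present in the employee's granted rights."""
    return {pair for pair in SOD_CONFLICTS if pair <= emp.granted}


def access_review(employees):
    """Periodic access review: report each employee's excess rights and
    separation-of-duties conflicts; employees with no findings are omitted."""
    findings = {}
    for emp in employees:
        excess = excess_privileges(emp)
        sod = sod_violations(emp)
        if excess or sod:
            findings[emp.name] = {"excess": excess, "sod": sod}
    return findings


def demo():
    """Constructed scenario: two payroll clerks move into finance approvals,
    one by additive transfer (privilege creep) and one by re-provisioning."""
    alice = Employee("alice", {"payroll_clerk"}, baseline_for({"payroll_clerk"}))
    bob = Employee("bob", {"payroll_clerk"}, baseline_for({"payroll_clerk"}))
    transfer_additive(alice, "finance_approver")
    transfer_reprovision(bob, "finance_approver")
    return access_review([alice, bob])


if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, "excess:", sorted(finding["excess"]),
              "sod:", [sorted(pair) for pair in finding["sod"]])
```

Only the additively transferred clerk appears in the review: she keeps `payroll.update` from her old role, which together with her new `payment.approve` right also trips the separation-of-duties rule.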


creation and use of personal information in the HRIS (Kovach & Tansey, 2000; Sadri & Chatterjee, 2003). The information privacy concerns related to HRIS include (1) what types of employee information can be collected and stored in the system and (2) who can access and update the information (Noe, Hollenbeck, Gerhart, & Wright, 1994; Sadri & Chatterjee, 2003). It is recommended that organizations should only collect and store information based on sound and valid business reasons (Hubbard, Forcht, & Thomas, 1998). Because organizations are accountable and liable for their information practices and procedures, it is prudent to ensure that the collection, maintenance, use, and dissemination of personal information is necessary, lawful, current, and accurate (Camardella, 2003). By focusing on the purpose for and amount of data collected, HR managers can minimize privacy-based litigation in their organizations while maintaining high ethical standards. There are a number of common privacy violations, including violation of Internet usage, intentional misuse of information, interception of information, and information matching. As the HRIS is integrated with many other information systems, Web sites, and databases, employees can use the information-matching technique to generate the specific information they want. The difficulty with information matching is that no one may know what the profiles built from the matched information will be used for and by whom. In recent times, governments have moved to enact legislation to protect an individual’s right to privacy. You may recall that Chapter 10 provides a detailed description of U.S. federal and state laws on privacy, with particular reference to HRIS. The major privacy concerns include determination of what types of employee information should be stored on the system and who can access and modify information in the HRIS databases (Camardella, 2003). 
Following are some of the best practices that HR managers should consider to secure information security and privacy (Noe et al., 1994; Pfleeger, 2006):

•• Train users on how to securely use and handle the equipment, data, and software.
•• Train employees to “log off” personal computers after they are through using them.
•• Do not allow passwords to be shared. Change passwords frequently.
•• Run software through a virus detection program before using it on the system.
•• Ensure that backup copies, data files, software, and printouts are used only by authorized users.
•• Make backup copies of data files and programs.
•• Ensure that all software and mainframe applications include an audit trail (a record of the changes and transactions that occur in a system, including when and who performed the changes).
•• Use edit controls (such as passwords) to limit employees’ access to data files and data fields.
•• Have employees take responsibility for updating their employee records themselves via the self-service system.

Another critical issue with regard to workplace privacy is employee monitoring, including electronic surveillance. This practice can involve monitoring employee use of the telephone, Web, computer, electronic mail, and video. In using various electronic gadgets, employees leave “digital footprints,” and surveys indicate that a majority of employers will monitor these footprints. Please refer to the Web site of the Privacy Rights Clearinghouse (http://www.privacyrights.org) for more on the nature of employee monitoring and its legal and ethical ramifications.

SUMMARY

The chapter begins with establishing the need for security, particularly with the emergence of new technologies that offer exciting possibilities but also bring with them considerable risks to information security and privacy. It describes the main components and principles of information security, namely confidentiality, integrity, and availability. The legal requirements to maintain information security are briefly discussed. Various threats to information security, both from within and outside the organization, are identified. The HR professionals have an important responsibility in ensuring information security in terms of recruitment, training, and employee monitoring. Some of the best practices in this regard are highlighted. A robust information security program needs to consider administrative, logical, and physical controls, using information classification, access control, cryptography, and defense in depth as effective tools. The concept of privacy in an organizational context is then presented, and some of the best practices in this regard are highlighted.

KEY TERMS

availability of information
integrity of information
confidentiality of information
cryptography
managed security service providers (MSSPs)
defense in depth
privacy
electronic surveillance
employee monitoring
security breaches
information security in HRIS
security threats

DISCUSSION QUESTIONS

1. Why are information security and privacy important considerations in the design, development, and maintenance of HRIS?
2. List and discuss the major information security and privacy threats to organizations.
3. What are the important goals and considerations of information security?
4. Identify the important legal provisions governing information security and privacy in your country.
5. What is the role of HR professionals in information security and privacy management?
6. What are some of the best practices to manage information security and privacy in terms of procedural, technical, and physical controls?

CASE STUDY: PRACTICAL APPLICATIONS OF INFORMATION PRIVACY PLAN

XYZ University is a medium-sized tertiary education provider in the state of Queensland, Australia. In undertaking its normal business of teaching, learning, and research, the university collects, stores, and uses “personal information,” that is, any information that identifies a person. With respect to students, this information may include, among other things, records relating to admission, enrollment, course attendance, assessment, and grades; medical records; details of student fees, fines, levies, and payments, including bank details; tax file numbers and declaration forms; student personal history files; qualifications information; completed questionnaire and survey forms; records relating to personal welfare, health, equity, counseling, student and graduate employment, or other support matters; records relating to academic references; and records relating to discipline matters. The bulk of this information is retained in the student management information systems and in the file registry. Academic and administrative staff, at various levels, have access to these records only as required to carry out their duties. Portions of the information held in university student records are disclosed outside the university to various agencies, such as the Australian Taxation Office; the Department of Education, Employment and Workplace Relations; other universities; consultant student services providers; the Department of Immigration and Citizenship; and overseas sponsorship agencies.

The university has a well-documented information privacy policy in accordance with the community standard for the collection, storage, use, and disclosure of personal information by public agencies in Queensland. The policy relies on the 11 principles developed in the Commonwealth Privacy Act of 1988. These principles broadly state the following:

•• Personal information is collected and used only for a lawful purpose that is directly related to the collector’s function.
•• Before the information is collected, the individual concerned should be made aware of the purpose, whether it is required by law, and to whom the information will be passed on.
•• Files containing personal information should be held securely and protected against loss; unauthorized access, use, modification, or disclosure; or any other misuse.
•• Personal information can only be disclosed to another person or agency if the person concerned is aware of it and has consented and the disclosure is authorized or required by law.
•• Personal information should not be used without taking reasonable steps to ensure that it is accurate, up to date, and complete.

Presented below are three scenarios in which you need to decide how to apply the privacy policy and principles. The following scenarios were sourced from the Griffith University Privacy Plan (http://www.griffith.edu.au/about-griffith/plans-publications/griffith-university-privacy-plan/pdf/privacy-training-guide.pdf). The link to the privacy plan itself is www.griffith.edu.au/ua/aa/vc/pp. A complete statement of the relevant privacy principles can be found at www.dva.gov.au/health_and_wellbeing/research/ethics/Documents/ipps.pdf.

Scenario 1

Roger, a photocopier technician, has been asked to repair an office photocopier that just broke down while someone was copying a grievance matter against an employee of the agency. The officer who was copying the file takes the opportunity to grab a cup of coffee and leaves Roger in the photocopy room while the photocopier cools down. While waiting, Roger flicks through the file and realizes that the person against whom the grievance was made lives in the same street as he does.

Scenario 2

Tom telephones a student at home about attending a misconduct hearing. The student is not at home; however, the student’s partner, Christine, answers the phone. She states that she knows all about the misconduct hearing but asks for clarification of the allegations. When pressed, Tom provides further details. Tom feels comfortable about providing this information to Christine because she is the student’s partner, and she has already told Tom that she knows all about her partner’s misconduct hearing.


Scenario 3

Brad works in a student administration center, and Janet is a student. They know each other as they used to attend the same high school. Occasionally, they get together at the university to have a coffee and a chat about mutual friends. Brad knows that Janet’s birthday is coming up because Janet happened to mention that she’ll be another year older in the near future. Brad decides to access the student information system to find out Janet’s date of birth and home address. A few weeks later, Janet receives a birthday card from Brad sent to her home address.

Case Study Questions

With regard to the above scenarios, you need to decide
1. what information privacy principles (IPPs) have been breached,
2. how, and
3. what you would do to address the situation.
