    I would like to set up a process in which IT will be required to complete a form or follow a standard practice in order to release any HR data to third party vendors.
    Currently IT meets with the businesses and they develop extract files via informatica etc. But, there is no formal process followed in which they reach out to HR for approval to release the information.
    Can someone provide a copy of a process they may be using or provide some feedback as to how I can handle this very political issue.

    This was on the internet and I am not sure of the source, but it seems to be appropriate to your request…
    89. Technical Staff Privileges and Production System Change Control
    Policy: Beyond that which they need to do their jobs, computer operations staff must not be given access to–or permitted to modify–production data, production programs, or the operating system.
    Commentary: This policy is a specific manifestation of the separation of duties, as reflected by a typical mainframe shop. Because adequate separation of duties related access control mechanisms may not be available, the policy may not be practical for smaller systems such as microcomputers (PCs) or workstations.
    As client/server software and local area network operating systems become more sophisticated, the policy will become increasingly applicable to the small systems environment. The intention of the policy is to clearly indicate that computer operations staff should not be given ‘carte blanche’ (universal) access to production data, production programs, and the operating system. Because this control is so often ignored in data processing shops, a specific policy may be required to clarify exactly what should be done. Also see the policies entitled ‘Privilege Restriction Based on the Need-to-Know’ and ‘Separation of Duties and Control Over Company X Assets.’
    You can probably tweak the language and substitute ‘production data’ with ‘HR Data’, define what is meant by HR Data in the definitions section of the Policy and Procedure, and use a standard process flow for access to sensitive information.
    It might be helpful to conduct a high level data classification exercise to determine the sensitivity of data and categorize information types. The results can also be used to identify other data that should be restricted based on user need.
    It is more than likely that an exact policy and procedure and related process flow exists, but such a policy is typically not shared/posted online for obvious reasons.
  • Hi - I agree with Milan’s good points 🙂 The following would be beneficial:

    1. Information Security Policy – A high level policy should be in place to ensure sensitive and confidential information is properly protected. It should clearly prohibit any transfer of information outside the company unless it is approved by the data owner.
    2. Data Classification Project – Some application systems contain information that is highly sensitive and confidential in nature. These types of risks should be evaluated and documented for each of your key application systems.

