5 Reasons Why Employee Information Management is Hard

1. HR, Finance and IT All keep their own Databases 

Employee information is kept by many groups within a company. It starts with information gathered by HR during the recruiting and hiring process. Finance also maintains employee information for payroll or equity information, and IT keeps employee information for user credentials for email, single sign-on (SSO), employee notifications, and other core IT services. These groups all maintain their employee information for different reasons and in different systems. 

Most of the information, though, is redundant and often incomplete. This quickly leads to a drift in information accuracy as the information in the systems are inevitably not maintained in the same way and same time. 

2. The data is sensitive to store and access 

Employee information is inherently sensitive and private, whether it is medical, financial, phone numbers, personal email, or home address. Employees expect a certain level of privacy in the way their information is handled by their employer. If the data is not stored and shared properly, this can lead to an unhappy employee at best and a legal and financial issue at worst.  

3. No Single Group Owns Employee Information 

Like a lot of information of other types within a company, no one completely “owns” employee information. HR is the logical owner of a lot of employee information, but IT is usually information security so it owns employee credentials to all or most systems and applications within the company. Similarly, finance also maintains sensitive stock ownership information that logically belongs with them. This creates complexity in how and where employee data is maintained. Mobile numbers and personal emails, for instance, are typically stored in every system that asks for employee information. When conflicts inevitably arise, which data is correct? 

4. Employee information changes rapidly 

Every time an employee moves, changes banks, changes their personal email, works on a new customer, gains a new certification or skill – their information changes. As employees come and go from a company, their information needs to be added and removed also. The number of small changes per employee and across all employees adds up quickly and different systems get of out sync rapidly. Traditional approaches create multiple portals or web forms for “Change of Address”, “Bank Change”, “Password change” – employees get overwhelmed with too many places to update the same information and usually only update what is easy and necessary. 

5. Regulations and compliance are tough to navigate 

There are a number of other regulations that govern employee data including the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act, the Fair and Accurate Credit Transactions Act (FACT Act) and the Fair Credit Reporting Act (FCRA). Most people think of General Data Privacy Regulation (GDPR) and California Consumer Privacy Act (CCPA) are privacy regulations for consumer data but they apply to employee data also. There are also regulations covering employee data privacy that are in the law-making process in state governments across the U.S. Tracking these regulations and implementing the information systems that follow the regulations puts tremendous pressure on updating all the disparate systems and services used by a company. 

What to do? 

Companies need to declare an owner of the employee information repository and the rules for which groups have access to what parts of the repository data. This reduces the cost complexity of maintaining the information and can enable the ROI of applications that are important but hard to justify – such as an employee mass notification system. 

Technically, implementing a hybrid integration layer (HIL) that consolidates data and applies dynamic transformations and security policies provides the basic infrastructure needed to put the company policies and processes into operation. An effective implementation includes connectors to all the systems used by HR, IT, finance, and any other group using the employee information. It also should provide the capability for employees to review and update their own information, while also enabling others within the company to securely and privately access data to enable better collaboration and information sharing across the company. 

Remote Workforce Business Continuity

Ensure your Business Continuity Plan Secures your Remote Workforce

In our last Securing Remote Workers Blog, we discussed how organizations in today’s world must adapt to changing business conditions to ensure a secure remote workforce. Another critical element for securing your remote workforce is ensuring your business continuity and disaster recovery plan includes the ability to support your remote workforce with little or no notice. An organization must be capable of sustaining normal operations due to a power outage, illness, flooding, or similar event, which makes it unsafe for employees to travel onsite. In such an event that disrupts normal business operations, an organization must be capable of rapidly transitioning to a fully remote workforce.

If you already have a business continuity plan, you should consider adding remote workforce security capabilities to your plan, such as:

  • Multifactor authentication
  • Data loss prevention (DLP)
  • Advanced Threat Protection
  • Wireless connectivity

If you do not have a business continuity plan, the Department of Homeland Security provides details on the following four steps:

  1. Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
  2. Identify, document, and implement to recover essential business functions and processes.
  3. Organize a business continuity team and compile a business continuity plan to manage a business disruption.
  4. Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

For more information you can download a summary guide here.

 

PSAP Cyber Risks to 911

CISA Report on Cyber Risks to 911: TDoS

A telephony denial of service (TDoS) attack is a specific type of DDoS attack directed towards a telephone system to bring the targeted system down. These attacks can affect anyone, including our 911 infrastructure, and may often include ransomware requests. 

As such, TDoS attacks present a unique risk to public safety communications stakeholders, including Emergency Communications Centers (ECC), Publics Safety Answering Points (PSAP), and other 911 centers. 

In response, the Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Risks to 911: Telephony Denial of Service fact sheet to educate the public safety community on TDoS threats. 

Specifically, the fact sheet reviews:

  • The most common TDoS attack vectors
  • Real-world TDoS incidents and impacts
  • Best practices to mitigate TDoS vulnerabilities

One of the key takeaways is for ECC/PSAPs should consider a managed service provider to address two of these migrations:

  • Implement the National Institute of Standards and Technology Cybersecurity Framework to improve cybersecurity posture
  • Conduct cybersecurity assessments, identify capability gaps and vulnerabilities, and determine appropriate cybersecurity standards

Take Action to Prevent Attacks:  Download CISA’s TDoS fact sheet to see the seven steps to prevent cyber attacks.

 

Secure Your NextGen 911 Network

Protecting America’s NextGen 911 Networks 

NextGen 911 systems allow Public Safety Answering Point (PSAPs) and public safety agencies to deliver a more responsive service that saves lives — yet these systems come with increased security risks due to their expanding cyber-attack surface.

Hackers and cybercriminals are increasingly targeting emergency response networks throughout the country. According to recent reports, more than 40 attacks in the last three years have targeted 911 dispatch centers. However, these attacks could increase as traditional 911 networks transition to NextGen 911, which enables receipt of video, text, and other data from the public over various computer networks.

Security risks include denial of service attacks, malware, ransomware, spoofing, and swatting that can overrun the service provider or infrastructure. By securing Message Session Relay Protocol (MSRP) messages, agencies can make their systems more secure and reduce the likelihood that a denial of service, malware, or other cyberattacks occurs. 

Below are the top 4 things you can do to protect against these attacks:

  1. Perform security inspections on MSRP messages before entering in these systems 
  2. Limit the rate of messages as automated solutions can generate signals much faster than a human can type, which can overwhelm NextGen 911 systems and block emergency calls
  3. Implement Denial of Service (DoS) attack prevention software
  4. Implement privileged access management (PAM) software and policies to limit the potential damage from a security breach

Cybersecurity is essential to public safety and ensuring that NextGen 911 system.  To learn more download the infographic.

 

 

4 Tips for Ensuring Compliance in the Cloud in 2020

Cloud Computing is well understood as a great method for increasing the speed of deployment and agility of managing IT infrastructure. For these reasons, the migration to and utilization of Cloud Computing continues to grow in both large enterprises and small businesses. However, this move towards increased use of the cloud – especially public cloud services – has increased the pressure for greater data protection regulations across the globe.

Unless you work for a very large organization that can cost justify developing and maintaining a private cloud infrastructure, utilizing Cloud technologies will mean relying on one or more public Cloud Service Providers (CSPs).39percent-of-IT-Decision-Makers-Consider-Themselves-Responsible

Recent high-profile data breaches have brought the risks associated with storing personally identifiable information (PII) into the limelight (i.e., the 2017 Equifax breach, the 2019 CapitalOne breach). Yet, the question of who is ultimately responsible for regulatory compliance remains a significant area of confusion. According to a recent study, only 39 percent of IT decision-makers considered themselves responsible for the compliance of data stored on cloud services. This is an incredibly dangerous mindset to possess, as by law, the ultimate responsibility for regulatory compliance remains firmly in the hands of the data owner – not the CSP.

Which Compliance Regulations Matter in the Cloud

The cybersecurity and data privacy compliance regulations that affect your company are dependent upon the industries in which you operate. Examples include federal government (FedRAMP), manufacturing (GMP), healthcare (HIPAA), real estate (CFPB), and financial services (FINRA, NYDFS). So, which regulatory requirements do you have to worry about in the cloud? The simple answer is the same ones that apply to your business already. Depending on your company’s industry, geographic location, and business function, this could be a range of compliance regulations, including:

  • National Institute of Standards and Technology (NIST)
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Financial Industry Regulatory Authority (FINRA)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Federal Information Security Management Act (FISMA)
  • Sarbanes-Oxley Act of 2002 (SOX)

It is important to understand how your data and processes within your cloud service are affected by all of the applicable regulations, including data storage and retention policies, user access and password policies, and Most of these compliance frameworks require periodic testing of your IT operations, as well as ongoing monitoring to ensure constant It is important to understand the requirements While the responsibility for maintaining compliance lies solely within your organization, you don’t have to take on this burden completely alone. The good news here is that a consultant or managed IT services provider can guide you through the compliance challenges to meet the necessary laws and regulations.

When it comes to ensuring that your cloud operations will be in compliance with the regulatory requirements of your business, here are a few key tips…’

4 Tips for Ensuring Compliance in the Cloud

1. Realize a Compliant Provider Will Not Make You Automatically Compliant

Depending on which regulation you are subject to, you may be required to use a cloud service provider that is certified with those regulations. But it is important to note that using a compliant provider does not in and of itself make your business compliant automatically. You still have to use the service in a compliant manner; it is your responsibility to ensure the provider maintains regulatory controls on an ongoing basis. And you still have to maintain compliance for your own IT operations which connect to the cloud service provider.

2. Know Where Your Data Will be Stored

Some compliance regulations have geographic restrictions on where certain types of data can be stored and processed. For example, the European Union Data Protection Directive requires personal data to remain within the borders of the EU or a third-party country that offers adequate protection based on their previously defined security standards. This can pose a very large challenge if your CSP operates data centers and stores your data around the world. There is good news here: being aware of this caveat is a large part of the battle. All reputable cloud service providers are aware of this issue and offer geographical nodes that customers can select for their data to reside in as a part of their service offering.

3. Understand Access Control

A large portion of regulatory IT compliance stems from ensuring proper controls are in place over who has access to what data in the system. During a compliance audit, you must be able to prove the level of access that each user has and how those various levels are maintained. Your CSP must be able to provide you with documentation outlining how the implement separation of duties for administrative functions. They must also be able to provide clear documentation showing which users had access to which systems when, and what data and systems were able to be accessed by each user.

4. Know Your Service Level Agreement (SLA)

Regardless of what compliance regulations you are subjected to, don’t assume your CSP’s terms and conditions will satisfy your requirements alone. You should know the details and fine print of your cloud services contract inside and out. Again – the sole responsibility of compliance in the cloud is ultimately up to you, not your provider. Your SLA should be very clear on roles and responsibilities, incidence response execution, and data breach remediation. Everything in the SLA must be in accordance with the regulations governing your business. The finer points of an SLA are able to be negotiated with the service provider before signing. Just don’t wait until you have signed to realize that all your bases are not covered.

The good news about ensuring compliance within your Cloud environment is that legitimate service providers will be able to provide the right service for you to meet your governing regulations. That said, you need to know how to apply the regulations properly to how you are using the cloud service. If you are concerned about your regulatory compliance in the cloud services you are using, we recommend bringing in a 3rd party IT service provider, such as Montra.

Montra’s cloud experts can examine your current cloud operations, navigate you through the best options for establishing full compliance, as well as monitoring your compliance over time.

For more information about how Montra can help with your cloud compliance, contact us today.