
Securing Information System


As the HR manager of a large organization, you are planning to implement a new HR system to
streamline employee data management and improve operational efficiency.

However, with the implementation of this system comes the responsibility of ensuring security and
safeguarding sensitive employee information.

Outline the key security measures and safeguards that you would incorporate into the HR system
to protect employee data from potential threats and unauthorized access.

Employee data is sensitive information. It can include a person's name, address, bank
details, phone number, national ID and other personal information, as well as professional
information such as salary, promotions and contract terms. It is therefore vital to safeguard
employee data from potential threats and unauthorised access.

There are numerous threats that can affect employee data:

1. Hardware problems – a malfunction of hardware can lead to breakdowns or outright
failure. The result can be network downtime, and damage to the infrastructure can lead to
the loss of sensitive data if there is no proper backup. Natural or man-made disasters also
pose a threat to the system: in a disaster, the data held in the system would be lost, and the
company would incur great costs if no backup had been made. Physical damage to the
information system would likewise greatly affect the company.

2. Cyberattacks by hackers
Hackers may attempt to breach the organisation's information system by exploiting
vulnerabilities in it. They can do so in numerous ways, as explained below. After acquiring
sensitive information, they can use it to their advantage, either by selling it to third parties
or by demanding money from the company in return for not leaking it.

Hackers can employ malware (software intentionally developed to disrupt a computer
network; it can be used to damage the system or to steal data from it):

a. Viruses – malicious programs that attach themselves to other software. Once the host
file is executed, the virus makes copies of itself in order to break down the computer
system, mainly affecting the file system.

b. Worms – independent, stand-alone programs that copy themselves from one computer
to other computers over a network. Once a worm is present on a system, it automatically
starts spreading itself, and it can bring down the network through increased resource
usage.
c. Trojan horses – programs that appear to be legitimate but are in fact malicious. A Trojan
horse is usually used to steal the user's information, and the author of the malicious
program may be able to control certain functions of the computer.

d. Spyware – a program installed on the computer without the user's permission or
knowledge. The main purpose of spyware is to steal data and track the user's activity. It can
monitor web browsing and display additional adware.
e. Key logging – the recording of keystrokes (letters, numbers, symbols) to monitor the
user's activity on the computer. It can be used to steal passwords and serial numbers and to
launch further Internet attacks.

f. SQL Injection Attacks – Hackers can use malicious SQL statements to tamper with the
SQL database, and get unauthorised access to information.

3. Insider threats
Members of the organisation may intentionally seek to reveal sensitive information about
the company to third parties, misusing their position to gain unauthorised access to the
data. This is possible when there are not enough security measures in place.

There can also be spoofing and social engineering, whereby someone impersonates a
trusted person, for example by using a fake email address, in order to extract sensitive
information from employees.

4. Other vulnerabilities
Denial-of-service attacks flood the system with numerous false requests, which can crash the
network. Rogue wireless networks may pretend to offer a trustworthy Wi-Fi connection but
are in fact used as a medium to extract data from the users of that connection. This is known
as an Evil Twin.

5. Software vulnerabilities
Software is a list of instructions, and it needs to be regularly updated in order to boost
productivity and to mitigate the risk of information being exposed. Software can contain
flaws that create security vulnerabilities. Zero defects cannot be reached, because complete
testing is not possible for large programs. This is why patches, small pieces of software that
repair the flaws, are necessary.

6. Phishing attacks
Phishing uses fraudulent emails, messages or websites that look legitimate but are intended
to trick users into providing sensitive information such as their personal details. Without
adequate security measures, employees may fall victim to phishing because they believe the
email was sent by the organisation, and so unknowingly disclose their credentials to the
attackers (data compromise). The third party can then use the personal information to
impersonate the employee (identity theft).

Security measures are the policies and procedures implemented to avoid:

A. Unauthorised access
B. Physical damage to the information system
C. Theft

The security policy would need to be designed after a risk assessment that determines the
level of risk to the firm from the specific activities or processes that need to be controlled.
Security goals would then be set, and the measures to achieve those goals implemented.

The security measures are as follows:

1. Identity management
The organisation needs to implement tools such as role-based access control, together with
business processes to identify the users of the system and categorise them, in order to know
to whom to grant authorisation. Such tools help to authenticate users and specify which
portion of the HR system each user can access, thereby limiting access to sensitive data to
authorised persons only.
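The following is an added illustration, not part of the original essay, of how role-based access control (measure 1) and the SQL injection threat (item 2f) meet in an HR records lookup. The roles, column names and employee rows are constructed for the example; it uses Python's standard sqlite3 module only.

```python
import sqlite3

# Field-level access per role for HR records (assumed roles, not from the essay).
ROLE_FIELDS = {
    "hr_admin": ["name", "department", "salary", "bank_details", "national_id"],
    "manager": ["name", "department"],                             # no pay or identity data
    "employee": ["name", "department", "salary", "bank_details"],  # own record only
}

def build_db():
    """Constructed in-memory HR table with fictional sample employees."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, "
                 "department TEXT, salary INTEGER, bank_details TEXT, national_id TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Alice Example", "Finance", 52000, "IBAN-TEST-0001", "NID-0001"),
        (2, "Bob Example", "Finance", 48000, "IBAN-TEST-0002", "NID-0002"),
    ])
    return conn

def fetch_employee(conn, requester_id, role, target_id):
    """Return only the columns the requester's role may see, or raise PermissionError."""
    if role not in ROLE_FIELDS:
        raise PermissionError("unknown role")
    if role == "employee" and requester_id != target_id:
        raise PermissionError("employees may only view their own record")
    fields = ROLE_FIELDS[role]
    # Column names come from the fixed allow-list above, never from user input, and the
    # id is bound as a parameter, so nothing the caller supplies is interpreted as SQL.
    row = conn.execute(f"SELECT {', '.join(fields)} FROM employees WHERE id = ?",
                       (target_id,)).fetchone()
    return dict(zip(fields, row)) if row else None

def search_names_unsafe(conn, name):
    """Vulnerable form: string concatenation lets the input rewrite the WHERE clause."""
    sql = "SELECT name FROM employees WHERE name = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]

def search_names(conn, name):
    """Hardened form: the value is bound to a placeholder and treated as data only."""
    return [r[0] for r in conn.execute("SELECT name FROM employees WHERE name = ?", (name,))]
```

Running both search functions on the same malformed name shows the difference: the concatenated query returns every row, the parameterised one returns nothing, which is the behaviour an audit of the HR system should verify.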

2. User authentication
Strong authentication measures would need to be implemented (passwords, biometrics,
multi-factor authentication) so that users' identities are verified before they are granted
access to the HR system. Management can also spread awareness of how to better protect
the system, for example through regular password changes.

3. Management information system audit
An MIS audit would examine the overall security environment and the controls implemented
to protect the information systems. Documentation, personnel and procedures would be
reviewed. The audit would also test the response of the technology, the IS staff and other
employees through a disaster simulation.
The results of the MIS audit would identify any potential weaknesses in the controls that
need to be rectified. Typically, the audit lists and ranks the risks and control weaknesses,
with estimates of their probability of occurrence, which facilitates management decision
making.

4. Employee training and awareness
Management can spread awareness of how to avoid certain risks, through seminars or
formal training. For example, employees can be educated on how to better manage their
passwords, how to identify phishing, and what to do if there is suspicious activity on their
computer (such as reporting it immediately to management).
5. Regular security updates and patch management, with the integration of other software
In order to mitigate the vulnerabilities in the HR system that could compromise its security,
the software must be updated regularly. Applying security patches resolves known
vulnerabilities and so reinforces the existing security measures. It is also essential that the
organisation integrate other protective software. Antivirus and antispyware software check
for malware on the computer and attempt to eliminate the malicious programs. Intrusion
detection systems monitor the network and scan for unauthorised access or suspicious
behaviour.

6. Implementation of a firewall
A firewall is a combination of hardware and software that prevents unauthorised users from
accessing private networks. It is placed between the firm's private network and the public
Internet (or another third-party network) in order to mitigate the risk of a breach of the
organisation's network. Firewall technologies include static packet filtering, network address
translation (NAT) and application proxy filtering.

7. Disaster recovery planning and business continuity planning
In case of a disaster such as a fire or flood, it is necessary to have a disaster recovery plan.
There should be a backup of the data on the server, which would allow the data lost in the
disaster to be recovered. The backup can be kept in the cloud or on another hard drive.
Business continuity plans focus on restoring business operations after a disaster. Attention
and resources would need to be directed towards the most critical systems, which can be
identified through a disaster simulation.
