
Document Management Systems and HR Security

KBFINN (Programmer), Nov 18, 2002

We are in the process of implementing a Document Management System and are concerned about storing confidential HR Documents there. I am interested in hearing how other companies manage this. (1) How many system administrators are there who have full access to the information? (2) Are the admins business users or IT or some of both? (3) What kind of reports, alerts or other controls are there to notify system owners, administrators or other data owners that someone has viewed, downloaded or otherwise accessed information they should not have access to? (4) How is communication handled?

Thanks for your information.

 
When you deal with HR stuff, you start skating on thin ice. HR information can be extremely touchy, especially since many HR departments in the US also handle Worker's Comp claims, which fall under HIPAA regulations. HIPAA has its own set of security requirements which just changed recently.

If you are buying a commercially available system, then you need to consult with your vendor on this information. If you are building your own system, your HR director and attorney need to be consulted to find out what legal requirements there are on the types of documents you are handling. Those requirements will need to be reflected in your system.

HAVE AN ESTABLISHED SECURITY POLICY AND ENFORCE IT RELIGIOUSLY.

Dealing with highly confidential information is a touchy issue and, frankly, most companies don't get anywhere near the level of security needed to protect that kind of information. I have worked with many document management packages as well, and I have yet to find any that provide even the most basic level of security, IMO.

To address your specific questions, I will try to use our security policy for examples.

How many system administrators are there who have full access to the information?

As few as possible, but never less than two. Don't put all your trust in any one employee, but don't give away the farm, either. Operate under the principle of lowest privilege, even with admins. Make sure that your admins are qualified and trustworthy enough to trust with such data.

Are the admins business users or IT or some of both?

That depends on the administrative task. Resetting passwords and adding/removing users are functions that the HR Director has, but not the level of authority that could break the system.

What kind of reports, alerts or other controls are there to notify system owners, administrators or other data owners that someone has viewed, downloaded or otherwise accessed information they should not have access to?

Two words: Full Auditing. Nothing happens on the system that isn't recorded. All data access is handled by stored procedures which log information about: who accessed the data and when; what, if any, changes were made; and what the previous values were when they were changed. A random sampling of the log is checked to ensure nobody is abusing their privileges.

How is communication handled?

I'm not sure what kind of communication you are referring to. Are you asking how communication takes place between the front and back ends of the system, or between users?
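The "full auditing" approach described in the reply above (every read and change goes through a single access layer that records who, when, what changed and the previous value, with the log sampled at random) as an added illustration that is not code from the original thread or from any DMS product; table names, columns and the sample rows are constructed for the example.

```python
import random
import sqlite3
from datetime import datetime, timezone

# Constructed schema and sample rows; 'hr_documents' and 'audit_log' are hypothetical names.
SCHEMA = """
CREATE TABLE hr_documents (doc_id INTEGER PRIMARY KEY, employee TEXT, status TEXT);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, at TEXT, actor TEXT, action TEXT,
    doc_id INTEGER, old_value TEXT, new_value TEXT);
INSERT INTO hr_documents VALUES (1, 'alice', 'active'), (2, 'bob', 'on leave');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _audit(conn, actor, action, doc_id, old=None, new=None):
    # Every access path records who, when, what, and the previous value (if any).
    conn.execute(
        "INSERT INTO audit_log(at, actor, action, doc_id, old_value, new_value) VALUES (?,?,?,?,?,?)",
        (datetime.now(timezone.utc).isoformat(), actor, action, doc_id, old, new))

def read_document(conn, actor, doc_id):
    # Reads are audited too: viewing is an access, not only changing.
    row = conn.execute("SELECT employee, status FROM hr_documents WHERE doc_id=?", (doc_id,)).fetchone()
    _audit(conn, actor, "read", doc_id)
    conn.commit()
    return row

def update_status(conn, actor, doc_id, new_status):
    # Capture the old value first, then write data and audit row in one transaction.
    old = conn.execute("SELECT status FROM hr_documents WHERE doc_id=?", (doc_id,)).fetchone()
    if old is None:
        _audit(conn, actor, "update_missing", doc_id)   # failed attempts are logged as well
        conn.commit()
        return False
    conn.execute("UPDATE hr_documents SET status=? WHERE doc_id=?", (new_status, doc_id))
    _audit(conn, actor, "update", doc_id, old[0], new_status)
    conn.commit()
    return True

def sample_audit(conn, k, seed=None):
    # Random sample of log rows for a reviewer to check for privilege abuse.
    rows = conn.execute(
        "SELECT actor, action, doc_id, old_value, new_value FROM audit_log").fetchall()
    return random.Random(seed).sample(rows, min(k, len(rows)))
```

The point is that application code never issues raw SELECT or UPDATE statements against the documents table; only these functions do, so nothing can touch the data without leaving an audit row.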
 
Thanks for the information. We are implementing a DMS package - Livelink.
What is IMO?
As for communication, I'm interested in what's stated to employees and management to assure them the data is safe; what's stated to the admin and IT personnel to keep them out of the system. (On pain of death???)
I'm in one of those positions that spans IT and the user community, so I'm interested in both sides of this issue.
Again, thanks.
 
IMO = In My Opinion

As for what to say: Everything will be audited at random. Abuse or misuse will result in immediate termination.

The level of confidence that management and employees have in the security of the system will reflect their confidence in the people responsible for that system. If the administrative staff or IT department isn't trustworthy, or if management micromanages the system, then getting employees to buy-in will be difficult.

By contrast, if management expresses their confidence in the admin staff and their abilities, and the admin staff is worthy of that confidence, then employees will buy in.

I have not used Livelink, but I also haven't heard anything bad about it either.
 
Thanks for your input. It sounds like you have had experience with more than one DMS implementation. What products have you worked with?
 
OnBase, OTG, ImageNow, and Optix are the pre-packaged ones I have used. I have had demos of a few others, but I wouldn't call that "experience"; all have left lackluster impressions on me.

I have only been impressed by one package to date, but it never made it out of beta (company was bought out and the project scrapped). At the time I tested it, the beta version was better than anything else I have used. It didn't even have a name at that point in time, and was just referred to as "1402", its build number.

Anyways, hopefully the package that you are looking at will prove better than the others.
 
Here are some other considerations to think about. I've been involved with imaging (HR plus an entire organization's paper) for about 6 years now. I've used FileNet and OTG (Legato) products.

First of all, as mentioned, HR is a very touchy subject. In the state of AZ (and I don't know if it's a federal law or not), we are allowed to keep only ONE copy of most HR paper. That means once paper is imaged, it must be destroyed. Not only that, you will have more people seeing the paper than you think. Not only will the system admins see the paper, but so will: management, the people scanning the paper, people prepping it, etc.

What we do (I now work for a large international company) is to set up web enabled applications that only a very few people have access to. And those that have access to it are the only ones that even know about it. And then ONLY after the VP of HR gives his blessing does a user get access to HR data. BTW, you will have clerks that will need access to at least some data, esp. if they are answering phone calls concerning an employee's status on different issues (i.e. 401(K) earnings, payroll deductions, changes in address, etc.)
 