Lesson 7: Why HR Policies complement Information Security
Most employees perceive both the HR and the Cybersecurity Department as existing only to look for a mistake and punish them. Some say that HR is the principal's office, while the Cybersecurity team is the surveillance arm. Indeed, during investigations the cybersecurity team most of the time becomes the expert witness whose findings help either acquit or punish the employee. (This will be discussed in another lesson.)
There is truth in both the perception and the claim. To add to that, a lot of the policies in organizational security (discussed in Lesson 6) overlap with HR. This means that the policy was created either by HR alone or by the HR and Cybersecurity teams together. For example, the Acceptable Use Policy (AUP) outlines the expected behavior of an employee in the organization. Part of the AUP is the Internet Usage Policy (IUP), along with other policies covering the acceptable use of company-issued assets such as laptops and mobile phones, to name a few. These policies are created and monitored by the cybersecurity team. The AUP is usually signed by the employee together with his/her job offer/contract prior to onboarding.
Without explicitly contributing to information security, HR has thus put an administrative-deterrent control in place. (Administrative because it is a policy; deterrent because it discourages people from violating the rules.)
Other HR policies that help information security are background checks (an administrative-preventive control), because they verify that you are as good as your CV claims before you are hired, and mandatory vacations (an administrative-detective control), because they allow the organization to check and audit whether you have been doing something outside your job description while you are not present in the office.
During day-to-day operations, HR may have its own independent and confidential tasks, but its role is significant in providing a sound and mature information security environment in the organization.