I’d like (with the support of human resources) to build an awareness session + document related to the current “data retention of employee records, security and privacy” in my company.
This subject is touchy and can hurt people if only the technical aspect is presented to the audience.
The document may contain:
- Introduction, situation, goal.
- The inventory and
- The different measures related.
- The risks and
- The benefits, for employees and company.
The presentation may be a summary of the situation, the goals, the risks/benefits and their implications, plus Q&A.
Outline the current situation, and clearly explain that recording of events is not new. It’s a normal day-to-day process required in different systems and applications.
Give some examples.
Make them aware that some records are available and can be used (under certain conditions) to:
1. Protect the company.
- It can be used in case of legal or security investigation (internal and external).
- It will make it possible to solve and/or detect a breach or incident rapidly.
- It will make it easier to produce a better diagnosis.
- It will make it possible to respect some proportionality in case of investigation (employees are aware).
2. Protect the employees – this is really important –
- No confusion. It clearly explains to them that we don’t want to hide security tools that can hurt their sensibilities. Company and management have codes of conduct.
- It will allow employees to protect themselves in case of abuse (harassment (mail, …), accusation).
1. Assessment/Inventory:
I made an assessment of the different systems that store records related to staff (managers, employees, consultants, workers …) activity or information.
This includes (non-exhaustive list):
Physical access and events:
- Access Badges,
- Special access Badges (Parking, Data-centers, Data-rooms, …)
- Desk Phone voice recording (trading),
- Desk Phone call logs (in & out)
- Desk Phone address book.
- PC Startup, shutdown
Logical access and events:
- PC Logon : login success, failure
- Servers and PC system events,
- File servers access.
- Applications logs.
- Internal messaging.
- e-mails in gateways, mail server(s), mail archiving system,
- Web surfing,
- USB and other removable devices data transfer and connections.
- DHCP / DNS Records.
- Antivirus Records.
- Firewall Logs.
- Backups on tape that keep records.
- Data replication that keeps records.
Specific HR or extra records (Clearly privacy is n°1 here, with security of records).
- Holidays (start/end), Sick,
- Business travel (hotel, distance, location, …), expenses,
- Private documents (address, bank account, family situation, age, …),
- Contracts (records),
2. C.I.A. & measures in place.
I defined the points to clarify, because many questions will pop up. Some are generic, some need a pinpoint solution.
- Access to logs – Who has access to logs – Who can request access to events.
- What is done with records? Reports, statistics, screening, nothing.
- What will prevent abuse?
- Is there notification in case of investigation?
- 4 eyes controls?
- Where are the logs stored and
- What will guarantee integrity
- What will prevent fraud
- 4 eyes controls?
- What is the procedure in case of forensics? Copy, export, …
- Is it possible to erase records on demand? (For privacy or legal reasons)
- When are logs recorded? All day long, 24/24, business days, after hours …
- Duration/Retention – how long records are available and kept (one week, one month, archived forever)
- Measures to protect log systems.