HRMS User Security: Defining A Strategy

User strategy is an important topic for any system, but especially important in an HRMS which holds personal data about employees such as home address, date of birth and national IDs as well as confidential job data such as salary. It is a careful balance to allow enough access to employee data to perform job tasks without providing too much detail that access is excessive, and HRMS security is compromised. However, with an appropriate strategy in place, you can focus on using the system and enabling HR to become a top performing function of the organization. There are some key topics that should be included in any security strategy and will provide the framework to get started:

Define Your Data and Categorize It

A first step in an HRMS security strategy is to determine what data you have, where this data is going, what devices need access to the data, and who needs this access. It is easiest if you can define categories of data: ‘confidential’ data such as an employee’s birthdate or salary should require a stronger business reason for access than ‘general’ data such as an employee’s location.

Define Your Roles

Rather than defining HRMS Security for individuals, it is better to establish access control per role. Then, instead of trying to figure out what access ‘Mary, the Payroll Administrator’ needs, it is easier to say that ‘all Payroll Administrators require access to x and y data’ and Mary is automatically assigned that access based on job title.

Document Access Levels and Access to Data

In the event of an audit, one of the first things you will be asked is to provide lists of active users and their access to data. There needs to be a documented user access process and HRMS security administrators need to follow such a policy to ensure compliance. If your user provisioning policy consists of emailed approvals, this can often prove difficult to chase back at a later date.

Perform Regular User Reviews

Often, users will change jobs over time and system access fails to keep up. Therefore it is a good practice to perform regular audits of users on a defined frequency, such as twice per year. Data owners should have an understanding of why an HR employee has access to certain data elements in order to be able to sign off on this access.

Finally, remember that any HRMS security administration should be a manageable process. To pass any audit, one must show compliance to a documented process, therefore, it is important that administrators buy into the process as designed. When choosing an HRMS, be sure to ask prospective vendors about the security features of their product and how it supports efficient user maintenance.