In this work, we sought to document the HR life cycle information related to HR operations as a case of understanding and identifying the best practices for information security in the State administration of Geneva. We started by reviewing the literature, laws, and standards related to this thematic. Then, after careful considerations, we opted for creating a docu-ment to serve as a guideline for all HR departdocu-ments, which was based on the standard ISO/IEC 27002. Finally, we reached the document “Le cycle de vie de l’information des ressources humaines”.
From the literature, we found that the issue concerning the definitions concerning personal data is still current even with the efforts from the data protection law, which will eventually be updated as information technology evolves. Moreover, data quality in the public admin-istration has been confirmed to be fundamental, not only to limit the quantity of data stored on physical supports but also to avoid that HR data are stored unlawfully in the HR infor-mation system. For this purpose, the data collection and treatment should follow each of the seven principles arising from the LIPAD itself in accordance with the GDPR on these aspects. Thus, the principles act as filters, guaranteeing a certain quality of the information collected and treated. For the conception of the HR guideline on security information, the framework of ISO/IEC 27002 was the most suitable since it treats specifically the HR data, could be completed with the LIPAD, as main law, as well as with other related laws and regulations; hence, we could address the issues raised by the IAS. Furthermore, the frame-work structure allowed us to overview the objectives, responsibilities, definitions related to the various aspects of information security systems and data protection. In addition, the guideline regroups all the references associated with HR data, which could allow the em-ployees to use it as a starting point to find more details of the specific topic searched by consulting the documents cited.
The work has several limitations due to the current crisis due to the spread of COVID-19.
Firstly, the inclusion in the guideline of good practices of the different HR departments was limited since the contacts with other people were avoided. Besides, the acceleration of teleworking implementation modified the priorities of the various departments. The con-fusion generated by the crisis contributed to the delay in the completion of the guideline.
As the time allowed for that internship was limited, the final version differs from the one presented initially in this paper. Whereas the guideline was planned to be presented to the various HR departments and the different specialised colleges within that timeframe, the checks and presentation have occurred within the following months. Furthermore, due to the latest elections, the structure of the different departments has changed since last year.
Furthermore, the implementation problem reflects the current limitations of the ISO/IEC 270002 that even after being adapted, it still had a formulation far from the reality of the
awareness of the topic through regular meetings, in which participants share their concerns and good practices and exchange some advice. In the future, especially for new employees and in the view of simplifying the information system, the various regulations, laws and documents should be mapped around a specific topic, thereby facilitating information ac-cess. Another way would be to increase the performance of the internal search engine in the intranet of the Canton.
The State publishes more than a thousand announces each year and receives approximately 55’000 applications, including the documents attachment files, such as CV, diplomas and work certificates. Therefore, considering the large volume of data generated, the increase of data quality, through the destruction of unusable data, would ensure not only major compliance with the law but also a saving in terms of physical storage and energy use, thereby implying the aspect of sustainability in the information security system of the State of Geneva.
R
EFERENCESAccenture. (2017). COST OF CYBER CRIME STUDY 2017 INSIGHTS ON THE SECURITY INVESTMENTS THAT MAKE A DIFFERENCE Independently conducted by Ponemon Institute LLC and jointly developed by Accenture.
Bamakan, S. M. H., & Dehghanimohammadabadi, M. (2015). A Weighted monte carlo simulation approach to risk assessment of information security management system.
International Journal of Enterprise Information Systems, 11(4), 63–78.
https://doi.org/10.4018/IJEIS.2015100103
Chancellerie d’Etat - Genève. (2017a). Chancellerie d’Etat - Nos missions | ge.ch.
Retrieved June 13, 2021, from https://www.ge.ch/document/chancellerie-etat-nos-missions
Chancellerie d’Etat - Genève. (2017b). Organisation de l’Etat | ge.ch. Retrieved June 13, 2021, from https://www.ge.ch/document/organisation-etat
Chidinma, O., Nwadialor, E., & Ifureze, S. M. (2016). Effective internal audit as a tool for improving institutional governance and accountability in the public sector. Advances in Applied Science Research.
Cour des Comptes. (n.d.). Rôle et Mission - Cour des comptes - République et Canton de Genève. Retrieved April 13, 2020, from http://www.cdc-ge.ch/fr/Qui-sommes-nous/Role-et-Mission.html
Davidian, M., & Louis, T. A. (2012). Why Statistics? Science.
https://doi.org/10.1126/science.1218685
Delforge, A. (2018). Comment (ré)concilier RGPD et big data ? Revue Du Droit Des Technologies de l’information, 70, 15–29. Retrieved from https://www.
Département des finances et des ressources humaines (DF) de l’Etat de Genève. (2020).
Département des finances et des ressources humaines - Nos missions | ge.ch.
Retrieved June 13, 2021, from 16 juin 2020 website:
https://www.ge.ch/document/departement-finances-ressources-humaines-nos-missions
Diamantopoulou, V., Tsohou, A., & Karyda, M. (2020). From ISO/IEC27001:2013 and ISO/IEC27002:2013 to GDPR compliance controls. Information and Computer Security, 28(4), 645–662. https://doi.org/10.1108/ICS-01-2020-0004
E. Sanger, D., Krauss, C., & Periroth, N. (n.d.). Cyberattack Forces a Shutdown of a Top U.S. Pipeline. The New York Times. Retrieved from
https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html
Etat de Genève. (n.d.-a). Office cantonal des systèmes d’information et du numérique (OCSIN) | ge.ch. Retrieved June 13, 2021, from
https://www.ge.ch/organisation/office-cantonal-systemes-information-du-numerique-ocsin
Hamilton, R. H., & Sodeman, W. A. (2019). The questions we ask: Opportunities and challenges for using big data analytics to strategically manage human capital resources. Business Horizons, 63, 85–95.
https://doi.org/10.1016/j.bushor.2019.10.001
ISMS.online. (2021). What is an Information Security Management System. Retrieved June 13, 2021, from https://www.isms.online/information-security-management-system-isms/
ISO/IEC. (2013). International Standard ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls. Iso/Iec 27002:2013(E), 2013, 1–80.
ISO. (n.d.). ISO/IEC 27001 — Information security management. Retrieved June 13, 2021, from https://www.iso.org/isoiec-27001-information-security.html
ISO. (2018). ISO - ISO/IEC 27000 – key International Standard for information security revised. Retrieved June 13, 2021, from https://www.iso.org/news/ref2266.html ISO. (2019). ISO - ISO/IEC 27701:2019 - Security techniques — Extension to ISO/IEC
27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. Retrieved June 20, 2021, from
https://www.iso.org/standard/71670.html
ISO 27001 vs. ISO 27002 - What’s the difference? (n.d.). Retrieved May 18, 2021, from https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
IT Governance Uk. (2020). ISO 27000 Series of Standards . Retrieved June 13, 2021, from https://www.itgovernance.co.uk/iso27000-family
Lazarte, M. (2015). ISO - Des organismes à l’abri des cyber-attaques grâce à une boîte à outils de normes sur la sécurité. Retrieved June 13, 2021, from
https://www.iso.org/fr/news/2015/12/Ref2032.html
Linkov, I., Trump, B. D., Poinsatte-Jones, K., & Florin, M. V. (2018). Governance strategies for a sustainable digital world. Sustainability (Switzerland).
https://doi.org/10.3390/su10020440
Mirtsch, M., Kinne, J., & Blind, K. (2021). Exploring the Adoption of the International Information Security Management System Standard ISO/IEC 27001: A Web Mining-Based Analysis. IEEE Transactions on Engineering Management, Vol. 68, pp. 87–
100. https://doi.org/10.1109/TEM.2020.2977815
OECD. (2016). Broadband Policies for Latin America and the Caribbean. In Broadband Policies for Latin America and the Caribbean. https://doi.org/10.1787/9789264251823-en
Purtova, N. (2018). The law of everything. Broad concept of personal data and future of EU data protection law. Law, Innovation and Technology.
https://doi.org/10.1080/17579961.2018.1452176
PWC. (2018). What does the revision of the Swiss Data Protection Act entail, and how does it relate to the GDPR and the ePrivacy Regulation? Retrieved from www.pwc.ch
Secrétariat Général du département des Finances. (n.d.). Département des finances et des ressources humaines (DF) | GE.CH – République et canton de Genève. Retrieved October 16, 2020, from https://www.ge.ch/organisation/departement-finances-ressources-humaines-df
Seipp, T. (2020). The new Swiss Federal Act on Data Protection (FADP) | activeMind.legal. Retrieved June 13, 2021, from
https://www.activemind.legal/guides/swiss-data-protection/
Service d’audit interne de l’Etat de Genève. (2019a). Le Service d’audit interne se présente
| GE.CH – République et canton de Genève. Retrieved July 2, 2020, from https://www.ge.ch/document/service-audit-interne-se-presente
Service d’audit interne de l’Etat de Genève. (2019b). Résumé du rapport d’activité 2018.
Swissinfo (SWI). (2020). Hackers steal wages from Swiss universities . Retrieved June 13, 2021, from
https://www.swissinfo.ch/eng/hackers-steal-wages-from-swiss-universities/46075528
Topa, I., & Karyda, M. (2019). From theory to practice: guidelines for enhancing information security management. Information and Computer Security, 27(3), 326–342.
https://doi.org/10.1108/ICS-09-2018-0108
Ubaldi, B. (2013). Open Government Data: Towards Empirical Analysis of Open Government Data Initiatives. OECD Working Papers on Public Governance.
Ville de Genève. (2012). Directive relative à la protection des données personnelles - dans les structures d’accueil de la petite enfance subventionnées par la Ville de Genève (données concernant les enfants).
Retrieved from www.ville-geneve.ch
Voigt, P., & von dem Bussche, A. (2013). The EU General Data Protection Regulation : Toward. In Springer.
World Economic Forum. (2020). WEF - The Global Risks Report 2020. In World Economic Forum, Davos.
45
A
PPENDIX:
Chapters from the ISO/IEC 27002 standard included in the document
Chapters intro-duced in the HR document
Original chapters of the
ISO 27002 Description References and Related Documentation Figures in the
HR life cycle
l'em-bauche 7.1 Prior to employment Objective: ensure that future employees understand their responsibilities concerning HR data and will be able to do the tasks required for the position
- -
1.1.1. Sélection
des candidats 7.1.1 Screening Checks necessary for the candidates' selection. Data de-struction of non-selected candidates once per year by the OCSIN.
MIOPE 01.01.02 (recruitment, candidate selection and engagement), MIOPE 01.03.03 (documents necessary for engagement), LIPAD
condi-tions of employment The information security policy is communicated to the employees, which includes professional secrecy and re-sponsibility for data classification and data treatment
ROGSIC (art.8), LIPAD (art.35 and 39), MIOPE 01.07.04 (professional secrecy), e-learning on secu-rity information, EGE-10-12 (information classifi-cation), EGE-10-06 and EGE-10-07(organisational resources management)
-
1.2 Pendant la
durée du contrat 7.2 During employment Preview: a significant quantity of data is accumulated dur-ing the employment, includdur-ing events happendur-ing durdur-ing the career and the employees' logs.
- -
1.2.1 Re-sponsabilités de la direction
7.2.1. Management
re-sponsibilities RH departments, OPE and OCSIN, are responsible for
the application of the information security policy. PSI Documentary
Pyramid of the
Employees receive appropriate training and updates con-cerning the information security policy and procedures, proportionally to their role in the State of Geneva
ROGSIC, different modules of the e-learning (eSusi), MIOPE 01.02.01 (welcome of the new em-ployees in the cantonal administration)
-
1.2.3 Processus
disciplinaires 7.2.3. Disciplinary process In cases of information security violation, some
discipli-nary measures are undertaken. MIOPE 01.07.04 (obligation of secrecy), MIOPE 04.05.01 (disciplinary sanction), informative sheet by the PPDT (disciplinary sanction)
-
1.3 Rupture,
Responsibilities for the processes concerning the end of employment are defined. Procedures for the internal change of position is also detailed. In addition, the HR life cycle information concerning the personnel files is described and represented.
RPAC, LIPAD, RIPAD, LArch, EGE-03-02 (per-sonnel files), EGE-10-12 (Archives rules), MIOPE 04.02.01 and following (employees transfer), in-formative sheet concerning information archives and destruction, e-learning (archives discovery)
HR data life
de l'information 8.2 Information
classifica-tion - - -
2.1.1 Classifica-tion des infor-mations
8.2.1. Classification of
in-formation The classification of the HR data is proportional to their value, sensitivity and criticality. Thus, the responsibilities of the various actors involved are defined. The risk ma-trix determines the classification plan and the level of data protection. Additional information is provided re-garding data classification.
ROGSIC, LIPAD, G-EGE-10-12 (information classification guideline), e-learning (Archives’ dis-covery), EGE-10-12 (information classification), EGE-01-04 (risks management), Excel spreadsheet developed by the OCSIN regarding data protection and classification needs, documents management guideline, EGE-08-02 (dematerialization of files with probative value), EGE-10-14 (naming elec-tronic files), additional documents provided by the State Archives
-
2.1.2
Manipula-tion des actifs 8.2.2. Handling of assets Responsibilities of procedures application related to the access to the HR facilities and information systems are shared between the HR departments, OPE and OCSIN.
EGE-10-06 (access control and right to facilities), policy related to access badges, e-learning: Cursus GINA (Access management system)
-
2.2 Manipulation des supports amovibles
8.2.3 Media handling Procedures and controls are implemented in order to avoid non-authorised data disclosures, modifications, de-letion and destruction, which are stored on different types of support.
The document entitled "Media Handling", 15 (tangible and intangible resources), EGE-10-06 (employee responsibilities)
-
3. Contrôle
d'accès 9. Access control - - -
47
and network services Users have access to network and services for which they specifically received authorization. In addition, remote services are secured with strong authentication.
Intranet page explaining the configuration for strong authentication, a document concerning the phones/smartphones preparation for the security policy application ActiveSync
-
3.1.3 Restriction d'accès à l'infor-mation
- Access to HR data and application systems are restricted in order to avoid any unauthorised access. It is based on the users' profiles which depend on their role within the organisation.
- -
3.2 La gestion de
l'accès utilisateur 9.2 User access
manage-ment Objective: Ensure the users' access is authorised and blocked to avoid unauthorised access to services and sys-tems.
de-registration For user’s registration and de-registration, roles are shared between the OCSIN, organizational management and HR departments.
e-learning: Cursus GINA (Access management
sys-tem) -
3.2.2 Maitrise de la gestion des ac-cès
9.2.2 User access
provi-sioning The formal process of attribution and revocation of
us-ers' access rights and related responsibilities are defined. e-learning: Cursus GINA (Access management
sys-tem) -
3.2.3 Gestion des
privilèges d'accès 9.2.3 Management of
privileged access rights The attribution of privileged access is limited and
checked according to the related directives. e-learning: Cursus GINA (Access management
sys-tem) -
Formal processes for the users' password definition and
related systems responsibilities are defined. EGE-10-13 (users accounts and passwords), e-learning: Cursus GINA (Access management sys-tem)
adjust-ment of access rights Access rights are deleted when an employee's contract ends or is adapted in case of a position change within the organisation. Procedures and responsibilities are defined.
EGE-10-13 (users accounts and passwords), e-learning: Cursus GINA (Access management sys-tem)
9.3 User responsibilities User responsibilities are defined for the protection of
their authentication information. Intranet pages related to passwords settings, e-learning: Cursus Gina (Access management system), EGE-10-13 (users accounts and passwords)
-
moni-toring Objective: following electronic records in the HR infor-mation system. An example of records is included. Since they can constitute sensitive personal data, appropriate measures should be taken.
- -
5. Relations avec
les fournisseurs: 15. Supplier relationships Objective: Protect the HR data accessible to the suppliers - -
Sécurité de
- HR information security requirements are defined and documented with suppliers in order to mitigate the risk of external data access. Rules and responsibilities are de-termined.
ROGSIC, MIOPE 01.07.04 (Professional secrecy), annexe 8.7 (Cri-teria for the
in supplier relationships Agreements should be documented by responsible for the HR data treatment to avoid any misunderstanding by the two parties concerning the requirements on infor-mation security. Terms that can be included in a contract are listed.
Objective: avoid legal, regulatory, and contractual
viola-tions related to HR information security. - -
6.1.1
Laws, regulations and framework on which HR
infor-mation security is based are listed. PSI, ROGSIC, LPAC/RPAC, LIPAD/RIPAD, LArch/RArch, RTt, RGR, RCEL, LDA, LACI, LAVS, CobIT, COSO
Privacy and data protection should be guaranteed: related responsibilities are defined. The chapter includes the def-inition of personal data and the treatment of health data
PSI, LIPAD, MIOPE 01.07.10 (employees files), LPD, EGE-09-02 (medical secrecy), EGE-03-06 (Security and health at work in the State of
Ge-LIPAD princi-ples
49
Managers verify the conformity of HR data treatment in accordance with the security information and data pro-tection. Audits by the IAS and Court of Auditors are mentioned. The tasks to do are listed for when a lack of compliance is observed.
compli-ance review The technical conformity of information systems is
un-der the responsibility of the OCSIN. PSI -
7. Sécurité de la
communication 13. Communication
secu-rity - -
7.1. Transfert
des informations 13.2 Information transfer The security of HR data transfers within or outside the State is ensured by implementing directives, procedures and checks.
LIPAD, EGE-09-02 (Professional secrecy), annexe 8.6 (Summary of the
- The files treated by HR and containing personal data should be communicated to the PPDT. The procedures and various responsibilities are defined.
LIPAD, RIPAD
8. Annexes - - - -
8.1. Glossaire 3. Terms and definitions Definition introduced to facilitate the reading of the
doc-ument LIPAD, EGE-10-12, LArch, DF-06-03, MIOPE
01.05.01, LPD, Info document from PPDT, e-learning: Cursus Gina (access management system),
-
- Based on G-EGE-10-12 (guideline of information
classification)
8.3 Acteurs im-pliqués dans le processus de classification
- Based on G-EGE-10-12 (guideline of information
classification)
8.4 Procédures d'accès aux do-cuments et aux données person-nelles pour les membres du per-sonnel
- Based on the informative document from PPDT
and the UNIGE memento
8.5 Procédure pour les données traitées par les RH et OPE
- Info document of the PPDT
Source: Compiled by the authors.