
Tackle Tough HR Data Privacy and Security Concerns with HCM Risk Management

Sherri Bartels of the Oracle Cloud HCM Product Strategy team recently presented the capabilities of the HCM Risk Management solution.

There are a lot of things happening in the world that you are aware of, but you may not be aware of the impact these things are having on security and data privacy. In the last couple of years, there has been a steady uptick in the number of cyberattacks that are occurring worldwide. There are also increased ransomware attacks on software organizations. Quite notably, a time and attendance organization was recently hit with a very severe ransomware attack that took down their system for months.

To illustrate the sheer impact of these attacks, take a look at these numbers:

  • 105% – Surge in ransomware cyberattacks worldwide in 2021
  • 1,885% – Increase in ransomware attacks on governments worldwide in 2021
  • 775% – Increase in ransomware attacks on healthcare providers in 2021
  • $4.2M – Average cost of a data breach with employee data being #1 target
  • 120 – Countries engaged in some form of international data privacy laws

Oracle customers say that they see the problem, but they don’t have the bandwidth or resources to actively monitor and follow up on these threats. Furthermore, a recent survey revealed that 92% of Oracle & KPMG customers said they feel that they have a Cloud security readiness gap, and 87% claimed artificial intelligence is a must-have for security controls.

The team at Oracle believes that AI and humans can work together to close the security gap.

Oracle’s holistic solution is the Oracle Cloud HCM offering, built natively on the Oracle Cloud Infrastructure, as illustrated below:

As a leader in security for more than 40 years, Oracle takes a security-first approach so that their customers, too, can take a security-first approach. The Oracle Cloud Infrastructure provides all of the security capabilities that Oracle Cloud applications leverage. On top of these capabilities are Advanced Controls.

Within Oracle Cloud HCM, there are enough applications to take you across the hire-to-retire HCM lifecycle. Throughout the lifecycle, there are opportunities to take advantage of either standard or advanced security controls. Standard security controls in Oracle Cloud HCM are competitive with other HCM apps. However, only Oracle Cloud HCM offers customers the ability to complement core standard controls with fully integrated, automated, AI-driven, Advanced HCM Controls.

One example of advanced controls is the ability to audit 100% of transactions. The AI-driven advanced control is a super team member running in the background. It can look for and flag anomalies. For instance, if someone is accessing the system from an unfamiliar location, advanced controls can catch the anomaly and alert a human to check into the threat.

Standard controls across your Oracle Cloud HCM processes are displayed below:

  • Plan, source & manage candidates – The legal statement templates for consent management help with data privacy.
  • Hire & manage workforce profiles – Leverage Journeys & Experience Design Studio to minimize data exposure. With security, only need-to-know, need-to-transact, or must-have information should be recorded. You can design your processes to minimize data collection and exposure. You can also manage end-user rights with self-service capabilities provided by Oracle.
  • Plan & manage workforce – Auditing is available across the HCM system so that you can audit transactions. Even Oracle Cloud Time & Labor has change auditing in case you’d like to enforce that users must specify a reason for making a change.
  • Manage compensation – You can audit frequent changes to person details.
  • Manage time & labor – Set location based access or enforce change auditing.
  • Manage payroll – Sensitive data masking and API authentication.
  • Terminate employment – Enforce policies like right to erasure and anonymization. You can also apply Mask in Extract and data retention & disposal best practices.

These standard security policies exist in addition to configuring and managing users and roles in the system.

Take your security a step further with the building blocks for effective risk management. This is a complete, AI-driven risk management suite embedded within Oracle Cloud ERP.

Oracle Cloud HCM can provide guidance in terms of your potential Separation of Duties (SOD) issues. It brings to light best practices so that you can avoid certain threats. Additionally, it gives you access to certification and viewing.

AI is continuously monitoring transactions for anomalies. These can be time-sensitive, location-based, monetary, or other anomalies. There is a library of controls and capabilities rules that can be set in place for your organization.

You can take action on the important data being monitored through Cyber Incidents. One way to help with controls and auditing is the Digitize HRIS Control & Audit.

If you get an alert about a potential issue, you can visualize the access controls on the screen:

You could either make changes immediately in the visualization tool, or you can choose to leave it and implement other checks and balances downstream.

For a view of the continuous monitoring of activity, see the image below:

Real-world examples of these Advanced HCM Controls are listed below:

  • Plan, source & manage candidates – Prevent access violation (SOD) – Create job requisition and hire candidate.
  • Manage compensation – Prevent access violation (SOD) – Hire candidate and update compensation. Audit frequent changes to compensation plan.
  • Plan & manage workforce – Audit frequent changes to assignment eligible job.
  • Manage time & labor – Monitor: Same user creates new hire and manages time cards.
  • Manage payroll – Audit frequent changes to personal payment method and prevent access violation (SOD) – Hire worker and process Quickpay.
  • Manage workforce profiles – Audit frequent changes to person details.
  • Certify Internal Controls – SOX 302/404 certifications; User access certifications.
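
The two kinds of check named in this list, a separation-of-duties conflict and an audit of frequent changes, can be sketched as follows. This is an added example, not Oracle code or an Oracle API: the privilege labels, users, audit records and the threshold and window values are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# SOD pairs from the list above; privilege labels are hypothetical, not Oracle codes.
SOD_RULES = [
    ("create_job_requisition", "hire_candidate"),
    ("hire_candidate", "update_compensation"),
    ("hire_candidate", "manage_time_cards"),
    ("hire_candidate", "process_quickpay"),
]
# Constructed sample: user -> privileges granted across all of their roles.
GRANTS = {
    "asmith": {"create_job_requisition", "hire_candidate"},
    "bjones": {"update_compensation", "manage_time_cards"},
    "cdiaz": {"hire_candidate", "process_quickpay", "manage_time_cards"},
}
# Constructed audit records: (ISO date, actor, changed object, person affected).
AUDIT_LOG = [
    ("2024-03-01", "bjones", "personal_payment_method", "E1001"),
    ("2024-03-03", "bjones", "personal_payment_method", "E1001"),
    ("2024-03-04", "cdiaz", "personal_payment_method", "E1001"),
    ("2024-03-05", "asmith", "person_details", "E1002"),
    ("2024-03-09", "bjones", "personal_payment_method", "E1003"),
]

def sod_violations(grants, rules=SOD_RULES):
    """Return sorted (user, priv_a, priv_b) for users holding both sides of a rule."""
    return sorted(
        (user, a, b) for user, privs in grants.items()
        for a, b in rules if a in privs and b in privs)

def frequent_changes(log, obj, max_changes=2, window_days=7):
    """Return {person: peak_count} where `obj` changed more than max_changes times in the window."""
    by_person = defaultdict(list)
    for day, _actor, changed, person in log:
        if changed == obj:
            by_person[person].append(date.fromisoformat(day))
    flagged = {}
    for person, days in by_person.items():
        days.sort()
        start = 0
        for end, day in enumerate(days):
            while (day - days[start]).days > window_days:  # slide window forward
                start += 1
            count = end - start + 1
            if count > max_changes:
                flagged[person] = max(flagged.get(person, 0), count)
    return flagged
```

Note that the SOD check works on the union of privileges a user holds across all roles, so a conflict created by two individually harmless role assignments is still caught.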

Key Takeaways

Make AI your newest team member to reduce risk and improve security and privacy. Security and privacy monitoring automates user security analytics to enforce SOD and privacy mandates such as GDPR and CCPA. Payroll and payment fraud detection continuously audits transactions across jobs, salary, time card, expenses and more to manage exceptions. Automated analysis of setup changes monitors for unusual changes to sensitive HCM setups, configurations and master data.