Begin with the ultimate goal—ensuring that all payroll processes are protected. This includes employees’ files, the content and distribution of internal reports to other departments, record retention and “big data,” Gracen said.
Your next step is to assess the ultimate risk—identity theft. How is the risk spread? Gracen noted that employees who bring their own devices to work—personal laptops, tablets and smartphones—automatically ramp up the threat environment, since you have no control over their equipment. If your company allows employees to bring their own devices to work, your policy should cover that too. Wireless and mobile usage should also be covered, she pointed out.
Drilling down. Moving from the general to the specific, Gracen advised the audience to identify and document all the data inputs and outputs that affect payroll data. “Touch points,” as Gracen called them, can be as diverse as the company’s finance department, the general ledger, the company’s budget, HR, benefits, workers’ compensation and third-party payers of sick pay. These touch points are the weakest link because they can change at any time, she added.
Your biggest job will be to classify your data. Best bet: Gracen recommended developing a ranking system, with the most sensitive data (e.g., employees’ Social Security numbers and banking information) receiving the highest ranking. With your ranking system in place, you must assemble your data: include forms, existing policies and data-gathering tools, such as information from your time and attendance system.