In the digital age even one of the oldest industries, maritime shipping, is exposed to cyberattack, as information technology and satellite communication become standard equipment on ocean-going vessels.
Maritime cybersecurity covers the policies, processes, risk elements, architecture, tools and applications used to protect an organisation's information and data, including on board its vessels, from unauthorised access and control.
According to the International Maritime Organization (IMO), maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety, or security failures as a consequence of information or systems being corrupted, lost or compromised.
While maritime cybersecurity also reaches deep into operational technology (shipboard networks, satellite communication, GPS and navigation systems), this article focuses on the information security component and on how HR can build a security mindset across an organisation in the maritime industry.
HR Approach to information security
In general, the role of HR in information security management comprises:
- Understanding the overall risk framework, including the organisation's risk appetite
- Providing clearly laid out HR processes to IT for risk assessment
- Working in tandem with IT to develop security measures for the HR department
- Implementing those security measures as part of the HR process
- Ensuring process compliance, including audit management
- Creating awareness of the security policy and process among all employees
HR's focus areas in information security management are:
Developing Security measures
Security measures are developed in line with the overall information security policy and govern how information about people is collected and accessed, covering not only internal employees but also contractors and third-party personnel.
The objective of such a policy, or clearly articulated process, is to ensure that information is collected in a way that does not conflict with data privacy regulations and compliance requirements, and to reduce the risk of theft, fraud or inappropriate use of information systems; it also defines data classification and the corresponding access controls.
For example, it defines when e-mail access is granted before joining and revoked after relieving, the format in which employee information is collected, how it is stored and who may retrieve it, how it is updated, and how access to external applications is granted and controlled.
Implementing security measures
The key to successful security management is effective implementation of the policy and procedural elements, together with carrying out or participating in periodic security audits. This phase yields a great deal of information about where the collection and access of information run into difficulties at the various touch points of the employee life cycle.
Only once the measures have been implemented can the challenges and concerns with the policy and procedural elements be understood and the measures refined.
Implementation also covers the policy violations and non-compliances identified during audits, together with action plans to prevent their recurrence. For example, an employee's login to an external application that is not disabled when the employee changes role leaves an avenue for information theft; if the removal is not carried out on time, it becomes a non-compliance finding.
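The joiner/mover/leaver checks described above (e-mail or application access before joining and after relieving, and entitlements not removed on a change of role) can be audited mechanically by reconciling the HR roster against an access export from each external application. The following is an added example, not code from the original article or from any particular HR or identity system: the record formats, the role-to-entitlement mapping, the pre-join grace period and all sample records are constructed assumptions for illustration.

```python
"""Joiner/mover/leaver access reconciliation (added example, constructed data).

Cross-checks an HR roster against an access export from an external
application and reports enabled accounts that break the rules in the text:
access before the permitted pre-join window, access surviving the leaving
date, entitlements that no longer match the current role, and accounts
with no HR record at all.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy value: how many days before the start date an account may
# exist (e.g. e-mail created for onboarding paperwork).
PRE_JOIN_GRACE_DAYS = 7

# Assumed mapping of HR role -> entitlements permitted in this application.
ROLE_ENTITLEMENTS = {
    "crewing-officer": {"crew-db-read", "crew-db-write"},
    "payroll-clerk": {"payroll-read"},
    "deck-cadet": set(),  # this role gets no access to the application
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    start: date
    end: Optional[date]  # None while still employed


@dataclass(frozen=True)
class AppAccount:
    employee_id: str
    entitlement: str
    enabled: bool
    last_login: Optional[date]


def reconcile(roster, accounts, today):
    """Return (employee_id, finding) tuples; an empty list means compliant."""
    by_id = {r.employee_id: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is not a live access risk
        rec = by_id.get(acct.employee_id)
        if rec is None:
            findings.append((acct.employee_id, "orphan: enabled account with no HR record"))
            continue
        # Joiner: provisioned earlier than the policy's pre-join window allows.
        if today < rec.start - timedelta(days=PRE_JOIN_GRACE_DAYS):
            findings.append((acct.employee_id, "joiner: enabled before permitted pre-join window"))
        # Leaver: employee has relieved but the account was never disabled.
        if rec.end is not None and today > rec.end:
            findings.append((acct.employee_id, "leaver: still enabled after leaving date"))
        # Mover: entitlement kept from a previous role (the L21 scenario).
        allowed = ROLE_ENTITLEMENTS.get(rec.role, set())
        if acct.entitlement not in allowed:
            findings.append((acct.employee_id,
                             f"mover: '{acct.entitlement}' not permitted for role '{rec.role}'"))
    return findings


# Constructed sample data: the audit is run as of this date.
TODAY = date(2024, 6, 1)

SAMPLE_ROSTER = [
    HrRecord("E100", "crewing-officer", date(2020, 1, 6), None),
    HrRecord("E101", "payroll-clerk", date(2021, 3, 1), None),               # moved out of crewing
    HrRecord("E102", "crewing-officer", date(2019, 5, 20), date(2024, 5, 15)),  # relieved
    HrRecord("E103", "deck-cadet", date(2024, 7, 1), None),                  # joins next month
]

SAMPLE_ACCOUNTS = [
    AppAccount("E100", "crew-db-write", True, date(2024, 5, 30)),  # compliant
    AppAccount("E101", "crew-db-write", True, date(2024, 5, 28)),  # mover: old entitlement kept
    AppAccount("E101", "payroll-read", True, date(2024, 5, 31)),   # compliant
    AppAccount("E102", "crew-db-read", True, date(2024, 5, 14)),   # leaver: not disabled
    AppAccount("E103", "crew-db-read", True, None),                # joiner too early, wrong role
    AppAccount("E999", "payroll-read", True, date(2024, 4, 2)),    # orphan
    AppAccount("E102", "crew-db-write", False, date(2024, 5, 10)), # disabled: ignored
]


def sample_findings():
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for emp, finding in sample_findings():
        print(f"{emp}: {finding}")
```

Each finding maps directly onto an action item for the audit: disable the leaver and orphan accounts, strip the mover's stale entitlement, and either defer the cadet's account until the pre-join window or correct the role mapping. Running the reconciliation on a schedule, rather than only at audit time, is what turns the late removal in the text from a non-compliance finding into a routine closed ticket.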
Awareness and training
The most important role of HR, beyond creating and managing security measures for the organisation's employee-related information, is creating awareness of information security and training all employees on those security measures.
The awareness training programme aims to make employees aware of their responsibilities and of the security procedures to be followed, including but not limited to access to office premises, attendance, the network, office e-mail and communications, and external applications.
The recent shift to remote working needs particular emphasis from an information security perspective: the likelihood of cyberattack or information theft is higher when employees are unaware of how to use systems and follow processes in line with the security policy.
Needless to say, awareness and use of security practices in the organisation, though owned largely by IT, cannot produce the desired results unless HR works closely with IT to build awareness, monitor continuously and take disciplinary measures where needed. To ensure employee information is managed and guarded effectively, HR must work with IT to develop policies and procedures while also delivering training and awareness sessions periodically.