Kindly download the funeral e-Brochure for the late EUGENE SENANU KWAME WEMEGAH onto your smartphones or tablets.
Tap here for location to GLOBAL EVANGELICAL CHURCH, SHALOM CHAPEL-AKATSI
Organisations are increasingly turning to automation to manage their JML process in an effort to reduce human error, increase control over access, and set the foundations of a successful identity and access management strategy.
The JML process is an essential part of an organisation’s HR procedures. However, it can represent a huge headache for organisations. With remote working, the adoption of new technologies, and organisations often operating hybrid or multi-cloud IT estates, the process grows ever more complicated.
In today's rapidly evolving digital landscape, effective information security management is crucial to safeguard sensitive data and protect organizations from cyber threats. One critical aspect of this management is the handling of employee lifecycle events, commonly known as Joiners, Movers, and Leavers (JML). JML refers to the processes involved when employees join an organization, change their roles or responsibilities within it, or leave the organization. These events present unique challenges and vulnerabilities that need to be addressed to ensure robust information security practices.
The Impact of JML on Information Security:
Each JML event has its own set of risks and implications for an organization's information security. Let's delve into each phase to understand its significance:
A joiner is a new user that has been granted access to company data, typically someone who is hired by a company for the first time. When new employees join organizations, they bring new access requirements and introduce potential security vulnerabilities. It is essential to implement a well-defined onboarding process that includes comprehensive security awareness training, user access provisioning, and adherence to security policies and procedures. Failure to do so can result in unauthorized access, data breaches, or misuse of privileges.
A mover is a user who has changed their access, say in a promotion (which requires heightened permissions to systems and data) or a shift to a new department (requiring old permissions to be removed and new ones to be granted for separate systems and data). As employees change their roles or responsibilities within an organization, their access requirements also change. This presents an opportunity for potential security gaps, as existing access privileges might not align with their new responsibilities. Proper role-based access control mechanisms must be in place to ensure that employees have the necessary permissions required for their new roles while revoking any unnecessary privileges. Failure to manage these transitions effectively can lead to unauthorized access, data exposure, or internal threats.
As the name suggests, a leaver is a user who has left the company and their access should be revoked. When employees leave organizations, their departure can pose significant information security risks. It is crucial to have a well-defined offboarding process to ensure the timely termination of user accounts, revocation of access privileges, and the return of company-owned devices. Failure to address these issues promptly can result in data leakage, unauthorized system access, or misuse of resources.
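The joiner, mover and leaver risks described above can be checked by reconciling HR records against the accounts held in an identity system. The following is an added example, not part of the original article; the user names, roles, entitlement strings and the reconcile function are constructed for illustration, and HR is assumed to be the source of truth.

```python
from datetime import date

# Constructed sample data for illustration; HR is treated as the source of truth.
ROLE_ENTITLEMENTS = {
    "finance-manager": {"erp:read", "erp:approve", "payroll:read"},
    "support-agent": {"crm:read", "crm:write"},
}
HR_RECORDS = {  # user -> (current role, last working day or None)
    "ama": ("finance-manager", None),
    "kofi": ("support-agent", None),                  # mover: previously in finance
    "esi": ("finance-manager", date(2023, 6, 30)),    # leaver
    "yaw": ("support-agent", None),                   # joiner, no account yet
}
ACCOUNTS = {  # user -> (enabled, entitlements currently held)
    "ama": (True, {"erp:read", "erp:approve", "payroll:read"}),
    "kofi": (True, {"crm:read", "crm:write", "payroll:read"}),
    "esi": (True, {"erp:read", "erp:approve", "payroll:read"}),
    "svc-old": (True, {"erp:read"}),                  # no HR record at all
}


def reconcile(hr, accounts, roles, today):
    """Return (user, finding, detail) tuples where accounts disagree with HR."""
    findings = []
    for user, (enabled, held) in sorted(accounts.items()):
        if user not in hr:
            if enabled:
                findings.append((user, "orphan-account", "no HR record"))
            continue
        role, end_date = hr[user]
        if end_date is not None and end_date <= today:
            # Leaver: any still-enabled account is a finding, whatever it holds.
            if enabled:
                findings.append((user, "leaver-active", f"left {end_date}"))
            continue
        # An unknown role maps to no entitlements, so everything held is excess.
        expected = roles.get(role, set())
        if held - expected:
            findings.append((user, "excess-access", ",".join(sorted(held - expected))))
        if expected - held:
            findings.append((user, "missing-access", ",".join(sorted(expected - held))))
    for user, (role, end_date) in sorted(hr.items()):
        if user not in accounts and (end_date is None or end_date > today):
            findings.append((user, "unprovisioned-joiner", role))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, ACCOUNTS, ROLE_ENTITLEMENTS, date(2023, 7, 15)):
        print(finding)
```

Run on a schedule, a report like this surfaces leaver accounts that were never disabled and mover access that was never revoked.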
Best Practices for JML and Information Security Management
To strengthen information security management during JML events, organizations should adopt the following best practices:
Implementing JML Processes
It is one thing to understand what your JML processes should be and quite another to implement them successfully. Implementing a successful JML process requires executive sponsorship, buy-in from the business and, most importantly, support and partnership with your identity providers and HR.
Project Stakeholders
The following stakeholders are required to ensure the successful implementation of a JML process.
C-level sponsorship is essential to the success of the project. Changes to the JML process can be disruptive in the initial stages, and changes in business process must be sponsored; otherwise, pushback from the people impacted means that the most important improvements may never happen.
The CISO or possibly the head of Identity Management must be the lead project sponsor. This is again to ensure the project has the executive power needed to push changes through.
To ensure that any changes required to HR data and processes are supported and delivered, the Head of HR or a Senior Executive must be involved and sponsor the project. Without this, the project will almost certainly fail to be completely successful.
As the business is the area that will be most impacted by changes in the JML process, sponsorship and inclusion of key executives in the business are important. They can provide feedback on the approach, changes to processes, and areas of concern, while also giving you a vital communication channel to your end users.
Inclusion and sponsorship from IT is important to understand how the access management elements of the process can be completed. They can also play a major role in implementing the technical components of the project.
Conclusion
Joiners, Movers, and Leavers represent critical phases in an employee's lifecycle that significantly impact an organization's information security. By implementing robust practices during these events, organizations can strengthen their overall security posture, minimize the risk of data breaches, and ensure compliance with regulatory and standard requirements. Emphasizing comprehensive policies, role-based access control, and timely offboarding procedures, combined with ongoing security awareness training and regular monitoring, will enable organizations to effectively manage information security risks associated with JML events.
Author: Emmanuel K. Gadasu
(CEH, CDPS, CIPM, BSc IT, MSc IT and Law*)
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner, Information Governance Solutions)
For comments, contact author via ekgadasu@gmail.com or Mobile: +233-243913077
Source: iipgh.org
Notice is hereby given that: A poll for the election of Past SOSTECH Students’ Association (PASSOSA) executives will be held online (e-Voting) on Saturday 15th July 2023, between the hours of 12:00 o’clock in the afternoon and 4:00 o’clock in the evening.
The number of executives to be elected is eleven (11). The names of the Candidates remaining validly nominated for election and the names of all persons signing the Candidates’ nomination papers are as follows:
The situation of election and the description of persons entitled to vote thereat are as follows:
Thank you.
Yes, I agree the mission of the church is to reconcile sinners with God and to bring back the lost sheep into the fold of God. The Church is a legal entity and can sue and be sued in its own name. The church has been law abiding and has complied with many laws of the lands in which it exists. It is only relevant and crucial that the church and especially its leadership understand the scope and application of Data Protection laws in the very jurisdictions it operates in.
“Sorry, our church does not process personal data, so we are exempted from registration with the Data Protection Commission. The ONLY information we collect from our members are their names and phone numbers. I don’t think we are required to register.”
This was the response from a lawyer of one of the churches. Obviously, the learned colleague did not understand the application of the Data Protection Act (Act 843) hence his initial response. When he got the right understanding of the application of the Act, its implementation, its material and territorial scope, his response changed.
Why is the church mandated to register?
Section 91(1) of the Data Protection Act states that: This Act binds the Republic. This means that every entity within the Ghanaian jurisdiction must register! The church (which is a legal entity) is mandated to register! Churches must fully endorse and adhere to the data protection laws and principles in order to be compliant. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transmission and storage of personal data. Employees and others who obtain, handle, process, transport and store personal data for and on behalf of their churches must adhere to these principles.
Churches use personal data about living individuals for the purpose of general church administration, welfare and communication matters. All personal data, whether it is held on paper, on computer or other media, is subject to the data protection laws and therefore must be processed with the appropriate security safeguards according to the Data Protection Act. Churches process huge volumes of data, and their activities are heavily reliant on the use of personal data.
What is personal data?
Personal data is any information relating to a living individual (the data subject) who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s (the church’s) possession or likely to come into its possession.
The definition includes digital photographs and videos, where images are clear enough to enable individuals to be identified. Other examples of the sort of personal data commonly held by churches are staff/payroll records; membership lists; baptismal records; information relating to pastoral care; information regarding those attending church activities; lists of children/young people attending Sunday schools, youth groups and creches; house visitations; welfare management; testimony recording; cell management; evangelism activities, Bible schools, counselling, marital counselling, naming ceremonies. It also includes records of those for whom the congregation holds contact details for various reasons, including volunteers working with children and young people and others, those attending churches, etc. These are examples only and there may be other types of personal data held. Churches with websites with a facility to collect data, such as a “contact us” form should be aware that the information supplied by any enquirer is personal data and will have to be held by the church in accordance with data protection law. Further, if a church uses cookies on its website to monitor browsing, it will be collecting personal data of that individual. Many activities in the church are handled by different people operating in different departments for different and specific purposes.
As an example, by virtue of being a member of the welfare team or committee, one would have access to personal data about an individual such as the name, phone number, house number, medical information, financial information, next of kin, etc. Some of this personal information is classified as special categories of personal data in the Ghanaian data protection law, while other jurisdictions' laws refer to it as sensitive personal data. The processing of these special categories requires that the controller (the church) puts in place the appropriate security safeguards to protect this personal data.
Who processes data in the church?
Processing is basically anything at all you do with personal data – it includes collecting, editing, storing, holding, disclosing, sharing, viewing, recording, listening, erasing, deleting etc. Individuals responsible for processing personal information in churches may include the Minister, Catechist, Presbyters, Elders, Deacons and Deaconesses, and other office bearers like treasurers, administrators, group leaders, Sunday school teachers and others.
The right of the data subjects (church members)
The objective of the Data Protection Act is to protect the privacy of the individual (the church member) by regulating organizations that process personal data which includes the church.
Why is data protection important for your church?
Failure to comply with data protection can result in data breaches. It is your legal and moral duty to protect those you hold personal data about (church members). Data breaches can result in emotional, physical, and financial consequences for the affected data subjects. Additionally, the consequences of a data breach on your church could be substantial. Repercussions include damage to your reputation as well as penalties issued by the DPC. Data protection training, and registration with the DPC can help to demonstrate compliance, protect your members (data subjects) and avoid the devastating effects that a data breach could have on your church.
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author via ekgadasu@gmail.com or Mobile: +233-243913077
Source: iipgh.org