Case 1: Kraft Foods Inc.: Protecting Employee Data
Synopsis
Kraft Foods Inc. is the largest food and beverage company in North America and the second largest food and beverage company in the world. It employs a workforce of about 98,000 individuals; approximately 45,000 in the United States, and 53,000 in sixty-five countries around the world, including fourteen European Union (EU) states (Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, The Netherlands, Portugal, Spain, Sweden, and the United Kingdom).
When the EU Directive on the Protection of Personal Data became effective in 1998, Kraft needed to revise the means by which it collected, processed, transmitted, and stored employee data. Improvements were made to the Unified Personnel and Payroll System (UPPS) to better protect North American human resources (HR) transactions. International HR systems were converted to the SAP HR system. A Data Transfer Agreement was legally established between Kraft and its operating entities in the EU member states, which specified restrictions on personal data and mandatory data protection principles. The position of Chief Information Security Officer was created, and stronger data security policies and practices were developed and implemented throughout the company.
1.a) How does Kraft implement the following access controls: need to know; least privilege; mandatory access control; and role-based access control?
1.b) Identify at least ten examples of specific HR data that are considered sensitive at Kraft Foods Inc.
Expert Answer
1.a) On the SAP HR system the employee ID is used as the user identification. Kraft is in the process of changing its North American employee IDs from SSNs to a randomly generated number. Also, all users are prohibited from allowing unauthorized users to use their login credentials. Forced password changes occur every 45 days. An account unused for 60 days is automatically locked, and employees leaving the company have their accounts disabled on their date of departure.
Hierarchy and roles have been clearly defined, forming the basis on which Kraft can implement need-based or role-based access controls. Access controls are placed on the employee IDs. Quarterly reports are generated and shared with all managers to validate the access rights of their employees.
Each user who has access rights to employee data must sign a Human Resources Data Privacy Form, in which the user agrees to comply with Kraft’s data privacy principles. Access is restricted to those users who need to know the data to perform their jobs. In addition, users are granted the least privilege necessary to perform authorized tasks. Access is restricted to the fewest number of data fields and the shortest time necessary to carry out the job responsibilities.
The code of conduct is available in 29 languages and is accessible to the global workforce.
1.b) Examples of HR data considered sensitive at Kraft are as follows:
1. SSN (Social Security number)
2. Home address
3. Home telephone number
4. Age / date of birth
5. Salary / grade pay information
6. Job performance ratings
7. Race or ethnic origin
8. Religion
9. Gender or sexual orientation
10. Criminal records or charges
11. Benefit choices (company-sponsored savings plan)
12. Political opinions
13. Trade union membership
14. Physical or mental health data
15. Photographic images
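The answer above describes several controls that are easy to misread as mere policy statements but are in fact enforceable rules: role-based field access (least privilege), per-employee scope on each grant (need to know), time-limited grants (shortest time necessary), a signed privacy form as a precondition for sensitive data, a 45-day password age limit, a 60-day inactivity lock, disabling on the departure date, and a quarterly access report grouped by manager. The following Python is an added example written for this page, not Kraft's code or the SAP HR implementation; the role names, field names, user IDs and dates are constructed for illustration.

```python
"""Field-level RBAC / need-to-know checks and account-lifecycle rules modelled
on the policy described in the answer. Added example, not Kraft's code; all
roles, fields, IDs and dates below are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Subset of the HR fields the answer lists as sensitive (constructed names).
SENSITIVE_FIELDS = {"ssn", "home_address", "salary", "performance_rating",
                    "health_data", "benefit_choices"}

# Role-based access control: each role names only the fields it needs
# (least privilege). Constructed roles, not Kraft's real role model.
ROLE_FIELDS = {
    "payroll":  {"salary", "benefit_choices"},
    "benefits": {"benefit_choices", "home_address"},
    "manager":  {"performance_rating"},
}

PASSWORD_MAX_AGE = timedelta(days=45)   # forced password change every 45 days
INACTIVITY_LOCK = timedelta(days=60)    # accounts unused for 60 days are locked


@dataclass
class Grant:
    role: str
    expires: date                        # shortest time necessary: grants expire
    scope: frozenset = frozenset()       # employee IDs covered (need to know)


@dataclass
class Account:
    user_id: str
    manager_id: str
    last_password_change: date
    last_login: date
    signed_privacy_form: bool            # HR Data Privacy Form on file
    departure_date: Optional[date] = None
    grants: list = field(default_factory=list)


def account_status(acct, today):
    """Return 'disabled', 'locked', 'password_expired' or 'active'."""
    if acct.departure_date is not None and today >= acct.departure_date:
        return "disabled"                # disabled on the date of departure
    if today - acct.last_login > INACTIVITY_LOCK:
        return "locked"
    if today - acct.last_password_change >= PASSWORD_MAX_AGE:
        return "password_expired"
    return "active"


def can_read(acct, target_employee_id, field_name, today):
    """Allow a read only if the account is usable, the privacy form is signed
    for sensitive fields, and an unexpired grant covers both the target
    employee (need to know) and the field (least privilege via role)."""
    if account_status(acct, today) != "active":
        return False
    if field_name in SENSITIVE_FIELDS and not acct.signed_privacy_form:
        return False
    for g in acct.grants:
        if g.expires < today:
            continue
        if target_employee_id in g.scope and field_name in ROLE_FIELDS.get(g.role, set()):
            return True
    return False


def quarterly_access_report(accounts, today):
    """Group each user's unexpired grants under their manager so managers can
    validate the access rights of their employees."""
    report = {}
    for a in accounts:
        live = [(g.role, sorted(g.scope)) for g in a.grants if g.expires >= today]
        if live:
            report.setdefault(a.manager_id, {})[a.user_id] = live
    return report


# Constructed sample data: one account per failure mode plus one healthy one.
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("u1001", "m200", date(2024, 2, 1), date(2024, 2, 28), True,
            grants=[Grant("payroll", date(2024, 6, 30), frozenset({"e1", "e2"}))]),
    Account("u1002", "m200", date(2023, 12, 1), date(2024, 2, 28), True,   # stale password
            grants=[Grant("manager", date(2024, 6, 30), frozenset({"e3"}))]),
    Account("u1003", "m300", date(2024, 2, 1), date(2023, 12, 1), True,    # inactive > 60 days
            grants=[Grant("benefits", date(2024, 6, 30), frozenset({"e1"}))]),
    Account("u1004", "m300", date(2024, 2, 1), date(2024, 2, 28), True,    # has left
            departure_date=date(2024, 2, 15),
            grants=[Grant("payroll", date(2024, 6, 30), frozenset({"e1"}))]),
    Account("u1005", "m300", date(2024, 2, 1), date(2024, 2, 28), True,    # grant expired
            grants=[Grant("payroll", date(2024, 1, 31), frozenset({"e1"}))]),
    Account("u1006", "m300", date(2024, 2, 1), date(2024, 2, 28), False,   # no privacy form
            grants=[Grant("payroll", date(2024, 6, 30), frozenset({"e1"}))]),
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(a.user_id, account_status(a, TODAY), can_read(a, "e1", "salary", TODAY))
    print(quarterly_access_report(SAMPLE_ACCOUNTS, TODAY))
```

Each denial reason is independent, so the order of checks in `can_read` matters only for speed: the account-lifecycle rules run first because they apply regardless of role, then the privacy-form precondition, then the per-grant scope and role check. Note that the quarterly report still lists a disabled or locked account's grants; that is deliberate, since the review exists to catch exactly those leftover rights.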