The NASPP Blog

August 26, 2010

Access Control

Stock plan management teams are responsible for handling a significant amount of confidential data. Access control procedures are essential to maintaining an appropriate level of security to ensure that confidential information remains confidential. In creating an access control policy, both inadvertent and intentional access must be considered. There are data privacy laws both in the U.S. and internationally that dictate how data is transmitted. Confirming with your legal team that your company’s practices adhere to privacy laws is crucial. However, there are daily practices and considerations that are easy to overlook and could compromise the integrity of your practices by weakening the controls in place to limit data access. Here are my top three “hidden” areas to focus on when considering your department’s access control practices.

Workspace

Because the stock plan management team will be working with and talking about confidential information, the actual location of the team is crucial to access control. For example, desks should be located in a space where both printed material and computer monitors cannot be easily viewed by other employees and confidential conversations won’t be overheard.

It’s also important to ensure that access to the stock plan management work area can be prohibited when no member of the team is present. In many companies, the stock plan management team shares office space with another department. If this is necessary, it is best that the other employees sharing that space have access to equally sensitive information, so that they are already familiar with the company’s data privacy practices.

Archives

Administering stock plans can generate a large volume of both hard-copy and electronic documents that need to be retained on site or in archives. Just like the general workspace, the location of these document files is an essential consideration for access control. Both hard-copy and electronic documents can be safeguarded not only by locks (or passwords) but also by their location. Access control for hard-copy documents stored on site can be maintained simply by placing locked filing cabinets in a room that can also be locked. However, if the volume of hard-copy documents requires off-site archiving, make sure that there are controls in place for who in the company can request access to the archives.

Electronic documents, especially in the form of spreadsheets, often contain a higher volume of confidential information than paper documents do. In addition, data stored electronically is far more likely to be part of daily procedures. Access control for archived electronic documents is just as straightforward as it is for paper documents: they should be password protected and housed in folders and/or on servers where access can be limited. With current documents that are needed for daily processes, on the other hand, it is much easier to let access control slip. It’s important to maintain password protection even on active documents, and to avoid saving documents in unprotected locations, especially on a laptop that may be removed from the workspace.

Distributed Materials

Distributed materials present the biggest challenge to maintaining access control. The stock plan management team can’t avoid sharing certain confidential information with external partners or other departments. The key is to establish how to ensure that the shared data doesn’t ultimately become available to parties that should not have access to it. If regular data sharing is required, establish an automated process that transmits data between systems, or a protocol for file exchange. It’s best that confidential information is never sent via email, even internally and even if it is password protected.

Your company’s IT and legal teams can help you establish the best protocol for data privacy, but insufficient access controls can undermine those practices. As with all processes, document your access control procedures and make sure that everyone who does have access to confidential information understands the importance of those procedures. For more on internal controls, visit our Internal Controls Portal.
-Rachel