24 Security Questions That Every HRIS Buyer Should Ask

Security is on everyone’s mind today. It is no longer an IT responsibility alone; every area of the organization needs to be aware of security threats. HR can play an important role in securing data, both by educating employees about the ways they can be targeted and by making sure that whatever software tools HR uses are secure.

If you are on the lookout for new HR software, be sure to include security-related questions and evaluation points so you understand how your data will be stored and managed securely. Here are 24 security-related questions that you should ask your HR software providers before deciding to buy.

  1. Does the software provide encryption for sensitive and personally identifying data in the organization?
  2. How will users be trained on handling sensitive data and does the vendor provide any of that type of training?
  3. How will data be classified (e.g. restricted, confidential, or public)?
  4. What security controls will be put in place to control, authorize, and audit access to data?
  5. What access and identity management process will be used and who will approve access requests? Can multi-factor authentication be accommodated?
  6. If the system requires access outside of the firewall, which ports are used for access?
  7. Aside from approved users, does the vendor have access to the data and how is this managed?
  8. For cloud solutions, who is considered the owner of any client data stored in the vendor’s data centres?
  9. Is the data centre owned and operated by the software vendor, or outsourced to a third party?
  10. What is the geographical location of the software vendor’s data centre?
  11. Who is liable for any breaches or unapproved exposure of client data?
  12. For SaaS solutions, how does the vendor segment and isolate your data from other customers’ data?
  13. For on-premises solutions, how does the vendor access your system to provide support?
  14. What firewalls and intrusion prevention systems are being used to secure data centres from internet attacks?
  15. When data is transmitted, is it encrypted?
  16. Is data at rest encrypted?
  17. If using encryption, how are keys stored and secured and what encryption technologies are used?
  18. Is the data stored in the software provider’s data centres used for analysis? If yes, what is the approval and notification process?
  19. Is your data shared with other 3rd parties?
  20. What applicable standards or certifications does the vendor comply with and/or hold?
  21. What are the patch frequency and software update release procedures?
  22. What are the HCM provider’s disaster recovery and business continuity practices?
  23. What happens with customer data when the contract is terminated? How is data decommissioned?
  24. What is the incident response process and client notification procedures for security breaches?

In the market for new HR software? Be sure to include these 24 security-related questions in your search, and read our security white paper to learn how HR systems and workflows can be used to prevent data breaches in your organization.

HR and Data Security - White Paper Download