Keeping employee data safe and secure is one of the most important roles of the HR team. HR systems are one of the most efficient ways that human resources can ensure the safety of this information with very little effort or monitoring on their part.
Choosing a flexible HR system, especially one that runs on the cloud, can provide that much-needed peace of mind that all sensitive data is secure. However, not all modern HR systems are as efficient as others and with so many on the market, it can easily become confusing and overwhelming when looking for a vendor.
Whether your business is looking to invest in human resource systems or want to make sure your current system is providing the right security, we take a look at the 4 best ways to ensure your chosen provider of a human resource management system is giving you the best security service possible.
By asking the following questions, you should be able to gauge exactly how secure a human resource information system is.
Are they registered with the ICO?
In the UK, it is a legal requirement for any business that is processing personal data to be registered with the ICO. This includes any third party that may be handling and storing this data on their behalf, such as an HR system.
Asking this should always be a top priority and is the easiest question to understand as this will simply be a yes or no answer. It is important to remember that if a vendor is registered, this doesn’t automatically give them a secure status, it merely shows that they are following their legal obligation in regards to this regulation.
Are They Certified?
This is a crucial question, is your chosen HR system provider ISO27001 certified? If they aren’t, you should begin looking for a new provider as soon as possible. International standards are set by ISO27001 for the security management of information. If a provider has managed to obtain this certification, you will know they have gone through the rigorous testing to achieve this.
HR system providers with ISO27001 certification have had to have all their internal systems audited externally to make sure everything is up to standard and even the smallest crack will lead to this certification not being achieved.
There is no registry that you can look up to check if your provider has obtained this. Therefore, it is recommended to ask for a copy of their certificate with a valid date. Once this has been seen, check which body awarded the certificate and ensure they are reputable and follow the correct procedures.
If you want to be particularly stringent, you can call up this awarding body and verify the certificate. While forgeries are rare, it is better to be safe than sorry when it comes to the security of personal data.
Is Data Stored Reliably?
The above questions help you find out if data is being appropriately handled, but they do not cover the HR system provider directly or the cloud or data centre they are using to store your data.
Any data centre used in the process also needs to be ISO27001 certified and you should also check their back procedures. The HR system should be able to provide an insight into this, if they can’t, ask them for the contact details of the centre so you can check with them directly.
They should also be able to provide a comprehensive disaster recovery plan along with full penetration testing that has been implemented. If any of these aren’t produced or don’t seem to be up to standard, you may want to think twice about your provider.
How Regular Is Testing?
As HR systems evolve and security measures are modernised, so are hacking techniques. This is why new updates need to be constantly rolled out to prevent a cybercriminal from being able to access sensitive data.
Penetration tests are crucial to making sure everything is as secure as possible. These tests put pressure on the current system and can provide an insight into any weaknesses in the software that could lead to a hacker gaining access.
These tests should be conducted by an external party, ask your HR system provider to tell you who they are using and how regularly they perform these tests. This external company needs to be reputable and know what they are doing, using an inadequate tester can lead to unsafe results and weaknesses not being detected.
With the above in mind, your business should be able to know what vendor will and won’t work and ensure all sensitive information is stored safely and securely. Even with an HR system storing this data, it is still the responsibility of the business to make sure this is secure, so don’t fall victim to an inadequate provider.
