16 May 2019
When assessing potential HR vendors, don’t rest until you have confidence in their structures and methodologies – because a breach could affect both business longevity and reputation, writes Nick Southcombe
When assessing hosted payroll and HR vendors, it’s important to ensure that they apply industry best practices to the treatment and protection of your organisation’s data. Vendors must be able to demonstrate the steps they take to protect data from security threats, both internal and external.
An essential defence in any vendor’s arsenal is ISO accreditation. One of the main standards for security is ISO 27001, an international standard which should be sought. It shows the vendor has a serious commitment to managing information security, based on risks to the organisation’s information assets.
Besides ISO 27001, vendors should hold ISO 9001 accreditation. ISO 9001 is a quality management standard that requires an organisation to meet its own requirements and those of its customers and regulators. Also seek a vendor that offers ISO 20000, the internationally acknowledged standard for high-quality service management.
Combined, accreditations such as the ones above ensure you are dealing with a vendor that values security-driven processes and controls.
Alongside ISO accreditation, consider requiring successful vendors to offer ISAE/ASAE 3402 compliance. Such compliance means service processes and procedures are to a world standard and are annually assessed.
Ascertaining vendor accreditations is a first step toward vendor selection, but what is also required is a closer examination of the physical security of data.
“Vendors should also be able to demonstrate a commitment to external audits of data security arrangements”
As a minimum, make sure your vendor can satisfy the following requirements:
- World-class data protection and encryption of data
- Built-in solution and database protection designed to prevent unauthorised data access, including layers of redundancy, encryption, network and web firewalls, intrusion detection and user authentication
- Dedicated information security staff, possessing industry evaluated skill sets in information security and best practices.
- A proactive and regularly tested business continuity plan that provides fully redundant power subsystems, protection against fires, natural disasters, power outages, sabotage, theft and/or civil disruption
- Frequent, (every few hours and/or daily) backups of customers’ data sent to an alternate facility
- Continuous, automatic monitoring for viruses
- Live-state heartbeat infrastructure monitoring
- Embedded web application firewall as a core feature to all implementations
- A Security Operations Centre (SOC) and Security Information and Event Management (SIEM) to monitor and analyse potential threats in real time.
Vendors committed to data security should offer controls equivalent to Sarbanes Oxley (SOC) SOC2/SOC3-level to extend and supplement their ASAE 3402 controls. By doing so, they ensure that their system and your data:
- Is protected against unauthorised access
- Is available for agreed operation and use
- Is designated confidential and protected accordingly
- Provides unrestricted, accurate and timely access in adverse conditions
- Is governed by privacy principles that determine how personal data is collected, used, retained and/or destroyed.
“We have noticed that organisations look for a greater emphasis on culture, awareness and value of data and its protection by hosted service providers during the selection process”
Where is your data located?
The next thing to consider is the physical location of your data. Vendors may choose to host data in their own dedicated computer and data storage infrastructure. Others may use a world-class data centre to maintain the quality and security of infrastructure. Vendors should also be able to demonstrate a commitment to external audits of data security arrangements.
Once accreditation, process, controls, audits and physical security concerns have been addressed, you need to consider the vendor themselves a possible source of breach. Consequently, a detailed review of data access controls needs to be undertaken to be clear about who can access your data and for what purpose. Vendors should be able to document and demonstrate an employee-wide commitment to data security, via training and education programs that are rolled out company-wide.
“We have noticed that organisations look for a greater emphasis on culture, awareness and value of data and its protection by hosted service providers during the selection process,” says Victor Miloshis, national technical support manager at Frontier Software.
“We associate this with the increasing focus on laws relating to data privacy and breach management, along with an evolved sensitivity to unwanted and unguarded data exposure.”
Frontier Software offers all the minimum and additional requirements discussed above, securing client data via:
- Data backup and recovery using a tailored multi-point recovery model
- Rapid access data storage via de-duplexing technology
- Hourly, end of day, end of week, end of month archiving and recovery
- Compulsory restoration testing.
- Flexibility in performing point-in-process or point-in-time backup requirement.
- User validation, application-layer governed authorisation
- Network and web application firewalls
- Discrete environment availability and recovery
- Hardware redundancy
- Strong change management
- Geographically dispersed data hosting facilities
- Continuous monitoring of environment to ensure confidentiality, integrity availability and safety.
At Frontier Software our data security is established and trusted by industries spanning both the private and public sectors. When assessing your potential vendors, don’t rest until you have confidence in their structures and methodologies because a breach could affect both business longevity and reputation – not to mention the potential threat to the individual.
Originally published in Inside HR in May 2019