
Ceridian HR & Payroll Hosting—An HR Software Review


Ceridian Data Center Hosting & Service Level Agreement

Data Center Hosting

Ceridian has two hosting centers (Atlanta, GA and Louisville, KY) that deliver the hosted HR software, serve as backups for one another, and balance the processing workload. Ceridian uses the web-standard 128-bit SSL (Secure Sockets Layer) for encrypted communications between the browser and the server; the "128-bit" figure describes the symmetric session key, not the server certificate's key. Ceridian's hosted servers are housed in secured facilities in unmarked buildings, monitored 24/7 by both security personnel and video, and visitors to a hosting center require electronic pass-cards and a physical escort at all times.

Ceridian's data center hardware infrastructure provides redundancy and disaster recovery at several levels: database clusters with external storage arrays, and web servers configured as a traditional server farm, let Ceridian distribute processing and keep web server utilization high. This clustered approach gives real-time failover and evens out processing performance across customers, and it also allows server maintenance without necessarily interrupting the online service.

Ceridian data centers are hardened facilities with fully redundant power, multiple UPS (uninterruptible power supply) units, backup diesel generation (1,650 kVA) and traditional data center safeguards such as raised floors, redundant HVAC temperature control systems, separate cooling zones, separately zoned smoke and heat detection, and non-water first-response fire suppression systems.

Information Security

The Information Protection department at Ceridian is directed globally by the Vice President, Information Protection Services, and is supported by several local information protection offices across the business. The department is responsible for setting policy and creating standards, risk management, governance and compliance. Its main focus areas are security, privacy, and business continuity. The security program is supported by the technical expertise of security operations teams within the IT organization, which consist of security professionals with a broad base of experience. Many of these professionals hold the Certified Information Systems Security Professional (CISSP) certification; several staff members hold SANS Institute certifications (including several GIAC Certified Forensic Analysts); and the company also employs Certified Business Continuity Professionals. This level of governance and dedicated staffing is unusual among SaaS HR vendors.

Information security policies are benchmarked against ISO international standards and cover all control areas identified in ISO 27001. Global policies include, but are not limited to, Information Security Policy, Data Privacy Policy, Acceptable Use Policy, Information Security Incident Policy, Business Continuity Management Policy and a Compliance Policy. Corporate policies are reviewed and updated semi-annually. In addition, several other types of assessments are conducted in various areas of Ceridian's business. For example:

  • Annual technical network/application external penetration assessment to identify weaknesses or exposures in the corporate network infrastructure.
  • For many Ceridian applications, a SAS 70 Type II assessment is conducted to help ensure that appropriate internal controls are implemented and operating effectively. (A SAS 70 report attests to the controls the service organization itself defined, so a buyer should ask which applications and which controls are in scope.)
  • Vulnerability assessments are conducted by internal staff on a regular basis.
  • Product assessments to evaluate the security capabilities of individual products are conducted on key product offerings.
  • The independent Internal Audit function conducts several audits each year that focus on IT security programs, provisions and procedures.

Weaknesses identified during these assessments, or by other means, are analyzed and assessed, and remediation plans are built based on the probability, risk and impact of each identified weakness. Technical safeguards are also in place to help ensure day-to-day operational security. Examples include:

  • Stateful firewalls are in place at all egress points to the external network. Firewalls are configured as default-deny and ports are enabled only as approved business needs require.
  • Tiered security architecture is in place, making use of DMZ and internal secure network zones.
  • Intrusion detection and intrusion prevention technology is in place, and is managed on a 24x7x365 basis. Sensors are deployed at Internet connections and strategic locations throughout the network environment.
  • Antivirus software is implemented on all gateways, servers and workstations, and is configured to automatically update pattern files and scan engines on a regular basis. Files and emails are scanned in real-time and full-system scans are performed on a weekly basis. Further, desktop anti-virus is managed centrally and cannot be disabled by end users.
  • Alerts and vulnerability information are received from numerous sources, such as CERT, ISS, SANS and technology vendors. Each alert and the patches for the identified vulnerabilities are reviewed internally, and system administrators have a pre-defined schedule and deadline for applying the resulting patches and configuration changes.
  • Content filtering is in place for all inbound and outbound email and, via a web proxy, for web traffic.
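
As an added example (not Ceridian's configuration; the page publishes no ruleset), the following nftables ruleset shows what the first two safeguards above mean in practice: a stateful firewall whose base chains are default-deny, with a DMZ web tier separated from an internal database tier, and only approved ports opened between zones. The interface names (wan0, dmz0, int0), the 10.10.0.0/24 and 10.20.0.0/24 address ranges, the database host 10.20.0.10 and the port numbers are assumptions made for the example.

```nftables
# Added example, not Ceridian's ruleset. Interface names, addresses and
# ports below are assumptions for illustration.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default-deny for the firewall host itself
        ct state established,related accept              # stateful: replies to allowed traffic
        ct state invalid drop
        iif "lo" accept
        # management access only from the internal zone, SSH only
        iifname "int0" ip saddr 10.20.0.0/24 tcp dport 22 accept
        # ICMP echo permitted for monitoring, rate-limited
        icmp type echo-request limit rate 10/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # default-deny between zones
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ web tier: HTTPS, plus HTTP for redirects to HTTPS
        iifname "wan0" oifname "dmz0" ip daddr 10.10.0.0/24 tcp dport { 80, 443 } accept

        # DMZ web tier -> internal database cluster: the database port only
        iifname "dmz0" oifname "int0" ip saddr 10.10.0.0/24 ip daddr 10.20.0.10 tcp dport 1433 accept

        # Internet must never reach the internal zone directly. The chain policy
        # already drops it; this rule logs the attempt so the IDS/SOC sees it.
        iifname "wan0" oifname "int0" log prefix "WAN->INT denied: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;  # egress from the host is also default-deny
        ct state established,related accept
        oif "lo" accept
        # outbound from the host itself: DNS, NTP and HTTPS for patch retrieval only
        udp dport { 53, 123 } accept
        tcp dport { 53, 443 } accept
    }
}
```

Load it with `nft -f firewall.nft` and review the result with `nft list ruleset`. The point of `policy drop` on every base chain is that a service nobody approved is unreachable rather than exposed; the logging rule on the forward chain turns a denied Internet-to-internal attempt into an event the 24x7 intrusion detection team can act on.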

If it seems that an inordinate amount of Ceridian's time and resources is being spent on security, you are right; it should be noted, however, that this was not an arbitrarily chosen initiative. Ceridian's security efforts are a direct response to charges filed against the company. In a 5-0 ruling in 2011, the Federal Trade Commission (FTC) found that Ceridian had not in fact taken "reasonable and appropriate measures to protect personal information against unauthorized access", as the company had claimed. According to the FTC decision, Ceridian failed to adequately protect its network from attacks that were "reasonably foreseeable", allowing a breach affecting 35K+ customers that exposed what the FTC characterized as easily identifiable data (including Social Security numbers and direct deposit information). The final FTC order required Ceridian to establish a comprehensive information security program, consisting of:

  • The designation of an employee or employees to coordinate and be accountable for the information security program;
  • The identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, and (3) prevention, detection, and response to attacks, intrusions, or other systems failure;
  • The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;
  • The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent and requiring service providers by contract to implement and maintain appropriate safeguards; and
  • The evaluation and adjustment of respondent's information security program in light of the results of the testing and monitoring required.

Service Level Agreement

Ceridian provides a service level agreement (SLA) that covers:

  • The availability of the network for the use of the HR application, including the database, network, HR/Payroll Web or Latitude, Self Service, and Time modules
  • Payroll Processing and Reruns
  • Payroll Accuracy—Percentage of Paychecks Produced Accurately (Net)

Each of these areas carries a 99.5% uptime or accuracy target. If a target is missed, the customer may receive a 3% monthly credit for each following month until the service level is met again.
