The Security Questions HR Software Vendors Don't Want You to Ask
By Micah Fairchild
Diving Deep for Data Safety Answers on HR Software
A new study conducted by the Ponemon Institute recently highlighted how much the 2011 average cost of a data breach would be. The figure? $7.2M for a single event. While those figures involve the value of proprietary data loss, much of the information that thieves seek in these data breaches has to do with employees. And who houses the bulk of that information? Human Resources. Think about it: human resource information systems (HRIS) house some of the most sensitive information collected anywhere, period. Criminal and credit records (for background checks), Social Security numbers, Health Insurance Portability and Accountability Act (HIPAA) data, and bank account details (for direct deposits) are just some of the many pieces of personally identifiable information stored for employment purposes. Given the enormity of data that Human Resource departments house, it seems only prudent to ask potential HRIS (or HRMS) vendors some questions about how secure that employee information will be. Some vendors might balk, others certainly won't like it, but at the end of the day, the answers you get to these questions will seriously increase how informed you are for your next HR software purchase.
HR Software Question # 1: What Happens if the Vendor Becomes Insolvent?
Franklin Covey in 7 Habits of Highly Effective People makes the point that we should always "begin with the end in mind". While it may seem a bit morbid to question a new vendor about their untimely demise, that question is fair game and should absolutely, unequivocally be asked. By taking care of this question up front, you're essentially tackling all the big-time questions that need to be asked about issues like data ownership, information transference, and, most importantly, which one of you will be footing the bill for that data transfer. Of course, licensed and customer-hosted software models aren't in as much trouble initially as Software-as-a-Service (SaaS) solutions, but regardless, if the process is important (i.e. "mission-critical"), you had better have the vendor's answers to these questions as well as a plan for how to pick up the pieces.
HR Software Question # 2: What Happens When an Employee Leaves?
The current economy has given organizations a vicious case of "lay-off fever", as core functions are being insulated and pink slips are going out en masse. As this offboarding is taking place, though, insider theft is running rampant, and a staggering 59% of laid-off employees (based on a Ponemon study) are keeping or taking company information with them as they go. Logically, then, the question needs to be put to any potential vendor: what steps are taken when an employee leaves (either voluntarily or involuntarily) to ensure that information is safe? Automatic de-provisioning is a start, but what other measures will be taken? Further, if faced with a lay-off scenario large enough to trigger something like a Worker Adjustment and Retraining Notification (WARN) notice, will the vendor be a part of any security audits, access restrictions, or additional high-priority data protection efforts? Regardless of the vendor's answer to this question, additional security during lay-off periods is extremely important given the troubling statistics above. While it may not be a deal breaker if a vendor doesn't have security measures in place for employee turnover, organizations still need to be cognizant of what data safety issues are likely to surface in a worst-case-scenario workforce reduction.
HR Software Question # 3: What Proactive Security Steps is the Vendor Taking?
Ernst & Young's 2010 Global Information Security Survey found that data safety is an ever-present issue, with 38% of organizations beefing up "awareness activities", 29% piling on additional encryption, and 39% making policy changes to better support the security need. Given that the overwhelming majority of data security issues stem from human error, you'll want to know how proactive your prospective vendor is in assessing vulnerabilities and applying solutions. For example, how much presence will the vendor have in helping train employees in system, access, and password set-up? How much effort will the vendor expend in helping with software change management? How will software users be kept abreast of the changing risk landscape and of their responsibility for protecting the system and the data housed therein? These efforts are the proactive pieces of security that let you know the vendor a) takes data safety issues seriously, and b) understands the educational imperative inherent in employee users.
Bottom-line for HR Software Security
Because the acceptability of vendors' answers may vary depending on your organization's unique needs, the answers to these questions should always be obtained before any actual HR selection process begins. Also, as always, a needs analysis for security should be done (prior to selection) so that the organization gains a solid understanding of the data security issues the company is likely to face. This matters because, while faith needs to be placed in a vendor's ability to provide the highest level of data security available, at the end of the day, liability will most likely remain with the organization.