6 Security Questions You Must Ask Your HRMS Vendor

The 3Ss: Security, Security, Security. When it comes to your people’s personal information, protecting the data in your HRMS is paramount. Any vendor offering you a new system should be prepared to give robust answers to the following HRMS security questions.

HRMS Security Question #1: Where Will Our Data Be Kept?

This is a question for cloud-based systems. Your data is off-premises and you need to know where the data centre is and how secure that location is (and what its uptime performance is). This issue becomes even more acute when you factor in mobile access – when data is being shared, up- and downloaded to and from multiple devices and locations it’s easy to lose track.

HRMS Security Question #2:What is Your Disaster Recovery Plan?

Again, this is particularly important for cloud data centres. You need to be reassured that they are taking as good care of your data as you would on your own internal servers. Should the worst happen, how long will you be without your system? Ask to see their current ISO27001 or SSAE 16 certification.

HRMS Security Question #3: What Is Your Provider Chain?

Some vendors use a variety of third party suppliers, all of whom will have varying degrees of access to you and your data. Put simply, you need to know who you are dealing with. If you’re buying a cloud HRMS, then the situation may be more complicated with software as a service (SaaS), platform as a service(PaaS), and infrastructure as a service (IaaS) creating the possibility of an entire chain of providers between you and your stored data.

HRMS Security Question #4: How Will You Deal with BYOD?

Mobile use is ever-increasing, part of the current trend of flexible access to HRMS. More and more organisations are implementing bring your own device policies and central control over data security across all devices (personal or company) is essential and any BYOD-friendly system should incorporate or recommend middleware that will give control and peace of mind.

HRMS Security Question #5: What Protection Does the System Afford against Internal Threats?

Sadly, not all security threats come from outside. Whether it’s through carelessness (lost or misplaced devices) or deliberate theft (a disgruntled departing employee?) your own people can pose a threat to data security. What protective measures does the system offer?

HRMS Security Question #6: What Security Awareness Measures Do You Recommend/Offer?

Human error is difficult to factor in to system design. Often such errors occur through the carelessness that comes from being unaware of the risks involved in HR data breaches. Awareness can usually be assessed and boosted during implementation user training. Furthermore, the simpler the security procedures (e.g. single sign-on, password protocols) the easier they are for people to get right.