Human Resources Information System (HRIS) programs are fast becoming the norm for HR administration. Despite the expense, businesses are increasingly jumping onboard with the HRIS benefits for their company and employees. However, only a successful installation justifies the cost. And, some installations fail because of issues relating to data security.
The problem is described with relative ease. Any employer’s data is vulnerable to breaches of security within the company. It worries, too, about invasion or hacking of that data from the periphery. That is, it can be hacked by other data systems with which it communicates, such as that of vendors, customers, and out-placed functions. Software applications purchased from outside sources may bring vulnerabilities with them. And, competitors, individuals, and governments at one time or another have breached just about all systems.
Your part of the job
A simple in-house audit should launder the data before submission. You might check your HR data to see:
- If the count of records matches your expectations
- If there are duplicate records
- If there are obsolete files
- If there are empty data fields
- If data is updated
- If there are incorrect or outdated users
Your HRIS vendor’s security is your problem
If the security of your in-house work were compromised, your HR functions would be severely damaged. If you are going to trust that data to an HRIS vendor, your job is to investigate and verify the vendor’s security thoroughly.
At some point, you have to trust your decision to outsource or purchase software systems. However, to build that trust in cloud-based solutions, you have to pump up your due diligence.
- A SaaS 70 audit is “designed to show that service providers have sufficient control over data.” However, it was created prior to universal cloud roll out, and it may be a weak standard.
- ISO/IEC 27001, on the other hand, specifies international standards on the establishment, implementation, operation, and monitoring of information security systems. It identifies the security controls needed for the individual organization’s customization.
- The dense but thorough Systems Considerations in the Design of an HRIS planning for implementation is necessary reading. The intent is not to overwhelm you but to help you position yourself for what you need to know and the questions you want to ask.
- You must secure all detection capabilities, encryption levels, security documentation, and dedicated security personnel.
- Your CEO and stakeholders share the right and need to have confidence in the system. You need to work with your IT experts and vendor to strike the right balance of security and change.
You do not and should not be the master of this technology, but, between you and your Information Technology chief, you need to know the questions to press on your HRIS vendor. This is especially true of larger companies, global companies, and corporations with many locations and many users. Any security system up to global standards should be the optimum for any HRIS customer.
The link to “Data Security and Employee Confidentiality in HRIS Systems ” goes to the same place as “ISO/IEC 27001”. PLease can you check?
Thanks for the catch!