From recruitment through absence and performance management to processing payroll, HR teams deal with sensitive personal data daily, and keeping that data safe is your responsibility. Chances are, you’ve already got appropriate training and processes in place. But what about your suppliers? Do you know what steps they’ve taken to protect your data and help you keep it safe?
Under GDPR, the ultimate responsibility for security rests with the organisation that ‘owns’ the data (the controller). Yet, according to the Cyber Security Breaches Survey 2019, only one in five businesses require their suppliers to have some sort of cybersecurity standards or procedures.
Our successful, independent ISO 27001 re-audit provided an opportunity to reflect on how we make security part of our culture – of the way we do things – and why that’s important not just for us, but for every organisation.
ISO 27001 – more than just documentation
At Cezanne HR we place heavy importance on ensuring both our software and business practices are secure. As a team, we all take responsibility for data security, including being alert to intruders in the office. We know it’s our business and our responsibility to keep it safe.
How we make security part of Cezanne HR’s DNA
- Formal onboarding – The first day for all new employees includes data security training.
- Clear documentation – All employees must confirm they’ve read our security policies, know where to find them on file and be prepared to answer questions during the ISO 27001 audit.
- Regular re-training – Mandatory training refreshers are carried out throughout the year.
- Appropriate processes and tools – Employees are given the necessary equipment and software to carry out their work securely, e.g. encrypted laptops and data transfer tools.
- Restricted access – Access to software and systems is locked down to reflect individual roles and responsibilities. For example, only our IT team can install software on work PCs or laptops.
Cezanne HR is certified by the British Standards Institution (BSI), which was the world’s first National Standards Body and is globally recognised as a champion of best practice.
Our culture is part of our larger security picture
Our Cloud-HR software suite was developed so our customers can be at ease knowing their data is protected. Here are just some ways we do it:
1. Secure from the start
Cezanne HR’s technology platform was built from the ground up to run securely in the Cloud. We didn’t just take old code and repurpose it for the web. Instead, we invested in developing a comprehensive, multi-language, multi-country HR system specifically designed to be accessed across the internet, with robust data security at every level. Our system is constantly monitored for security threats and subjected to ongoing penetration testing, so its security is independently validated.
2. Regular software updates
As technology continues to advance, cybercriminals also become more creative in how they target and attack businesses. This means that to stay secure, the software must be regularly reviewed, tested and – if necessary – updated to tackle these threats.
HR systems that were developed to be hosted on-site and then migrated to the Cloud are expensive and inconvenient to update. A key benefit of a multi-tenanted Cloud-HR system, like Cezanne HR, is that updates can be made much more quickly – and deployed to all customers at the same time seamlessly, and for no extra cost.
3. Hosted within a world-leading Cloud server
The Cezanne HR suite is hosted within Amazon Web Services, the world’s leading Cloud Infrastructure as a Service provider.
4. Restricted security roles
With configurable security roles, our HR system allows you to maintain transparency across your organisation as needed, while also controlling who can access what data in the system. You can authorise what users can view or edit by allocating them to key roles (HR administrator, restricted HR administrator, line manager or self-service employee), each of which can be further tailored to reflect specific sub-sets of employees.
5. Data Encryption
We use strong encryption to protect customer data (which is stored on an encrypted file system) and communications, including SSL Certification. SSL (Secure Sockets Layer) is the standard security technology for creating an encrypted link between a web server and a browser.
6. Password security
Cezanne HR never stores passwords, only the hashes of passwords – protecting them through sophisticated hashing and salting techniques. Also, customers can set rules in the system to enforce a strong password policy for their users. There is the option of additional user authentication such as Single Sign-On (SSO) or Two-Factor Authentication (2FA) for enhanced security.
You can find full details of our security design and infrastructure here.