5 Questions to Ask a Vendor About Video Interview Security

January 9th, 2020
Kelly McNulty
Video Interviewing

Video interviewing is a popular way for employers to screen job candidates today. Candidates complete the interview anytime, anywhere, and on any device — without missing work or having to travel. Recruiters watch interviews anytime — without any need to juggle schedules. And all candidates are asked the same questions, which can help reduce bias. But, how do you know if the video interviewing solution you choose is secure and confidential?

Knowing is important. Your company has to be mindful of security threats and how proprietary information is handled, stored, and distributed.

No candidate wants his/her interview on YouTube or Facebook. And no employer wants repercussions from inappropriately shared — or leaked — videos. All organizations have to care about data privacy and personal data. Even more importantly, you, as an employer, have to know that in the event of a breach or disaster, you can still access files and information, including stored resumes and video interviews.

But as you investigate video interview providers, how do you find out if the providers’ solutions, and your candidates’ interviews, are secure?

To start, here are 5 things to ask about video interview security as you — and/or your IT security team — evaluate solution providers.

1. What Is the Provider’s Video Interview Security Policy?

An effective security policy includes:

  • Established security guidelines
  • Formally assigned personnel
  • Documented and practiced procedures
  • Technical and physical fortifications
  • Ample contingency plans

Hosting providers should adhere to industry-established IT service management practices and prove their compliance through third-party audits. Ask for verification in the form of Service Organization Controls (SOC) 2 and/or an ISO 27001 audit from an independent auditor. If you’re a federal agency, ask if the provider meets Federal Risk and Authorization Management Program (FedRAMP) standards.

You want a provider willing to provide a documented summary as part of your initial evaluation or RFP process and willing to share details on its approach when asked.

2. How Does the Provider Handle Permissions for Video Access?

Data in the form of video and audio files, personal information, and reviewer comments and scores should only be available to the individuals who need access and who your company wants to access them. You want a provider whose solution supports roles with different permissions.

Ideally, you want an admin or supervisor role who can create accounts and control who has access to see interviews. Specific access roles, such as collaborator, limited collaborator, hiring manager, evaluator, or candidate, let you easily limit access and level of access based on role.

For example, a collaborator, who might be a recruiter, could create and view open positions, schedule interviews, and evaluate candidates. An evaluator could not create or view open positions or schedule interviews but could evaluate candidates. Those are just two examples of possible roles and permissions.

3. How Does the Provider Protect Data?

A provider should protect data no matter where it’s stored and as it’s sent from the provider to the candidate’s device and to your device and back. Protection is needed at multiple levels and should include intrusion detection, virus protection at the perimeter, encryption of content while on the server and in transit, and penetration testing by a third party at least annually.

With video, additional protection can also be included at the player level. For example, video can be set to play only on an authorized player for a specific video over a specific port or channel.

4. Where Is the Data Stored?

The hosting facilities used by service providers range from a Linux box in a basement to multiple enterprise-class IT fortresses with a global footprint. Things to consider about where data is stored include:

  • Physical access protections, such as fences, walls, guards, electronic surveillance, etc.
  • Electronic protections, such as encryption and internal, wireless, and perimeter network security
  • Redundant power and network connections
  • Processing horsepower
  • Backup and failover systems
  • Scalability: does protection scale as the number of users scales?
  • Human resource security, such as hiring and termination plans for employees

5. How Does the Provider Protect Data During a Disaster or Outage?

You want the provider to have plans in place to restore service as soon as possible if a natural or manmade disaster or network outage occurs. A good disaster recovery or business continuity plan includes multiple contingencies and detailed restoration procedures, alternate locations, backup equipment and personnel, and communication plans. The provider should test disaster recovery and business continuity plans at least annually. You also want a provider that offers verification reports to current and potential customers.

How HireVue Secures Video Interviews

HireVue ensures that strict measures are in place to secure your candidate and company information. HireVue works closely with you to make secure information a reality, with each interview captured with HireVue video interviewing technology.

HireVue works with risk, security, legal and compliance executives at large organizations that have some of the most stringent security measures in place. And HireVue performs recurring third-party audits for ISO/IEC 27001:2013, SOC 2 Type 2, and FedRAMP. The result: HireVue secures the data captured in HireVue video interviews without putting your candidate or company information at risk.

Learn more about HireVue’s approach to enterprise security and compliance on the HireVue website or in a HireVue demo.