How to ensure your HR tech vendor is keeping candidate data safe

February 27th, 2023
The HireVue Team
Hiring

Candidates put a great deal of trust in you when they hand over their information. They expect great care to be taken in how you protect that information and who it is shared with. But did you realize that half of organizations experienced a cyberattack in just the past 12 months? In fact, the recent year-over-year increase in ransomware attacks is higher than the past five years combined. Bad actors are more sophisticated and well-funded than ever, with 4 out of 5 breaches now being attributed to organized crime.

In the world of hiring where candidates are your consumers, it’s imperative that applicants know from their first interaction with your process that you understand this threat landscape and take their privacy seriously. The best way to provide them assurance is transparency in all things data, and partnering with vendors who have the rigorous safeguards in place to keep their information secure.

Understanding which security standards are truly vital can be difficult, which is why I want to give you an overview of the three most important ones and how you can verify that your next technology partner meets their criteria.

SOC 2 Type 2

A SOC 2 Type 2 report provides both an independent audit and assurances regarding the design and operating effectiveness of security controls. We recommend asking for a copy of this report: if a vendor has completed the audit, as HireVue has, they can provide you with a full copy under NDA.

What does the audit include?

The SOC 2 covers security controls related to specific “Trust Service Principles” that include security, privacy, availability, confidentiality, and processing integrity. The report will indicate which Trust Service Principles are in scope and will include the assessor’s opinion of the effectiveness of the assessed controls. These controls include things like:

  • Regular information security training for employees;
  • Annual penetration testing to identify vulnerabilities;
  • Automated network and application vulnerability scanning;
  • Data encryption, in transit and at rest.

There’s also something called a SOC 3 report, which essentially shows that SOC audits are performed but won’t include the details of the controls that you will want to see. Another report you may come in contact with is a SOC 2 Type 1, which covers the same controls as a Type 2 but only assesses their design at a point in time; it does not confirm that the controls actually operated effectively over a specific audit period. What you really want to see is a SOC 2 Type 2.

ISO 27001

ISO 27001 covers the cloud hosting environment, personnel, policies and procedures, and systems and networks. The audit assesses an Information Security Management System (ISMS), the framework that guides a vendor’s selection of relevant security controls.

As a rule of thumb, if a vendor claims this type of certification, they’ll have a copy of the certificate they can provide that includes their own name (you can see HireVue’s certificate here). If the vendor’s name is not on the document, it could be a sign that they’re missing a key component of what it takes to keep candidate data safe.

What does the audit include?

An ISO 27001 audit certifies that the ISMS has been implemented appropriately and that appropriate controls have been selected and properly implemented. Put simply, an ISMS is a risk management process covering people, processes, and IT. It provides a systematic approach to managing data security through regular risk assessments, and helps vendors comply with information security regulations and legal requirements.

FedRAMP certification

This government-wide program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, and authorization is a critical decision-making factor if you’re hiring in the public sector. A FedRAMP Authorization To Operate (ATO) is now federally mandated for any use of SaaS by any Federal agency.

In 2019, HireVue became the first and only FedRAMP-authorized video interviewing and assessment platform. Now, 8 of the 10 largest US Federal Departments use the HireVue platform, which has allowed them to transform the way they find, engage, and hire diverse, top tier talent.

What does FedRAMP authorization mean?

At its heart, the FedRAMP authorization process is about creating transparent standards and processes for security while reducing the cost inefficiencies that arise when each agency vets the security of cloud-based products on its own. Products and services that are FedRAMP authorized, like HireVue, can be found in the FedRAMP Marketplace. There you’ll find the authorization type, date of issue, contact information, and the name of the independent assessor. Vendors who have approval are easy to find, and prospective customers can see a full list of the agencies already using a given service.

One last thing

With all three of these essential frameworks, many companies will point out that they host their services with a provider that is certified, such as Amazon Web Services or Microsoft Azure. That’s certainly good, but it covers little more than the physical environment. It says nothing about how the company itself protects your data. So make sure to evaluate your vendors on whether they hold these certifications themselves—and not just their hosting provider.

Still have questions about how we protect your candidates’ data? Schedule a demo.