HR Technology Security Checklist – iBTR

HR Technology Security Checklist

December 13, 2023

We all know that safety and security are primary goals of the HR world. The HR technologies deployed across your organization are no exception to that rule. But how can you be sure your HR Technology meets industry standards?

The first step is to ASK – inquire about your service provider’s security policies, practices, and audit outcomes. Consider how they compare to industry benchmarks and regulations. Here are three key questions you can ask your service provider today:

1. “How do you validate your security practices?

Exploring how the service provider adheres to standards as well as implements each practice will reveal their priority for security. Solution providers with strong security practices will have a high-level standard, which will be evident in their response.

2. “What is your track record with breaches?”

Review publicly available intel on security incidents, litigations, and legal proceedings related to their services to see how the service provider handles security issues. Specifically asking about previous security breaches will showcase their ability to support your team in the event of a security issue.

3. “Do you have insurance policies in place to cover cybersecurity losses?”

This is a crucial component to ensure your data, confidentiality, and PHI will have a recovery strategy in place in the event of security breach. This includes coverage for identity theft cases and is a key factor in identifying that your solution provider is serious about protecting client privacy.

After asking these important questions, iBTR recommends stepping through a Cybersecurity Evaluation. A successful evaluation should result in security details that will satisfy regulatory requirements as well as your organizational requirements. Apply these evaluation steps to your solution provider’s security practices to see how they measure up.

Cybersecurity Evaluation

  • Formal, well-documented cybersecurity program
  • Conducting prudent annual risk assessments
  • Reliable annual third-party security controls audit (such as ISO audit)
  • Clearly defined and assigned information security roles and responsibilities
  • Strong access control procedures
  • Ensuring appropriate security reviews and assessments for data in the cloud or managed by third-party providers
  • Periodic cybersecurity awareness training
  • Implementation and management of a secure System Development Life Cycle (SDLC) program
  • Effective business resiliency program covering continuity, recovery, and incident response
  • Encryption of sensitive data in storage and during transit
  • Implementation of robust technical controls aligning with best security practices
  • Appropriate responses to any past cybersecurity incidents.

So, how did your solution provider do?

It’s always better to be safe than sorry. Internet Hackers and ne’er-do-wells are continually getting craftier in how they steal data and PHI. iBTR always recommends a thorough review of security practices with any solution provider to keep ahead of security issues and to ensure a plan for recovery.

Need help evaluating your solution provider? iBTR can help! Email us at to get started with your project today.


Michael Bond is an HR Technology Project Manager for iBTR’s Consulting division, helping clients with HR technology selection, management, and more. Michael has several years’ experience in the industry, analyzing business needs and more. He is committed to making every interaction count by improving the overall workforce experience through partnership with employers and brokers.