Some might mistake this engagement as a simple consulting arrangement. However, HR firms are almost always dealing with sensitive data (your employee data). As such, those HR firms must meet or exceed the same information security and privacy protection standards for which your company would be held accountable. I would suggest obtaining documents detailing Information Security and Privacy, including:
- Attestations or certifications for security controls, processing integrity, confidentiality, and privacy of their data systems. These certifications might include an SSAE SOC 2 Type II report, ISO/IEC 27001 certification, penetration testing reports, or other third-party audits.
- Information Security Program Documents, including policies and a list of controls
- Technical and procedural measures for network protection through a firewall
- Data security policies that cover:
  - Data classification and encryption methodologies
  - Data loss prevention
  - Data retention and destruction
- Documented incident response policy, standards, and processes
- Data security and confidentiality protections against threats or hazards
- Data privacy and confidentiality
Additionally, to create an effective AAP (Affirmative Action Plan) process, HR firms must follow robust compliance requirements. A significant reason to pursue an AAP would be to enable regulatory reporting, such as an OFCCP (Office of Federal Contract Compliance Programs) report. I would want to review an inventory of the regulations they will consider for the AAP, making sure they are up to date.
I would also request a recent copy of their general compliance policy and employee compliance training plan. The compliance policy and training plan should have been reviewed and/or updated within the last 12 months.
Those are my thoughts. Does anyone have anything to add?