Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Proper vetting for HR tools such as Salary.com

    Posted 12-21-2022 11:37 AM
    Hello, 

    What do you guys think about Salary.com? Is this a company that you would typically put under your Vendor Management process or exclude from it?
    I am still waiting for more information on what services we will receive; however, these are some of the ones posted online: 
    I am wondering, with the information below, does it seem like a subscription or a consultant?

    For Employers

    Empower your team with integrated compensation data and technology solutions.

    CompAnalyst® 

    Make smarter compensation decisions that keep you competitive.

    Surveys & Data Sets 

    Add critical pricing intelligence to your compensation data library.

    JobArchitectTM 

    Simplify the process of creating job descriptions and price jobs accurately.

    Consulting 

    Discover data-driven solutions to today's top total rewards challenges.



  • 2.  RE: Proper vetting for HR tools such as Salary.com

    Posted 12-28-2022 09:42 AM

    Regarding subscription data services such as the ones mentioned above, it seems quite possible that they should be out of scope for your TPRM program. Even so, it is hard to provide a definitive answer without knowing how your organization intends to use these data services (or the functionality of each system). You can generally exclude these HR/Salary subscription data services from your program, provided they do not access, transmit, process, or store employee data.

    If the service requires you to provide access to employee data, the vendor must be in scope for your program. That means conducting due diligence to ensure they can protect employee information. Regularly reassessing the risk and monitoring the vendor.

    Please note that this recommendation is specific to the HR/Salary data providers you mentioned. Regulatory requirements apply to other subscription data services, such as credit bureaus, which use the data to determine customer creditworthiness, and, therefore, would be in scope.

    I hope that helps, but I would love to hear from other members on this topic.




  • 3.  RE: Proper vetting for HR tools such as Salary.com

    Posted 12-28-2022 09:51 AM
    One additional point related to Hilary's post...  IF you use subscribed data as part of your own service workflows (think of market data or interest rate services as examples) then there is a cybersecurity element to the due diligence standard of care that must be applied to the provider(s).  Risks to the confidentiality of such data may not be paramount but the need for data integrity and availability is essential.

    ------------------------------
    L. Beachy
    ------------------------------

    Original Message


  • 4.  RE: Proper vetting for HR tools such as Salary.com

    Posted 12-28-2022 02:36 PM

    Thank you so much! That is very helpful.

     

    Warm Regards,

     

     

    Isabel Guerrero, MPH, CCSA

    Compliance & Audit Manager

     

     

    Text Description automatically generated

     




    Original Message