Regarding subscription data services such as the ones mentioned above, it seems quite possible that they should be out of scope for your TPRM program. Even so, it is hard to provide a definitive answer without knowing how your organization intends to use these data services (or the functionality of each system). You can generally exclude these HR/Salary subscription data services from your program, provided they do not access, transmit, process, or store employee data.
If the service requires you to provide access to employee data, the vendor must be in scope for your program. That means conducting due diligence to ensure they can protect employee information, regularly reassessing the risk, and monitoring the vendor.
Please note that this recommendation is specific to the HR/Salary data providers you mentioned. Regulatory requirements apply to other subscription data services, such as credit bureaus, which use the data to determine customer creditworthiness, and, therefore, would be in scope.
I hope that helps, but I would love to hear from other members on this topic.
Original Message:
Sent: 12-21-2022 12:36 PM
From: ISABEL GUERRERO
Subject: Proper vetting for HR tools such as Salary.com
Hello,
What do you guys think about Salary.com? Is this a company that you would typically put under your Vendor Management process or exclude from it?
I am still waiting for more information on what services we will receive; however, these are some of the ones posted online:
I am wondering, with the information below, does it seem like a subscription or a consultant?
For Employers
Empower your team with integrated compensation data and technology solutions.
CompAnalyst® Make smarter compensation decisions that keep you competitive.
JobArchitect™ Simplify the process of creating job descriptions and price jobs accurately.
Consulting Discover data-driven solutions to today's top total rewards challenges.