What IT security questions to ask when outsourcing payroll?

By Scott Thomson – Chief Operating Officer, Links International Hong Kong

With a huge number of high profile data breaches in 2016 and increasing statutory obligations on companies in Asia to protect employees’ information, it’s critical when outsourcing payroll in Hong Kong to select a payroll processing provider with excellent data security processes and a robust IT environment.

While IT security requirements vary by industry, here are the key payroll security questions we’re regularly asked by large clients (especially banking and FI clients) and that any HR team should ask when outsourcing their Hong Kong payroll. 

What security accreditations are the payroll provider’s processes and IT infrastructure compliant with?

In Hong Kong, as well as in most other parts of Asia, it is relatively common for payroll companies to be completely unregulated and not hold any security accreditations. While this can be concerning, especially for overseas companies investing in Asia, the best Hong Kong payroll companies will voluntarily adopt security standards and the provider you use should be compliant with ISO 27001 as a good starting point!

ISO 27001 is part of a family of standards that helps organisations keep their information assets secure and is published by the International Organization for Standardization. Hong Kong payroll providers that meet the standard are certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit. Leading Hong Kong payroll outsourcing companies choose to implement the standard in order to benefit from the best security practices and reassure clients that its recommendations have been followed.

Other common standards that good Hong Kong payroll outsourcing companies will hold include SOC 1 (SSAE 16/ISAE 3402) and SOC 2 (it’s worth noting that a large number of common US and UK standards will not be widely used in Hong Kong). However, asking your provider whether they hold ISO 27001 is a good way of quickly weeding out risky vendors.

Where is the payroll data hosted? Who has access to the data?

Virtually all payroll clients with an IT or compliance function will be keen to understand the following when determining the level of risk associated with a Hong Kong payroll outsourcing company hosting confidential HR information:

  • Where the payroll data is hosted – where will the payroll data be physically hosted? Is the server owned or leased? How is the network structured?

    Most clients will prefer that the payroll data is hosted in-country from a risk perspective, and some industries in certain countries (e.g. banking) will have statutory requirements that information be hosted and stored in-country, as opposed to in off-shore processing centres in low-cost countries (e.g. India, the Philippines, Malaysia, etc.). IT teams (and payroll providers) will also generally prefer in-country hosting where possible, as it ensures a faster user experience for employees when logging into HR portals to access payslips, apply for leave, etc. A good Hong Kong payroll provider will host the data in Hong Kong, but will also be able to provide flexible hosting options such as geo-replication to enhance disaster recovery plans, if required.

  • How the data is stored and transmitted – how is the payroll data secured when being stored and transmitted?

    Assuming the payroll provider is compliant with ISO 27001 best practices, most questions from clients about data storage and transmission will concern whether the payroll data is encrypted at rest (i.e. data is protected while on disk/in storage) and encrypted in transit (i.e. data is protected against snooping while travelling between the client and the payroll provider). Good Hong Kong payroll providers will have data encrypted at both stages, which makes it easier for client HR teams to obtain compliance sign-off. Many compliance and IT teams will not be comfortable transmitting confidential payroll data over unsecured email (even if the attachment is password protected), so it is important that your Hong Kong payroll provider can offer other options for data transmission, e.g. FTPS (FTP over TLS).

    In addition, compliance teams will also be interested in how data is retained and destroyed when no longer required. Ensuring that your Hong Kong payroll provider has clear data retention policies is your first port of call.

  • Who has access to the data? – what is the framework for access to data and how is access monitored?

    Restricting user access to client payroll data to a strict need-to-know basis should be the Hong Kong payroll service provider’s basic starting point, and their data access policies should be standardised across all user access and reflect this principle.

    However, arguably more important, and often overlooked, is the practicality of monitoring user access to payroll data at scale and detecting any potential data breaches. It is all well and good to use a Hong Kong payroll provider with a great documented security policy. However, what systems and processes do they have to check for breaches? What proof do they have to show that they actually follow the processes?


“Will the payroll provider even know a breach has occurred?!?”

Good questions to answer this include:

  • Does the Hong Kong payroll provider have security reporting that tracks inconsistent access patterns, as well as analytics and alerts to notify of a potential breach?
  • Can the payroll provider discover, restrict and monitor privileged identities and their access to resources from a single system?
  • Does the payroll provider maintain an access log, and can the access log be edited after the fact?
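The three questions above have concrete technical answers, and it helps to know what a good one looks like before asking a vendor. The following is an added example, not code from the article or from Links International, showing the two properties a client should expect of a provider’s access log: it cannot be edited without detection (each record’s hash covers the previous record’s hash, so altering any entry breaks the chain from that point onwards), and it is actually analysed for inconsistent access patterns (out-of-hours access, bulk record access within one hour, and an operator touching a client they are not assigned to). The sample log entries, operator names, client names, business-hours window and bulk threshold are all constructed for the example.

```python
import copy
import hashlib
import json
from collections import Counter
from datetime import datetime

# Constructed sample access log (not from the article). Each entry records who
# touched which client's payroll data, when, and how many records were involved.
SAMPLE_LOG = [
    {"ts": "2016-11-14T09:05:00", "user": "alice", "client": "ACME", "action": "view", "records": 3},
    {"ts": "2016-11-14T09:40:00", "user": "bob", "client": "ACME", "action": "view", "records": 2},
    {"ts": "2016-11-14T23:10:00", "user": "bob", "client": "ACME", "action": "export", "records": 150},
    {"ts": "2016-11-15T10:00:00", "user": "alice", "client": "GLOBEX", "action": "view", "records": 1},
]

# Constructed need-to-know assignments: which client accounts each operator may handle.
ASSIGNMENTS = {"alice": {"ACME"}, "bob": {"ACME"}}

GENESIS = "0" * 64  # previous-hash value used for the first record


def _record_hash(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_chain(entries):
    """Append-only log: each record's hash covers its content and the previous record's hash."""
    chain = []
    prev = GENESIS
    for entry in entries:
        h = _record_hash(prev, entry)
        chain.append({"entry": entry, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the index of the first record that fails verification, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    return -1


def find_anomalies(entries, assignments, business_hours=(8, 19), bulk_threshold=20):
    """Flag out-of-hours access, bulk record access within one hour, and access to unassigned clients."""
    alerts = []
    per_user_hour = Counter()
    for e in entries:
        ts = datetime.fromisoformat(e["ts"])
        if not business_hours[0] <= ts.hour < business_hours[1]:
            alerts.append(("out_of_hours", e["user"], e["ts"]))
        if e["client"] not in assignments.get(e["user"], set()):
            alerts.append(("unassigned_client", e["user"], e["client"]))
        per_user_hour[(e["user"], ts.strftime("%Y-%m-%dT%H"))] += e["records"]
    for (user, hour), count in sorted(per_user_hour.items()):
        if count > bulk_threshold:
            alerts.append(("bulk_access", user, hour))
    return alerts


def tampered_chain_index(chain, index, field, value):
    """Edit one record in a copy of the chain and report where verification first fails."""
    edited = copy.deepcopy(chain)
    edited[index]["entry"][field] = value
    return verify_chain(edited)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOG)
    print("chain intact:", verify_chain(chain) == -1)
    for alert in find_anomalies(SAMPLE_LOG, ASSIGNMENTS):
        print("ALERT", alert)
    # Quietly shrinking the 150-record export to 1 record is caught at that record.
    print("tamper detected at record:", tampered_chain_index(chain, 2, "records", 1))
```

Two points worth raising with a provider when discussing this: a hash chain only proves integrity from whichever hash you trust, so the latest chain hash needs to be written somewhere the log administrators cannot rewrite (a separate system, a WORM store, or sent to the client periodically); and the thresholds above are placeholders, since a real provider should be able to describe how their own alerting rules were set and how often they fire.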

A concerning amount of Hong Kong HR technology lags behind the rest of the world, and you don’t want to learn about your company’s HR data breach on www.scmp.com. Thoroughly understanding your vendor’s ability to detect and monitor potential breaches is key to reducing your ‘front page of the paper’ risk.

What other information security questions should we ask?

While this list is not exhaustive, other important security questions that large clients will ask include:

  • What on-premises security is there? E.g. in-office CCTV (with readily available access to recordings), monitored alarm systems, etc.
  • How does the provider communicate InfoSec policies and procedures to staff? Can they provide evidence such as email communications, training records, memos, etc.?
  • How does the provider reference check new staff? What is the disciplinary process in the event of a security incident with a staff member?
  • How are change and access requests processed? Can proof of requests be given?
  • What firewall/antivirus protection is used? How are updates and patches distributed systematically to all users?

Having a good understanding of your Hong Kong payroll outsourcing provider’s information security is key to having a successful and stress-free payroll experience, and asking the right questions makes all the difference.

Interested in knowing more?

Information security is critical to Links’ business, and our HR Outsourcing services and IT infrastructure are audited and certified for a number of security accreditations, including the ISO 27001 information security standard.

Are you looking to outsource your payroll in Hong Kong, but worry about security breaches? Links International is ISO 27001 compliant, which ensures that all our clients have the highest level of information security.