White Paper

Scissortail HCM Cloud Security - What are the Facts?

Published on

October 19, 2018

Brandi Clymer

Published on

October 19, 2018

Brandi Clymer

Scissortail HCM powered by Kronos helps organizations like yours control labor costs, minimize compliance risk, and improve workforce productivity. Offered exclusively as Software-as-a-Service (SaaS), the solution offers applications for human resources (HR), payroll, time and attendance, leave, accruals, scheduling, and more. Each application can be used individually, as part of a complete, integrated solution, or in conjunction with other third-party applications, content, and/or services. The Scissortail solution delivers a single front-end interface that is available to customers at any time, from anywhere.

The cloud-based solution is the ideal choice for organizations looking to achieve their HR and payroll goals without exceeding their capital equipment budget or placing additional demands on their busy in-house IT staff. Because the Scissortail solution is hosted in the Kronos cloud, you get 24x7 access to your solution without having to purchase additional hardware, operating systems, or database licenses. You gain peace of mind knowing that experienced technical consultants are managing the solution infrastructure, as well as your applications and employee data, to help ensure high availability, reliable performance, and multi- layer security. In addition, because upgrades and add-ons take place in the cloud, you enjoy instant access to the latest software enhancements to help you manage your workforce for optimal results.

When evaluating any vendor’s cloud offering, you need to be confident that your application(s) and data are being maintained at a state-of-the-art data center facility engineered to incorporate multiple levels of security and redundancy, thereby ensuring maximum availability of your HR and Payroll solution. This document is intended to describe the world-class infrastructure, services, processes, and policies behind the Scissortail solution that enable us to deliver the availability, performance, and security your organization demands.

SYSTEM DESIGN

We understand that SaaS offerings must be backed by a world-class technology infrastructure that customers can count on day in and day out. That’s why this solution’s cloud infrastructure environment features a true multi-tenant architecture that provides the highest levels of data security, system up-time, and built-in redundancy.

Our primary and secondary data centers — among the most secure, connected, and compliant facilities in the industry — are designed from the ground up to help ensure the availability and security of your HCM applications and data, and to deliver seamless business continuity across virtually any circumstances. As a result, your organization can rely on secure, continuous access to the automated tools and high-quality information needed for effective HR and payroll processingthat drives competitive advantage and bottom-line results.

Primary Data Center

The Scissortail HCM powered by Kronos solution is hosted at a secure off-site data center in Dulles, Virginia.* This world-class data center facility delivers cloud, managed hosting, and co location services while providing superior integrated hosting services, carrier/network connectivity, and 24x7 security. This data center specializes in meeting industry-specific compliance standards to help ensure the ongoing security and integrity of your deployed solution. The primary data center is constructed and equipped to meet the most stringent security mandates for comprehensive physical, network, and policy-based security.

Security and Auditing

The Scissortail HCM solution environment has achieved the American Institute of Certified Public Accountants (“AICPA”) SSAE 16 SOC 1 Type II and AT101 SOC 2 Type II criteria for security, availability, and confidentiality. The cloud environment undergoes an annual audit by an independent Tier 1 auditing firm that publishes the SOC Type II reports attesting to the suitability and operating effectiveness of the controls in place. The environment is Safe Harbor Certified.

System Up-time

We work closely with the data center to help ensure both the physical security and consistent availability of your data and applications. As a result of these efforts, the system’s up-time has historically measured 99.5 percent or greater monthly. The data center facility, which is designed to eliminate any single point of failure within the system architecture, provides the following features to maximize up-time:

• 24x7x365 monitoring of system operations

• N + N power redundancy

• Connectivity to multiple backbone providers

• Variable switch load technology

• Hardened operating systems on all servers

Up-time Architecture

The platform database availability strategy relies on SQL Server transaction log shipping to maintain copies of its production database on three different servers. This strategy helps ensure that your data, application configurations, and stored code continue to be available even if a server, SAN, or site experiences failure. The primary SQL database solution consists of two databases built in a cluster to provide instant redundancy in the event that one server fails. Transaction logs are shipped to another SQL Server in the production environment, thereby creating a local backup SQL Server. Transaction log files are also shipped via a secure transmission to an off-site SQL server at the disaster recovery location. Full database backup is performed weekly — with incremental backups running daily — to further minimize risk

System Updates

All updates occur on Wednesdays or Thursdays at midnight, U.S. Eastern time.

• Service Packs: Weekly

• System Releases: Monthly

• System Maintenance: 24-hour notice

Up-time Facilities

The HVAC system maintains a consistent operating temperature and is powered by multiple 20-ton computer room air-conditioning units and three 100-ton chillers. Redundant power lines provide over 265 watts of power per square foot utilizing two-megawatt transformers. If a power outage occurs, a two-megawatt Caterpillar diesel generator provides full load in less than 10 seconds and can run for more than 24 hours without refueling. Time-guaranteed contracts with multiple diesel fuel suppliers help ensure uninterrupted service.

Disaster Recovery

Because Scissortail HCM  stores and processed a wide range of human resources data, including confidential employee information, it is critical that the system is both highly available and highly secure. To this end, a multi-layer availability strategy has been implemented across the solution’s cloud hosting infrastructure.

The cloud computing environment features a high-availability design that helps ensure ongoing operation and proper functioning of the system even if individual components fail. To maintain business continuity in the unlikely event that our primary hosting site experiences a catastrophic failure, an emergency secondary data center in Phoenix, Arizona,* is ready to take over production duties within a reasonable time frame:

• Recovery Point Objective (RPO): 15 minutes

• Recovery Time Objective (RTO): 48 hours

The Phoenix-based disaster recovery data center has all the space, power, and security features required for reliable, high-performance hosting and management of your HCM solution.

SECURITY POLICIES AND PROCESSES

Data security is a top priority. We have a designated management representative responsible for implementing policies and procedures designed to protect and safeguard customers’ workforce data.

Data Collection and Encryption Options

Your organization’s users access the platform’s cloud environment from a web browser or mobile device via encrypted transport layer security (TLS) sessions using port 443. Kronos® InTouch® terminal connections are Ethernet-based using port 80 or 443. They can utilize TLS to encrypt data transmission when you provide a digital ID certificate from a third-party vendor.

Secure System Login

End-users authenticate using a unique password. Industry-standard, modern hashing algorithms are used to secure these passwords, and they are never stored in clear text. Your end-users may gain access to the HCM platform via single sign-on (SSO). To implement security assertion markup language (SAML) 2.0, the platform requires an X.509 certificate, which may be self-signed. You will also need to provide the entity ID of your Identity Provider, such as ADFS 2.0, and a login redirect URL. Once a user is logged in via SSO, a multi-faceted security profile controls the role-based functional and data access rights of supervisors and employees.

Browser Support

End-users may access the HCM solution applications via a web browser or mobile app provided that the following requirements are met:

• Internet Explorer®: Versions 9, 10, or 11

• Chrome™/Firefox®/Safari®: Current versions

• The mobile app runs on the following Apple®, Android™, or Windows® Mobile devices with a data plan or Wi-Fi:

• Apple iPhone® or iPad® with iOS 4 or higher

• Android OS 2.2 or higher

• Windows Mobile OS

Physical and Logical Security Features

Scissortail is hosted in a private cloud deployed from an AICPA AT101 SOC2-compliant data center with multi-level physical and logical security features, including:

• Intrusion Prevention System (IPS)/Intrusion Detection System (IDS): Next-generation functionality firewalls are deployed, which restrict network traffic to authorized traffic.

• Secure Transmission Sessions: Secure protocol versions TLS 1.1 and above are supported.

• Virtual Code Authentication: The HCM solution requires virtual code authentication — user name, password, and a system-generated code. Passwords are required to be complex with a minimum number of characters and expiration at a predefined interval. (See Virtual Code Authentication datasheet for more information.)

• Best-Practice Coding: Employs secure coding practices and control processes across application development and software maintenance. Code reviews are conducted regularly to identify potential security flaws.

• Penetration Testing: Uses a qualified third-party vendor to perform penetration testing annually.

• Vulnerability Scanning: Conducts vulnerability scanning using a third-party tool, evaluates identified risks, and develops remediation and/or mitigation plans to address the vulnerability.

• Antivirus Software: Deploys a third-party, commercially available antivirus solution on servers to prevent viruses and malware from being deployed in the cloud environment.

• Patch Management: Patches the HCM solution environment regularly as a routine part of maintaining a secure cloud infrastructure. Patches are reviewed by engineers as they are released from the vendors. Approved patches are tested and then deployed to the environment in accordance with change management policies.

• Risk Assessment: Conducts an annual risk assessment of the HCM solution cloud environment to determine if the control framework achieves the data privacy and data security objectives.

• Security Incident Management: Maintains an escalation procedure to notify appropriate management staff and customer contacts in the event of a security incident. The event is worked to resolution and a root-cause analysis is performed.

Security and Data Protection Training

Security and data protection awareness training for new and existing employees is conducted. New employees are required to complete training within 60 days of their date of hire and annually thereafter. This training focuses on teaching employees what information constitutes personal information, how to protect confidential data and personal information, and security trends of which employees need to be aware. At the conclusion of the training session, employees must pass a test to demonstrate their understanding of data protection and security and privacy awareness issues.

Background Checks

Before extending an offer of employment to a candidate, background checks are conducted to determine if he or she is eligible for hire. These checks include education and employment history verification, and if permitted by law and authorized for the position in question, criminal background and credit check searches.

Certifications

The KRONOS Cloud Services team has the breadth and depth of IT experience, technical skills, and HCM application expertise required to manage, support, and maintain your cloud-hosted HCM system. Team members have earned a wide range of technical and security certifications, which prove they have amassed the experience and mastered the skills needed to deliver reliable, high-performance cloud hosting services.

These certifications include:

• Microsoft® Certified Professional

• Microsoft® Certified Technology Specialist (MCTS)

• Microsoft® Certified Solutions Developer (MCSD)

• PMI’s Project Management Professional (PMP)

• ITIL v3 (Foundation)

• CompTIA A+ (2008), Computer-Communications Systems Supervisor – 7 level (military)

• Microsoft® Certified Professional (MCP Server 2003)

• Microsoft® Certified System Administrator (MCSA Server 2003)

• Microsoft® Certified Technology Specialist (MCTS SQL 2005)

• Juniper Certified - JNCIA-EX (Associate, Enterprise Switching)

• Juniper Certified - JNCIS-ER (Specialist, Enterprise Routing)

• Microsoft® Certified DBA (MCDBA)

• VMware® Certification

• HP® 3Par Storage Certification

• HP® Data Protector Certification

• Certified Information Systems Security Professional (CISSP)

• Certified Information Systems Auditor (CISA)

• Certified Information Security Manager (CISM)

• Certified in the Governance of Enterprise IT (CGEIT)

• Certified in Risk and Information Systems Control (CRISC)




Written By