Ceridian Data Center Hosting & Service Level Agreement
Data Center Hosting
When it comes to looking after client information, Ceridian takes security – both virtual and physical – seriously. Balancing the data workload and acting as a backup for one another, Ceridian’s two hosting centers are in Atlanta, GA and Louisville, KY. Browser-server interaction uses standard 128-bit SSL (Secure Sockets Layer) technology for encrypted communications, and the servers themselves are housed in secured facilities in unmarked buildings with 24/7 monitoring by both security personnel and video surveillance.
For redundancy and disaster recovery, the data center hardware infrastructure is protected on a number of levels. Database clusters with external storage arrays and web servers configured in a traditional farm environment enable Ceridian to distribute processing and obtain a high level of web server utilization. This federated approach achieves real-time fail-over and smooths processing performance for customers. The same features also enable server maintenance without interruption to online services.
Both data centers are hardened facilities with fully redundant power, multiple uninterruptible power supplies (UPS), and backup 1650 kVA diesel generators. They also employ the usual server safeguards such as raised floors, redundant HVAC temperature control systems, separate cooling zones, separately zoned smoke and heat detection, and non-water first response fire suppression systems.
Ceridian has an appointed Vice President for Information Protection Services who directs and is responsible for just that – policy, standards, risk management, governance and compliance as related to the security of client information – and who is in turn supported by a network of local information protection offices. The security program is supported by the technical expertise of security operations teams within the IT organization, which consist of security professionals with a broad experience base, many of them CISSP (Certified Information Systems Security Professional) and/or SANS Institute certified. If by now you’re thinking that this level of governance and staffing dedicated to information security is unusual among SaaS (Software-as-a-Service) payroll providers, you would be correct – Ceridian takes the safeguarding of its clients’ data and its availability very seriously.
Ceridian is a truly global organization, and its information security policies are compliant with ISO 27001; they cover information security, data privacy, acceptable use, information security incidents, business continuity management and compliance. In addition to monitoring compliance with internal policies, several other assessments are regularly conducted:
- An annual technical network/application external penetration assessment to identify weaknesses or exposures in the corporate network infrastructure.
- For many Ceridian applications, an SSAE 16 assessment is conducted to help ensure that appropriate internal controls are implemented and operating effectively.
- Vulnerability assessments are conducted by internal staff on a regular basis.
- Product assessments to evaluate the security capabilities of individual products are conducted on key product offerings.
- The independent Internal Audit function conducts several audits each year that focus on IT security programs, provisions and procedures.
Weaknesses identified during these assessments result in remediation plans based on an assessment of the probability, risk and impact of the identified issue.
As if all this were not enough, a variety of technical safeguards are also in place to ensure day-to-day operational security:
- Stateful firewalls are in place at all egress points to the external network. Firewalls are configured as default-deny and ports are enabled only as approved business needs require.
- Tiered security architecture is in place, making use of DMZ and internal secure network zones.
- Intrusion detection and intrusion prevention technology is in place, and is managed on a 24x7x365 basis. Sensors are deployed at Internet connections and strategic locations throughout the network environment.
- Antivirus software is implemented on all gateways, servers and workstations, and is configured to automatically update pattern files and scan engines on a regular basis. Files and e-mails are scanned in real-time and full-system scans are performed on a weekly basis. Further, desktop anti-virus is managed centrally and cannot be disabled by end users.
- Alerts and vulnerability information are received from numerous sources, such as CERT, ISS, SANS and technology vendors. Each alert and the patches for the identified vulnerabilities are reviewed internally, and system administrators have a pre-defined schedule and deadline for implementing the resulting updates, patches and configuration changes.
- Content management is in place for all inbound/outbound email as well as web traffic (using a web proxy).
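The first two safeguards above (stateful, default-deny firewalls with ports opened only for approved business needs, and a DMZ tier separated from internal zones) are easier to evaluate against a concrete ruleset. The nftables ruleset below is an added illustration and is not Ceridian’s configuration; the HTTPS and SSH services, the 10.0.100.0/24 administrative network, and the log prefix are constructed assumptions. The only difference between the weak and the hardened form of the input chain is the policy line: `policy accept;` leaves every port reachable unless a rule blocks it, while `policy drop;` makes each open port an explicit, reviewable decision.

```nft
#!/usr/sbin/nft -f
# Added example: a default-deny, stateful ruleset for a DMZ-facing host.
# Weak form: the input chain would read "policy accept;" and rely on
# individual drop rules. Hardened form (below): drop by default and allow
# only what an approved business need requires.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and stateful return traffic for connections already allowed
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Approved business need: HTTPS to the DMZ web tier from the Internet
        tcp dport 443 accept

        # Approved business need: SSH, only from the internal admin zone
        # (10.0.100.0/24 is a constructed address range for this example)
        ip saddr 10.0.100.0/24 tcp dport 22 accept

        # Everything else hits the default-deny policy; log and count the
        # drops so the IDS/SOC can see probing against closed ports
        log prefix "nft-input-drop: " counter drop
    }

    chain forward {
        # This host does not route between zones; deny all forwarding
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The ruleset is loaded with `nft -f <file>` on a Linux host with nftables; review it by confirming that every `accept` rule maps to a documented business need, and that removing a service from production also removes its rule. Logging the dropped packets gives the 24x7 monitoring team a signal for scans and misconfigured clients without opening anything.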
There is, of course, a reason for such security measures, and it is not merely the desire to protect client information. In 2011, charges were filed against the company following a 2009 data breach, and the Federal Trade Commission (FTC) handed down a unanimous ruling that Ceridian had not taken "reasonable and appropriate measures to protect personal information against unauthorized access" as the company had previously stated, failing to protect the data in the network against attacks that were "reasonably foreseeable." Many of the above-described security measures are in response to the mandated information security program, which the FTC decreed should include:
- The designation of an employee or employees to coordinate and be accountable for the information security program;
- The identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to, (1) employee training and management, (2) information systems, including network and software design, information processing, storage, transmission, and disposal, and (3) prevention, detection, and response to attacks, intrusions, or other systems failure;
- The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures;
- The development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent and requiring service providers by contract to implement and maintain appropriate safeguards; and
- The evaluation and adjustment of respondent's information security program in light of the results of the testing and monitoring required.
Service Level Agreement
Ceridian’s standard payroll software service level agreement (SLA) includes agreed standards for:
- Network availability, including the database, network, and Payroll web or Latitude, self-service, and time modules.
- Payroll processing and reruns.
- Payroll accuracy (percentage of paychecks produced accurately).
The baseline standard for uptime and accuracy is set at 99.5%. If this target is not met, the client may receive a 3% monthly credit for each month following the breach until the agreed level of service is regained.
Ceridian Software Pricing
As with many payroll software vendors, Ceridian bases its pricing on customer requirements. The company declined to provide the specifics of how prices are calculated or negotiated. Unfortunately, this lack of transparency can be interpreted as sales gamesmanship and create an air of mistrust early in the client relationship. However, in Ceridian’s case, the cost model that was disclosed indicated that pricing would be based on "per module" and "per employee/pay period" distinctions. The client’s chosen deployment option – from "un-hosted" to "hosted" and "single-tenant" to "multi-tenant" – can also substantially affect pricing and the overall Total Cost of Ownership (TCO).