When it comes to sensitive information, brands need to know that their contact center partner has their back. Customer data is precious, which is why a comprehensive information security program should always be in place. So, what should be included? We’ve laid out the details below.
Walk Like an Encryption
Any program that requires the transmission of client-related information should be using an approved method of encryption. This means using strong techniques (at least 128-bit keys) such as Transport Layer Security (TLS) or Internet Protocol Security (IPsec). These ensure confidential data is safeguarded when being transmitted over public networks.
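As an added illustration of what "TLS with at least 128-bit keys" looks like as a concrete check (this is example code written for this page, not something from the original post or any particular contact center), the snippet below builds a client context that refuses anything older than TLS 1.2 and evaluates the (cipher name, protocol, key bits) tuple that Python's SSLSocket.cipher() reports for an established session. The list of weak cipher-name markers and the accepted-protocol set are assumptions chosen for this example; the 128-bit floor comes from the text.

```python
import socket
import ssl
from typing import Tuple

# Policy from the post: TLS, with at least a 128-bit symmetric key.
MIN_KEY_BITS = 128
# Assumption for this example: only TLS 1.2 and 1.3 are acceptable.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Constructed list of cipher-name fragments that mark legacy or broken suites.
WEAK_MARKERS = ("NULL", "RC4", "DES", "EXPORT", "MD5", "ANON", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the peer and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; exclude anonymous, null and MD5 suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def session_meets_policy(cipher: Tuple[str, str, int]) -> bool:
    """Evaluate the (name, protocol, bits) tuple returned by SSLSocket.cipher()."""
    name, protocol, bits = cipher
    if protocol not in ACCEPTED_PROTOCOLS:
        return False
    if bits is None or bits < MIN_KEY_BITS:
        return False
    upper = name.upper()
    return not any(marker in upper for marker in WEAK_MARKERS)


def check_endpoint(host: str, port: int = 443) -> Tuple[Tuple[str, str, int], bool]:
    """Connect to a live endpoint and report its negotiated cipher plus the verdict.

    Requires network access; not exercised by the offline checks below.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = tls.cipher()
    return negotiated, session_meets_policy(negotiated)


if __name__ == "__main__":
    # Constructed sample sessions, as they would come back from cipher().
    samples = [
        ("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128),
        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.1", 128),
        ("DES-CBC3-SHA", "TLSv1.2", 112),
    ]
    for s in samples:
        print(s, "OK" if session_meets_policy(s) else "REJECT")
```

Because create_default_context() already turns on certificate and hostname verification, the only additions needed for this policy are the minimum protocol version and the cipher list; a session that negotiates TLS 1.0/1.1, a sub-128-bit key, or a legacy suite is flagged even if the key length alone would pass.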
Join the Compliance Alliance
Is your partner PCI compliant? This certification enforces standards for payment account security. For example, if customer calls are being recorded for quality assurance, mitigation controls need to be in place to prevent any recording or storing of cardholder data. Strict encryption and multiple security controls would also need to be in place to keep the recording database secure.
Let’s Get Physical...Security
Swipe card readers and cameras are pretty standard within the contact center, but does your partner complement them with audit and management processes through dedicated security roles? Access to systems should be explicitly authorized, managed through a directory and granted on a least-privilege basis. There should also be incident response procedures in place to identify and handle any information security incidents.
What’s Your Background?
Background checks should be done for every employee of your partner’s organization, regardless of position or department. It’s also best practice for security training to be done across the company on an ongoing basis, whether it’s part of orientation or a monthly educational email (or both).
What’s the VLAN, Stan?
Talk to your partner about being segregated on your own Virtual LAN, allowing traffic to run in and out of an explicitly authorized VLAN, separate from other programs.
As part of PCI’s standards, a reputable company should be contracted to conduct annual internal and external penetration testing and network segmentation testing. Vulnerability scans of all external-facing IPs and internal VLANs should be conducted quarterly by a PCI Approved Scanning Vendor (ASV).
Also remember: your partner should never share penetration test or vulnerability scan results with third parties.
Be On High Alert
Firewall, antivirus and file integrity monitoring (FIM) logs should be reviewed daily. FIM software should enforce data integrity, while log aggregation processes should be in place to accommodate any evidence gathering or audit requirements. Intrusion prevention system (IPS) tools should be used to provide real-time alerting for any unusual activity.
On an ongoing basis, risks to your partner’s organization should be identified and mitigated. Also, all system changes should go through a detailed change management process to identify risks and document authorization.
As you can see, there's a lot that goes into protecting the confidentiality, availability and integrity of your data and your customers’ sensitive information. Ask your current or prospective partner plenty of questions to make sure you feel comfortable with the processes and certifications they have in place.