Avoid the Minefield of Security Compliance
01 December, 2022
Your company culture will determine the level of rigor necessary to protect critical data.
By Keith Smith, Director of Compliance, Transparent BPO
Company culture isn’t frequently uttered in the same breath as information security and compliance regulations. ‘Client success’ and ‘supportive workplaces’ are corporate values and terms more frequently associated with a company’s culture. But the rigor and attention paid to security policies and compliance protocols are essentially an extension of your corporate ‘culture.’
Government oversight and security compliance regulations continue to expand as headlines remind us daily of data breaches and ransomware attacks. But developing a culture dedicated to adhering to clear security and compliance policies can generally spell relative relief from data issues.
But as the tautology goes, ’you don’t know what you don’t know.’
When selecting a business process outsourcing (BPO) partner to manage your contact center operations, companies have varying levels of familiarity or understanding of what they should be looking for in an outsourced service provider.
A company dipping its toe into the BPO space for the first time – the company that is starting small with a few dozen seats or completely moving its domestic contact center operations to a nearshore or offshore market has to be asking the right questions.
If your company has never faced the complexities of throwing a blanket over all your data – your information and your client’s – the demands can be daunting.
Building a culture focused on data security and third-party compliance can fall into a handful of buckets: certifications, digital and physical security, and vendor management.
To begin, there are some basic certifications you should ensure your BPO possesses. These are table stakes and a good place to begin:
- SOC2 Type 2: Essentially, this certification is a formal report capturing how a company safeguards customer data and how well those controls are operating. This report is compiled by a recognized external auditor who visits your facility and measures your organizational measures to ensure you have the policies, practices and procedures in place to operate securely. The audit is based on ‘common criteria’ that measure security, privacy, availability, confidentiality, and processing integrity. Examples may include background checks for new employees or an ethics hotline to report issues. If your BPO can’t demonstrate they have a SOC2 Type 2 certification, you haven’t done your due diligence and are putting your critical information and your clients’ data at risk.
- PCI – DSS: This acronym stands for ‘Payment Card Industry Data Security Standard.’ If your BPO has this designation, it can accept, transmit and store payment information, such as credit card information. There are six major principles of PCI DSS:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
It will be important to ask your BPO which level of PCI – DSS certification they have. There are four different levels, and they are based on the volume of transactions that are processed as well as independent audits: Level 1: Merchants that process more than 6 million card transactions annually. Level 2: Merchants that process 1 to 6 million transactions annually. Level 3: Merchants that process 20,000 to 1 million transactions annually. Level 4: Merchants that process fewer than 20,000 transactions annually.
A Level 1 certification – the highest – also requires a third-party Qualified Security Assessor to conduct an audit to review the BPO’s performance the review while the other levels are required only to conduct the quarterly and annual self-assessments, network scans and compliance forms.
The second area you want to discuss with any potential BPO is its digital and physical security. If you don’t allow your employees to access questionable websites using company computers, why would you allow your BPO employees to do it? You want to ensure their equipment and practices have the same safeguards in place you have for your employees: restricting websites and internet access or no access to personal email.
These days – particularly since March 2020 – another security component everyone is talking about is the security risks when agents work from home (WFH). This component is overlooked because it is a newer phenomenon but frankly, the same security policies that apply in a brick-and-mortar facility should apply and be enforced in a WFH environment. But there are additional considerations when your BPO deploys WFH agents to support your program:
- Is the person sitting at the monitor looking at your client’s information the right person? You don’t want an agent’s friend or relative sitting in for them and presenting a security issue.
- Do they have the proper workspace? Is it quiet and secure?
- Are they where they should be? Agents should be in an approved home location, not the local coffee shop where their screen can be seen by strangers walking past.
- Are they practicing a clean desk policy that mirrors the policy that is enforced in the brick-and-mortar facility?
If your BPO is using WFH agents, you have to be more diligent to ensure security measures are being consistently monitored and enforced.
A frequent area that is overlooked is the physical security of a BPO’s facility. The building shouldn’t be a black box where you don’t know what happens inside. Instead, your BPO should be open on how they control access, just like any of their security measures.
As far as the physical location, you want to ensure only those individuals who should be there are allowed access to the building – that is your first gateway, but inside is another story. If there are different floors, you want to ensure agents from another program – or your competitor – are not allowed access to your call floor. And this is non-negotiable. Internal access to different areas should be controlled just as access to the building is controlled.
Our final checkpoint is vendor security. Lots of BPOs use local contractors and vendors for various services to support their business, but do they have a security-minded ‘vendor management process?’
Everything from cleaning staff to document shredding companies have to be vetted and approved to ensure every measure is reasonably being taken to protect your information and your clients’ data. While your BPO has all the right measures in place, a data breach may occur further downstream, but the accountability will fall to you and your organization to ensure information is safe and secure.
You may have great policies, but unless you monitor and enforce these policies and know where your data is stored, you may not be creating s company culture dedicated to reducing your security risk.