What You Need To Know About Security When Outsourcing
There are few greater challenges to businesses today than data security. From customer data to proprietary internal information, the responsibility for ensuring its safety and protection becomes a collaborative effort among all businesses involved in deep strategic relationships.
Since our founding in 1989, TSD Global has been laser focused on providing the highest level of security for the critical data entrusted to us by our partners and their customers.
TSD Global is fully committed to maintaining industry standard security certifications by investing in our people, processes, and technology. We accomplish this by exceeding the standards set by governing authorities such as the PCI Security Standards Council (PCI SSC) and the American Institute of Certified Public Accountants (AICPA).
TSD has achieved PCI DSS Level 1 certification from a Qualified Security Assessor (QSA) and has achieved the SOC 2 Type 1 audit certification for our call center sites. Both of these certifications require stringent annual audits by a certified third party and include onsite visits along with internal and external penetration tests. These milestone achievements reflect our commitment to data security for our partners and their valued relationships.
Our goal is to ensure our partners have the utmost confidence in our ability to safeguard their customers’ data. It is simply mission critical that all of our employees understand their responsibilities regarding integrity, confidentiality, and availability of customer data. We require annual security training for all of our employees. This training is designed to ensure standards and processes are followed, and allows for new regulations and data security mechanisms to be made known to all members of the team. Above all, we ask our people to treat customer data with the same care and respect that their own personal data should receive.
Outsourcing the customer service experience can be a difficult decision for companies. We understand that one of the major factors is the level of trust that must be inherent in the relationship.
After all, our contact centers may be the main touchpoint for many customers, so the integration should be seamless, representing our partners' vital customer relationships in a way that is transparent to the customer.
The backbone of our security platform is a focus on fraud detection and regulatory compliance. Our systems help mitigate the risks of noncompliance, fraud, and privacy breaches for the industries in which we operate.
Our industry-leading team has developed controls to manage significant risk areas, including:
Multi-factor Access Control Measures
Real Time Intrusion Detection
Audit and Assessment
Employee Training and Adherence
Information Security Policies
Log Management and Monitoring
Vulnerability and Patch Management
Dedicated Security Team
A Culture of Security
Security is firmly rooted in our corporate culture. Such a culture is not built overnight, and it is not automatically self-sustaining. It takes a constant focus on training, certification, and feedback to maintain a bulwark against malicious actors that search for any vulnerability.
We believe security is everyone's responsibility. Of course, we have dedicated teams that oversee our strategies. But security cuts across departmental and national borders. Strong security is the result of creating an environment in which knowledgeable, dedicated people are invested in promoting our partners' best interests by assuming deep responsibility for their data.
Our security culture reflects the excellence of our people, processes, and technology.
People: The connection to our security-first culture begins during the employee hiring and on-boarding process. It's an ongoing process to ensure that our associates don't stop at awareness, but adopt our security orientation. Our people don't merely pay lip service to security, they buy in wholeheartedly. That's why our best security asset is our people.
Process: Our information security programs align with our partners’ goals and priorities, delivering genuine value for the enterprise. TSD Global focuses on each process to ensure all operational and security procedures are distinct, documented, and repeatable. We look for innovations when they will help deliver additional risk mitigation.
Technology: At TSD Global, we don't see information security as solely an IT task. Rather, technology is where our people and processes meet. We integrate implementation efforts, technical controls, and systems management along with our leading security technologies.
Employee Training and Compliance:
We believe in training. We see it as one of our core competencies, as our employees are exposed to security training from their very earliest interactions with the company. In addition to general security procedures and techniques, our associates undergo partner-oriented training programs regularly to align with our partners’ ongoing development.
For new associates, security awareness begins on day one. Their initial training sessions review every aspect of security at TSD Global, including associates’ responsibilities for safeguarding our customers’ data.
Our security policies and standards are widely available to associates to review on a regular basis, often in preparation for annual security training. In addition, specialized teams such as Information Technology and incident response undergo specific, high-level security training.
One of the most interesting aspects of our program is the periodic phishing exercises we use to gauge teammates' vulnerability to social engineering attacks. Of course, we provide additional training for any associates who fail the exercise.
Email is a common vector for malware and social engineering attacks, so we have implemented safeguards to secure our associates' email experience. Our associates are empowered to report suspicious behavior and potential security threats to our Information Security team.
Information Security Policies:
TSD Global has developed policies and guidelines to define security controls for all our assets, resources, and data to protect confidentiality, integrity and availability for our partners. TSD Global protocols align with the ISO 27001 Information Security Management System standard, as well as ITILv3 IT Service Management best practices. We review all policies regularly, usually bi-annually, to ensure we are up to date with industry standards and regulations.
As people are the cornerstone of our security, we conduct thorough background checks via industry leading vendors to vet candidates for trusted positions that handle customer support programs and sensitive information. The background checks include indicators of trustworthiness for associates in key positions.
We use a layered security approach for our contact centers, creating barriers to unauthorized access. Security measures such as full CCTV coverage, security guard coverage for every shift, and access control with ID badges ensure associates work in a safe environment, providing for a high level of service.
Visitor access is tightly managed, with access granted only with an escort by an authorized employee. We monitor the movement of computers and other IT equipment, and restrict access of mobile devices on the production floors. Vital infrastructure, such as server rooms, has a high level of access control and is equipped with backup power to ensure business continuity.
Audit and Assessment:
We routinely test systems for compliance with all standard configurations. We engage in annual audits by a Qualified Security Assessor (QSA) to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). The QSA review includes both internal and external penetration testing. These critical tests may be conducted more often as needed.
TSD Global also engages an independent auditor to perform an annual audit following American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The auditor then issues a SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Confidentiality and Privacy.
Our risk-based methodology for information security program management and measurement utilizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
The NIST CSF creates a common language for internal and external communication of cybersecurity issues using the process model of identify, protect, detect, respond and recover. We use regular periodic assessments to manage maturity growth and to support continued investments in security.
We partner with best-in-class security consulting firms to assess our security ecosystem and infrastructure controls and to continuously re-examine our security posture.
In the event of a security incident, TSD Global will implement our robust incident management process. This process will be deployed for any security event that could potentially affect the confidentiality, integrity or availability of systems or data. In our security incident classification, we reserve the highest level for incidents that could directly affect our partners and their ability to conduct business.
The TSD Global Incident Response Plan includes seven stages of response: preparation, identification, containment, eradication, recovery/closure, breach notification, and after-incident review and follow-up.
Our procedure, in the unlikely event that partner data is breached, is to notify any affected partners within the time period specified in the SLA.
Our team conducts incident response plan testing using unfamiliar scenarios to ensure a time-sensitive and proportionate resolution of any potential threat.
Our network security utilizes a hardened, layered approach to prevent unauthorized access. By default, all traffic is blocked; only whitelisted traffic is allowed through. Change management and configuration reviews ensure that our network remains operational and secure to exceed our partners' expectations for availability. We maintain active firewall technology and Intrusion Detection System (IDS) sensors at each location. TSD encrypts all site-to-site call center traffic with 256-bit tunneling technology. We also use web proxy and filtering servers at each location, applied to every PC, which provide only the minimal level of web access required by the job function.
Technical controls provide a tough layer of defense to protect partner data. All endpoints (servers, workstations and laptops) use centrally managed antivirus and web filtering, with a management console server that ensures enterprise protection and full compliance reporting.
Full-disk encryption protects all workstations and laptops to mitigate the loss or theft of a system. Any sensitive data transmitted over any network, whether internal or external, is encrypted. Host data loss prevention (DLP) on all workstations and laptops protects against unauthorized transfer of data by identifying sensitive content and applying blocking/alerting protocols.
Google Mobile Device Management (MDM) is used on all mobile devices with access to TSD Global’s Google Apps. Additional measures include minimum passcode length, device idle lock and remote wipe of data for lost or stolen devices.
Secure system build standards across all endpoints and network devices enforce a consistent security baseline throughout the organization. This includes the management of default configurations, encryption of administrative access, and robust systems hardening to reduce attack surface to only secure services.
All assets are managed through a centralized change control process and a configuration management database in accordance with ITILv3 IT Service Management standards.
Access Control Measures:
All users are managed through centralized access controls. Users have unique IDs, and access rights are defined by job functions and based upon the principle of least privilege.
Active Directory Domain Services enforces password complexity, expiration and account lockout controls. Two-factor authentication (2FA) is required for all remote access to our network, and 2FA is required for the use of privileged accounts to ensure secure access to corporate networks and critical system administration consoles.
Log Monitoring and Management:
Security monitoring focuses on data moving on the internal network, associates' actions on our systems and awareness of external vulnerabilities. The Security Information & Event Management (SIEM) system stores security and audit logs from all mission-critical systems in a central location for analysis and reporting. The automated audit trails allow us to reconstruct user activity to identify and stop malicious actions. File integrity monitoring (FIM) on all critical servers in the production environment is also tracked via the SIEM.
We regularly conduct internal and external vulnerability reviews for all systems. Our IT Security team is tasked with tracking and following up on vulnerabilities that require remediation. When a vulnerability has been identified, it is logged, prioritized according to severity and assigned to an owner. These issues are tracked until remediation has been verified.
We use a centralized patch management system to push operating system and application patches to all endpoints and network gear on a scheduled basis or immediately in the case of critical security patches.