Establish Security Guidelines

Dec 20 09:43 2011 Laura Lowell

Your call center outsourcer is responsible for your call center security.  This complex system covers user access to systems, data storage, Internet access, email retention, and many other operational processes.  Discover what guidelines you need to set for optimal security systems.

Security can be complex. It deals with user access to systems, data storage, Internet access, email retention, and many other operational processes. Yet, to a large extent, security for your call center work will be dependent on the network and operating systems established by your outsourcer. Hence, the need for guidelines.

Guidelines should define the topics used in a basic checklist. The checklist should define physical and technical safeguards that protect the confidentiality, integrity, and availability of the electronic information that the outsourcer creates, receives, maintains, and transmits on behalf of your company from any anticipated threats, hazards, or improper access or use.

Guidelines need to reflect your own security goals and, likewise, be used to evaluate the security of any prospective outsourcer. Keep in mind that you are already obligated to protect the confidentiality and integrity of your customers. Your outsourcer should honor the same commitment. Not providing guidelines may inadvertently violate contracts, expose confidential data, reduce market credibility, or result in government-imposed penalties.

Security goals may vary, but at a minimum, your guidelines should incorporate policies to maintain the confidentiality of data, protection of data from being modified by unauthorized sources, levels of access for applications and associated data, and accountability to verify compliance with security policies.

Outline enforceable security requirements in any contractual or other form of agreement. Remember these requirements have a lifecycle through which policies will be generated, applied, audited, and revised.

Validate that your outsourcer has a Chief Security Officer (CSO), or equivalent executive, who oversees security across their organization and periodically reports on all aspects of security at his site.

Ensure your outsourcer has an organizational hierarchy that identifies who will have access to sensitive data or critical applications. Be sure you have established your own internal process for classifying data, and appropriate levels of security for each data class.

While your prospective outsourcer may independently submit the details of their security department in an RFP or other due diligence request, you should establish the security guidelines you expect to be followed. After all, it is your business.

As an example of what happens when guidelines are not enforced, consider the breach that Sony experienced between April 17 and April 19, 2011. After the breach, Sony informed the public that the names, addresses, and credit card numbers of 77 million of its users had been compromised.

Reuters later reported that Michael Pachter, Wedbush Securities Analyst, said "Sony probably did not pay enough attention to security when it was developing the software that runs its network. In the rush to get out innovative new products, security can sometimes take a back seat."

Guidelines need to define the process for any new technologies, products, or data uses and identify their potential security impact, whether recommended by you or your outsourcer. Guidelines should also include the process for your outsourcer to respond to security "alerts" released by software vendors.

When security breaches are discovered, guidelines should set forth penalties and the procedures to correct the breach as promptly as possible. Guidelines should stipulate an incident recovery/back-up plan, including backup software and a secondary site to maintain data, in case of any breaches in your information security systems. The guidelines should also mandate a process to eradicate data from equipment prior to disposal.

For the desktop, guidelines should mandate the use of virus protection programs and the regular updates of virus and software patches.  When guidelines are not followed, you will need to identify how to handle and resolve disputes. Thus, your guidelines need to include a plan for resolution of disputes arising out of security breaches or alleged misuse of customer identifiable information.

© 2011 Geoffrey Best


This excerpt, courtesy of Editor Laura Lowell, is Rule 25 from "42 Rules for Outsourcing Your Call Center" by Geoffrey A. Best. Geoffrey A. Best has worked with call centers for over 20 years. His experience has provided him with insight into the systems and methods that companies use to operate their call centers and service their customers. You can learn more about Geoffrey and purchase the book at