Cloud Contact Center Security White Paper




Introduction

Customers communicate with organizations in a variety of forms, from phone conversations to email, web chat and social media. As each interaction may contain sensitive and confidential information, security has become a top requirement for consumers and enterprises alike. Many companies are turning to cloud-based solutions for more robust security as part of their contact center strategy. Cloud contact center solutions provide many advantages over traditional on-premise solutions, including lower upfront capital expenditure, deployment flexibility and scalability, relief from infrastructure installation and maintenance, and an instant gateway to advanced capabilities. One important benefit of cloud contact center solutions is relief from security implementation. With the right cloud contact center solution, this built-in benefit can translate into significant cost savings.

Mitel has implemented security measures that take a comprehensive multiple-layer approach and that have been certified to meet industry standards, including Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA) compliance. In fact, Mitel has been providing secure cloud contact center solutions to leading enterprises, including some of the largest financial and insurance companies in the world, for over a decade.

Overview

Mitel's security strategy provides controls at multiple levels of data storage, access, and transfer. The strategy includes the following components:
- Physical Security
- Network Security
- Platform Security
- Application Security
- Data Security
- Human Security
- Compliance

Physical Security

Mitel's MiContact Center Live Cloud solution for large enterprises operates in Tier 4-class data centers. Each data center employs the same physical security standards and is controlled by multiple security parameters, including:
- Electronic entry systems that require each person who enters a data center to have a valid badge and pass biometric controls
- System access that includes multiple levels of authentication, including two layers of biometric authentication
- Surveillance cameras supported by infrared, ultrasonic and photoelectric motion sensors
- Alarm systems deployed throughout the data centers
- Armed security guards on duty 24x7
- Exterior walls constructed of steel-reinforced poured concrete or reinforced masonry that exceeds building code requirements for structural strength
- Multiple Internet connections to block intentional disruptions of service
- Multiple power connections with generator backup
- Fire suppression systems
- Tracking and recording of all access made to the data center

Network Security

MiContact Center Live uses network elements that interconnect systems and information across multiple locations. Mitel achieves network security through technical systems and processes including the following:
- Firewalls: Multiple layers of firewalls are deployed
- Web Application Firewall (WAF): Analyzes application-level activity in real time to detect and block malicious activity
- Segmentation: Systems are broken up into logical groups with restricted access to other groups, helping to contain intrusions that may occur
- Intrusion Detection Systems (IDS): Detect suspicious activity
- Data Encryption: Ensures added security when data travels over our internal network and when customers access the information externally over other types of networks

SECURITY VULNERABILITY ASSESSMENTS

Internal and external network vulnerability scans are conducted each quarter (at a minimum) and after significant changes in the network (e.g. new system component installations, changes in network topology, firewall rule modifications, product upgrades). As a result:
- All potential vulnerabilities identified are communicated to appropriate Mitel personnel for remediation
- All high-level vulnerabilities are scheduled to be corrected within 10 days
- Medium-level vulnerabilities are corrected and subject to the Change Control Policy
- Follow-up scans confirm compliance with Mitel security standards

In addition, the Mitel Security Operations Center (SOC) staff monitor activities on the Mitel network 24x7x365. The SOC team manages the network to detect and prevent threats and to maintain recovery control and audit logs of all activities of all users. This allows the security team to assist any necessary investigations or audits.

Platform Security

As a cloud-based solution, MiContact Center Live was built as a multi-tenant solution with distributed systems on an application architecture that preserves the security of each tenant. Mitel has designed the platform with tight security in mind around the servers and operating system, the middleware and the application/multi-tenancy stack. In the past year the MiContact Center platform has:
- Processed billions of dollars through the platform
- Supported 144 million calls on the Mitel platform for 531 million minutes (that's over a thousand years of voice calls!)
- Supported hundreds of clients within Financial Services, Healthcare, High Tech, Insurance and Retail
- Collected over 25 million credit card numbers (PCI-DSS)
- Collected over 4 million bank account numbers
- Processed 100+ million instances including Personally Identifiable Information (PII)
- Collected tens of millions of medical data artifacts (HIPAA)

HIGH AVAILABILITY

To minimize service interruption due to hardware failures, natural disasters, Denial of Service (DoS) attacks, or other catastrophes, a disaster recovery plan has been implemented for all MiContact Center Live data centers. This program includes:
- Geographically dispersed data centers that operate in active-active mode.
- Redundant applications that provide backup capabilities. If the primary server goes out of service, a backup server acts as the primary server.

LOAD DISTRIBUTION

MiContact Center Live deploys proxy and parallel servers to add efficiency to large-scale configurations. The use of these technologies reduces the loss of functionality and data caused by an outage or security attack.

MULTI-TENANT SECURITY

MiContact Center Live separates tenant applications and data. This isolation and separation preserves the integrity of each tenant environment and its data. Mitel supports the following tenant separations:
- Server level: Each tenant has a unique and isolated (virtual or physical) environment with a single management system.
- Data level: The application is designed so that access across tenants is securely administered.

Mitel may deploy different tenant separation methodologies depending on the features that a customer orders.

Application Security

Mitel has deployed the following application security methodologies:

SECURE BY DESIGN
- Secure Software Installation Controls: Access to Mitel applications uses multi-level authentication and all access is logged.
- Prudent Configuration of Access Controls: Least Privilege and Need-to-Know principles are applied during the design of the applications.

HOLISTIC SECURITY

Users access the MiContact Center Live Platform in the Cloud via our Secure Sign-in feature. Customers can adjust their level of password strength and expiration policies to fit their needs. The platform provides role-based and IP-based permission systems, giving you fine-grained control over who in your organization has access to specific applications and data. In addition, we offer several unique capabilities to ensure that your customers' data remains secure. Mitel's Secure Exchange feature, for example, allows callers to securely provide sensitive personal information while ensuring that agents do not hear or have access to that data.

Data Security

Security and privacy of customer data is extremely important to Mitel and is an essential element of our client relationship. Mitel ensures that particular security measures and attention to customer data are addressed as detailed in the following sections.

POLICY AND PROCEDURES

Security Policy and Procedures for MiContact Center Live include provisions to protect customer data from unauthorized access by implementing access controls and employing data and protocol encryption.

DATA COLLECTION

Mitel views secure customer data collection and retention as a top priority. To address this business goal, Mitel employs a variety of practices and procedures. End customer data must be kept private when it is collected, such as when an end customer makes a purchase or provides personal information necessary to receive support or benefits. Mitel protects and maintains the security of that data in its possession until it is deleted or destroyed in accordance with defined data retention periods and data deletion procedures.

DATA ENCRYPTION

DATABASE SERVERS

Customer data is stored on Mitel database servers on a secure database VLAN. Database access is limited to authorized operations and engineering teams. Logical access is protected in the MiContact Center Live application hosted on web servers in a DMZ, utilizing 128-bit SSL cipher key minimums and requiring unique usernames and passwords for authorized users. User access and database transactions are logged.

Human Security

Background and reference checks are performed on all personnel who are authorized to access customer data. In addition, all employees must review and certify a full understanding of Mitel's Policy and Procedures, which include:
- Data retention
- Employee security awareness training and management
- Data storage and transmission
- Security vulnerability assessment program
- Acceptable usage of Mitel's systems

Fraud Detection

A specialized team can audit and gather information regarding potentially fraudulent activity:
- Automatic monitoring systems detect anomalies in the behavior of agents.
- Manual review and investigations are conducted when required.
- Heuristic detection methods are constantly tuned to identify fraudulent activities.

Compliance

Procedures have been implemented to ensure high levels of compliance with legal and consumer laws. Compliance measures and achievements adhere to a broad range of laws and regulations governing electronic information security. Always consult your legal counsel to ensure you understand what regulatory and compliance requirements are appropriate for your specific use of MiContact Center Live and its features.

Sensitive data is stored in 2048-bit RSA encrypted secured databases. These databases are not accessible to agents who have access to MiContact Center Live. Call recordings are encrypted on a hardened appliance using the AES256 encryption standard in accordance with NIST FIPS 140-2 3 (US Federal Information Processing Standard).
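The paper names AES256 for call recordings and 2048-bit RSA for stored sensitive data but does not say how the two are combined. The following Go program is an added example, not Mitel's code, showing the standard pairing a practitioner would expect: each recording is encrypted under a fresh AES-256-GCM data key, and only that key is wrapped with RSA-2048-OAEP, so the database never holds a usable key and bulk audio is never pushed through RSA. The recording IDs, key pair and audio bytes are constructed for the demo; the OAEP label and the use of the recording ID as associated data are design choices of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedRecording is the stored form of one call recording: audio under AES-256-GCM plus its data key wrapped with RSA-2048-OAEP.
type SealedRecording struct {
	WrappedKey []byte // 32-byte data key, encrypted to the appliance's RSA public key
	Nonce      []byte // 96-bit GCM nonce, unique per recording
	Ciphertext []byte // audio bytes followed by the 16-byte GCM authentication tag
}

// oaepLabel ties the wrapped key to its purpose; a key wrapped under a different label will not unwrap.
var oaepLabel = []byte("call-recording-dek")

// NewApplianceKey creates the RSA-2048 key pair whose private half stays on the recording appliance (constructed for the demo).
func NewApplianceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SealRecording draws a fresh 256-bit data key and nonce, encrypts the audio with AES-256-GCM (authenticating
// the recording ID as associated data so a blob cannot be swapped between recordings) and wraps the key with RSA-OAEP/SHA-256.
func SealRecording(pub *rsa.PublicKey, recordingID string, audio []byte) (*SealedRecording, error) {
	buf := make([]byte, 32+12) // data key followed by GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, audio, []byte(recordingID))
	return &SealedRecording{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecording unwraps the data key with the private key, then verifies the GCM tag and decrypts.
// A tampered ciphertext, a mismatched recording ID or the wrong private key yields an error, never data.
func OpenRecording(priv *rsa.PrivateKey, recordingID string, s *SealedRecording) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(recordingID))
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Calling SealRecording on the appliance and OpenRecording only where the private key lives gives agents who can query the database nothing but wrapped keys and authenticated ciphertext, which is the separation the paper describes.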

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI)

What is PCI-DSS?
PCI is a certification required by Visa, MasterCard and other major credit card processors for ensuring data security and privacy. PCI certification protects a company from liability if credit card data is stolen or compromised. For more information, visit: https://www.pcisecuritystandards.org/.

Who is required to adhere to PCI-DSS?
Any company (merchant or service provider) that stores, transmits, records, or acts as a gateway for credit card information is required to become PCI-DSS compliant.

How does Mitel comply with PCI-DSS?
Mitel is fully compliant with the 12 Security Domains of PCI-DSS as a Level-1 service provider. Compliance is audited and certified yearly by an independent third-party Qualified Security Assessor.

What parts of Mitel's services are in compliance?
The following components have been certified for use with PCI-DSS related data:
- Mitel telephony components.
- IVR system, including the Secure Exchange feature.
- Call recording and playback system.
- Mitel Scripting system (e.g., credit card collection screens).
- Mitel real-time fulfillment.
- Mitel batch fulfillment.
- Mitel's data centers located in the United States, Australia and Europe.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

What is HIPAA?
Enacted in 1996, HIPAA regulations require companies to adopt policies and procedures to protect the privacy and security of Protected Health Information (PHI). Covered Entities, as defined in the regulations, which include health insurers and billing processors, must fulfill the requirements defined under HIPAA's privacy and security rules. These rules define administrative, physical and technical safeguards for PHI. For more information, visit: http://www.hhs.gov/ocr/privacy/hipaa/.

Who is required to adhere to HIPAA?
The Privacy Rule applies to health plans, healthcare clearinghouses, and any health care provider who electronically transmits health information in connection with certain transactions, which include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which the U.S. Department of Health and Human Services has established standards under the HIPAA Transactions Rule.

How does Mitel comply with HIPAA?
MiContact Center Live security procedures and controls meet customer HIPAA compliance requirements.

What parts of Mitel's services are in compliance with the HIPAA requirements?
Mitel is in compliance with HIPAA requirements in accordance with the following security features:
- Call recording encryption.
- Strict access controls.
- Access logging.
- Auditing & reporting systems.
- Configurable data sensitivity levels on collected data:
  - Confidential: Normal access control.
  - Highly confidential: Restricted access.
  - Highly confidential - FMG: Encrypted, no user access.

SAFE HARBOR

What is Safe Harbor?
The U.S. Department of Commerce, in concert with the European Commission, developed the Safe Harbor Framework to allow U.S. organizations to comply with the directive by agreeing to abide by the Safe Harbor Privacy Principles. Companies certify their compliance with these Principles on the U.S. Department of Commerce website. The Framework, approved by the EU in 2000, gives companies assurance that the EU will consider their practices adequate for data transfers between the U.S. and both the EU and Switzerland. For more information, visit: http://www.export.gov/safeharbor/.

How does Mitel comply with Safe Harbor?
Mitel complies with the U.S.-E.U. Safe Harbor framework and the U.S.-Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland.

Summary

Mitel employs a multi-layered security strategy that supports a cloud contact center platform used by leading enterprises and businesses worldwide. The MiContact Center Live solution provides heightened security and high availability at no additional cost, saving our clients excessive overhead and expenses.

Written by Ian Maclaren, Portfolio Manager, Contact Center Cloud Solutions

Bringing a broad range of expertise and leadership in defining and managing telecommunications product portfolios, Ian Maclaren joined Mitel in 2014 with a mission to help organizations understand the role of the cloud in contact centers. He is responsible for Mitel's cloud contact center portfolio, including both MiCloud Contact Center and MiContact Center Live. Ian comes to Mitel following extensive management and global product experience at Avaya and Nortel, including time as Product Manager for SMB cloud communications at Avaya.

Follow Ian Maclaren online: https://ca.linkedin.com/in/ianmaclaren

mitel.com

Copyright 2015, Mitel Networks Corporation. All Rights Reserved. The Mitel word and logo are trademarks of Mitel Networks Corporation. Any reference to third-party trademarks is for reference only and Mitel makes no representation of ownership of these marks. 36115-20254-123456-R0714-EN