Today, organizations of all sizes and all industry sectors are reaping great benefits from business process outsourcing (BPO). They are turning over non-core business functions such as mailroom management, document processing, and customer support to outside service providers to reduce costs, improve efficiency and to benefit from providers’ specialized expertise.
Everest Group analysts forecast the worldwide BPO market (excluding contact center operations) to grow from $80 billion to $107 billion between 2016 and 2019. This robust growth reflects the fact that companies are finding real value in outsourcing non-core business functions to third-party specialists.
However, turning over processes to service providers means relinquishing control of private customer information as well as proprietary information about products and services. Because of this, it is imperative that companies have a complete understanding of how their BPO provider will keep this information secure—from guiding principles to the policies, procedures, people and tools that make it happen.
When selecting an outsourcing partner, companies should thoroughly review the strength of the information safeguards the provider has put in place. An effective way to assess this is by looking at three fronts—or vanguards, to use another word—that are established to protect sensitive information. These include:
- Facility Security: The physical protection of information;
- Human Resources Security: The procedures for hiring and training staff who have access to sensitive client information; and
- Network Security: The prevention of information theft or disruption through the computing infrastructure.
This white paper will examine some best practices and considerations regarding these three fundamental fronts of information security, including questions to ask a potential BPO provider.
Facility Security
Access control, monitoring and business continuity
Business process outsourcing providers must completely control access to the facility, keeping record of the time and date employees and visitors enter and exit the building.
For employees, this can be achieved with swipe card and similar door-lock access systems. Identification of visitors should be logged, and visitors should be accompanied by an authorized escort. Access control should be applied in layers as needed, with door-lock controls for the facility, the production floor and supporting data centers.
Camera systems offer another layer of security. Video quality should be high-definition, and video records should be kept for an appropriate period (typically at least 90 days).
Facilities, particularly those with a large footprint, can be further protected with on-site security guards and/or regular patrols from guard services.
Another best practice for facilities is the creation of a documented security-incident response plan—a step-by-step guide for responding to breaches of facility security.
Lastly, facility security systems should be designed with a backup in mind, in case one or more layers fail due to power outages or other unexpected incidents. Experienced service providers will address facility security as part of a comprehensive business continuity/disaster recovery (BC/DR) plan. For example, back-up generators should be ready to reestablish lost power to the facility immediately to ensure access control, camera and communications systems function without interruption.
All plans related to facility security should be tested on a regular basis to identify areas of weakness. Top BPO providers understand that as processes and technology change, the threat environment also will change. Regular testing and improvement of security measures is a must.
Questions to ask your provider
- Are your facilities, production rooms and server rooms protected by access-control systems?
- What system is in place for monitoring and recording facility access by visitors?
- How long do you keep access control logs, visitor logs and video records?
- What systems are in place to maintain security control in the event of power loss or another unexpected incident?
Human Resources Security
Protection from internal threats
The protection of client information is a foundational element of the hiring and training of service provider employees. Human resource hiring procedures should, at a minimum, include thorough employment reference checks and criminal background checks.
Depending on the sensitivity of the information involved in the outsourced business process, human resources departments can apply background checks that drill deeper, going back many years and covering past employers and schools. Credit checks and Office of Foreign Assets Control (OFAC) checks may also be requested of potential employees.
Employee training also must include education and testing on information security policies and procedures. Training should be designed to meet the requirements, as necessary, for the Payment Card Industry Data Security Standard (PCI DSS), and the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA).
Depending on the business process, workplace rules for provider employees can include no possession of cell phones or pens, pencils and paper in the work area—these items should be placed in lockers outside the production room. Additionally, employees must not be allowed to “piggyback” through access-control doors. And when an employee resigns or is terminated, their swipe-card access rights must be removed immediately.
Another effective tool human resource departments can offer to protect client information is a confidential tip line. Remaining anonymous, employees can offer information about potential security breaches without fear of retaliation.
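Two of the controls above (badge access revoked as soon as an employee leaves, and visitors always accompanied by an escort) leave a trail in the facility's access-control logs and can be checked after the fact. The script below is an added example, not part of the original paper or any provider's system: it audits a small badge-access log against an HR roster and a visitor-escort register. The log format, roster layout, badge ids, names and dates are all constructed for illustration.

```python
"""Leaver and visitor audit over badge-access logs (added example; constructed data).

Assumed log format (one event per line): timestamp,badge,door,result
Assumed roster: badge id -> (employee name, termination date or None)
Assumed escort register: visitor badge id -> escorting employee name
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: bob left on 2019-03-15, so his badge should stop working.
ROSTER = {
    "B1001": ("alice", None),
    "B1002": ("bob", date(2019, 3, 15)),
    "B1003": ("carol", None),
}

# Constructed escort register for the day under review.
VISITOR_ESCORTS = {
    "VISITOR-07": "alice",
}

# Constructed access-control log lines.
ACCESS_LOG = """\
2019-03-14T08:58:02,B1002,production-floor,granted
2019-03-18T09:01:47,B1002,production-floor,granted
2019-03-18T09:03:10,B1001,server-room,granted
2019-03-18T09:05:33,B9999,lobby,granted
2019-03-18T10:15:00,VISITOR-07,lobby,granted
2019-03-18T10:16:20,B1003,production-floor,denied
2019-03-18T11:40:05,VISITOR-08,production-floor,granted
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    badge: str
    when: datetime
    detail: str


def parse_log(text: str):
    """Yield (timestamp, badge, door, result) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        yield datetime.fromisoformat(ts), badge, door, result


def audit(log_text: str, roster: dict, visitor_escorts: dict) -> list:
    """Return findings for granted events that contradict the stated controls."""
    findings = []
    for when, badge, door, result in parse_log(log_text):
        if result != "granted":
            continue  # a denied swipe is the control working, not a finding
        if badge.startswith("VISITOR-"):
            if badge not in visitor_escorts:
                findings.append(Finding("unescorted_visitor", badge, when, door))
            continue
        if badge not in roster:
            findings.append(Finding("unknown_badge", badge, when, door))
            continue
        name, left = roster[badge]
        if left is not None and when.date() > left:
            findings.append(Finding(
                "access_after_termination", badge, when,
                f"{name} left {left.isoformat()} but opened {door}"))
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, ROSTER, VISITOR_ESCORTS):
        print(f"{f.when.isoformat()} {f.kind:<25} {f.badge:<11} {f.detail}")
```

Run against the constructed data, the audit reports three findings: bob's badge opening the production floor three days after his termination date, a badge that is not on the roster at all, and a visitor with no escort recorded. The same loop can be pointed at a real export once the field order is adjusted; the point is that the "revoke immediately" rule in the text is only as good as the check that confirms it happened.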
Questions to ask your provider
- What standard background checks do applicants go through before being offered employment?
- What type of information security training do employees go through, and how often is training administered?
- Are you PCI-DSS and HIPAA compliant?
- Do you offer employees a confidential tip line to report possible security breaches?
Network Security
Standards, strategies and tools to meet ever-evolving threats
Viruses and worms, trojans, keyloggers, DDoS attacks, unauthorized access … the list of threats to computer networks seems endless. That’s because external and internal threats are always evolving. Strong network security teams understand the hydra-like nature of cybercrime, and work proactively to stay ahead of data thieves and others determined to disrupt a company’s operations.
In BPO, where client data is transmitted to and from third-party providers, the goal is to make information secure without negatively affecting business performance. When it comes to sharing information, the first line of defense is the firewall: only trusted, secure traffic from the client is authorized and allowed into the network. Intrusion detection systems are used to identify and reject suspicious traffic. The network security team will report suspicious activity to internet service providers and to appropriate law enforcement agencies if necessary.
Experienced BPO providers will also ensure that each client’s data, and the equipment and network infrastructure that transmit it, are segregated from other clients’ projects.
Security controls also should be in place for users and user groups. Passwords must be required to access systems, with two-factor or multi-factor authentication used for highly sensitive information. An automated system should be in place to require password changes at regular intervals.
If a BPO staff member stops working at a workstation or PC, or leaves it unattended, work on the screen should be automatically hidden behind a timed screensaver, and the machine should lock after a short period, requiring re-authentication to be used again. Also, USB ports can be blocked to prevent data theft or transfer of malware to the network through portable flash drives.
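The two network controls described above (a firewall that admits only allowlisted client traffic and denies everything else, and segregation between clients' segments) are easy to state and easy to erode as rules accumulate. The script below is an added example, not from the original paper or any vendor: it lints a simplified, vendor-neutral rule list against a tenancy map and flags rules that break either control. The client names, address ranges, rule representation and rule set are all constructed for illustration and do not correspond to any real firewall's syntax.

```python
"""Policy lint for a per-client firewall rule set (added example; constructed data).

Assumed model: rules are evaluated top to bottom; each client owns one internal
segment and a list of allowlisted external source ranges.  Two controls checked:
  1. the rule set ends with a default-deny rule;
  2. every allow rule admits only the owning client's sources into the owning
     client's segment (no cross-client reachability, no open sources).
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

# Constructed tenancy map.
CLIENTS = {
    "acme":   {"segment": ip_network("10.10.0.0/16"), "sources": [ip_network("203.0.113.0/24")]},
    "globex": {"segment": ip_network("10.20.0.0/16"), "sources": [ip_network("198.51.100.0/24")]},
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None = any port


# Constructed rule set under review.
RULES = [
    Rule("allow", "203.0.113.0/24", "10.10.0.0/16", 443),
    Rule("allow", "198.51.100.0/24", "10.20.0.0/16", 443),
    Rule("allow", "10.10.0.0/16", "10.20.0.0/16", None),   # acme segment reaches globex
    Rule("allow", "0.0.0.0/0", "10.10.5.0/24", 22),         # any source reaches acme hosts
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def owner_of(net, key: str) -> Optional[str]:
    """Return the client whose `key` ('segment' or 'sources') contains net, else None."""
    for name, spec in CLIENTS.items():
        ranges = spec["sources"] if key == "sources" else [spec["segment"]]
        if any(net.subnet_of(r) for r in ranges):
            return name
    return None


def is_default_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and ip_network(rule.src) == ANY
            and ip_network(rule.dst) == ANY and rule.dport is None)


def lint(rules) -> list:
    """Return a list of human-readable policy violations (empty means clean)."""
    problems = []
    if not rules or not is_default_deny(rules[-1]):
        problems.append("no default-deny rule at end of rule set")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        dst_client = owner_of(dst, "segment")
        if dst_client is None:
            problems.append(f"rule {i}: destination {dst} is not inside any client segment")
            continue
        src_client = owner_of(src, "sources")
        if src_client is None:
            # Not an allowlisted external source; is it another client's segment?
            src_seg_client = owner_of(src, "segment")
            if src_seg_client is not None and src_seg_client != dst_client:
                problems.append(f"rule {i}: {src_seg_client} segment may reach "
                                f"{dst_client} segment (segregation)")
            else:
                problems.append(f"rule {i}: source {src} is not an allowlisted source "
                                f"for {dst_client}")
        elif src_client != dst_client:
            problems.append(f"rule {i}: {src_client} traffic admitted to {dst_client} segment")
    return problems


if __name__ == "__main__":
    for p in lint(RULES) or ["rule set is clean"]:
        print(p)
```

On the constructed rule set the lint reports two problems, rule 2 (one client's segment reaching another's) and rule 3 (an unrestricted source), and reports the rule set as clean once those two rules are removed. A check like this belongs in the change process for the firewall rather than in an annual audit, because that is where cross-client rules tend to creep in.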
To stay on top of new and evolving threats, BPO network security teams can follow a number of industry security standards. These include PCI DSS, which requires regular recertification; HIPAA training for employees to protect private customer information; and Service Organization Controls audits and reports on internal control of financial information.
Questions to ask your provider
- Does your network firewall include intrusion prevention and detection systems?
- What security measures are in place to secure data at rest and/or in transit?
- Is your organization PCI DSS certified and HIPAA compliant?
- Do you follow other standards related to information security, such as Service Organization Controls?
- What protections do you have in place to protect data from internal theft or disruption?
Common Threads of a BPO Information Security Strategy
This paper envisions information security in BPO as a three-front defense incorporating facilities, people, and network infrastructure.
Of course, for the sake of brevity, we cannot include in this paper every aspect of organizational information security. But we can address some common threads that pull each element together to create a robust security structure.
One thread is cross-department communication. Top-performing BPO firms understand security is every employee’s responsibility. They will organize cross-functional teams or committees to ensure the framework of facilities, people and network infrastructure works together to protect client information while ensuring business performance. These teams develop security policies and procedures and supporting documentation and training systems so that no one in the organization is left out of the loop on security.
A second thread consists of audit processes, both internal and external. Experienced BPO firms welcome security audits by clients or third-party standards organizations, as these help to ensure systems are working to protect the client, and that best practices are in place for a world of continually evolving cyber-threats. BPO firms should also regularly conduct their own internal audits, following guidelines from industry organizations such as the PCI Security Standards Council, the American Institute of Certified Public Accountants (AICPA), and the HIPAA privacy and security rules.
The third, and final, thread is the creation of a comprehensive information security plan for every client. Experienced BPO providers understand that each client’s needs are unique, and there is no “one-size-fits-all” solution for information security. From the beginning of the outsourcing engagement, a BPO firm should work with a client to understand the process from end to end, with the goal of developing a customized information security plan that delivers both business performance and peace of mind.
Questions to ask your provider
- What internal audit procedures do you have in place for your information security systems?
- Will you accept audits from third-party organizations?
- What framework do you have for developing customized information security strategies for your clients?