GOVERNMENT SOLUTIONS
Telesolutions for Government: Security Standards
Information Security Standards for Success: 10 Principles
DialAmerica Follows to Ensure Security on Government Assignments
As a company that handles an average of 150 million calls a year,
DialAmerica understands the critical importance of maintaining the
highest standards of data security to protect citizens’ personal
information. These concerns are especially urgent for government
agencies that contract with teleservices vendors and need assurance that
extensive procedures are in place to securely protect citizen
information from being compromised – either accidentally or maliciously.
Following are ten key steps that DialAmerica follows to ensure the
security of our data:
Employ a “layered approach”
Recognizing that no single piece of hardware or software, or any written
policy statement on its own, can ensure that data will be safe, we employ
a comprehensive combination of technology, training, policy and
enforcement.
Encrypt….Encrypt…Encrypt!
Beyond operating a highly secure data center, we employ strong encryption
for stored and transmitted data so that, even if a system or a copy of
the data is compromised, the information is unreadable without the keys.
Encryption is a second line of defense, not a substitute for the controls
that follow. To date, DialAmerica has never experienced a data security
breach.
Implement security policies and enforce them
We believe that security must be a company-wide mindset. We train our
employees and hold them accountable for the data in their control. We
utilize posters and visual reminders to let our employees know that
security is everyone’s concern.
Apply strong password protection
We implement and enforce a strong password policy by requiring that
passwords consist of upper and lower case letters, numbers and special
characters. We use token-based or “two-factor” authentication wherever
possible, especially when employees are using remote access. A token can
be a card or key fob that displays a one-time code derived from a secret
shared with the authentication server and the current time; the code
changes every 60 seconds and cannot be reused. Two-factor means that two
separate pieces of evidence (something the user knows, such as a
password, and something the user has, such as the token) are required to
get into the network. For some access paths we layer a third control: the
employee must first establish a VPN (virtual private network) connection
through approved client software, and then present both a unique password
and a token code.
Utilize and update a strong anti-virus solution
We use well-known antivirus software and install updated virus definition
files as soon as they are released. A “parent server” polls the vendor,
downloads new definitions automatically when they become available and
pushes them out to every system on our network, so that no workstation
depends on a user remembering to update.
Prevent data from being removed by employees
To ensure that data cannot be carried off our premises, we forbid
employees to use removable media such as USB flash drives, portable hard
drives and writable CD/DVD drives. We also monitor all email and, wherever
possible, restrict outbound messages to 1 MB or smaller; if a staff member
tries to send a larger file, the message is blocked automatically.
Restrict Internet access
We limit employees' web access by filtering on an allow-list, so that only
sites with a demonstrated business need can be reached. Outside webmail
sites in particular are blocked: they bypass the controls on our own mail
system and are a common source of malicious downloads.
Install operating system patches on a regular schedule
In addition to applying vendor operating system patches on a regular
schedule, we engage outside consultants to test, analyze and recommend
security upgrades. We continuously harden our systems by removing or
disabling any nonessential programs and services, closing off the
unnecessary entry points an attacker would otherwise probe to reach our
private network.
Build and maintain firewalls, install intrusion detection/prevention
systems
We place servers on a DMZ (demilitarized zone) LAN segment behind a
firewall rather than on a publicly facing segment. This matters because
the firewall's filtering rules can then limit access to specific services
by TCP/IP port, source or destination IP address and protocol, so that
only the traffic a server is meant to receive ever reaches it.
Intrusion detection alerts us to suspicious activity on the network, while
intrusion prevention blocks it. An intrusion detection/prevention system
placed at the right points in the network greatly assists us in
protecting our network infrastructure and every host connected to it.
Conduct regular penetration tests with an outside service
We rotate the vendor that conducts our annual penetration test so that the
results are independent and not shaped by familiarity with our
environment. The testers spend several days attempting to get past our
firewalls, infiltrate our network and extract data.
DialAmerica is a leader in providing secure multi-channel contact center
services consistent with government requirements such as the Federal
Information Security Management Act (FISMA).
How do we do this?
· Periodic risk assessments and testing of the effectiveness of our
security policies
· Cost-effective reduction of risks
· A process for implementing remedial actions
· Established system security plans
· Procedures for security incident response
· Security awareness training
· Plans for ensuring continuity of operations