A call center security policy is a document that provides comprehensive rules, plans, and security protocols that regulate access to the organization’s network. An excellent security policy ensures information security and the protection of the organization and individual agents.
Here’s a comprehensive call center security policy you can download and customize to suit your needs today:
A. Purpose of the policy
The purpose of this security policy is to define the acceptable use of computer equipment, systems, and information assets at [company name].
This policy outlines cybersecurity measures, and safety procedures every call center agent must follow.
More than just a data security policy, these rules help protect the employee and [company name]. Inappropriate use exposes [company name] to risks and legal issues and compromises network systems and services.
Agents must strictly adhere to this policy, and failing to do so will result in the appropriate disciplinary action.
B. Scope of the policy
This policy applies to the use of information, electronic and computing devices, and network resources to conduct [company name] business or interact with internal networks and business systems.
The security practices outlined apply to devices owned or leased by [company name], the employee, or a third party.
All employees, contractors, consultants, BPO (business process outsourcing) providers, and other agents at [company name] are responsible for the appropriate use of information, devices, and network resources according to company policies, standards, local laws, and regulations.
C. Identifying threats
[Company name] expects all agents and employees to be aware of internal and external security risks when utilizing company systems and devices.
1. Internal threats
Should an agent identify a data breach or any of these threats, they must immediately report it to their manager:
- Compromise sensitive customer data by clicking on a malicious link, either on the web or via email.
- Access sensitive data with the intent of using the information for their personal gain.
- Physical theft and tampering with company devices and equipment.
2. External threats
Should an agent identify any of the following external threats to the company’s data center, they must immediately bring it to the company’s attention.
The following are potential external threats:
- Unsecured VoIP (Voice Over Internet Protocol) systems.
- Unsecured IVR (Interactive Voice Response) systems.
- Inefficient encryption — as even one encryption algorithm glitch can lead to vulnerability to outside threats like hackers.
D. Expected safety etiquette
Here’s a list of the expected safety and security measures that employees should undertake at all times.
1. Physical security measures
These are a few physical security measures that employees and other stakeholders need to adhere to:
A. Call center access control
- Employees should only be present on the floor that they’re authorized to work on.
- All employees and visitors must wear a name badge or a color-coded photo ID.
- All call center doors should be locked to control physical access to the premises.
- All computer stations should also be locked down at the end of a shift. USBs and other access points should be inaccessible after work hours.
- Supervisors, managers, and human resources personnel should ensure background checks are conducted on all employees before recruitment.
B. Cell phone usage
Employees may only use their personal cell phones in the designated cell phone usage area, away from the call center floor.
Usage of cell phones on the call center floor may jeopardize sensitive customer information, [company name] PCI compliance (Payment Card Industry), and HIPAA ( Healthcare Insurance Portability and Accountability Act) regulatory compliance.
PCI DSS compliance (Payment Card Industry Data Security Standard) is mandatory for organizations that handle credit cards from the major card schemes. This includes [company name].
A lot of confidential information and cardholder data is exchanged at the call center on a daily basis. With certain wearable tech (such as smartwatches), it’s possible to steal this sensitive information.
If an agent is caught using a cell phone on the contact center floor, they will be immediately suspended as it goes against compliance requirements.
2. Digital security measures
Here’s a list of the digital security requirements to be undertaken by [company name], its employees, and representatives to ensure a secure network:
- Enterprise virus protection software would be installed on each computer accessing the network.
- Mandatory firewalls should be in place at a network level to prevent a network security breach.
- Third-party firewall breach testing should be done periodically. Firewall penetration testing helps prevent outsiders from gaining access to the network.
- Each agent has their own sign-in information and passwords.
- An IT helpdesk is available to document any network issues, together with a ticketing system to ensure any changes are well documented for PCI compliance.
3. Fraud protection measures
To protect customers, clients, employees, and the organization from fraud threats, [company name] has implemented the following measures:
- Speech Analytics Platform: Due to phishing schemes, we use a speech analytics platform. If clients call in and make certain requests, like address changes, the speech analytics platform flags the calls, and a security expert scrutinizes all flagged calls.
- Voice Authentication: Call center customers can opt-in for biometric voice authentication when they call. Servers will record their voice and compare it the next time they call in to confirm it’s the same person.
4. Interactive voice system (IVR) security measures
In line with [company name]’s digital transformation efforts, we have implemented an interactive voice system and other automated measures. This is to keep pace with the call volume, reduce costs and improve the customer experience.
As a result of this automated interaction, we use a data storage system to store this information on company networks.
[Company name] records 100% of calls. Many calls include sensitive personal information like account or social security number, credit cards, addresses, or birth dates.
If any agent improperly handles a clients’ personally identifiable information (PII), it’ll be treated as a security issue.
5. Additional measures
Here are some additional safety measures you need to be aware of:
- [Company name] uses two factor authentication to prevent phishing attempts. If a customer forgets their password, 2FA helps retrieve their information safely.
- [Company name] utilizes a cloud service provider to offer single sign-on to its agents. In light of this, system-level and user-level passwords must comply with the Password Policy.
- Computers and all other devices should be secured with a password-protected screensaver and automatic activation feature set to no more than 10 minutes when the device is unattended.
- Employees must exercise extreme caution when opening email attachments received from unknown senders.
- [Company name] has implemented intelligent disaster recovery technology as part of its business continuity plan.
- Beware of hackers that use social engineering to gain access to agent passwords and access the network. They do this by threatening to expose private or malicious information about the agent. Agents should be vigilant and use a reliable VPN to avoid falling victim to this scam.
E. Inappropriate behaviour
The list below provides a framework for prohibited system and network activities:
1. Installation Of pirated products
Violation of the rights of any individual or company protected by copyright, patent, trade secret, or other intellectual property laws is prohibited. This includes the installation or distribution of ‘pirated’ or other software products that are not appropriately licensed for use by [company name].
2. Illegal replication of material
Unauthorized duplication of copyrighted material and distribution of any part of magazines, books, music, or other copyrighted sources is prohibited.
The installation of any copyrighted software for which [company name] or the user does not have an active license is also strictly prohibited.
3. Unauthorized access
To ensure data protection, agents are prohibited from accessing data, servers, or accounts for any purpose other than conducting business.
Agents should avoid accessing data, servers, or accounts that aren’t intended for them. This includes but is not limited to network sniffing, packet spoofing, denial of service, and forged routing information for malicious purposes.
These security controls also prohibit agents from accessing private information from [company name] social media accounts.
4. Sharing malicious programs
Intentionally introducing any malicious programs into the network or server (such as viruses, worms, Trojan horses, email bombs, etc.) will result in immediate dismissal.
This includes the introduction of honeypots, honeynets, or similar technology on the [company name] network.
5. Failure to protect your account and password
Agents are prohibited from revealing their [company name] account password to anyone. This includes household members when working from home.
6. Using company resources for illegal activities
Under no circumstances is an employee of [company name] authorized to engage in illegal activities under local, state, federal, or international law while utilizing [company name] owned resources.
F. Disciplinary action
[Company name] has the right to monitor inappropriate or excessive use of any agency-issued or personal computer by the call center agents.
[Company name] created this call center security policy to establish a security standard, implement an accountability loop, and define disciplinary actions that occur when a call center agent violates these policy terms.
Disciplinary action includes but is not limited to verbal and written warnings, loss of device privileges, suspension, demotion, and contract termination.
Any illegal activity (such as harassment) using the company’s network or equipment will lead to immediate termination of the employee’s contract.
G. Employee acknowledgement
I have read and understood the call center security policy of [company name] and will abide by all the policy conditions defined above.
Disclaimer: The call center security policy template is only meant to be a general guide and used only for reference purposes. This policy template may not necessarily include all federal, state, local, and other applicable laws. Therefore, it should not be considered a legal document. Neither Time Doctor nor the author shall be responsible for any legal liability that may result from using this call center security policy.
Carlo Borja is the Head of Online Marketing for Time Doctor, a time tracking software for remote teams. He is a full-time telecommuter, a digital nomad and a coffee junkie.