- This document is part of VCC’s Integrated Management System (hereinafter IMS).
- The IMS contains all relevant regulatory provisions in effect.
- All related documents, references and target audiences are contained in the IMS Table of contents.
- Relevant and applicable laws and regulations are available in the Legal Register Table.
- Standards and accordance are valid and applicable by the Statement of Applicability (hereinafter SOA) and Validation Scope.
- All related Terms and Definitions are contained in the Terms and Definitions table.
- All related Roles and Responsibilities are contained in the Role Based Access Control Table.
VCC Live commitments
VCC Live has deployed, maintains and continuously aims to enhance the Integrated Management System (hereinafter IMS), conforming to the requirements of PCI DSS, ISO27001, and ISO22301 standards, and local laws, including global ICT services, telecommunications and system integration services.
Integrated Management System is a risk-based framework applying Plan-Do-Check-Act methodology.
Each regulation document contains the details of controls and methods.
Classified Data Security Management
VCC’s management is committed to protecting classified data in accordance with valid and relevant law and industry standards, regardless of whether VCC creates, transmits, works with or stores the data.
Classified data protection means VCC Live applies appropriate actions to ensure data security, dependent on the type of data and the risks involved.
By “classified data”, VCC means:
- Personal data
- Business data
- Financial data
- Bank data
By “scope of data environment”, VCC means:
- IT and telecommunication materials, systems
- Infrastructure environment, including network tools
- Online or hard copy documents
- Human resources
By “Protecting classified data” VCC means:
- Maintaining Information Security and Business Continuity Management Systems and providing resources for compliance.
- Including the PCI DSS compliance program (to protect CDE and CHD)
- Including the PII compliance program (to protect personal identification data)
- Providing regular security-awareness training for employees or affected third parties
- Agreeing to regular revisions by interested parties (governmental, authorities, certification bodies, customers) to confirm and validate compliance.
- Complying with, and keeping up to date with, relevant legal requirements
- Summarizing all logical, administrative and operative activity in a compliance program.
Compliance program units
- Quality Management
- Corporate Governance Policy
- Management Responsibility Policy
- Information Security Management
- Change Management
- Configuration Management Policy
- Change Management policy
- Risk Assessment
- Human Resource Management
- Third-Party Management
- Physical Security and Procedures
- Physical Environment Security Policy
- Visitor-handling procedures
- Project Management
- Communication Security
- Communication Security Policy
- End-User Messaging Policies
- Access Management
- Access management policy
- Password policy
- Identification policy
- Asset Management
- Information Management Policy
- Data Management Policy
- Asset Management Policy
- External Asset Management Policy
- Teleworking Policy
- Document and Record Management
- Software development
- Software development policy
- Secure coding policy
- Operational Security
- Server management policy
- Network management policy
- Anti-virus, Malware Policy
- Patch Management Policy and Procedures
- Environment Maintenance Management
- Logging and monitoring Policy
- Backup Management Policy
- Testing Process and Procedures
- Key & Certificate Management
- Encryption Policy
- Key and Certificate Management Policy
- Incident Management
- Business Continuity Management
- Business Continuity Management Strategy
- Business Continuity Management Policy
- Internal Audit Management
- Continuous Improvement Management
- CDE Extended Security Rules
- CDE Extended Security Rules Policy
- Infrastructure and Network Configuration Standards
- Cardholder Data & Environment Inventory
- Network diagram
- Billing System Extended Security Rules
- Billing System Extended Security Rules Policy
- Network diagram
- Roles and Responsibilities
- Included in Role-Based Access Control Table
- Actions, activities
- Legislation monitoring
- Information security strategy planning
- Systematic information security tasks (based on Regular Tasks and Checks Log Table)
- Systematic operational security tasks (based on Regular Tasks and Checks Log Table)
- Change Management controls
- Systematic risk assessment and analysis
- Security Awareness training
- Employee integration, quality training
- Third-party regular revisions
- Asset Management and investigation
- Penetration testing, network segmentation tests, AVS scans
- Business Continuity Plan management, disaster recovery
- Regular external audit support, internal audits
- Continuous Improvement principle
- Regular report and communication with top management regarding compliance programs, external-internal audit results and interested parties revision results.
- Audit report documents
- Yearly management Review report
- Regular operational security change management tickets
- Quality Management
Intellectual property rights
VCC always guarantees its customers and subcontractors that the software used by the company does not infringe any third party’s intellectual property rights (in particular copyright, trademarks, patents, know-how).
The company uses the software lawfully in accordance with the provisions of copyright law.
The software used by VCC can be categorized into the following 4 groups:
- Software developed by employees of VCC: developers at VCC are responsible for software design and software development, allowing VCC to be the sole owner of the software product.
- Software purchased and used by VCC: the use of this software is always in accordance with license rights.
- If the software comes in a boxed version, the software installation toolkit should be stored in a secure and safe manner, with controlled access.
- Open source software used by VCC: the use of this software is always in accordance with vendor recommendations and IT security standards.
- Software developed by third parties: this software is ordered by VCC and developed via a contractual agreement; the software is used in accordance with the rights defined in the applicable contracts between the parties.
If any infringements are detected in respect of copyright-protected products, VCC is committed to taking the necessary steps required by law.
The quality of VCC services is ensured by the provision of necessary resources and high-level professional knowledge, flexibility in managing customer demands, monitoring of work performance by the management, integrating feedback from experiences based on complaints into working processes, and by compliance with corporate management regulations.
VCC guarantees that VCC’s Corporate Management Policy is understood and accepted at all levels of the organization.
At the same time, VCC expects its employees to aim for and maintain high standards of work quality at all times, for which VCC provides all conditions, including:
- An unambiguous organizational structure and distribution of duties;
- Clear decision-making levels assigned to the above mentioned;
- Individuality and taking responsibility in compliance with the above-mentioned conditions;
- Continuous professional education and training sessions.
VCC maintains quality levels and secures its own services by continuous monitoring and improvements within VCC’s Integrated Management System.
VCC achieves its targets with the support of background services with modern and appropriate infrastructures, continuous improvement regarding the choice of its available services, the establishment of appropriate relations with transportation companies, as well as by the establishment and operation of VCC’s Integrated Management System.
VCC, as well as Virtual Call Center Ltd and subsidiaries (hereinafter collectively referred to as VCC), adheres universally to principles related to VCC’s services, and monitors and implements all Hungarian and international legal requirements.
In the course of VCC’s work, VCC uses subcontractors with similar aims who are committed to VCC’s quality policy. VCC expects them to deliver high-quality services in a timely manner and to complete their operations by the deadlines specified.
Risk Management and Assessment
Information Risk Management organization is embedded within VCC’s Organization.
Management has to clearly state its intention of implementing the Information Security Policy. Without appropriate management commitment, it is doubtful whether the Information Risk Management initiative would be taken as seriously as is required, leading to severe undervaluation of the Information Risk Management program, including questionable prioritizations and resource allocations.
The Information Security Policy contains the management perspective on how to secure business processes if there is an impact on Information and IT services. The content of this Policy is the management’s high-level directive on how to carry out Information risk management.
Top management is required to sign off and implement this Policy in the part of the company that is identified by the Policy’s scope.
Information Security Management
The protection of information resources and other sources of information, as well as high-level data indispensable to the company in respect to the operation of the company, is VCC’s basic and essential interest.
For the purpose of information security, business continuity and reduction of damages caused by information security incidents, VCC has introduced processes which identify and control the confidentiality, integrity and availability of information, as well as the information elaboration process.
VCC carries out regular revisions of these identification and control processes.
IT Service Management
VCC manages IT services using uniform process-based operations in order to be able to provide IT services in compliance with client and parent company requirements.
VCC fully coordinates IT service management operations and processes with VCC’s partners, and jointly provides VCC’s clients with standardized services.
VCC handles its full-scale IT service processes, regulations, goals and responsibilities in a standardized system.
VCC uses automated operations and supports operations with modern techniques.
VCC provides continuous professional education and training sessions for VCC’s staff, to help them improve their knowledge in all areas. Permanent suitability of the system is provided for by a continuous service improvement program.
Business Continuity Management
VCC’s management focuses on business and service continuity. They continuously develop business continuity efficiency in the Integrated Management System.
- VCC’s management is fully committed to fulfilling the undertaking related to and within the scope of business continuity, including:
- Client requirements
- Other interested parties’ requirements
- Authority and legal requirements
- The development of the business continuity management system is based on international and national standards (ISO 22301), as well as best practice principles.
- The Business Continuity Policy manual and business continuity management system scope affects all activity and process-related services and processes that are defined in the BCM’s current scope at VCC and VCC’s subsidiaries.
- At VCC the general strategy goals are:
- To provide high-quality, secure and innovative services and solutions.
- To protect and provide availability to information and data. Created information and stored data is valuable and is therefore included as one of VCC’s general strategy goals.
- As such, part of VCC’s business continuity principles is to be prepared for any real-life extraordinary situation that may occur either within the company or beyond the company’s responsibility.
- VCC aligns its business continuity strategy, methodology, regulations, and rules to current standards and their operation terms.
- VCC creates and maintains its business continuity management system and related processes.
- VCC continuously trains and carries out simulation exercises to help management and employees increase their commitment to the implementation of business continuity tasks.
- VCC raises skill levels and abilities of employees who are affected by business continuity tasks related to:
- Creating business continuity plans
- Keeping business continuity plans up to date.
- Testing and exercising business continuity plans
- Using and applying business continuity plans
- VCC creates indicators to monitor the quality level of business continuity activities and operates processes to monitor and measure these indicators.
- VCC creates and operates partnerships that help support and develop business continuity (e.g. government, special authority, service partners).
VCC plans the implementation of business continuity tasks in conjunction with other planning tasks based on local legal requirements (e.g. critical infrastructure protection, disaster protection, civil protection).