Security Overview

1. Purpose and Scope

The purpose of this document is to communicate the details of Virtual Call Center’s (hereinafter VCC) IT and information security regulations and measures for both clients and future clients.

These safety measures are being introduced to provide the highest possible level of protection for clients’ data against external and internal attacks, and to provide high availability for our clients.

 

Standards and accordance
  • Quality and Information Security Management System (QISMS)
    • VCC has been certified as a valid PCI DSS v3.1 compliant Level 1 Service Provider.
    • VCC has been certified as a valid Hungarian National Telecommunication L. Law (Closed Billing System) compliant Level 2 Service Provider.
    • VCC applies ISO/IEC 27001:2013 (Information Security Management System) controls and requirements.
    • VCC applies ISO 22301:2012 (Societal security – Business continuity management systems) controls and requirements.
    • VCC applies ISO/IEC 20000:2011 (Information technology – Service management) controls and requirements.
    • VCC uses a set of ISO/IEC 27002:2013 (Information Security Controls) recommendations.
    • VCC uses a set of ITIL 2011 (Information Technology Infrastructure Library) framework recommendations.
  • Other Standards
    • CIS (Center for Internet Security) hardening.
    • OWASP (Open Web Application Security Project) secure coding check.
    • Semantic Versioning methodology.
    • Version control systems (Git, GitHub).

 

Control environment mapping

In accordance with the principal IT and Information Security Management System industry standards, VCC implements rules, policies and regulations across the company’s whole management and service process, as follows:

  • Risk Assessment using a PDCA model.
  • Change Management (including release management).
  • Access and Asset Management, with role-based access control.
  • Network and Communication regulations.
  • Regular vulnerability scans (including penetration testing) and regular Patch Management.
  • Software development and testing process and procedure regulations (including secure coding aspects).
  • IT Operational Security regulations (including malware protection, wireless management, server management, logging and monitoring rules and regulations, firewall and router configuration standards).
  • Physical Security Rules and Procedures (including visitor regulations).
  • Incident Management (security, business continuity), Response plan.
  • Key and Certification Management.
  • Third Party Provider, Supplier Management.
  • IT Security Policy and regular Security Awareness training.
  • Business Continuity Management and Plan definitions.

2. Certifications

  • PCI DSS 3.2
    VCC Live PCI 3.2 certification
  • PCI DSS 3.1
    VCC Live PCI DSS 3.1 certificate
  • ISO 27001
    VCC Live ISO 27001 certificate
  • ISO 22301
    VCC Live ISO 22301 certificate

3. Regulations for employees

Password security

Each employee at VCC signs a strict confidentiality agreement at the start of their employment, and receives training in password and IT security.

Regulations apply equally to all work-related areas, from releasing PC lock screens to passwords for office and customer-related live systems. In the latter case, very strong passwords are required, which are renewed periodically based on appropriate procedures.

Relevant regulations:

  • Asset Management Policy
  • Access Management Policy

 

Access

All access to clients’ data can only take place if the client specifically requests it.

Only a restricted group of VCC’s employees have access to live systems and data that is related to clients. Access privileges are divided into several categories, including access to servers, access to databases, and access through VCC’s client software.

Only authorized staff are permitted to log onto the servers, and only authorised personnel are allowed access to the databases. Each role has its own relevant, regulated user privileges.

All access to VCC’s client service is at a central location, and both access approval and denial are completely automatic processes. As one would expect, each access must be accompanied by a supplied unique username and password pair, which must comply with the highest safety requirements for passwords.

Only specified persons can have access to the system that manages these access rights.

There may be cases where it is necessary to access a client account via VCC’s client software for fault detection and consultation. In these cases, only specified persons are granted access to VCC client software, and again only if the client specifically agrees to it.

Every event that occurs in VCC’s IT system is logged by a central log server. Thus, any employee activity in the client environment, and the time it takes place, can easily be traced back.

Relevant regulations:

  • Communication Security Policy
  • Access Management Policy (Role-based access control)
  • IT Security Policy
  • Third Party Management Policy
  • Physical Security Policy and Procedures

 

Departing employees

For employees leaving VCC, there is a separate regulation code which outlines the individual steps in the leaving process.

Initially, each of the employee’s access points that apply to client-related live systems are withdrawn. This takes effect immediately due to the automatic system connected to the VCC client software, and the withdrawal of authorizations at server and database levels is handled as high priority.

After that, access to office infrastructure is withdrawn to prevent indirect access to live systems.

The final steps, e.g. removing physical access to the office, are taken indirectly to avoid any possible issues.

Relevant regulations:

  • Communication Security Policy
  • Access Management Policy
  • HR Policy
  • IT Security Policy

 

4. VCC client software security features

VCC’s client software includes a number of mandatory and customisable security features which are intended to avoid external attacks, as well as internal attacks and misuse on the client’s side.

 

Audio and data communication

Full encryption of sound and the accompanying communication protocols, using the technology listed below, is possible in VCC, guaranteeing that every conversation-related event which occurs between VCC’s client software and the central system is encrypted:

  • SIP-TLS
  • sRTP

During the use of the software, network data traffic is encrypted with the following industry-standard technologies:

  • Secure Sockets Layer (SSL)
  • Hypertext Transfer Protocol Secure (HTTPS)

VCC follows the stricter industry-standard recommendations and techniques, such as:

  • TLS v1.2
  • Current safe cipher suites
  • Current safe hash algorithms
  • File integrity monitoring
  • ISSG-ISSAF4 G and OSSTMM5 C/8 methodology

 

Database and data separation

In VCC’s infrastructure every client has their own separate database, for both uploaded data and other data, for example statistics. Due to our strict firewall policies and incorporated software barriers, clients are not able to access other client databases.

A backup is made of all client-related data (e.g. their individual database) so as to avoid data loss. Servers used to store information are placed in an environment which is appropriately supervised and has restricted access (for more details on this, see ‘Server hosting, DRP/Virtualization’).

Client audio files are stored on a storage file system which is physically stored on several different servers. Even if any server were to be completely destroyed, the sound files would still be accessible and unharmed.

Sound files are stored for a period of 30 days (with the possibility of longer storage if requested), during which time they can be downloaded as required. Downloaded files can also be deleted from the VCC system when archive files are created, before they would be automatically deleted.

 

Adjustable security features in the client software

VCC’s client software provides the client with further opportunities to increase the level of security:

  • customisable IP addresses and ranges for access
  • customisable parameters for the rights system
  • multi-level password policy for individual rights

Relevant regulations:

  • Risk Assessment Policy
  • Communication Security Policy
  • Change Management Policy
  • Testing Process and Procedures Policy
  • Software Development Policy
  • Incident Management Policy

 

5. IT Security

Roles

Every employee at VCC is affected by IT security, as they are obliged to adhere to security regulations during the course of their employment (e.g. password policy, clear desk and clear screen policy).

The development / operations manager and the systems administrators are responsible for protecting sensitive data. Employees’ knowledge is particularly important in this respect, and thus VCC pays special attention to integrating the latest IT security knowledge and innovations into their system.

As such, colleagues working in this field receive continual training and assignments to help widen their knowledge.

The company has no external associates. External partners participating in website development have no access to the software or related infrastructure, either in the office or in a live environment.

 

Firewall

VCC’s firewall is set in accordance with strict regulation systems on all servers and devices within the infrastructure, in terms of what address the given device can be accessed from, what connection the server can initiate, and with whom it can communicate. These implement low-level protocols (TCP/IP). Devices are protected against DoS attacks (denial-of-service attacks).

 

Testing infrastructure

The structure in the hosting location is also set up in a separate office environment. Uniformity extends from operating systems to program versions. Any changes made in the live environment at the hosting location are created and checked in this testing infrastructure. VCC works exclusively with test data generated by themselves in the testing environment, and client data is not present in any form in these systems.

 

Release process and testing

VCC pays special attention to the pre-testing of completed developments and improvements, and to the regulation of the release process.

The company uses a continuous integration (CI) system, which ensures that tests related to the software continuously run, and that every error detected in the completed tests is marked and corrected prior to release. This is immediately displayed on a real-time system and is thus registered by colleagues.

Each release process connected with the client-related live system is documented. The process consists of an initial approval by a manager, and the report of the employee who oversees the release about when and where the actual development, improvement, adjustment, or update went live. The documentation guarantees that no adjustments may be made in the client environment without approval, and ensures that all adjustments can be traced back. The documentation can only be edited by authorised persons, so that again any changes can be traced back.

 

Package updates

Package updates are made regularly on all servers, with priority given to critical vulnerabilities. Changes in versions of external software are monitored by systems administrators and, following successful testing, updates are made to the latest version as far as possible. Scripts are created specifically for this purpose. In each case, updates are documented, and thus the exact time and type of update can subsequently be traced back.

 

Virtual Private Network (VPN)

The restricted group of employees who need access to the servers to perform their work each have an individual VPN key, which they use to connect to the VPN network. They can only access the servers with this key, along with an individual username and password supplied by LDAP (Lightweight Directory Access Protocol). It is not possible to access the servers from the public Internet.

 

Monitoring

VCC continuously monitors the status of their systems. Thanks to our monitoring system, clients are informed about events that affect the systems even before they occur, so that they have the chance to handle them in advance.

Authorised persons are informed by the system about alerts in real-time, and via e-mail and instant messages, while every key part of the system can be observed in real-time on a status board placed in the operation section, thus making it possible to monitor the current and previous status.

 

Incident management

VCC system engineers and managers are responsible for dealing with incident management. Any event that endangers or may endanger business continuity or security is considered to be an incident. The primary aim of incident management is to restore normal service conditions as quickly as possible, and to minimise its harmful effect on business continuity, thus ensuring the highest possible level of service quality.

The tasks involved are as follows:

  • Preparation, Identification
    • incident detection, logging and reporting to the development / operations manager,
    • establishment of a crisis team and classification of the incident,
  • Notification, Evaluation, Prioritization
    • troubleshooting and diagnosis,
    • recording incident event in Incident Information Table
  • Containment, eradication, recovery
    • resolution and restoration, putting systems-related security measures into effect,
    • activation of BCP, DRP plans
  • Lessons learned, post-incident
    • taking the necessary steps to avoid recurrence in the future,
    • closure of the incident.

Relevant regulations:

  • Change Management Policy
  • Risk Assessment Policy
  • Testing Process and Procedures Policy
  • Software Development Policy
  • Incident Management Policy and Response Plan
  • Business Continuity Management
  • IT Security Policy

 

6. Infrastructure – Operational security

Hardware quality

All equipment at the hosting location, including (but not limited to) routers, switches, servers and components, is purchased from a high-quality manufacturer via their official Hungarian distributor. Compatibility of devices with one another and high availability are required criteria during procurement. Devices are specifically designed to operate 24 hours a day in a server production environment.

In order to improve operational security, remote management is also available for each server with strictly limited and documented access rights. This allows low-level server administration, e.g. BIOS updates.

 

Separate racks

The company has its own rack cabinets in the hosting facility which can only be accessed by VCC system engineers with the required authorisation, thus access by unauthorised persons is prevented. Physical access to the infrastructure is regulated by strict hosting processes which separately record the access time, type of access, and data accessed.

 

Power supplies

All of the servers have redundant power supply units and receive current from two separate circuits, thus no shutdown can occur due to power supply failure.

Equipment without dual power supply units is designed redundantly and connected to a so-called static switch which performs this function instead.

 

Network setup

Each server located in the hosting room has at least two network connections which are connected to two different switches. The two switches have Internet access from two separate core devices and therefore, if any device, switch or network card fails, the computer is still able to fully communicate. If a fault occurs in these components, the changeover is made fully automatically.

 

Business Continuity, Disaster Recovery and virtualization

VCC’s systems are installed in a virtual environment, which has a number of advantages. One of the main advantages is that if any computer becomes physically unusable, and even if all of the data held on it is lost, both operations and data can be restored in a very short period of time, because virtual machines are regularly archived and so can be easily and quickly restored from the most recent backup. Only databases are present on the machine as variable data. As recorded sound files are stored on a distributed file system, there is less chance that they will be damaged; and a real-time replica is made of the databases so that the most recent status can be restored without any data loss.

If a disaster event occurs:

  • Depending on the event type, VCC uses different business continuity and disaster recovery plans.
  • Every disaster event is logged and recorded in accordance with quality regulations and information security policies, including incident management and business continuity management.
  • Examples of event and event management:
    • In the case of a partial malfunction or breakdown, if the affected server is still operational, it is easy to move the client to a new server within VCC’s infrastructure. The transfer of the entire database and the complete set of telecommunications settings, without data loss, takes up to two hours (depending on the size of the database).
    • In the case of a total outage (server halt) the fastest solution is to rebuild the customer database from the data backed up the previous day in VCC’s infrastructure. This takes about eight hours (including approximately two initial hours to restore the database, depending on the size of the database) and subsequently includes the restoration of data created between the outage and the creation of the back-up.
    • If a disaster event takes place, customer working processes may be affected during the restoration process. In particular, during the restoration process incoming calls may be redirected to pre-defined secondary telephone numbers.
  • To help with continuous improvement of our systems, after every incident event VCC analyses results and data, and if applicable applies relevant lessons learned to improve business continuity.

 

Call management

VCC is connected to several large service providers who supply telecommunication lines. If a problem arises at any of our service providers, calls are automatically redirected to another service provider so as to ensure that as many calls as possible are delivered. There are two central call management systems; if one of the systems shuts down, then the other automatically takes over and handles calls.

Relevant regulations:

  • Change Management Policy
  • Risk Assessment Policy
  • Testing Process and Procedures Policy
  • Operational Security Policy
  • Key and Certificate Management Policy
  • Incident Management Policy and Response Plan
  • Business Continuity Management
  • IT Security Policy
  • Third Party Management Policy
  • Physical Security Policy and Procedures

 

7. Server hosting

VCC has a central physical hosting location at T-Systems Data Center Budapest and several other cloud locations.

VCC checks and rates (and regularly reviews) third-party providers on quality and IT security aspects before starting to use them, in accordance with VCC’s IT security rules and regulations.

T-Systems Data Center Budapest (formerly Dataplex), the market leader in outsourcing information technology infrastructures, was found to be the best in meeting VCC’s strict security and availability requirements. T-Systems Data Center Budapest is owned by T-Systems (Deutsche Telekom subsidiary), a key industry player in telecommunications networks, and is connected to T-Systems’ core network. The facility is located in Budapest, Hungary and meets the highest global technology standards (Tier III, almost Tier IV level), offering a reliable and secure platform for its clients.

Every large telecommunications service provider in Hungary has connected its network to the data center at T-Systems Data Center Budapest. The security system meets the highest business security standards, including guaranteed fire protection, a guaranteed, continual power supply and the optimal environment for task-critical devices. The highly-trained staff provide technical support 24 hours a day, 365 days of the year, managing the basic operation and maintenance tasks at the facility. Additional value-added services, unique to the market, are also available at the data centre.

See below for details of the main areas that guarantee the security of VCC’s servers at T-Systems Data Center Budapest.

 

Extreme security

The data center is a reinforced, protected facility which offers reliable protection for security-sensitive equipment. The security system at the centre is a multi-level system, functioning 24 hours a day, 365 days a year. Its work is supported – both inside and outside the building – by a closed-circuit television system, glass-breakage detector, door and motion detectors, and alarms. Entry into the building, colocation area and rack containers is controlled by a magnetic card system and a variable keypad-access control system. Only persons authorised by the client can enter the building. Entry and exit events can be traced back via the continuously operating video recording system.

 

Availability

The T-Systems Data Center Budapest Service Level Agreement (SLA), relating to the provided infrastructure services, meets the requirements of the most demanding industry standards, thus ensuring the most secure operational environment for clients’ critical systems, with 99.999% annual availability for power supply and air conditioning.

 

Power supply, optimal environmental conditions

Uninterrupted operation of client equipment is ensured by an uninterruptible power supply with 99.999% availability. The facility receives power from the public electricity network via duplicated, secure substations. However, redundant diesel generators (with N+1 configuration) can take over the full load of the centre in less than three minutes and supply power for up to 72 hours, or indefinitely after refuelling, if necessary. In addition, the reliable operation of info-communication equipment is also ensured by online redundant power supplies (with N+1 configuration). Power is always supplied to users by A+B redundant feeds. The building is fully air-conditioned, which is ensured by N+1 redundant, locally adjustable, precision air conditioner units. The temperature and relative humidity are kept continuously at 22 degrees Celsius (+/-2°C) and at 50% (+/- 10%), respectively.

 

Regional presence of T-Systems

The T-Systems Data Center Budapest Network is connected to the core network of several key partners, including Deutsche Telekom, KPN, Telecom Austria, TeliaSonera, Telefónica, Interoute, Linx Telecom, Cable & Wireless.

 

Fire detection and extinguishing – VESDA

Full fire detection and extinguishing is a basic service available throughout the building. The complex is equipped with a fire detection and extinguishing system of the highest standard currently available. For fire detection, the VESDA (Very Early Smoke Detection Apparatus) system was installed, which checks for the possible presence of fire and smoke by using laser detectors and an air sampling system. The fire extinguishing system is permanently connected to the Budapest Fire Department which automatically receives the centre’s fire alarm signals and thus the firefighters on duty – after checking the received emergency signal – can go, if necessary, to the location with the appropriate resources.
 

Main references
  • CIB Bank: main IT centre
  • Vodafone Hungary: main IT centre and call centre
  • Allianz Insurance: main IT centre in Hungary
  • Erste Bank: main IT centre in Hungary
  • Aegon: main and backup IT centre in Hungary
  • MOL: main IT centre

 

Certifications
  • ISO14001:2004
  • ISO/IEC 20000:2011
  • ISO27001:2005
  • AQAP 2110
  • ISO 50001:2011

Relevant regulations:

  • Change Management Policy
  • Risk Assessment Policy
  • Testing Process and Procedures Policy
  • Operational Security Policy
  • Key and Certificate Management Policy
  • Incident Management Policy and Response Plan
  • Business Continuity Management
  • IT Security Policy
  • Third Party Management Policy
  • Physical Security Policy and Procedures

 

8. Continuous Improvement

In accordance with IT industry standards and VCC’s philosophy, continuous improvement is an important part of all operations and processes at VCC.

As such, VCC creates KPIs, and monitors, gathers and rates results, incorporating its experiences and lessons learned into its daily operations and processes, to prevent and minimise the impact of unexpected events.

Regular security awareness training sessions, industry standards compliance, risk assessment, business continuity, operation control points and numerous regulations are part of this continuous improvement.