The purpose of this document is to communicate the details of Virtual Call Center’s (hereinafter VCC) IT and information security regulations and measures for both clients and future clients.
These safety measures are being introduced to provide the highest possible level of protection for clients’ data against external and internal attacks, and to provide high availability for our clients.
In accordance with the principal IT and Information Security Management System industry standards, VCC implements rules, policies and regulations in the company’s whole management and service process, as follows:
Each employee at VCC signs a strict confidentiality agreement at the start of their employment, and receives training in password and IT security.
Regulations apply equally to all work-related areas, from unlocking PC lock screens to passwords for office and customer-related live systems. In the latter case, very strong passwords are required, which are renewed periodically based on appropriate procedures.
All access to clients’ data can only take place if the client specifically requests it.
Only a restricted group of VCC’s employees has access to live systems and data related to clients. Access privileges are divided into several categories, including access to servers, access to databases, and access through VCC’s client software.
Only authorized staff are permitted to log onto the servers, and only authorised personnel are allowed access to the databases. Each role has its own relevant, regulated user privileges.
All access to VCC’s client service is at a central location, and both access approval and denial are completely automatic processes. As one would expect, each access must be accompanied by a supplied unique username and password pair, which must comply with the highest safety requirements for passwords.
Only specified persons can have access to the system that manages these access rights.
There may be cases where it is necessary to access a client account via VCC’s client software for fault detection and consultation. In these cases, only specified persons are granted access to VCC client software, and again only if the client specifically agrees to it.
Every event that occurs in VCC’s IT system is logged by a central log server. Thus, any employee activity in the client environment, and the time it takes place, can easily be traced back.
For employees leaving VCC, there is a separate regulation code which outlines the individual steps in the leaving process.
Initially, each of the employee’s access points that applies to client-related live systems is withdrawn. This takes effect immediately due to the automatic system connected to the VCC client software, and the withdrawal of authorizations at server and database levels is handled as high priority.
After that, access to office infrastructure is withdrawn to prevent indirect access to live systems.
The final steps, e.g. removing physical access to the office, are taken indirectly to avoid any possible issues.
VCC’s client software includes a number of mandatory and customisable security features which are intended to avoid external attacks, as well as internal attacks and misuse on the client’s side.
Full encryption of sound and the accompanying communication protocols, using the technology listed below, is possible in VCC, guaranteeing that every conversation-related event which occurs between VCC’s client software and the central system is encrypted:
During the use of the software, network data traffic is encrypted with the following industry-standard technologies:
VCC follows the stricter industry-standard recommendations and techniques, such as:
In VCC’s infrastructure every client has their own separate database, for both uploaded data and other data, for example statistics. Due to our strict firewall policies and incorporated software barriers, clients are not able to access other client databases.
A backup is made of all client-related data (e.g. their individual database) so as to avoid data loss. Servers used to store information are placed in an environment which is appropriately supervised and has restricted access (for more details on this, see ‘Server hosting, DRP/Virtualization’).
Client audio files are stored on a storage file system which is physically stored on several different servers. Even if any server were to be completely destroyed, the sound files would still be accessible and unharmed.
Sound files are stored for a period of 30 days (with the possibility of longer storage if requested), during which time they can be downloaded as required. Downloaded files can also be deleted from the VCC system when archive files are created, before they would be automatically deleted.
VCC’s client software provides the client with further opportunities to increase the level of security:
Every employee at VCC is affected by IT security, as they are obliged to adhere to security regulations during the course of their employment (e.g.: password policy, clear desk-clear screen policy).
The development / operations manager and the systems administrators are responsible for protecting sensitive data. Employees’ knowledge is particularly important in this respect, and thus VCC pays special attention to integrating the latest IT security knowledge and innovations into their system.
As such, colleagues working in this field receive continual training and assignments to help widen their knowledge.
The company has no external associates. External partners participating in website development have no access to the software or related infrastructure, either in the office or in a live environment.
VCC’s firewall is configured in accordance with strict rules on all servers and devices within the infrastructure, covering the addresses from which a given device can be accessed, the connections a server can initiate, and the parties with which it can communicate. These rules are applied at the level of low-level protocols (TCP/IP). Devices are protected against denial-of-service (DoS) attacks.
The structure in the hosting location is also set up in a separate office environment. Uniformity extends from operating systems to program versions. Any changes made in the live environment at the hosting location are created and checked in this testing infrastructure. VCC works exclusively with test data that it generates itself in the testing environment, and client data is not present in any form in these systems.
VCC pays special attention to the pre-testing of completed developments and improvements, and to the regulation of the release process.
The company uses a continuous integration (CI) system, which ensures that tests related to the software run continuously, and that every error detected in the completed tests is marked and corrected prior to release. This is immediately displayed on a real-time system and is thus registered by colleagues.
Each release process connected with the client-related live system is documented. The process consists of an initial approval by a manager, and the report of the employee who oversees the release about when and where the actual development, improvement, adjustment, or update went live. The documentation guarantees that no adjustments may be made in the client environment without approval, and ensures that all adjustments can be traced back. The documentation can only be edited by authorised persons, so that again any changes can be traced back.
Package updates are made regularly on all servers, with priority given to critical vulnerabilities. Changes in versions of external software are monitored by systems administrators and, following successful testing, updates to the latest version are made as far as possible. Scripts are created specifically for this purpose. In each case, updates are documented, and thus the exact time and type of update can subsequently be traced back.
The restricted group of employees who need access to the servers to perform their work each have an individual VPN key, which they use to connect to the VPN network. They can only access the servers with this key, along with an individual username and password supplied by the LDAP (Lightweight Directory Access Protocol). It is not possible to access the servers from the public Internet.
VCC continuously monitors the status of their systems. Thanks to our monitoring system, clients are informed about events that affect the systems even before they occur, so that they have the chance to handle them in advance.
Authorised persons are informed by the system about alerts in real-time, and via e-mail and instant messages, while every key part of the system can be observed in real-time on a status board placed in the operation section, thus making it possible to monitor the current and previous status.
VCC system engineers and managers are responsible for dealing with incident management. Any event that endangers or may endanger business continuity or security is considered to be an incident. The primary aim of incident management is to restore normal service conditions as quickly as possible, and to minimise its harmful effect on business continuity, thus ensuring the highest possible level of service quality.
The tasks involved are as follows:
All equipment at the hosting location, including (but not limited to) routers, switches, servers and components, is purchased from a high-quality manufacturer via their official Hungarian distributor. Compatibility of devices with one another and high availability are required criteria during procurement. Devices are specifically designed to operate 24 hours a day in a server production environment.
In order to improve operational security, remote management is also available for each server with strictly limited and documented access rights. This allows low-level server administration, e.g. BIOS updates.
The company has its own rack cabinets in the hosting facility which can only be accessed by VCC system engineers with the required authorisation, thus access by unauthorised persons is prevented. Physical access to the infrastructure is regulated by strict hosting processes which separately record the access time, type of access, and data accessed.
All of the servers have redundant power supply units and receive current from two separate circuits, thus no shutdown can occur due to power supply failure.
Equipment without dual power supply units is designed redundantly and connected to a so-called static switch which performs this function instead.
Each server located in the hosting room has at least two network connections which are connected to two different switches. The two switches have Internet access from two separate core devices and therefore, if any device, switch or network card fails, the computer is still able to fully communicate. If a fault occurs in these components, the changeover is made fully automatically.
VCC’s systems are installed in a virtual environment, which has a number of advantages. One of the main advantages is that if any computer becomes physically unusable, and even if all of the data held on it is lost, both operations and data can be restored in a very short period of time, because virtual machines are regularly archived and so can be easily and quickly restored from the most recent backup. Only databases are present on the machine as variable data. As recorded sound files are stored on a distributed file system, there is less chance that they will be damaged; and a real-time replica is made of the databases so that the most recent status can be restored without any data loss.
If a disaster event occurs:
VCC is connected to several large service providers who supply telecommunication lines. If a problem arises at any of our service providers, calls are automatically redirected to another service provider so as to ensure that as many calls as possible are delivered. There are two central call management systems; if one of the systems shuts down, then the other automatically takes over and handles calls.
VCC has a central physical hosting location at T-Systems Data Center Budapest and several other cloud locations.
VCC checks and rates (and regularly reviews) third-party providers on quality and IT security aspects before starting to use them, in accordance with VCC’s IT security rules and regulations.
T-Systems Data Center Budapest (formerly Dataplex), the market leader in outsourcing information technology infrastructures, was found to be the best in meeting VCC’s strict security and availability requirements. T-Systems Data Center Budapest is owned by T-Systems (a Deutsche Telekom subsidiary), a key industry player in telecommunications networks, and is connected to T-Systems’ core network. The facility is located in Budapest, Hungary and meets the highest global technology standards (Tier III, almost Tier IV level), offering a reliable and secure platform for its clients.
Every large telecommunications service provider in Hungary has connected its network to the data center at T-Systems Data Center Budapest. The security system meets the highest business security standards, including guaranteed fire protection, a guaranteed, continual power supply and the optimal environment for task-critical devices. The highly-trained staff provide technical support 24 hours a day, 365 days of the year, managing the basic operation and maintenance tasks at the facility. Additional value-added services, unique to the market, are also available at the data centre.
See below for details of the main areas that guarantee the security of VCC’s servers at T-Systems Data Center Budapest.
The data center is a reinforced, protected facility which offers reliable protection for security-sensitive equipment. The security system at the centre is a multi-level system, functioning 24 hours a day, 365 days a year. Its work is supported – both inside and outside the building – by a closed-circuit television system, glass-breakage detector, door and motion detectors, and alarms. Entry into the building, colocation area and rack containers is controlled by a magnetic card system and a variable keypad-access control system. Only persons authorised by the client can enter the building. Entry and exit events can be traced back via the continuously operating video recording system.
The T-Systems Data Center Budapest Service Level Agreement (SLA), relating to the provided infrastructure services, meets the requirements of the most demanding industry standards, thus ensuring the most secure operational environment for clients’ critical systems, with 99.999% annual availability for power supply and air conditioning.
Uninterrupted operation of client equipment is ensured by an uninterruptible power supply with 99.999% availability. The facility receives power from the public electricity network via duplicated, secure substations. However, redundant diesel generators (with N+1 configuration) can take over the full load of the centre in less than three minutes and supply power for up to 72 hours, or indefinitely after refuelling, if necessary. In addition, the reliable operation of info-communication equipment is also ensured by online redundant power supplies (with N+1 configuration). Power is always supplied to users by A+B redundant feeds. The building is fully air-conditioned, which is ensured by N+1 redundant, locally adjustable, precision air conditioner units. The temperature and relative humidity are kept continuously at 22 degrees Celsius (+/-2°C) and at 50% (+/- 10%), respectively.
The T-Systems Data Center Budapest Network is connected to the core network of several key partners, including Deutsche Telekom, KPN, Telecom Austria, TeliaSonera, Telefónica, Interoute, Linx Telecom, Cable & Wireless.
Full fire detection and extinguishing is a basic service available throughout the building. The complex is equipped with a fire detection and extinguishing system of the highest standard currently available. For fire detection, the VESDA (Very Early Smoke Detection Apparatus) system was installed, which checks for the possible presence of fire and smoke by using laser detectors and an air sampling system. The fire extinguishing system is permanently connected to the Budapest Fire Department, which automatically receives the centre’s fire alarm signals, and thus the firefighters on duty – after checking the received emergency signal – can go, if necessary, to the location with the appropriate resources.
In accordance with IT industry standards and VCC’s philosophy, continuous improvement is an important part of all operations and processes at VCC.
As such, VCC creates KPIs, and monitors, gathers and rates results, incorporating its experiences and lessons learned into its daily operations and processes, to prevent and minimise the impact of unexpected events.
Regular security awareness training sessions, industry standards compliance, risk assessment, business continuity, operation control points and numerous regulations are part of this continuous improvement.