Purpose and Scope

The purpose of this document is to communicate the details of Virtual Call Center's (hereinafter VCC) IT and information security regulations and measures to both current and prospective clients.

These security measures are introduced to provide the highest possible level of protection for clients' data against external and internal attacks, and to provide high availability for our clients.


Standards and compliance
  • Quality and Information Security Management System (QISMS)
    • VCC has been certified as a valid PCI DSS v3.1 compliant Level 1 Service Provider.
    • VCC has been certified as a valid Hungarian National Telecommunication L. Law (Closed Billing System) compliant Level 2 Service Provider.
    • VCC applies ISO/IEC 27001:2013 (Information Security Management System) controls and requirements.
    • VCC applies ISO 22301:2012 (Societal security – Business continuity management systems) controls and requirements.
    • VCC applies ISO/IEC 20000:2011 (Information technology – Service management) controls and requirements.
    • VCC uses a set of ISO/IEC 27002:2013 (Information Security Controls) recommendations.
    • VCC uses a set of ITIL 2011 (Information Technology Infrastructure Library) framework recommendations.
  • Other Standards
    • CIS (Center for Internet Security) hardening.
    • OWASP (Open Web Application Security Project) secure coding check.
    • Semantic Versioning methodology.
    • Version control systems (Git, GitHub).


Control environment mapping

In accordance with the principal IT and Information Security Management System industry standards, VCC implements rules, policies and regulations across the company's entire management and service process, as follows:

  • Risk Assessment using a PDCA model.
  • Change Management (including release management).
  • Access and Asset Management, with role-based access control.
  • Network and Communication regulations.
  • Regular vulnerability scans (including penetration testing) and regular Patch Management.
  • Software development and testing process and procedure regulations (including secure coding aspects).
  • IT Operational Security regulations (including malware protection, wireless management, server management, logging and monitoring rules and regulations, firewall and router configuration standards).
  • Physical Security Rules and Procedures (including visitor regulations).
  • Incident Management (security, business continuity), Response plan.
  • Key and Certificate Management.
  • Third Party Provider and Supplier Management.
  • IT Security Policy and regular Security Awareness training.
  • Business Continuity Management and Plan definitions.