Introduction
Customers communicate with organizations in a variety of forms—from phone conversations to email, web chat and social media. As each interaction may contain sensitive and confidential information, security has become a top requirement for consumers and enterprises alike.
Many companies are turning to cloud-based solutions for more robust security as part of their contact center strategy. Cloud contact center solutions provide many advantages over traditional on-premise solutions, including the lower upfront capital expenditure, deployment flexibility and scalability, relief of infrastructure installation and maintenance, and an instant gateway to advanced capabilities. One important benefit of cloud contact center solutions is the relief of security implementation. This built-in benefit—with the right cloud contact center solution—can translate into significant cost savings.
Mitel has implemented security measures that take a comprehensive multiple-layer approach that has been certified to meet industry’s standards including Payment Card Industry - Data Security Standards (PCI-DSS) and Health Insurance Portability and Accountability (HiPAA) compliance. In fact, Mitel has been providing secure cloud contact center solutions to leading enterprises, including some of the largest financial and insurance companies in the world, for over a decade.
Overview
Mitel’s security strategy provides controls at multiple levels of data storage, access, and transfer. The strategy includes the following components:
Physical Security
Network Security
Platform Security
Application Security
Data Security
Human Security
Compliance
Physical Security
Mitel’s MiContact Center Live Cloud solution for large enterprises operates in Tier 4-class data centers. Each data center employs the same physical security standards and is controlled by multiple security parameters including:
Electronic entry systems that require each person who enters a data center have a valid badge and pass biometric controls
System access includes multiple levels of authentication including two layers of biometric authentication
Surveillance cameras supported by infrared, ultrasonic and photoelectric motion sensors
Alarm systems deployed throughout the datacenters
Armed security guards on duty 24x7
Exterior walls constructed of steel reinforced poured concrete or reinforced masonry that exceeds building code requirements for structural strength
Multiple Internet connections to block intentional disruptions of service
Multiple power connections with generator backup
Fire suppression systems
Tracking and recording of all access made to the data center
Network Security
MiContact Center Live uses network elements that interconnect systems and information across multiple locations. Mitel achieves network security through technical systems and processes including the following:
Firewalls: Multiple layers of firewalls are deployed
Web Application Firewall (WAF): Analyzes application level activity in real-time to detect and block malicious activity
Segmentation: Systems are broken up in logical groups with restricted access to other groups, helping to contain intrusions that may occur
Intrusion Detection Systems (IDS): Detects suspicious activity
Data Encryption: Ensures added security when data travels over our internal network and when customers access the information externally over other types of networks
SECURITY VULNERABILITY ASSESSMENTS
Mitel conducts internal and external network vulnerability scans each quarter (at a minimum) and after significant changes in the network (e.g. new system component installations, changes in network topology, firewall rule modifications, product upgrades).
As a result:
All potential vulnerabilities identified are communicated to appropriate Mitel personnel for remediation
All high-level vulnerabilities are scheduled to be corrected within 10 days
Medium-level vulnerabilities are corrected and subject to Change Control Policy
Follow-up scans confirm compliance with Mitel security standards
In addition, the Mitel Security Operations Center (SOC) staff engages in efforts to monitor activities on the Mitel network 24x7x365. The SOC team manages the network to detect and prevent threats and to maintain recovery control and audit logs of all activities of all users. This allows the security team to assist any necessary investigations or audits.
Platform Security
As a cloud-based solution, MiContact Center Live was built as a multi-tenant solution with distributed systems on an application architecture to preserve the security of each tenant. Mitel has designed the platform with tight security in mind around servers and the operating system, middleware and application/ multi-tenancy stack.
HIGH AVAILABILITY
To minimize service interruption due to hardware failures, natural disasters, Denial of Service (DoS) attacks, or other catastrophes, Mitel has implemented a disaster recovery plans for its data centers. This program includes:
Geographically dispersed data centers that operate in activeactive mode.
Redundant applications that provide backup capabilities. If the primary server goes out of service, a backup server acts as the primary server.
LOAD DISTRIBUTION
MiContact Center Live deploys proxy and parallel servers to add efficiency to large-scale configurations. The use of these technologies reduces the loss of functionality and data caused by an outage or security attack.
MULTI-TENANT SECURITY
MiContact Center Live separates tenant applications and data. This isolation and separation preserves the integrity of each tenant environment and its data. Mitel supports the following tenant separations:
Server level: Each tenant has a unique and isolated (virtual or physical) environment with a single management system.
Data level: The application is designed so that access across tenants is securely administered.
Mitel may deploy different tenant separate methodologies depending on the features that a customer orders.
Application Security
Mitel has deployed the following application security methodologies:
SECURE BY DESIGN
Secure Software Installation Controls: Access to Mitel applications uses multi-level authentication and all access is logged.
Prudent Configuration of Access Controls: “Least Privilege” and “Need-to-Know” principles are applied during the design of the applications.
HOLISTIC SECURITY
Users access the MiContact Center Live Platform in the Cloud via our Secure Sign-in feature. Customers can adjust their level of password strength and expiration policies to fit their needs. The platform provides a rolebased and IP-based permission systems, giving you fine grained control over who in your organization has to access to specific applications and data. In addition, we offer several unique capabilities to ensure that your customers’ data remains secure. Mitel’s Secure Exchange feature, for example, allows callers to securely provide sensitive personal information while ensuring that agents do not hear or have access to that data.
Data Security
Security and privacy of customer data is extremely important to LiveOps and is an essential element of our client relationship. Mitel applies particular security measures and attention to customer data in various areas as detailed in the following sections.
In the past year Mitel has:
Processed billions of dollars through the platform
Supported 144 million calls on the Mitel platform for 531 million minutes That’s over a thousand years of voice calls!
Supported hundreds of clients within Financial Services, Healthcare, High Tech, Insurance and Retail
Collected over 25 million credit card numbers (PCI-DSS)
Collected over 4 million bank account numbers
Processed 100+ million instances including Personally Identifiable Information (PII)
Collected tens of millions of medical data artifacts (HIPAA)
POLICY AND PROCEDURES
Mitel Security Policy and Procedures include provisions to protect customer data from unauthorized access by implementing access controls and employing data and protocol encryption.
DATA COLLECTION
Mitel views secure customer data collection and retention as a top priority. To address this business goal, Mitel employs a variety of practices and procedures. End customer data must be kept private when it is collected, such as when an end customer makes a purchase or provides personal information necessary to receive support or benefits. Mitel protects and maintains the security of that data in its possession until it is deleted or destroyed in accordance with defined data retention periods and data deletion procedures.
DATA ENCRYPTION
Sensitive data is stored in 2048-bit RSA encrypted secured databases. These databases are not accessible to agents who have access to Mitel Contact Center. Call recordings are encrypted on a hardened appliance using the AES256 encryption standard in accordance with NIST FIPS 140-2 3 (US Federal Information Processing Standard).
DATABASE SERVERS
Customer data is stored on Mitel database servers on a secure database VLAN.
Database access is limited to authorized operations and engineering teams.
Logical access is protected in the MiContact Center Live application hosted on web servers in a DMZ, utilizing 128-bit SSL cipher key minimums, and requiring unique usernames and passwords to authorized users.
User access and database transactions are logged.
Human Security
Background and reference checks are performed on Mitel personnel who are authorized to access customer data. In addition, all employees must review and certify a full understanding of the Mitel’s Policy and Procedures, which includes:
Data retention
Employee security awareness training and management
Data storage and transmission
Security vulnerability assessment program
Acceptable usage of Mitel’s systems Fraud Detection
A specialized team can audit and gather information regarding potentially fraudulent activity.
Automatic monitoring systems detect anomalies in the behavior of agents.
Manual review and investigations are conducted when required.
Constant tuning of heuristic detection methods to identify fraudulent activities.
Compliance
Mitel has implemented the compliance procedures to ensure high levels of compliance to legal and consumer laws. Mitel compliance measures and achievements adhere to a broad range of laws and regulations governing electronic information security.
Always consult your legal counsel to ensure you understand what regulatory and compliance requirements are appropriate for your specific use of MiContact Center Live and its features.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI)
What is PCI-DSS?
PCI is a certification required by Visa, MasterCard and other major credit card processors for ensuring data security and privacy. PCI certification protects a company from liability if credit card data is stolen or compromised. For more information, visit: https://www. pcisecuritystandards.org/.
Who is required to adhere to PCI-DSS?
Any company (merchant or service provider) that stores, transmits, records, or acts as a gateway for credit card information is required to become PCI-DSS compliant.
How does Mitel comply with PCI-DSS?
Mitel is fully compliant with the 12 Security Domains of PCI-DSS Level-1 service provider. Compliance is audited and certified yearly by an independent 3rd party, Qualified Security Assessor.
What parts of Mitel’s services are in compliance?
The following components have been certified for use with PCI-DSS related data:
Mitel telephony components.
IVR system, including the “Secure Exchange” feature.
Call recording and playback system.
Mitel Scripting system (e.g., credit card collection screens).
Mitel real-time fulfillment.
Mitel batch fulfillment.
Mitel’s data centers located in the United States, Australia and Europe.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
What is HIPAA?
Enacted in 1996, HIPAA regulations require companies to adopt policies and procedures to protect the privacy and security of Protected Health Information (PHI). Covered Entities, as defined in the regulations, which include health insurers and billing processors, must fulfill the requirements defined under HIPAA’s privacy and security rules. These rules define administrative, physical and technical safeguards for PHI. For more information, visit: http://www.hhs.gov/ocr/privacy/hipaa/.
Who is required to adhere to HIPAA?
The Privacy Rule applies to health plans, healthcare clearing houses, and any health care provider who electronically transmits health information in connection with certain transactions, which include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which the U.S. Department of Health and Human Services has established standards under the HIPAA Transactions Rule.
How does Mitel comply with HIPAA?
Mitel security procedures and controls meet customer HIPAA compliance requirements.
What parts of Mitel’s services are in compliance with the HIPAA requirements?
Mitel is in compliance with HIPAA requirements in accordance with the following security features:
Call recording encryption.
Strict access controls.
Access logging.
Auditing & reporting systems.
Configurable data sensitivity levels on collected data:
Confidential: Normal access control.
Highly confidential: Restricted access.
Highly confidential - FMG : Encrypted, no user access.
SAFE HARBOR
What is Safe Harbor?
The U.S. Department of Commerce, in concert with the European Commission, developed the “Safe Harbor Framework” to allow U.S. organization to comply with the directive by agreeing to abide by the Safe Harbor Privacy Principles. Companies certify their compliance with these Principles on the U. S. Department of Commerce website. The Framework, approved by the EU in 2000, gives companies assurance that the EU will consider their practices “adequate” for data transfers between the U.S. and both the EU and Switzerland. For more information, visit: http://www.export.gov/safeharbor/.
How does Mitel comply with Safe Harbor?
Mitel complies with the U.S. – E.U. Safe Harbor framework and the U.S. - Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. Mitel has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.
Summary
Mitel employs a multi-layered security strategy that support a cloud contact center platform used by leading enterprises and business worldwide. The MiContact Center Live solution provides heightened security and high availability at no additional cost, saving our clients excessive overhead and expenses.
