17 Info Security & Privacy Topics Call Center Staff Must Understand

Okay…back to my continuing lecture on the need to provide targeted training on specific information security and privacy topics to the various responsibility groups throughout your enterprise.
Consider this: what if you took a driver’s education class and all they showed you, on a PowerPoint slide, was how to put the key in the ignition, turn the engine over, press the accelerator to move forward, and press the brakes to stop. Then they told you to go out there and drive…have at it! Would you be well prepared to get onto the road and deal with all the other things you need to know about driving? Most likely not. If you feel you would be well prepared, please tell me you will not be driving on the central Iowa roads… 🙂


Unfortunately, this is the way most information security and privacy training programs are run. Many organizations have a tendency to give their personnel very high level, poorly presented, and educationally ineffective information about security and privacy, and then send the personnel on their way, expecting them to do their job responsibilities in ways that will also protect the information they must handle while doing those jobs. Is it likely that security incidents and privacy breaches will occur if you do not give your personnel targeted information, specific to their job responsibilities, for how to protect information on a daily basis? You bet it is.
High level information security and privacy training is important and necessary as a primer. However, you must then provide additional training, and ongoing awareness communications, to your personnel if you truly expect them to have the knowledge and understanding necessary to effectively safeguard information and preserve privacy.
Some areas will need a lot of additional training and awareness, and some will need just a little bit more; again, it depends upon their job responsibilities and their access to information and computer systems.
Call centers typically have a HUGE amount of access to all kinds of information. Call centers will need quite a bit of training, and ongoing awareness communications, to help them effectively safeguard the information they handle during the course of carrying out their job responsibilities.
Here is the fourth and final part of the third article, “Providing Call Centers with Information Security and Privacy Education,” in my July issue of IT Compliance in Realtime, that speaks to this issue…
———————————–

Call Center Personnel Need Customized Education Content
When you consider the types of information to which call center staff has access, and the direct contact they have with consumers, customers, and employees, it should be compelling to provide ongoing information security and privacy training and ongoing awareness communications, activities, and events to the call center staff members.
The following list highlights 17 topics and very brief descriptions for what most call center personnel need to know and understand. As you can probably imagine, writing out all the details for all topics would fill a fairly large book. However, this list should give you a good start for determining the topics for which your call center personnel need training:

  1. Information security and privacy policies – Call center personnel must know and understand the organization’s information security and privacy policies so that they can create procedures to support them during their interactions with each type of individual that contacts the call center.
  2. Web site privacy policies – Call center personnel must know and understand the organization’s posted Web site privacy and security policies. These Web site policies are legally binding documents that must be supported internally by procedures within the call center for promises related to accessing customer information and how the PII is safeguarded.
  3. Roles and responsibilities – Call center personnel must understand their responsibilities for safeguarding information resources during the course of their normal work responsibilities, such as how to verify the identities of callers, how to protect their unattended workstations, and so on. Establishing and communicating responsibility to the call center personnel creates personal accountability.
  4. Information security and privacy in job definitions and performance appraisals – Call center managers must understand how to work with Human Resources (HR) to incorporate information security and privacy responsibilities into job descriptions. Information security and privacy actions and policy compliance can then be included within job appraisals. Such actions will better motivate personnel to be diligent in safeguarding information.
  5. Applicable laws and regulations – Call center personnel must understand the laws and regulations related to giving individuals access to their corresponding PII, and the organization’s procedures for providing this access. Call center staff also need to know the regulations, such as the Red Flags Rule in the U.S., with which they must comply to help prevent identity fraud.
  6. Security and privacy procedures for customer and consumer contact – Call center personnel must know and understand their department’s security and privacy procedures that have been established to support compliance with the organization’s policies, in addition to supporting compliance with a very wide range of laws, regulations, and industry standards.
  7. Dealing with the unexpected – Call center personnel must understand how to effectively and consistently handle situations that pop up that do not fit the mold for the procedures they have established. For example, they must know the appropriate thing to do if a reporter calls and asks about a newly discovered privacy breach in the organization that the call center did not know about. As another example, they must know the appropriate thing to do if a caller makes a threat when they do not provide requested PII. These actions will complement the organization’s incident response plans.
  8. Mitigation for customer concerns and complaints – Call center staff must know and understand the appropriate tools and procedures to use to document caller complaints, feedback, and comments accurately. Call center staff must know the appropriate type of language and demeanor to use when speaking with callers. This type of training would be very good to couple with the customer service area to ensure privacy and security issues are addressed while the call center is providing exceptional customer service; the two are not mutually exclusive.
  9. Securing third-party access to business and customer information – Call center personnel must know and thoroughly understand the policies and procedures for providing third parties access to information resources. Call center staff must understand the types of social engineering schemes that may be used to trick them into providing third parties with access when in actuality the third party should not be provided access.
  10. Information security and privacy incident response – Call center personnel must understand, know their roles for, and be ready to effectively respond to information security and privacy incidents according to the organization’s documented incident and breach response plans. Call centers typically play a key role in communications that occur during incident and breach response. Call center staff must know and understand the information they should and should not provide to callers regarding incidents.
  11. Physical security – Call center personnel must know how to protect against the physical security risks to information. They need to know how to secure printed information, how to spot physical dangers to information and data within work areas, and how to report individuals who may have inappropriate physical access to, or be a physical threat to, information.
  12. Computing equipment security – Call center personnel must know and understand how to physically protect computing and electronic storage equipment in their work areas, when they take computers home to do work, and when they leave their workstations unattended. Call center staff must know the organization’s computer equipment security policies and be able to point callers who ask about those policies to the appropriate persons and departments.
  13. Identity verification – Call center staff must follow documented procedures to verify the identity of callers who request access to PII and other sensitive information, who want changes made in accounts, and who perform other similar activities that impact customer accounts or business activities. Be sure that appropriate types of information items are used for identity verification; Social Security numbers, mother’s maiden name, birth date, and other such data items are increasingly found to be unreliable for authenticating caller identities.
  14. Notice – Call center personnel must know and follow the organization’s policies, along with the regulatory requirements, to provide notice to callers whenever PII is involved. For example, callers must be told that the call may be monitored and recorded, as is required within the state of California, for citizens in Australia, and in many other jurisdictions. Call center personnel must also know how to provide a comprehensive notice of privacy practices to callers upon their request.
  15. Call transfer – Call center personnel must know and understand the procedures and restrictions for providing and transferring information across country borders. Call center personnel must know if the callers’ PII will or may be transferred to call centers in other geographic locations, and any related restrictions for these transfers.
  16. Sanctions and disciplinary actions – Call center personnel must know and understand their responsibilities for following the organization’s information security and privacy policies, along with the possible sanctions and disciplinary actions that they could face as a result of policy and legal noncompliance.
  17. Key information security and privacy contacts – Call center personnel must know who is responsible within the organization for information security, privacy, and compliance. They must know whom to contact for related issues, and to whom they can turn with information security and privacy concerns and questions.

———————————–
