Information Security
Talkdesk Physical Security and Security Operations
By Steve Bell
0 min read
Security is one of the most critical aspects of any enterprise cloud contact center. Talkdesk understands that the confidentiality, integrity and availability of our customers’ data is vital to your business operations and our own success.
This post is the third in a four-part series outlining Talkdesk’s security policies. In this post, we cover the topic of Talkdesk physical security and security operations.
Physical Security
Office Security
Although Talkdesk does not manage physical infrastructure or data centers, physical access controls are implemented in Talkdesk offices that typically include card-reader or biometric access to facilities.
Data Center Security
Talkdesk data centers are hosted and managed by AWS. Physical access to all AWS data centers, collocations and facilities housing IT infrastructure components is restricted to authorized data center employees, vendors and contractors who require access in order to execute their jobs. AWS utilizes multi-factor authentication mechanisms for data center access, as well as additional security mechanisms to ensure that only authorized individuals enter an AWS data center.
Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1
- SOC 2/SSAE 16/ISAE 3402
- PCI Level 1
- FISMA Moderate
Security Operations
Vulnerability Management
The Engineering Security team continuously monitors Talkdesk environments for system vulnerabilities and performs scanning on a recurring basis in accordance with Talkdesk policy, by using industry standard scanning technologies. These technologies are customized to test the organization’s infrastructure and software in an efficient manner while minimizing the potential risks associated with active scanning.
Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity and assigned an owner. The Engineering Security team tracks such issues and follows up frequently until they can verify that the issues have been remediated.
Patching
Talkdesk has implemented a patch management process to ensure contracted customer and infrastructure systems are patched in accordance with vendor-recommended operating system patches.
This process includes steps to review proposed patches to determine the risk of applying or not applying patches based upon the security and availability impact of those systems, and any critical applications hosted on them.
Talkdesk continually reviews patches and updates as they are released to determine their criticalities.
Penetration Testing
Independent penetration testing is completed at least annually to measure the security posture of a target system or environment. The third-party vendor uses an accepted industry standard penetration testing methodology. Penetration testing also includes network and application layer testing. This ensures that we have an “alternative” view of how effectively implemented security policies and processes are. Internal penetration tests are also conducted by the Engineering Security team.
Get an in-depth look at Talkdesk security policies.
Change Control
The goal of Talkdesk’s change management process is to prevent unintended service disruptions and to maintain the integrity of services provided to customers. Therefore, all changes, before deployed to production, are reviewed, tested, approved and communicated.
This is aligned with our Systems/Software Development Life Cycle (SDLC). SDLC also covers documentation requirements, development practices and quality assurance testing requirements.
Segregation of Duties
Different areas of responsibilities are segregated to reduce opportunities for unauthorized or unintentional modification or the misuse of our infrastructure.
Asset Management
Talkdesk uses an asset management solution to manage all computer assets. It automates device setup, fleet intelligence, app and OS updates, and security across Talkdesk.
Regarding virtual assets, all resources are managed in the virtual asset inventory system (within AWS). AWS account owners are responsible for approving access to the resource and for performing periodic reviews of access by role.
Monitoring
Talkdesk’s management performs monitoring activities to continuously assess the quality of internal control over time. Necessary corrective actions are taken as required to correct deviations from company policies and procedures.
Employee activity and adherence to company policies and procedures is also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.
At Talkdesk, we take security seriously and work every day to improve and keep your information protected. The protection of user data is a primary design consideration for all of Talkdesk infrastructure, applications and personnel operations. Protection of user data is far from being an afterthought or the focus of occasional initiatives – it’s an integral part of what we do. That’s why we have talented security professionals, industry-best technology to address risks and processes to make sure everything functions optimally.
Watch for our fourth blog in the security series covering incident management, business continuity, compliance and accreditation, and more.
