Security

1.0 Introduction

Puzzel has offered cloud solutions for more than 15 years. Over the years, we have established processes, methods and technologies and embraced proven standards to meet our customers’ security, privacy and accessibility needs. The nature of threats is constantly changing; thus, security awareness is a natural part of our development and operational processes.

Some of our customers are very specific when it comes to information security, and have a comprehensive information security management system themselves. It is important to Puzzel to be recognised as a trusted partner for all customers. Therefore, we will adapt to customer needs as long as it does not compromise our policies and business model.

Puzzel has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Customer Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.

1.1 Information security policies

Puzzel’s management team has developed the Information Security Policy and the related Security Objectives to support Puzzel’s Business Objectives. The policy is the foundation for Puzzel’s Information Security Management System (ISMS), and the starting point for top-down risk assessments. The policy is revised and improved yearly. The Information Security Policy is a high-level document, supported by the Information Security Handbook holding more detailed policies. Finally, a range of underlying procedures detail security related activities and controls.

Statement of Applicability

The applicability of all controls in Annex A of ISO/IEC 27001:2013 has been evaluated against requirements from all interested parties. All controls listed in Annex A have been mapped to requirements and marked as applicable in the Statement of Applicability. This means that Puzzel must adhere to, and be audited against, all parts of ISO/IEC 27001:2013.

1.2 Organization of information security

Puzzel’s security organisation covers all relevant areas of the business, and appropriate training is therefore planned and executed to fit the level and role.

Puzzel has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.

The Compliance Officer is responsible for managing the ISO 9001 and ISO 27001 certifications, internal audits, security awareness training and compliance with all data protection and privacy laws and regulations generally applicable to Puzzel.

The Compliance Officer is also the Data Protection Officer in Puzzel.

1.3 Human resources security

To maintain a high and consistent security level, continuous training and awareness sessions are key. At Puzzel all employees are continuously trained and updated on our Security Policy, Data Discipline instructions, Visitor Policy, procedure for handling Information Assets as well as role specific policies and procedures.

Puzzel only uses anonymous data in training.

All Puzzel employees are obligated to sign our Confidentiality Agreement and must adhere to our Business & Ethics Conduct Policy. Mandatory security training is completed as part of the enrolment process of new employees.

Puzzel informs its personnel about relevant security procedures and their respective roles. Puzzel also informs its personnel of possible consequences of breaching the security rules and procedures.

Puzzel has developed employee onboarding and offboarding procedures also considering employee role changes within the organization granting new or expanded access privileges.

1.4 Asset management

a) Puzzel maintains an asset register containing all parts of the Puzzel Contact Centre Cloud.
b) A separate personal data register contains all assets where personal data are stored.
c) Puzzel also maintains a responsibility matrix linking assets and technology to responsibility owners.
d) Puzzel classifies Customer Data to help identify, restrict and secure data according to sensitivity (e.g., through encryption).
e) Puzzel imposes restrictions on printing Customer Data and has procedures for disposing of printed materials that contain Customer Data.
f) Puzzel personnel must obtain Puzzel authorization prior to storing Customer Data on portable devices, remotely accessing Customer Data (e.g. remote VPN access), or processing Customer Data outside Puzzel’s facilities.
g) Removable media must be encrypted before removal from Puzzel’s facilities.
h) Hard drives from Puzzel data centres are destroyed onsite before proper disposal.

1.5 Access control

Puzzel implements physical and logical access control across Puzzel networks, IT systems and services in order to provide authorised, granular, auditable and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability in accordance with the Information Security Policy.

Access control systems are in place to protect the interests of all authorised users of Puzzel Contact Centre Systems by providing a safe, secure and accessible environment.

Access Authorization

a) Puzzel maintains and updates a record of personnel authorized to access Puzzel systems that contain Customer Data.
b) Puzzel deactivates authentication credentials that have not been used for six months.
c) Puzzel identifies personnel who may grant, alter or cancel authorized access to data and resources.
d) External parties such as consultants, sub-suppliers and others with access to any of Puzzel’s assets are required to sign a Non-Disclosure Agreement.

Least Privilege

Puzzel restricts access to Customer Data to only those individuals who require such access to perform their job function.

Integrity and Confidentiality

Puzzel instructs Puzzel personnel to disable administrative sessions when leaving premises. Automatic computer locking is enabled on Puzzel personnel’s computers and session timeout on servers.

Authentication

a) Puzzel uses industry standard practices to identify and authenticate users who attempt to access information systems.
b) Where authentication mechanisms are based on passwords, Puzzel requires that the passwords are renewed regularly.
c) Where authentication mechanisms are based on passwords, Puzzel requires the use of strong passwords.
d) Puzzel ensures that de-activated or expired identifiers are not granted to other individuals.
e) Puzzel monitors repeated attempts to gain access to the information system using an invalid password.
f) Puzzel maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
g) Puzzel uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.

1.6 Cryptography

a) The Security Manager has the overall responsibility for implementing and managing cryptography in Puzzel.
b) Data in transit over public networks uses encrypted protocols.
c) Data in transit over internal Puzzel networks uses encrypted protocols if feasible and according to the sensitivity of the data.
d) Wireless access network equipment is not allowed in Puzzel Data Centres.
e) Wireless networks in Puzzel Offices use industry standard technology.
f) Puzzel Office Guest Wi-Fi access is located on separate network segments with restricted access to internet only.
g) Only secure protocols are in use for remote administration (e.g. SSH v2, RDP and HTTPS).
h) Mobile devices are encrypted.
i) Remote administration of Puzzel systems uses industry standard VPN technology.
j) Puzzel web servers only use certificates issued from recognized 3rd party certificate vendors.

1.7 Physical and Environmental Security

Puzzel physically protects the production environments in cooperation with professional data centre service providers. Except for the rental of data centre rooms with provided redundant power and cooling, Puzzel provides all physical and application deliveries itself. Some of the mechanisms involved are security guards, surveillance systems, comprehensive access control systems and monitoring of operating conditions.

a) Physical Access to Facilities: Puzzel limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.
b) Physical Access to Components: Puzzel maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Customer Data they contain.
c) Protection from Disruptions: Puzzel uses a variety of industry standard systems to protect against loss of data due to component failure.
d) Component Disposal: Puzzel uses industry standard processes to delete Customer Data when it is no longer needed.

1.8 Operational Security

Operational Policy

Puzzel maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.

Malicious Software

Puzzel has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.
User awareness activities around malware are performed periodically.

IPS and DDoS protection are installed and protect the internet perimeters. DDoS protection from ISPs is in place to mitigate high-volume attacks, and DDoS protection in the Puzzel perimeters mitigates more advanced attacks.

Data Recovery Procedures

a) On an ongoing basis, but in no case less frequently than once a week (unless no Customer Data has been updated during that period), Puzzel maintains multiple copies of Customer Data from which Customer Data can be recovered.
b) Separate backup systems are in use and configured for cross backup between Puzzel’s two data centres.
c) Puzzel has specific procedures in place governing access to copies of Customer Data.
d) Puzzel reviews data recovery procedures at least every six months.
e) Puzzel logs data restoration efforts, including the person responsible, the description of the restored data and which data (if any) had to be input manually in the data recovery process.

Logging and Monitoring

System administrator activities, exceptions, faults and information security events are logged in a central monitoring tool 24/7/365.

All Puzzel Services are continuously monitored, and if any deviations are detected that have an impact on one or several of our customers, they are reported on our status site.

All system clocks are synchronized to the same sources using the NTP protocol.

In the Puzzel Contact Centre, all changes and user logon activity are logged. The logs are available to the Customer’s administrators in the Admin Portal.

ITIL processes around change, release and problem are in use for software installation and patching.

Maintenance Windows

During planned maintenance, we perform patching and security upgrades, replace equipment, add capacity, and deploy releases and other changes in our infrastructure. All maintenance is notified in advance and any disturbances expected are highlighted in the notification. Standard maintenance work will normally not disturb the Service.

Vulnerability management

When we make our services available to our customers, they are carefully monitored. This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts and abuse detection. We also use distributed denial-of-service (DDoS) attack prevention, frequent penetration testing and data analytics to make sure that the operation is stable and secure.

1.9 Communications Security

a) Puzzel networks are segregated according to system use and data sensitivity.
b) Production systems are physically and logically separated from development and test systems.
c) All traffic between networks is controlled by firewalls.
d) Voice and data networks are separated.
e) Any external transfer of Customer Data is agreed upon with the Customer. For sub-processors, a data protection agreement between Puzzel and the sub-processor is in place, and the sub-processors are specified in the data protection agreement between Puzzel and the Customer.

1.10 System acquisition, development and maintenance

From planning to deployment of new services or features, we follow our Secure Development Process, meaning that security requirements are embedded and measured during the service’s lifetime. Security requirements are based on a combination of legal, sector, client, best practices and compliance with privacy laws and regulations.

  • We perform security audits and penetration testing using both internal and external experts. These include:
    o Risk assessment of every user case to be developed
    o Continuous awareness training
    o External applications penetration testing
    o Internal & external audits
  • Our services are tested to ensure resilience against attacks like SQLi, XSS and CSRF, session hijacking, and other threats. Our security focuses on the OWASP Top 10 vulnerabilities.
  • Puzzel strives to develop software according to current development best practices. We keep up to date with industry trends and predictions, as well as planned and possible disruptive changes. Our development teams use a Scrum-based approach to prioritize, organize and develop new releases. We have 4 main releases per year (January, April, June and October). Patches and minor upgrades are released continuously, but mainly during planned maintenance.
  • The quality of our software is our highest priority, including security and performance of the service. Customer involvement during the development stage is a crucial aspect for us to always be in tune with our customers’ needs, and to deliver the most important features requested by our customers.
  • Customer Data are not used in testing.

1.11 Supplier relationships

Head of Voice & Service Management is responsible for the Supplier Management Process involving management for Supplier contracts, agreements and audits.
Where the controller agrees to the appointment of sub-processors, those sub processors are appointed on the same terms as are set out in the contract between the controller and the processor.

1.12 Information security incident management

Risk Management

Puzzel performs risk assessments to protect Services and Customer Data.
We assess risk both top-down and bottom-up. Our risk treatment plan is managed and updated quarterly. Our documented risk management process ensures both existing and residual risk are assessed and planned.

Change Management

We plan, conduct and review changes carefully in our production environment, using service level agreements actively as our defined minimum for service availability. Using documented processes for development, change management and release management, we focus on quality assurance.

Incident management

An incident is defined as “any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service”. When we receive notification of an incident in our system, either from our customers who report a deviation, or from our internal resources (personnel or monitoring), our teams immediately act upon this information and try to classify the incident severity. If of high severity, we follow an escalation process to reach the correct team and fix the deviation as soon as possible.

Incident Response Process

When things go wrong, we notify the relevant external parties and alert our internal staff, in an effort to bring services and production back to normal as soon as possible. We investigate problems and incidents according to ITIL-aligned problem management and incident management processes.

Response to errors and incidents is planned and documented. Puzzel has various groups of employees specially trained to handle different abnormalities or deviations, such as our Security Response Team, Service Desk and Operations On-call duty.
Puzzel maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.

1.13 Information security aspects of business continuity management

Business Continuity is planned and ensured according to our own BC plans that are based on ISO/IEC 27031.

We protect personal and business information both physically and logically, using perimeter security measures, access control mechanisms and encryption techniques at both system and application level. Access levels and access to business information are given according to the system owners’ instructions, and the operators’ roles and responsibilities.

We regularly copy and back up data securely between our physical locations using a system-independent enterprise data protection and access solution, and we test and plan for various restore situations.

a) Puzzel maintains emergency and contingency plans for the facilities in which Puzzel information systems that process Customer Data are located.
b) Puzzel’s redundant systems and storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original state from before the time it was lost or destroyed.

1.14 Compliance

To make sure that we are following the best practices, we always strive to comply with industry standards and have regular audits by approved external organisations to ensure these are followed to the right extent.

Puzzel has established and agrees to maintain a data security policy that complies with the ISO 27001 standards for the establishment, implementation, control, and improvement of the Information Security Management System and the ISO/IEC 27002 code of best practices for information security. On a confidential need-to-know basis, and subject to Customer’s agreement to non-disclosure obligations Puzzel specifies, Puzzel will make the Information Security Policy available to Customer, along with other information reasonably requested by Customer regarding Puzzel security practices and policies.

Certifications and licences held by Puzzel

ISO/IEC 27001 certified
“A certified information security management system demonstrates commitment to the protection of information and provides confidence that assets are suitably protected – whether held on paper, electronically, or as employee knowledge. Such systems take a systematic approach to minimising risk and ensure compliance with legal and other requirements. An ISO 27001 certificate demonstrates that you have taken necessary precautions to protect sensitive information against unauthorised access and changes.”
(Source: DNV GL)

PCI DSS – Level 2 certified Service Provider

“PCI security for merchants and payment card processors is the vital result of applying the information security best practices in the Payment Card Industry Data Security Standard (PCI DSS). The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.”
(Source: PCI Security Standards Council)

ISO 9001 certified

“Quality management systems provide a framework for focus on customer and product requirements, process performance and effectiveness with emphasis on continual improvement and objective measurement. An ISO 9001 certificate proves that your quality management system has been certified against a best practice standard and found compliant.”
(Source: DNV GL)

Audits

Puzzel uses both internal and external audits in several areas. Internal audits follow a plan to ensure that we cover all areas in a certain period.

Puzzel will audit the security of the computers and computing environment that it uses in processing Customer Data (including personal data) on the Puzzel Cloud Services and the physical data centres from which Puzzel provides the Puzzel Cloud Services.

Internal audits are performed regularly and external audits at least annually.

External penetration testing is performed annually by an independent 3rd party.

Document retention

Puzzel retains its security documents pursuant to its retention requirements after they are no longer in effect.

Puzzel Cloud Services – Infrastructure Overview

The Puzzel Cloud Services are built on secure best of breed components. All services are produced and delivered from data centres fully managed and operated by Puzzel. Data processing takes place in Europe (EU/EEA) and follows European regulations and requirements regarding protection of data privacy.

  • Only well recognized Co-Location partners are used.
  • All Puzzel infrastructure is isolated in separate rooms or cages with access only for personnel controlled by Puzzel.
  • All data centres are locked and alarmed with 24/7/365 surveillance.
  • External and internal video monitoring and traceability of access to the premises.
  • Redundant climate control with environmental monitoring of gas, moisture, heat and water.
  • Fire alarm with automatic firefighting equipment.
  • Uninterruptible power supplies regularly tested against simulated power outages.

Data Centres

Puzzel stores and processes customer data at the following data centres:

Data Centre 1: Puzzel DC 1, Oslo, Norway.
Data Centre 2: Puzzel DC 2, Akershus, Norway.

Data Centres key compliance: ISO 9001:2015, ISO 27001:2013, PCI DSS

Data Centre Services offered and information stored at Puzzel DC 1 & 2:

  • Agent Interface
  • Management Interface
  • Recordings (Voice and text)
  • Call Data Records
  • Payment Solutions
  • SMS Solutions
  • Work Force Management

Infrastructure & Resilience

All components in Puzzel’s infrastructure are redundant by design. There are three levels of redundancy built into the infrastructure:

  • Component resilience: Every component in the infrastructure has built in resilience within the unit. This might be redundant power adaptors, network cards, mirrored disks etc.
  • Load balancing & redundancy: All critical infrastructure such as web servers and application servers is load balanced, so systems stay operational even if components or servers fail completely. For components not suited for load balancing, such as databases, an advanced synchronization mechanism is used between the active server and passive servers. This prevents data loss and minimizes disruption during failover.
  • Geo redundancy: All systems can be run at full capacity from either DC1 or DC2, tolerating a full outage of either of the data centres.
  • Backup: Separate backup systems do cross-site backup of the Puzzel Data Centres. Backups from the Data Centres are duplicated at both Data Centres.

Systems

  • Carrier interconnections & Internet connections: Operator connections and internet connections are redundant, and traffic is either load balanced or run in active/passive mode from ISPs or Carriers.
  • Network, Firewalls & Backbone: Internal networks (core switches, firewalls, routers, MUXes, panels, intercompany connections) are redundant by design.
  • Operator Switches and Session Border Controllers: Soft-switches and Session Border Controllers (SBC’s) have component resilience and are redundant across the Data Centres. They connect to operator networks, enabling Puzzel’s services to switch voice traffic to and from callers and agents.
  • Traffic modules: Traffic modules hold the contact centre functionality (IVR, ACD, menus, queues etc). They are stacked and scale by adding more modules (servers).
  • Application and Web servers: Application Servers provide the services and functionality for the Puzzel Contact Centre such as user management, configuration, SMS services, email channel, Social media channel, billing, statistics etc. Application servers are load balanced and redundant across the Data Centres.
  • Database servers & File Storage: The databases are the primary storage of the Application- and Customer Data. Examples of data are CDR information, users, statistics, configurations, billing information, recordings and chat dialogues. Databases are either redundant across the Data Centres or run Active/Passive configurations with synchronous synchronization of data between the Data Centres.