Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

22-U: Call Centers

This section evaluates how your organization manages call center operations that handle customer information or support services.

The questions focus on whether call center staff are properly vetted and trained, how scripts and procedures address confidentiality and authentication, and what controls exist around call recording, screen viewing, and data entry. They also address physical and logical security in call center environments, quality monitoring, and supervision.

Overall, this section confirms that call center activities do not introduce undue risk to sensitive information, systems, or customers.

Organization

Full Name

95.8- Is the call center network separated from the corporate and WAN networks?

YES

NO

N/A

Explanation: Network separation ensures that sensitive client data in the call center is isolated from broader corporate networks, reducing the risk of unauthorized access or data breaches.

Risks of Incorrect Answer: Increased exposure of sensitive client data to network attacks.

Non-compliance with data protection regulations requiring segregation.

Vulnerability to lateral movement by attackers.

Applicable Frameworks: NIST CSF (PR.AC-5): Ensures access control by segregating networks.

ISO 27001 (A.13.1.1): Requires network security controls.

PCI DSS (Requirement 1.2): Requires segmentation of networks handling cardholder data

If possible, provide a network diagram.

95.8- If No or N/A, please provide an additional explanation

96.8- Does the client enforce both logical and physical separation for the call center?

YES

NO

N/A

Explanation: Logical and physical separation minimizes unauthorized access and protects client data. Logical controls include VLANs and firewalls, while physical controls include restricted access areas.

Risks of Incorrect Answer: Unauthorized personnel accessing sensitive systems or data.

Breaches stemming from insufficient controls over access points.

Applicable Frameworks: ISO 27001 (A.11.1.1): Physical access controls.

HIPAA (164.310(a)): Safeguards for physical access.

NIST CSF (PR.AC-4): Logical access control implementation.

96.8- If No or N/A, please provide an additional explanation

97.9- What controls are in place to prevent unauthorized employees from taking customer information offsite?

YES

NO

N/A

Explanation: Strong controls, such as disabling USB ports, implementing policies against mobile phones in work areas, and monitoring access logs, prevent data exfiltration.

Risks of Incorrect Answer: Loss or theft of sensitive customer data.

Potential regulatory violations and reputational harm.

Applicable Frameworks: NIST CSF (PR.DS-5): Protecting data in transit and at endpoints.

GDPR (Article 32): Ensures safeguards to prevent unauthorized data access.

PCI DSS (Requirement 12.3): Restricts unauthorized physical or logical access.

97.9- If No or N/A, please provide an additional explanation

98.4- Are call center calls recorded digitally or on audio tapes?

YES

NO

N/A

Explanation: Understanding the format of call recordings is critical for determining security requirements, such as encryption and storage access controls.

Risks of Incorrect Answer: Loss of unencrypted or poorly secured recordings.

Compliance failures with data storage and retention standards.

Applicable Frameworks: PCI DSS (Requirement 3.4): Encryption of sensitive data.

NIST CSF (PR.DS-1): Protecting stored data.

ISO 27001 (A.12.4.1): Logging and monitoring requirements.

98.4- If No or N/A, please provide an additional explanation

99.7- How are audio tapes or digital recordings secured?

YES

NO

N/A

Explanation: Proper storage, encryption, and access controls for recordings protect sensitive information and ensure compliance with data privacy standards.

Risks of Incorrect Answer: Breaches exposing sensitive conversations.

Loss of client trust due to non-compliance with security requirements.

Applicable Frameworks: NIST CSF (PR.DS-1): Encrypting stored recordings.

GDPR (Article 32): Data protection and access control measures.

HIPAA (164.310(d)(2)(iv)): Data storage security

99.7- If No or N/A, please provide an additional explanation

100.6- What controls are in place to record calls and review them periodically for quality assurance purposes?

YES

NO

N/A

Explanation: Quality assurance ensures compliance with service and data handling policies. It also helps identify potential security or operational issues.

Risks of Incorrect Answer: Lack of oversight may lead to poor data handling practices.

Undetected issues could result in regulatory fines or breaches.

Applicable Frameworks: ISO 27001 (A.12.7.1): Monitoring and quality assurance.

NIST CSF (DE.DP-5): Continuous monitoring and auditing.

100.6- If No or N/A, please provide an additional explanation

101.6- Do you have a policy or procedure for the retention and disposal of recorded calls?

YES

NO

N/A

Explanation: Retention and disposal policies ensure that call recordings are stored only as long as necessary and securely destroyed when no longer needed.

Risks of Incorrect Answer: Over-retention increases the attack surface for data breaches.

Non-compliance with data retention laws can result in penalties.

Applicable Frameworks: NIST CSF (PR.IP-6): Retention and disposal policies.

GDPR (Article 5.1(e)): Data minimization and retention principles.

HIPAA (164.310(d)(2)(i)): Disposal of sensitive data.

102.7- Are employees and devices used for client data restricted from browsing unrelated websites, including email and social media platforms?

YES

NO

N/A

Explanation: Restricting access reduces the risk of malware infections or accidental data leaks from unsecured browsing.

Risks of Incorrect Answer: Exposure of client data to phishing attacks or malware.

Breaches through compromised employee devices.

Applicable Frameworks: NIST CSF (PR.PT-4): Safeguards against unauthorized software and usage.

ISO 27001 (A.12.6.2): Restrictions on software and browsing.

102.7- If No or N/A, please provide an additional explanation

103.9- During the normal process of servicing customer accounts, do call center representatives collect or access customer-specific billing information (e.g., credit card details, account numbers)?

YES

NO

N/A

Explanation: Monitoring access to sensitive financial data ensures compliance with PCI DSS and other financial data security standards.

Risks of Incorrect Answer: Mishandling of sensitive billing information could lead to fraud or breaches.

Violations of PCI DSS requirements result in fines and loss of payment processing privileges.

Applicable Frameworks: PCI DSS (Requirement 3): Secure storage and handling of cardholder data.

NIST CSF (PR.AC-4): Role-based access control for sensitive data.

GDPR (Article 5.1(f)): Safeguarding personal data.

103.9- If No or N/A, please provide an additional explanation

THANK YOU.

You have completed the
Call Center portion
of the vendor assessment

Press Submit
so that we can process
your responses

Compliance Risk &

Information Security
Partners

CRISP

Empowering small businesses
with BIG Solutions

HOME

ABOUT

CONTACT

Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.

LEGAL POLICIES

Privacy Policy

Terms & Conditions

Disclaimer

Cookie Policy

DSAR

Refunds/Returns

Shipping Policy

EULA

Message

I Consent to Receive SMS Notifications, Alerts & Occasional Marketing Communication from CRISP. Message frequency varies. Message & data rates may apply. Text HELP to (330) 737-2223 for assistance. You can reply STOP to unsubscribe at any time.

​Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

22-U: Call Centers

​Compliance Risk &

Information SecurityPartners

Empowering small businesses with BIG Solutions

HOME

ABOUT

Contact Us

LEGAL POLICIES

Compliance Risk &

Compliance Risk &

Information Security
Partners

Empowering small businesses
with BIG Solutions