Logical and Physical Separation
In the latter half of 2009, while we were acquiring the first new customer for Vantage Agora's BPO operations beyond our original customer, we discussed and put together systems and procedures to make sure that no infringement of data, or otherwise, happens from one customer to another. This document lists all the areas that we have considered to ensure logical and physical separation.
In this document we have segregated the efforts into three main sections:
People: How we allocate people to different projects without their having access to, or skills for, other projects or customers.
Process: How systems, access and training are separated from one customer to another, thereby ensuring separation in processes.
Projects: All projects have separate reporting and SOPs, for which we have created an SOP of interaction for each customer. This is attached as an appendix to this document in the form of links, to make sure that one customer cannot access information for other customers even when auditing this document.
1. Talent is acquired keeping in mind the specific technical and business domain skills needed for the Client. These individuals usually want to work on the same tool and same domain for their careers.
2. Measurements of personality, skills, abilities & past employment behavior are key aspects of our hiring.
These measures are an integral part of our Standard Operating Procedure (SOP). This SOP ensures that our people are inherently (by nature) customer & domain specific.
1. The SMEs are trained & assisted by the business on specific scopes to deliver the knowledge competently. This information is specific to each customer. The other teams in Vantage Agora not only are not provided this information but are also not interested in the information of other customer processes.
2. The VA training team creates comprehensive training material that is usually provided by the customer and very specific to the customer's needs. This training includes classroom presentations by trainers who are trained by the customer.
3. Resources are trained & thereafter coached & mentored by our dedicated coach/Subject Matter Expert.
4. Post completion of the training within timelines specified, the workforce are accredited for the domain & business specific expertise.
5. A monthly product knowledge test is carried out to check staff awareness of recent impacting updates. This is tracked and audited in our system as shown below. This will help you see that only the people on the project are trained and nobody else.
The VA management team is conscious of the SOP, which emphasizes non-disclosure: customer & business sensitive details are not to be disclosed, copied or distributed to any other person, nor are their contents to be used in any way. VA has a strict policy of NOT printing any customer training document for two reasons:
1. To make sure that nobody can take the documents.
2. Since all the documents are on client systems that are Citrix based, it is almost impossible for us to download and print this information. Any document that is in the VA network is stored on the VA internal server. Please see the Training document section of the respective Handbook for each customer.
3. VA is a green company (please refer to the article “Red Going Green”) and we try everything in our power to stop using paper where possible.
VA persistently underlines the career aspirations of the staff. An employee exhibiting immense business specific knowledge & expertise moves on to execute higher responsibilities within the boundaries of each project. This ensures no leakage of workforce from the specified project.
Organization structure: Our executing organization structure is designed to enable and promote logical separation of duties. Please see the link below to see the current organization structure at Vantage Agora.
ID Creation & Deletion:
1. All users have unique business-specific user IDs authenticated by the business for specific job roles & responsibilities. For example: Manager Level Access / Rater Level Access / Trainer Level Access.
2. User IDs are created & logged in the local database. All passwords are unique & user specific, which ensures utmost data security. This is tested in the IT audit that happens on a monthly basis. The list of user IDs and passwords is located on client servers. User IDs are deleted or deactivated once the staff member has decided or confirmed to leave the organization.
The Vantage Agora offices have secure access for all employees that tracks both inbound and outbound access. This information is recorded and can be extracted and provided anytime required.
This access control helps make sure that your data and information is secure at all times.
This is the location for the access control logs:
Please see pictures of physical access control:
Network: The VA network is protected by a firewall. We have divided the network into primary and secondary networks. The primary network, VSNL 2MB 1:1, supports our largest client. All other customers, including office management, use Reliance 2MB 1:1. We are already in the process of signing up a third network provider to prepare for any additional requirement that we might have.
Individual systems: The individual systems at the desks of each employee are directly connected to the network. None of the desktops other than the VA internal Windows 2003 server that is used as a local server has any media drives. The configurations of the desktops are:
In addition to these desktops the management team has been provided with laptops:
All laptops that have media drives attached are listed here with the users using the system:
- David Francis: HP CNF7480V3W
- Jagadish Shetty: HP 98333002Q
- Yuvraj S: HP DV6 CND9153JF9
- Anoop Sam: HP CNU9382QPL
All these people have also signed an NDA with VA. The NDA information for these people is placed in the link below:
All workstations (laptops & desktops) have been installed & protected with antivirus software to keep your data safe. The software is updated & run on a periodic basis. The antivirus software is configured to scan all incoming and outgoing files, and to hook into email to double-check that received email is clean as well.
What do we do to keep your data safe?
- Keep the anti-virus software up to date
- Run the anti-virus software regularly
- Use a firewall
- Update & apply patches to close vulnerabilities
- Done on a Monthly Operating rhythm
We currently use McAfee/Norton/AVG Enterprise antivirus software to keep your data safe.
Most of our client systems run on Citrix-based terminal server/RDP emulation, which makes it impossible for VA employees to keep any data on local machines.
Employees are granted access to client systems while they are getting trained. This ensures that only the people working on the project are given the required access. This is monitored by our customers on a daily basis to check on the work that has been done.
Each employee is given specific access to the client system. This is controlled by our clients and we don’t have any control over this. When an employee joins or leaves a project, VA project managers request that this system access be changed by sending an email to the respective client counterpart. The link below shows the location of the Handbook for all projects. Please look at the Access right section for each client in the list of handbooks.
Employees sign an NDA with VA explicitly stating that they agree NOT to disclose:
- Any information, even to their fellow employees other than their managers within their projects, about the work that they are doing and the accounts they are working on, unless required
- They also agree NOT to disclose any information about any account or account details to any person outside their project
- They agree NOT to bring in any storage media to take any of the data outside the office
Because of the very systematic nature of the work and its non-relevance to everyday life, employees don’t have any need or interest to discuss their work or take their work outside the office.
Monthly IT audit:
In addition there is a monthly audit. Please refer
This SOP is audited on a monthly operating rhythm:
The results of the monthly log are listed here: read more (If you do not have access to this site please contact your VA account manager to help you with an audit for your organization at VA).
VA is a third-party provider of back-office knowledge processing, IT, and consulting work. We hold our customers' data and work at the highest level of regard and responsibility. We maintain physical and logical separation in terms of systems and controls to give you, our customer, the confidence that we do our work in a legal, ethical manner, as you would in your own organization. This policy and associated procedures should help convince you that your data and operations are safe with VA.
*Club website hyperlink access will be provided to auditors on request.
About Vantage Agora
Vantage Agora (VA) is a global provider of back-office solutions, custom IT services and consulting services for companies in the insurance, finance, and healthcare sectors. As an SSAE 16 Type II audited company, Vantage Agora utilizes advanced data processing and quality control systems on a secured network to ensure efficient, comprehensive management of back-office functions such as insurance, accounting, financial and administrative tasks. Founded in 2004, Vantage Agora has offices in Cleveland and Dallas.