1. My employees take credit card numbers from customers and type them into our system. How does Dizzion help?
If you have employees or contractors that handle credit card information, healthcare information or other types of personally identifiable information (PII), you are subject to PCI DSS, HIPAA, or other security or compliance regulations. Dizzion’s service provides a secure, compliant, cloud-based workspace for your agents, employees, and contractors to work with sensitive information like credit card numbers, healthcare information, and other PII. Dizzion’s service is audited annually by a third party to ensure our continued compliance with PCI DSS, HIPAA HITECH, SOC 2 Type II, GDPR, and other compliance regulations. By moving your sensitive workloads to the Dizzion cloud, you can transfer much of the compliance and security burden to Dizzion and use our Attestations of Compliance to ease your own audit processes.
2. Can I achieve PCI/HIPAA/GDPR compliance while allowing employees to work from home?
YES! Dizzion provides solutions that can help you achieve compliance all the way down to your end users’ endpoint devices. We employ technologies that not only ensure the compliance of Windows virtual desktops running in the Dizzion cloud, but also of your users’ workstations, whether they are sitting in an office or in their own homes.
3. If I use screen masking software to hide credit card numbers, or an IVR system to ensure my agents don’t hear credit card numbers, do I need Dizzion’s compliance package?
Only someone who is familiar with the details of how your business operates can say for sure, but in general, if the systems you use process, transmit, or store credit card information, those systems are in scope for PCI DSS regardless of whether your end users can see or hear that information.
Achieving PCI compliance may be easier for organizations that implement IVR systems or mask credit card numbers on agents’ screens, because these approaches can reduce the scope of your cardholder data environment, but they will not free you from PCI compliance. The workstations and systems that your agents use for processing, transmitting, or storing customer data (including credit card information) are still subject to PCI DSS.
4. We don’t process credit cards; do we even need to be PCI compliant?
PCI DSS is a standard mandated by the major card brands and enforced through your merchant agreement, so it applies to every company that stores, processes or transmits credit card information. If you allow customers to pay for your products or services with credit cards, you are subject to PCI compliance. Even if you only process a few credit card transactions a month, you must comply with PCI standards. If you use a third-party payment processor, you must still comply with PCI standards. If you don’t store credit card data but it passes through your servers or your network, you must also comply with PCI standards. However, if your organization does not take credit card payments and doesn’t store, process, or transmit cardholder data whatsoever, you are probably not subject to PCI compliance, although you should seek the advice of a compliance expert to be certain.
Even if you are not subject to PCI DSS, HIPAA, SOC, GDPR, or other compliance regulations, you may choose to leverage Dizzion compliance services as part of your general IT security framework, as it provides many tools, processes, and procedures that can augment existing security controls. Many organizations choose to use PCI DSS as a framework to govern their IT security policies even if they are not subject to it, as the standard provides prescriptive guidance that helps to bolster IT security.
5. We outsource our credit card payment systems – are we subject to PCI compliance?
Outsourcing simplifies payment card processing but does not provide automatic compliance. Even when using an outsourced credit card payment system, you are still responsible for the policies and procedures within your organization that govern cardholder transactions and data processing, including compliance training for employees who take credit card payments over the phone, in person, or who otherwise interact with cardholder data. Your business must protect cardholder data whenever you receive it, store it or process it, including chargebacks and refunds. You must also ensure that your payment system providers’ applications and card payment terminals comply with the respective PCI standards. You should request an Attestation of Compliance and a Responsibility Matrix annually from any service provider that handles cardholder data on your behalf, so that it is clear which controls the provider covers and which remain yours.
6. Can I be compliant and still allow users to use their own personal computers?
Absolutely! None of the PCI, HIPAA, SOC, GDPR, or other major compliance regulations for which Dizzion is audited prohibit an organization from allowing users to connect to Dizzion systems and services with their own personal computers. However, if you choose to allow end users to use their personal computers, you will need to implement policies, procedures, and technologies to ensure that the security of those computers meets all applicable compliance requirements. Dizzion can help here too.
7. How can I control the security of a user’s personal computer?
First, it’s important to understand what requirements are applicable to your end user’s workstation. Whether a user is working from home, or they’re in your corporate headquarters, PCI DSS compliance specifies a number of controls, including, but not limited to the following:
• PCI Section 1.2.3, 2.1.1, 4.1.1 – These sections (among others) dictate controls for wireless networks, and they apply to corporate wireless networks as well as your users’ home WiFi networks: place a firewall between any wireless network and the cardholder data environment, change the default settings on WiFi routers (encryption keys, passwords, SNMP community strings, and so on), and use strong encryption for wireless authentication and transmission. (Requirement numbers here follow PCI DSS v3.2.1; v4.0 renumbers them.)
• PCI Section 1.4 – Requires that personal firewall software is installed and active on any computing device that connects to the internet when outside the corporate network and is used to access the cardholder data environment.
• PCI Section 5.1 – Requires that anti-virus software is deployed on all systems commonly affected by malicious software. This includes your end users’ personal computers.
• PCI Section 5.2 – Requires that all anti-virus mechanisms are kept current and perform periodic scans.
So how can you ensure that your users’ personal computers and home WiFi networks meet all these requirements? One option is to install software on the user’s computer that would allow you to monitor and control it, such as an MDM solution. But this isn’t a very popular option with most end users and can be difficult to gain support for.
A second option is to perform a few non-intrusive checks of the user’s endpoint before allowing them to connect to their Dizzion desktop. Dizzion can provide this ability as part of our service, checking that the end user is running an antivirus that is up to date, that the Windows firewall is enabled and configured, and even that the user is on a wired network connection rather than WiFi (eliminating the complexities of auditing a user’s home WiFi network). We can do all this without installing an MDM software suite or taking control of the user’s computer. This approach can shorten the time needed to complete an audit and relieve you of much of the work of ensuring the security and compliance of your users’ personal computers, while remaining non-intrusive to the user’s personal device.
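The following script is an added example of the kind of endpoint posture check described above; it is not Dizzion’s own code and does not show how Dizzion performs its checks. It uses only built-in Windows cmdlets to verify the three conditions named in the answer (current antivirus, host firewall enabled, wired uplink) and prints a JSON verdict. The signature-age threshold of 7 days, the wired-only switch, and the reliance on Microsoft Defender with a Security Center fallback are assumptions made for the example, not requirements taken from the page or from PCI DSS.

```powershell
# Added example (not Dizzion code): endpoint posture check for a Windows
# workstation before it is allowed to open a virtual desktop session.
# Assumptions (not from the page): Windows 10/11, Microsoft Defender or an AV
# registered with Security Center, NetSecurity/NetAdapter modules available.
# Run in an elevated PowerShell session. Exit code 0 = compliant, 1 = not.

[CmdletBinding()]
param(
    [int]$MaxSignatureAgeDays = 7,   # assumption: tolerated age of AV definitions
    [switch]$RequireWired            # assumption: fail on Wi-Fi / cellular uplinks
)

$findings = [System.Collections.Generic.List[string]]::new()

# --- PCI DSS 5.1 / 5.2: anti-malware present, enabled and current ----------
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)")
    }
} else {
    # Defender not reporting: fall back to whatever Security Center knows about.
    $avs = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $avs) {
        $findings.Add('No antivirus product reported by Defender or Security Center')
    } else {
        # Presence only; third-party products must be checked for freshness separately.
        $findings.Add("Third-party AV present ($($avs.displayName -join ', ')), signature age not verified")
    }
}

# --- PCI DSS 1.4: host firewall enabled on every profile, default-deny inbound
$profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
if (-not $profiles) {
    $findings.Add('Windows Firewall profiles could not be read')
} else {
    foreach ($p in $profiles) {
        if ($p.Enabled -ne 'True') {
            $findings.Add("Firewall disabled for profile '$($p.Name)'")
        }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings.Add("Profile '$($p.Name)' does not block inbound connections by default")
        }
    }
}

# --- Wireless scoping (1.2.3 / 2.1.1 / 4.1.1): refuse wireless uplinks on request
$uplinks  = Get-NetAdapter -Physical -ErrorAction SilentlyContinue | Where-Object Status -eq 'Up'
$wireless = $uplinks | Where-Object { $_.PhysicalMediaType -match '802\.11|Wireless|WWAN' }
if (-not $uplinks) {
    $findings.Add('No active network adapter found')
} elseif ($RequireWired -and $wireless) {
    $findings.Add("Active wireless uplink: $($wireless.Name -join ', ')")
}

# --- Verdict ---------------------------------------------------------------
$result = [pscustomobject]@{
    Host      = $env:COMPUTERNAME
    CheckedAt = (Get-Date).ToString('s')
    Compliant = ($findings.Count -eq 0)
    Findings  = $findings
}
$result | ConvertTo-Json -Depth 3
exit ([int](-not $result.Compliant))
```

Run it as `.\Check-EndpointPosture.ps1 -RequireWired` (the file name is illustrative) from a connection broker or logon script and gate the desktop launch on the exit code. The script reports rather than remediates, which keeps it non-intrusive on a personal device; it also records every failed check rather than stopping at the first, so the user can be told everything that needs fixing in one pass.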
8. Do I need Multi-Factor Authentication to be compliant?
YES. Under PCI DSS, Multi-Factor Authentication (MFA), meaning that an individual must present at least two separate forms of authentication before access is granted, is required for all remote access. PCI DSS v4.0 extends this: requirement 8.4.2 mandates MFA for all access into the cardholder data environment (CDE), not just access through remote access methods, and that requirement becomes mandatory on 31 March 2025.
From the PCI DSS Requirements document:
PCI Section 8.3 - Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
This means that MFA is required for any user (administrative or otherwise) who has remote access to the Cardholder Data Environment (CDE). In practice, any user who interacts with cardholder data in any way (credit card numbers, cardholder names, addresses, and so on) from outside the CDE must authenticate with MFA before reaching that system. The PCI standard goes on to state that MFA can be applied at the network level or at the system or application level, which means that if the application(s) used to access the CDE already enforce MFA, a user would not have to use MFA again when logging on to their physical or virtual desktop; MFA is only required once before the user is granted access to the CDE.
When it comes to HIPAA, under the section relating to Security Awareness and Training (164.308(a)(5)), the standard stipulates that covered entities must implement “procedures for creating, changing and safeguarding passwords”. The standard does not explicitly require Multi-Factor Authentication, but further states in requirement 164.312(d) that an organization must “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” Multi-Factor Authentication is certainly an effective way to meet this requirement but is not explicitly mandated.
SOC 2 and GDPR are similar to HIPAA in that they do not explicitly require MFA, but best practice widely holds that MFA is the most effective way to meet the access-protection controls and directives of each of these standards.
9. What is a Clean Desk Policy, and do I need one?
Generally, a clean desk policy is an organizational directive that specifies how employees should maintain their working space. Most clean desk policies contain rules like, no personal items at the workstation, no paper and pens for writing things down, no cell phones, and other restrictions to prevent sensitive information from being leaked from a user’s workspace.
If you are simply attempting to pass a PCI DSS, HIPAA or GDPR compliance audit, you are not required to have a clean desk policy, as there are no controls in those regulations that mandate it. If, however, you are subject to ISO 27001, you will need one: a “clear desk and clear screen policy” is specified in ISO/IEC 27001:2013 Annex A control A.11.2.9 (the 2022 revision carries it as control A.7.7).
Even in cases where a clean desk policy is not mandatory, some organizations choose to implement one to further augment security.
10. How do I know my customer data is safe with Dizzion?
In most cases, Dizzion does not process or store customer data (this would only occur in rare cases in which a customer has explicitly asked Dizzion to store sensitive data). Dizzion customers use Dizzion virtual desktops as a method to deliver a secure, compliant workspace to their agents and end users, but not typically to host personal or sensitive information (PII or PHI). Dizzion virtual desktops allow those end users to securely connect to the systems that process and store customer data, but Dizzion does not become a new custodian of your data. When customers transition from a traditional desktop model to a DaaS model with Dizzion, those customers do not typically change the systems on which customer data is processed or stored.
Having said that, the data that is resident in Dizzion’s cloud service is encrypted both in transit and at rest. Data in transit between the end user and the Dizzion cloud is protected with TLS 1.2 or later. Data in transit between our customers’ data centers and the Dizzion cloud is encrypted in IPsec VPN tunnels using AES-GCM. Data at rest on Dizzion storage uses FIPS 140-2 validated AES-256 encryption.
11. How do I prevent my employees from looking at unapproved/malicious/inappropriate websites?
While there are no explicit requirements in PCI DSS, HIPAA, SOC 2, or GDPR to use technology to prevent users from accessing the public internet, and no mandate to block websites deemed offensive, inappropriate, malicious, or otherwise objectionable, some organizations still choose to enforce content filtering (sometimes referred to as “URL filtering” or “web filtering”) to control web access as part of their security best practices.
Dizzion provides web content filtering as an optional part of our service, which allows our customers to prevent their users from accessing certain websites. It works by categorizing sites by type (sports, gambling, adult, streaming, and so on) and then allowing or blocking access to each category. We also allow for the creation of allow lists (permitted sites) and block lists (blocked sites), and can even block objectionable content within otherwise allowed sites.
If you already have a content filtering solution in place, talk to Dizzion about our ability to integrate with it.
12. How do I know my employees aren’t taking pictures of the screen when a client’s personal information is displayed?
Preventing employees from taking pictures of the screen can be difficult to enforce; however, implementing a clean desk policy that requires users to keep cell phones and other devices capable of taking pictures away from their desks is a good start. Current PCI DSS, HIPAA, SOC, and GDPR regulations do not mandate technologies to prevent this, but Dizzion does provide controls that prevent an end user from using the “screenshot” or “snipping” tools in Windows inside the virtual desktop, making it more difficult to capture the screen image. Note that these controls act within the session and cannot stop a camera pointed at the monitor, which is why the policy and the technical control belong together.
13. How do I know my employees aren’t writing down clients’ personal information?
As with the previous question, this can be difficult to enforce; however, implementing a clean desk policy that requires users to keep pens, pencils, and paper away from their desks is a good start. Dizzion’s controls that prevent an end user from using the “screenshot” or “snipping” tools in Windows also help here by removing the easiest way to copy what is on screen, leaving only manual transcription, which the clean desk policy addresses.
14. How do I know my employees are actually working, and not goofing off?
Dizzion provides much of this visibility as part of our basic service, for no additional charge. With Dizzion’s “Insights” portal, you can monitor the time of day that a user logs in to their desktop, the time they spend using the desktop, compare their active time to their idle time, and see when they log out. This helps many organizations to develop a better understanding of the work habits and efficiencies of their team, especially in work from home scenarios.
If you need even more visibility into the productivity of your users, including application-level auditing or monitoring, workforce management tools may provide even more depth in their ability to monitor and audit the work habits of your agents, employees, or contractors. Talk to Dizzion about how we are able to integrate with these third-party tools.
15. Can we perform our own penetration tests against Dizzion’s service?
Yes! Dizzion allows our customers to perform penetration tests against their dedicated Dizzion service environment. Customer penetration testing may only be performed against the customer’s own deployment, never against other customer environments or other Dizzion services or components. We require that you notify us before you perform any penetration tests against your environment so that our Security Operations Center is aware and does not treat your test traffic as an attack. Following your tests, we’re also happy to review the results with your security team.
16. I need compliance that Dizzion doesn’t list (CCPA, ISO 27001, state regulations, etc.) – can you certify me for compliance?
Dizzion can only officially attest to compliance for the industry standards for which we are audited. As of the writing of this document, that includes PCI DSS, HIPAA HITECH, SOC 2 Type II, and GDPR. However, many of the technologies, processes, and procedures that we have put in place to achieve compliance with those regulations also satisfy many of the requirements of other compliance standards. Dizzion can provide an Attestation of Compliance (AOC) document to customers who subscribe to our compliant services. Dizzion’s AOC provides information gathered from a third-party audit of Dizzion’s service and can help your organization through an audit of another type by supplying the evidence needed to demonstrate compliance in numerous areas.
17. If I subscribe to a Dizzion compliant DaaS service, is my organization automatically 100% compliant?
No. Neither Dizzion nor any other service provider can make your organization 100% compliant (no matter what they tell you), but we can get you most of the way there. Achieving compliance is a shared effort between your organization and the service providers to which you choose to outsource business services. Dizzion’s compliant DaaS service provides hundreds of technologies, processes, and procedures that meet or exceed 70%+ of the controls required by the compliance regulations for which we are audited. No matter which service provider you choose, there will always be some compliance controls for which your organization remains responsible.
Those include items such as training your employees on how to responsibly handle personal information, ensuring you only give access to personnel who require it as part of their job function, and ensuring that other vendors (including Dizzion) attest to their own compliance.