Our approach

Our business model at MicroSourcing includes providing clients with state-of-the-art in-center work environments and office space. However, we also recognize that unexpected situations or preferential arrangements may create the need for remote or work-from-home solutions.

MicroSourcing is responsible for providing connectivity, staff deployment and in-center office space, along with desktops and laptops for client operations. Clients are responsible for equipping their offshore staff with the tools, applications and systems they need to fulfill their duties. It is important to note that client data remains within the client's own systems and under the client's control; MicroSourcing does not transfer it to our systems.

While we implement robust security measures for our own systems, the security of client systems remains the client's responsibility. Remote and work-from-home arrangements carry increased data security risk, because offshore staff operate telecommunications and computer equipment outside our secure in-center environment, where the physical and network controls described below do not apply.

Through its experience deploying work-from-home solutions, MicroSourcing has already identified many of these risks. Subject to the client's own evaluation of the risks and controls that apply to its environment, the guidance and controls we recommend for mitigating client-controlled risks are listed in this document.

Potential risks in a work-from-home or remote work offshore arrangement

  • Unauthorized data sharing: Offshore employees may accidentally or intentionally download, store and share sensitive client data on their local devices. This includes exfiltrating data through screen-capture applications and keyboard shortcuts (for example copy/paste) on their computers.
  • Lack of visibility into client and client's customers' system security: MicroSourcing may have limited visibility into the security measures and controls in place within the client's tools and systems, as well as those used by the client's customers.
  • Unauthorized electronic transfer of personal data in a work-from-home set-up: There is a risk of both malicious and accidental unauthorized electronic transfer of personal data when standard data protection measures, such as firewalls, are not present in a work-from-home set-up.
  • Unsecured Wi-Fi credential risk: If offshore remote staff connect over unsecured or public Wi-Fi, their login credentials could be intercepted, which might lead to unauthorized access to the client's network.
  • Presence of unmonitored devices in a remote work environment: Unmonitored devices (phones, cameras, removable storage) may capture, store or share sensitive data, including personal data, health data and credit card information, posing a security risk.
  • Unauthorized sharing of web-based tool credentials: If the client's tools are web-based, there is a risk that the usernames and passwords used to access them may be easily shared with unauthorized individuals.
  • Unauthorized access to sensitive data due to non-isolated workstations: If employee workstations are not isolated, unauthorized third parties (household members, visitors) may inadvertently or intentionally see and/or hear sensitive data.
  • Personal device usage may compromise information security: Allowing employees to use their personal devices may jeopardize information security, as standard authorized tools, such as approved anti-virus software, may not be deployed on their personal desktops/laptops.
  • Unauthorized software installations: Offshore employees with local administrator privileges may install unauthorized software.

MicroSourcing’s existing onsite controls

The list below summarizes the existing onsite controls implemented by MicroSourcing to manage data security, covering staff screening, organizational policies, technical safeguards, physical security measures, and the contractual agreements and disciplinary actions that back them.

Staff screening and training:

  • Criminal history checks for all offshore employees before client onboarding.
  • Data privacy and information security awareness training for offshore employees upon client onboarding and annually.

Organizational controls:

  • Information Security Policy prohibits unlawful activities and unauthorized commercial use of systems.
  • Prohibition of using company systems for personal gain or for activities that violate MicroSourcing's regulations.
  • Prohibition of connecting to unsecured (public, free) Wi-Fi.
  • Confidentiality clauses (NDAs) in employment contracts.
  • Prohibition of downloading, sharing or disclosing personal client data to unauthorized persons.
  • Breaches of confidentiality and of data privacy laws are punishable offenses under MicroSourcing's Code of Conduct.
  • Conducting data privacy and information security awareness training upon client onboarding and annually.
  • Prohibition of using personal ICT equipment without security exemption.
  • Strict implementation of MicroSourcing Employees' Disciplinary Policy.

Technical controls:

  • Installation of approved anti-virus software on all Windows-based systems.
  • Encryption of personal data at rest (hard drive encryption) and in transit.
  • Use of multi-factor authentication to access systems.
  • Network security controls deployed on MicroSourcing-issued devices (computers).
  • Regular patch updates.
  • Scanning tool that detects unwanted applications installed on computers.
  • I.T. Administrator Access Agreements (ITAA) for local admin privileges.

Physical controls:

  • Surveillance cameras onsite.
  • Workstation protection onsite.
  • Onsite computers are positioned and spaced to protect screen privacy and data.

The following recommended actions and industry best practices should be implemented by clients to minimize and address the risks of a remote or offshore work-from-home setup:

Data access and permissions:

  • Prohibit unauthorized access, disclosure and data transfer outside the client's environment.
  • Implement and manage appropriate access permissions for offshore employees, limiting access to only what is necessary for their work.
  • Require a second authentication factor (such as multi-factor authentication or token-based authentication) for access to client systems.

Monitoring and awareness:

  • Ensure tooling is in place to monitor and log user activity within the client's systems.
  • Conduct regular information security awareness training for offshore employees to remind them of their responsibilities.
  • Consider issuing client-managed devices with client-approved security controls to offshore employees, so the client controls patching, antivirus, encryption and other security-related configuration.

Device and work environment:

  • Encourage offshore employees to have a private home office with minimal access to third parties during work hours.
  • Restrict the use of personal devices for work, except during natural calamities and fortuitous events.
  • Prohibit the use of mobile devices and other data-capturing devices (cameras, removable storage) at the offshore employee's workstation.
  • Prohibit the use of paper and pens for recording sensitive information.

Privacy and compliance:

  • Ensure personal information processors (third-party service providers) implement appropriate security measures to protect personal data.
  • Conduct a thorough assessment of potential risks and vulnerabilities to electronic protected health information (ePHI), if applicable.
  • Apply appropriate risk management measures and sanctions for non-compliance.
  • Establish procedures for authorizing and supervising workforce members working with sensitive information.
  • Implement a security awareness and training program for all workforce members.
  • Develop policies and procedures for addressing security incidents.
  • Establish emergency response protocols for events like system failures or natural disasters.

HIPAA compliance (if applicable):

  • Implement physical safeguards (e.g. facility access controls, workstation security) as required by HIPAA.
  • Implement technical safeguards (e.g. encryption, audit controls) compliant with HIPAA.
  • Comply with HIPAA organizational requirements, including contracts with business associates and group health plans.
  • Establish a breach notification process under HIPAA.

Payment Card Industry Data Security Standard (PCI DSS) compliance (if applicable):

  • Implement a data retention policy governing the storage of cardholder data.
  • Encrypt transmission of cardholder data.
  • Track and monitor all access to network resources and cardholder data.

For more information, reach out to your dedicated Client Experience Account Manager today.

Organize a free 30-minute call to discuss.