Insight on Support :: Compliance Checklist--Did you Forget Customer Service?
By TMCnet Special Guest
 Author: Adi Dulberg
CEO and Founder of NextNine.
Compliance has become a four-letter word in today’s global business community. With Sarbanes-Oxley (SOX) now the government-decreed industry standard for financial reporting, and with HIPAA in healthcare and insurance, compliance has dramatically altered the way business is done.
When enterprises and service providers address compliance, they focus their efforts on their respective IT and finance departments, often overlooking other areas that also demand attention. You’ll be surprised to note that chief among the oversights is Customer Service – especially in the case of B2B technical support.
All enterprises rely on technology to effectively run their business: subscriber networks; billing systems for communication service providers; healthcare information systems for hospitals; CRM systems for the financial services facility. These systems are at the heart of day-to-day business operations, but unfortunately for most businesses, the status quo remains reactive in nature: when support is required, it is after-the-fact, in panic mode when business has already taken a hit.
Several forward-thinking organizations have found a solution. But first, think about this glaring fact: B2B Technical Support is NOT Compliant!
In most cases, a technical support session for a business-critical system will take the shape of an IT vendor support engineer remotely accessing the system at the enterprise or service provider level, looking at log files, configuration files, changing configuration and system parameters. As you can imagine, these steps raise a number of critical compliance concerns:
Was the remote access authorized according to the required process? With the wide use of Internet-based remote access tools, like WebEx and GoToAssist, vendors can directly access backbone systems without any prior authorization from the enterprise IT department.
Was access limited to allowed content and resources? In panic mode, a vendor’s technical support engineer is often provided administrator-level credentials, granting access to ANY resource on that system and, in many cases, on other systems.
Were configuration changes documented? During most support sessions, system configuration is manipulated to resolve issues, but often only temporarily, such as by raising logging levels. The problem is that these changes are often neither logged nor audited, or, if they are logged, the log is unusable for rollbacks or audits.
Can the process be audited? A cornerstone of most new regulations is auditing. But in the current support process, auditing is not always possible, either because not all operations are logged or because the logging is performed in a non-searchable format. In other cases, a file containing confidential information may be sent via FTP or email to the vendor organization for review, with no trace of it having been sent.
Was security compromised? Enterprises invest significant resources in security mechanisms that defend against external and internal security threats. In the case of B2B technical support, a confidential password might be provided to a remote support rep, or a file might be sent without prior review of its content – all examples of situations that breach security mechanisms without the knowledge of the IT department.
Help is ‘Virtually’ There
So the big question is – how can technical support be delivered in a compliant manner, without raising costs? Fortunately, an innovative support paradigm called the “Virtual Support Engineer” enables vendors to deliver exactly that.
The Virtual Support Engineer is, quite frankly, an arm of the IT vendor technical support team that is located at the client's site and provides 24x7 support that is compliant with stringent regulatory limits. Acting like a human support engineer, the Virtual Support Engineer continuously monitors and maintains the installed systems, using rules and scripts that collect data from various protocols, analyze data, and act on an ‘as needed’ basis.
Regulated Access To Data
The Virtual Support Engineer (VSE) was designed specifically for support, so it includes all the necessary mechanisms that ensure every action taken is governed by strict access rules (ensuring that users can access and view only the data to which they are allowed).
For example, one of the Virtual Support Engineer's most distinctive capabilities for ensuring regulatory compliance is its ability to sanitize data. When hospitals are unable to share sensitive data with their vendors but need them to resolve a support issue, the VSE is able to collect data from the database, ‘sanitize’ sensitive patient information and only then share it with the vendor support engineer. The VSE allows vendors to maintain HIPAA compliance while sharing the data required for effective support.
Remote Support and Compliance
Remote support is the de facto method of delivering support. To enable remote support in a compliant fashion, the Virtual Support Engineer ensures that all remote sessions are logged, that all communication to and from the customer is fully encrypted and authenticated, and that the customer can gain control of the session at any given time.
The Compliance Advantage
Compliance must be maintained when delivering customer service and technical support. The good news is that the process can be painless, and the result: customer satisfaction. In fact, smart vendors are using compliant service and support as a differentiation point, a nice advantage over competitors.
-----
Adi Dulberg is the CEO and Founder of NEXTNINE (www.nextnine.com). Mr. Dulberg co-founded NextNine in 1998 and has served as NextNine's CEO since June 2003. To contact NextNine, please email info@nextnine.com.