TaskUs Security and Data Protection

TaskUs

October 25, 2016

TaskUs’ culture embraces a robust, core focus on security and privacy. Nothing less is, or should be, acceptable in today’s modern business world. Our team is proud to announce that we have heightened our security procedures. As of October 2016, TaskUs now holds the prestigious PCI DSS Level 1 certification from Qualified Security Assessor (QSA) Control Case and the SOC 2 Type 1 audit certification for three of our Manila Metro-based sites. Additionally, TaskUs has held the EU-US Privacy Shield certification since August 2016. TaskUs is fully committed to security!

We believe that it is mission-critical for our teammates to be top-tier guardians of the confidentiality, integrity and availability of our partners’ customer data, with the same degree of stewardship that we would expect for our own data. Our aim is to ensure that our partners are confident that their customers’ data is safe and secure with us.

TaskUs genuinely understands – and appreciates – the critical importance of being able to trust that service levels are stable when a partner makes the strategic choice to outsource components of its business. A contact center often presents as “the face of the company” to users and, thus, must both reflect the partner’s business with seamless continuity and become an extension of it.

Fraud detection and regulatory compliance are crucial to any program’s success, regardless of where the work takes place. More so, mitigating the significant risks of noncompliance, fraud and privacy breach is a critical responsibility and customer service obligation in industries such as technology, retail and financial services, to name a few.

TaskUs has built a robust set of controls that are designed to address each of these risks. Controls include:

  • Employee Training and Adherence
  • Information Security Policies
  • Background Checks
  • Physical Security
  • Audit and Assessment
  • Incident Response
  • Network Security
  • Data Protection
  • Configuration Standards
  • Access Control Measures
  • Log Monitoring and Management
  • Vulnerability Management

Our Approach: People, Process and Technology

Fostering and delivering a “security culture” is neither instinctive nor built overnight. Further, it is not a one-off event that is forgotten once implemented. A security culture should be rooted in an organization’s ethos.

At TaskUs, it is.

TaskUs CEO Bryce Maddock frequently states that “Security is the most important aspect of our operations and is everyone’s responsibility.” Logically, security does not exist within a silo – it is the organic end result of hiring the right people who are committed to serving our partners’ best interests and protecting their data.

People: We promote our security culture to each teammate from day one. The importance of this culture is communicated during hiring and employee onboarding and continues throughout each employee’s tenure to drive awareness and adoption. As such, a core TaskUs strength resides in our people.

Process: TaskUs is hyper-focused on process to ensure that all operational and security procedures are well-defined, documented and repeatable. We align our information security program with enterprise goals and priorities to deliver genuine value for our partners. Additionally, we support the ability of our leaders to innovate when it helps to further control risk for our partners.

Technology: Information security is not simply a technical discipline at TaskUs. While we believe that IT teams provide useful tools for safeguarding information, we know that technology alone is not the solution. In support of our investment in leading security technologies, TaskUs believes in thorough solution implementation efforts, enforcement of effective technical controls and continual system management.

Employee Training and Adherence

Simply put, we train our employees early and often. Training is a core operational strength at TaskUs. Our teammates receive new and revised partner-specific training programs regularly to keep pace with our partners’ evolving processes.

New teammates’ formal security awareness training begins on the first day during New Employee Orientation (NEO). This training session teaches new hires all aspects of TaskUs, including their duties and responsibilities that pertain to security and keeping our customers’ (and their users’) data safe.

Information security training is provided through a learning management system (LMS) to ensure full coverage of all internal security policies and guidelines for respecting the confidentiality of all data handled. TaskUs provides short videos on our very popular teammate intranet that are focused on security best practices. Security alerts and other advisories are distributed via email.

TaskUs’ security policies and standards are published and made readily available so that teammates are prepared to sit for mandatory fundamental security training annually. IT and incident response teams are required to take specialized security training.

We conduct periodic phishing simulation exercises to assess teammates’ awareness. Follow-up training is provided to those who fail this simulation.

To better secure our teammates’ email experience (and by extension to safeguard our partners’ data), TaskUs has deployed Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance (SPF+DKIM+DMARC), along with email sender identity and authentication practices, to mitigate spoofed email, spam and phishing attacks.

Last, but not least, all teammates are required to report suspicious behavior and potential security events to the Information Security team at infosec@taskus.com.

Information Security Policies

TaskUs has implemented policies, standards and guidelines that define security controls across all assets, resources and data to protect the confidentiality, integrity and availability of the organization.

TaskUs aligns our policies with the ISO 27001 Information Security Management System standard, as well as ITILv3 IT Service Management best practices. Our policies are reviewed at least annually for necessary updates.

Background Checks

TaskUs ensures that only well-vetted candidates are in a trusted position to handle partners’ customer support programs and sensitive data. We conduct comprehensive background checks for all new hires via trusted (and verified) third-party vendors. Background checks include: an identity check, education and work history verification, credit check and criminal records verification.

Physical Security

The physical security of all of TaskUs’ contact centers is of critical importance to us, as our layered security model demonstrates.

Blind-spot-free CCTV video monitoring is present at every entrance and throughout our production floors. Security guards are positioned 24/7 at every entrance and also roam production floors throughout each shift.

TaskUs requires an employee ID badge for initial building access. This badge is also required for production floor access. Facial image recognition scanners are featured at all doors that grant production floor access. Our doors will only unlock for an authorized employee upon a successful facial scan. Teammates must also submit to facial scanning upon exit to discourage tailgating and further enforce the facial scan authorization checks.

Visitors must be signed in by an authorized employee and must remain escorted at all times. Personal bags are checked at building and production floor entrances to record the (potential) movement of laptops and other IT equipment. TaskUs does not permit mobile devices/smart phones on our production floors.

Our server rooms are also protected with facial scan access control, fire suppression and smoke detection. Further, UPS and backup power generation are present in the extremely unlikely event of a power outage.

Audit and Assessment

TaskUs’ systems are routinely tested for compliance with configuration standards. On an annual basis, audits are performed by a Qualified Security Assessor (QSA) to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). This QSA review includes both internal and external penetration testing, which is often conducted more than once per year at our discretion.

TaskUs also annually engages an independent auditor to perform an audit based upon the American Institute of Certified Public Accountants (AICPA) Trust Services Principles, and then issue a SOC 2 Report on Controls at a Service Organization Relevant to Security, Availability, Confidentiality and Privacy.

TaskUs utilizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as a risk-based methodology for information security program management and measurement. Additionally, it creates a common language for internal and external communication of cybersecurity issues. The NIST CSF process model of identify, protect, detect, respond and recover is central to TaskUs’ information security program. Semi-annual assessments are performed to gauge maturity growth and to support continued investments in security.

Additionally, we work with leading security consulting firms for the assessment of security posture and infrastructure controls so that we can continuously improve our protection levels.

Incident Response

TaskUs has a rigorous incident management process for security events that could potentially affect the confidentiality, integrity and/or availability of systems or data.

If such an event occurs, the security team logs and prioritizes it according to severity for incident classification. We assign the highest priority to incidents that have the potential to directly impact our partners.

Our incident response and breach notification process is detailed at length within the TaskUs Incident Response Plan, and includes seven primary stages of response: preparation, identification, containment, eradication, recovery/closure, breach notification and after-incident review and follow-up.

In the unlikely event that a security incident results in the breach of partner data – or upon the discovery of any data breach – TaskUs will notify affected partners within 24 to 72 hours of identifying that any customer data was impacted by the breach (or as per specific contractual SLAs).

Incident response plan testing is conducted periodically and considers a variety of scenarios to ensure a swift and appropriate resolution of any and all security incidents.

Network Security

TaskUs strongly believes in the benefit of having a layered security model. We consider network security to be a foundational element for our security (and that of our partners). As such, we take the task of securing our perimeter very seriously.

Each of our locations has redundant Palo Alto Networks (PAN) next-generation firewalls that are deployed for enterprise-grade protection and high availability. By default, all traffic from untrusted networks and hosts is denied. Deep VLAN segmentation is applied to isolate each partner’s campaign. This added layer of protection keeps trusted networks isolated from untrusted ones.

PAN Threat Prevention blocks perimeter threats with intrusion detection and prevention system (IDPS) controls. URL web content filtering is enabled to protect users from malicious and non-work-related websites (customized per partner campaign needs and preferences).

PAN WildFire protection provides cloud-based malware analysis that automatically detects and prevents unknown threats for all network traffic. PAN Data Loss Prevention is deployed to block sensitive data (including personally identifiable information and payment card information) from unauthorized transfer outside of the network.

Lastly, thoughtful change management and configuration reviews have been implemented to ensure that TaskUs’ network remains operational and secure at all times to the best of our ability.

Data Protection

The protection of partner data is of paramount concern to everyone at TaskUs. As such, we employ rigorous technical controls to ensure that it remains protected at all times.

Antivirus is deployed to all endpoints (servers, workstations and laptops) and is centrally managed with the management console server to ensure enterprise coverage and comprehensive compliance reporting.

We use full-disk encryption to protect all workstations and laptops to negate the impact of system loss or theft. Sensitive data is also always encrypted when transmitted over any network, whether internal or external. We deploy host Data Loss Prevention (DLP) on all workstations and laptops to identify sensitive content and apply blocking/alerting policies to protect against the risk of unauthorized transfer of data from within or outside of the network.

Google Mobile Device Management (MDM) is enforced upon all mobile devices that have access to TaskUs’ Google Apps. Additionally, we require minimum passcode length, device idle lock and remote wipe of data for lost or stolen devices.

Configuration Standards

TaskUs implements secure system build standards at all endpoints and network devices to enforce a consistent security baseline across our organization. This includes the management of default configurations, encryption of administrative access and robust systems hardening to reduce attack surface to only necessary, secure services.

We manage all assets through a centralized change control process and a configuration management database (CMDB) in line with ITILv3 IT Service Management standards.

Access Control Measures

At TaskUs, all users are managed through centralized access controls. Users have unique IDs, and rights are defined by job functions and based upon the principle of least privilege.

Password complexity, expiration and account lockout controls are enforced through centralized Active Directory Domain Services. Two-factor authentication (2FA) is required for all remote access to our network, and 2FA is required for the use of privileged accounts to ensure secure access to corporate networks and critical system administration consoles beyond ordinary passwords alone.

Single sign-on using the Bitium IDaaS (Identity as a Service) portal is employed to centralize identity management and cloud application access, as well as to enforce 2FA and ensure robust account provisioning.

Log Monitoring and Management

At TaskUs, security monitoring is focused on information that is gathered from internal network traffic, teammates’ actions on our systems and external knowledge of vulnerabilities.

Our Security Information & Event Management (SIEM) system maintains and centrally stores security and audit logs from all critical systems for analysis and reporting. We implement automated audit trails to reconstruct information such as: data access, all actions taken by any individual with root or administrative privileges, access to all audit trails, invalid logical access attempts, and modification of system-level objects. Further, we have implemented system file integrity monitoring (FIM) on all critical servers in the production environment which is also tracked by the SIEM.

Vulnerability Management

TaskUs conducts internal and external vulnerability assessments for all systems on a quarterly basis. The Information Security team is responsible for tracking and following up on vulnerabilities which, under our risk methodology, require remediation. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity and assigned to an owner.

We track and require regular follow-up on these issues until we can verify that all issues have been remediated.

Operating system and application patches are risk assessed and deployed to all endpoints and network gear by a centralized patch management system on a monthly basis, or as necessary in the event of critical security patches.