Security & Compliance

Why enterprises trust our security

Spoken’s security approach avoids the piecemeal problems that affect businesses and their security posture. Our security approach is business-driven, and describes a structured interrelationship between technical and procedural solutions to support the long-term needs of our business and our clients. The Spoken security architecture provides a rational framework within which decisions can be made upon the selection of security solutions.

Understanding the security needs of Spoken and its customers:

  • Scalable security solutions
  • User and data confidentiality
  • Integrity of transmission and data handling
  • Secure availability of data
  • Interoperability of our security controls – internally and externally

Network Security

Spoken data center network security starts with physical and logical separation of the production environment from all other environments. Data center operations consist of a strong physical infrastructure, including secure facilities, located in major metropolitan areas, featuring N+1 redundancy for both power and cooling, along with fire protection and system monitoring. The facility and environmental standards Spoken enforces at the data center are designed to ensure that uptime is maximized by providing redundancy to the primary facility, as well as environmental systems to ensure that mechanical or electrical failures will not result in an outage.

The production network is protected by multiple firewalls and a state-of-the-art security information and event management (SIEM) system that supports the network security architecture design. As part of the high-security standard, each server host is secured using host-based intrusion detection (HIDS) agents. By monitoring and reporting on the system configuration and application activity, the agents enable Spoken to prevent malicious or anomalous activity actively on the host system.

Application Security

The core security focus is the application code and customer data that resides within the system, especially involving PII (Personally Identifiable Information, like address and social security numbers) and payment data. Spoken uses HTTPS encryption for all data in transit from the application production network.

All sensitive data is encrypted using AES-256 bit encryption. Application development aligns with industry standards such as OWASP. Spoken works hard to ensure that applications are developed and tested free of high-risk vulnerabilities.

Managing Vulnerabilities

Spoken Communications regularly scans its internal and external network using a scan appliance and network testing services. Systems are reviewed and tested for security vulnerabilities before they are rolled out. New vulnerabilities occasionally arise on operating systems (such as Linux), software applications (such as web servers), and network devices. Newly identified vulnerabilities trigger an investigation and tracking for remediation.

Spoken Communication scrupulously inspects platform and application code for common application vulnerabilities ranging from SQL injection and cross-site scripting to Denial of Service susceptibility for web application services.

Spoken also uses third-party testing and monitoring of compliance. Additionally, third-party penetration testing is done annually in the course of regulatory audits. The Security Architecture requires that Spoken conduct risk assessment to identify the level of risk and impact to the business and our client’s data. All high-risk issues are given priority and are managed toward closure in a time frame commensurate with the level of risk. On a consistent pace, we review and prioritize critical patches to be installed into our system.

Regulatory Standards

A key part of ensuring trust with the Spoken customer base is maintaining compliance with standard required certifications. The first of these standards is the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS has 12 main requirements, which in turn are supported by close to 300 detailed and very specific requirements. Spoken complies to these requirements, and the company will continue to evaluate and maintain PCI compliance on an annual basis. Many of the basic security controls and some advanced controls you that you may find in many governing bodies in addition to PCI-DSS are satisfied, including Organization and Administration, Physical Access Controls, Logical Access Controls, System Availability and Performance, Infrastructure Systems Development, Application Software Development, Customer Implementation and Setup, Data Classification, Integration, and Exchange, and System Backup and Recovery.

Some Spoken clients require compliance with the Health Insurance Portability and Accountability Act (HIPAA). As with the annual PCI audit, the company contracts with a third party for audit as to HIPAA compliance. Our compliance audits will continue every year.

If you believe that an employee or business associate of Spoken Communications violated health information or PII privacy rights or committed another violation of the Privacy or Security policies, please send us an email and we will investigate.