That was a rather provocative headline, right? What does he mean? Is the CIA another regulatory agency getting into the collection industry? And what is that header image supposed to mean? Take a deep breath, my friend. The image isn't meaningful, I just love the Monty Python skit on the Ministry of Silly Walks, saw a loose connection to government, and I thought the art was great. And no, the Central Intelligence Agency is not going to be getting in on the BCFP's action, I just used that acronym to get you to click on the link, but stick around, this is good stuff!
The CIA of the US government is known for its secrets, but the letters also make a great acronym for collection agencies to use when talking about how their data is stored and about keeping the technology, software, or equipment through which that data is accessed up and running.
Increasingly, applications and software are available via web-based subscriptions and are less frequently hosted on local machines. That said, software that is only available online presents a different set of challenges and concerns, especially for the ARM industry, which has access to personal data that needs to be kept secure.
That’s where "CIA" comes in. The acronym was used by Jeremy Mapes, an industry consultant, during a webinar held earlier this month. The webinar, sponsored by InterProse, featured a panel of technology experts talking about safety, security and compliance in web-based software.
CIA, at least according to Mapes, stands for Confidentiality, Integrity, and Availability (come to think of it, maybe the actual CIA should stand for that, too). The acronym is meant to provide a checklist for companies to make sure their vendors are doing everything that can be done with the data they are storing on behalf of their clients.
Vendors need to be able to tell their clients how they are going to keep their information confidential, Mapes said during the webinar.
Confidentiality is just as important to collection agencies, who must protect the data sent to them by their clients to facilitate the collection of unpaid accounts.
Once the data is kept confidential, it also cannot be allowed to become corrupted. That’s where integrity comes in. Vendors need to be able to detail how they will maintain the integrity of the data and, in the event something goes horribly awry, how they will bring the data back and restore it, Mapes said.
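To make the integrity half of that checklist concrete, here is an added example (mine, not something from the webinar or from InterProse) of the kind of check a vendor could show you: a SHA-256 manifest recorded at backup time, then re-checked before a restore is trusted. The record names and contents are constructed sample data; the function names are my own.

```python
import hashlib

# Constructed sample records standing in for the files a vendor stores on an
# agency's behalf. Real data would be read from disk or a backup archive.
RECORDS = {
    "accounts_2024-01.csv": b"account_id,balance\n1001,250.00\n1002,75.50\n",
    "payments_2024-01.csv": b"account_id,amount\n1001,50.00\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(records: dict) -> dict:
    """Taken at backup time: one digest per record name.

    The manifest must be stored separately from the data (and ideally
    write-once), otherwise whatever corrupts the data can rewrite it too.
    """
    return {name: sha256_hex(data) for name, data in records.items()}


def verify_manifest(records: dict, manifest: dict) -> dict:
    """Compare a restored data set against the manifest.

    Returns name -> one of 'ok', 'corrupted', 'missing', 'unexpected'.
    'unexpected' flags files present on restore that were never backed up,
    which is just as much an integrity problem as a changed file.
    """
    status = {}
    for name, expected in manifest.items():
        if name not in records:
            status[name] = "missing"
        elif sha256_hex(records[name]) != expected:
            status[name] = "corrupted"
        else:
            status[name] = "ok"
    for name in records:
        if name not in manifest:
            status[name] = "unexpected"
    return status


def restore_is_trustworthy(restored: dict, manifest: dict) -> bool:
    """A restore is only accepted when every entry verifies as 'ok'."""
    return all(s == "ok" for s in verify_manifest(restored, manifest).values())


if __name__ == "__main__":
    manifest = build_manifest(RECORDS)
    # Simulate a single balance being altered in the restored copy.
    tampered = dict(RECORDS)
    tampered["accounts_2024-01.csv"] = tampered["accounts_2024-01.csv"].replace(b"250.00", b"25.00")
    for name, state in verify_manifest(tampered, manifest).items():
        print(f"{name}: {state}")
    print("restore trustworthy:", restore_is_trustworthy(tampered, manifest))
```

The point of the check is not the hashing itself but the separation: the manifest is the evidence a vendor can hand to an auditor showing that what came back from backup is byte-for-byte what went in, and a restore that fails it should be rejected rather than quietly loaded.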
Technical Sidebar
Let's dive into some technical weeds for just a moment, shall we? Stay with me, my friend, I need you to understand this part. "Hosted in the cloud", "web hosted", or "cloudy web stuff" (don't go with that last guy's software, by the way - that terminology is a giant red flag) are terms that are used liberally in the software space, especially in the debt collection software market.
Here's the point: if you are responsible for the data center server that the software is hosted within, that is NOT cloud-based software - nor is it "web-based". That is merely "off-premises" and no bueno. You are still responsible for paying for the server even though the software provider is telling you you are inheriting "Tier III", "SSAE16", or whatever other acronym the data center puts on their marketing brochure. Those inherited certifications are very limited in scope and many of your clients will not be satisfied with them if you are not doing more auditing on top of them. They are just housing your box that could just as easily be parked down your hallway.
The second level you will hear is a genuine SaaS model where you pay a monthly service fee and just log into the software via a browser like Chrome, Firefox, or Safari (sorry Microsoft, no one likes Explorer). Chances are good you may be assigned your own dedicated application server - guess what? If your software provider is not providing penetration testing or audits of that server instance beyond a self-attestation of PCI compliance (which has no real value), many of the data center's compliance certifications on their brochures aren't going to satisfy your clients. Sucks, right? Misleading, even.
The next level is a software provider *cough* InterProse *cough* that provides third-party, independent audits of its server infrastructure, including the client server instances, to add to the inherited compliance standards and certifications of the data center. Even better, if that cloud computing infrastructure is AWS, there is no greater level of inherited protection you can ask for.
Now you know what to ask. Back to the blog post.
The data needs to be kept safe and secure so companies can access it, which means the data needs to be available at all times, Mapes said. Vendors need to be able to tell you how they are going to keep the lights on and their systems running. Mapes used an example of eBay, which had an agreement with one of its vendors where the vendor agreed to pay $1 million for every hour that the vendor’s systems were down, if ever such an event happened. This arrangement is called an SLA, or a Service Level Agreement, and is essentially another level of commitment and insurance policy for the customer.
It’s unlikely that the average collection agency would need similar agreement terms, but SLAs for first party clients or large collection agencies are not unheard of. Collection agencies or departments need to ask the tough questions of their vendors to establish what processes and/or safeguards are in place to ensure data they are transmitting back and forth is kept safe and secure — as well as accessible — at all times.
You need to ask the right questions, but by leveraging the advantages of a web-based software application, you should get more. More security, more confidence, more peace of mind. More of everything, EXCEPT cost - that should go down. Sound too good to be true? It's not, it's progress.