Enterprise-Ready Security

Cloud Security Office

Trustworthy Cloud Computing


The Five9 Cloud Security Office is responsible for securing our infrastructure, applications, and operations against security breaches and unforeseen events—even natural disasters.

Five9 is a proud member of the Cloud Security Alliance (CSA). The CSA is a not-for-profit, vendor-neutral organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

SOC 2 Type 2 Attestation
SOC 2 Type 2 Attestation in Accordance with AICPA Standard AT 101

Five9 has completed a SOC 2 Type 2 audit in accordance with American Institute of Certified Public Accountants (AICPA) Standard AT 101 and the AICPA Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP 100). Our SOC 2 Type 2 attestation offers customers one of the highest forms of assurance available in the marketplace today. Our report covers the AICPA Security Principle in relation to Virtual Contact Center and provides an independent and objective opinion that Five9 has developed, implemented, operates, and maintains the security controls that customers expect for data protection and regulatory compliance purposes.

Payment Card Industry Data Security Standard (PCI DSS)

As a Level 2 Service Provider, Five9 engages an independent PCI Approved Scanning Vendor (ASV) to perform quarterly vulnerability scans and annual penetration testing. Our Technology Risk Management group completes an annual PCI Self-Assessment Questionnaire D (SAQ D) and Attestation of Compliance (AOC) covering all 12 PCI DSS requirements for the design, implementation, and continuous improvement of controls for safeguarding cardholder data and sensitive information.

Customer Proprietary Network Information (CPNI)

Five9 complies with Federal Communications Commission (FCC) regulations for protecting the confidentiality of CPNI data including telephone numbers, times, dates, and duration of calls, as well as the types of services and products we provide you. We have designed and implemented security and privacy controls to protect CPNI from unauthorized access or improper use. Five9 does not sell CPNI to third parties, and we do not disclose CPNI without customer consent except as required by law.

Ongoing Security and Privacy Training

Five9 provides ongoing information security and privacy training to all workforce members to ensure a common understanding of applicable data protection laws and regulations, as well as how to detect and report security issues to executive management. Ongoing training is designed to promote a culture of compliance and reinforces the concept of data protection accountability at all levels of the company.

Health Insurance Portability and Accountability Act (HIPAA)

Five9 has many customers in the healthcare sector including providers, hospitals, insurance companies, and business process outsourcers. As a Business Associate, Five9 has designed and implemented appropriate administrative, physical and technical safeguards for Protected Health Information in transit and at rest in compliance with the Health Insurance Portability and Accountability Act (HIPAA). These safeguards include, but are not limited to:

  • Least-privilege, minimum necessary access controls
  • Two-factor authentication for highly privileged users
  • Encryption of data in transit between customers and VCC
  • Encryption of data at rest for call recordings
  • Rigorous change management processes
  • Anti-virus and anti-malware defenses
  • Intrusion detection and prevention systems
  • Internal and external vulnerability scanning
  • Periodic network penetration testing
  • Secure code development lifecycle
  • 24x7x365 network operations center
  • Problem and incident management processes
  • Geographic Redundancy for business continuity
  • AICPA Service Organization Control (SOC) attestation reports
  • Ongoing information security and privacy training and awareness

How We Keep Your Data Secure

Cloud Security and Data Protection

  • Security Standards — Five9 secures our cloud infrastructure by utilizing the standards and best practices established by ISO 27001/27002, COBIT, PCI DSS, and Cloud Security Alliance (CSA).
  • Secure Data Centers — Our data centers are regularly audited under AICPA AT 101 or SSAE 16 standards demonstrating robust data protection controls such as two-factor building access (badge and biometrics), 24/7 on-site security, video monitoring, and more. We also use process safeguards to ensure that employee access is controlled appropriately.
  • Security Patch Management — We update our systems based on our patch management policy and internal operating level agreements to ensure all systems have the very latest critical security and anti-virus patches.
  • Intrusion Detection and Prevention/Vulnerability Management — Our real-time intrusion detection and prevention systems and vulnerability detection systems run around the clock to immediately identify and respond to any threats.

Application Security

The Five9 Virtual Contact Center (VCC) is designed with security features that protect our customers' data in transit and at rest, and prevent unauthorized access to our customers' instances of the solution.

  • User Access — User passwords are hashed, and password policies can be configured to include requirements for complexity, expiration periods, password history, and user lockouts based on our customers' security policies. User access can also be limited to whitelisted IP addresses.
  • Data at Rest — Call recording features can be configured so they don't include any sensitive information. Additionally, customers' data is partitioned within our multi-tenant infrastructure so that it cannot be viewed by another customer.
  • Data in Transit — All voice and data transmissions between the VCC and your network can be secured using protocols such as HTTPS, Secure FTP, and Secure RTP.

Business Continuity

In addition to the above security measures, Five9 provides capabilities that help our customers ensure continuity during natural disasters or other unforeseen events that can potentially disrupt operations of an entire region. Customers can opt for Geographic Redundancy, ensuring that their operations transition between our geographically distributed data centers within minutes after an event. Five9 also backs up customer data to another facility to protect against data loss in the event of a natural disaster at our primary data center.

We've Built a Community of Cloud Security Experts

The Five9 Cloud Security Office is helping our industry drive towards more effective safeguards against data breaches and loss. Team members possess advanced degrees in computer science and related fields and receive continuing education and training on emerging threats and defenses. They also hold certifications from ISACA, (ISC)2, the Cloud Security Alliance, and the SANS Institute.

Customer and Corporate Data Protection

The following is an overview of the measures that Five9 takes to protect confidential customer and corporate data from cyber-security threats.

Executive management has established tone from the top with respect to maintaining appropriate business and IT controls to mitigate the risk of intrusions and data breaches. Executive management also plays a key role in continuously assessing and monitoring cyber-security risks to Five9’s operating environment.

Administrative, Physical, and Technical Safeguards

Five9 has designed and implemented administrative, physical, and technical safeguards in accordance with a number of data protection laws, regulations, and standards including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), the UK Data Protection Act 1998 and EU Directive 95/46/EC.

  • Our administrative safeguards include an information security management process developed to align with ISO 27001/27002; full-time security personnel; and processes for information access management, workforce training and awareness, and ongoing evaluation of the control environment
  • Our physical safeguards include facility access controls and workstation/device security measures
  • Our technical safeguards include controls for role-based access, audit logs, data integrity, and data transmission security

Defense-in-Depth Approach

Five9 has implemented stateful inspection firewalls, de-militarized zones (DMZs), intrusion prevention and detection systems (IPS/IDS), vulnerability scanning, annual penetration testing, file integrity monitoring (FIM), anti-virus/anti-malware protection, two-factor authentication, and virtual private networking (VPN) to defend against cyber exposures.

This defense-in-depth strategy provides layers of security from the edge of the Five9 network to its core to mitigate the risk of unauthorized access or use of systems that contain confidential customer or corporate data. Five9 has also implemented “least privilege, minimum necessary” role-based access controls to grant access privileges to systems containing confidential customer or corporate data only to those employees whose roles require it.

Five9 Information Security is accountable for monitoring intrusion prevention and detection systems; regularly performing information security assessments and vulnerability scans; taking appropriate actions to patch system vulnerabilities; and promptly investigating and reporting security alerts and assessment findings to executive management. The work that this team performs is essential for continuous improvement of the Five9 environment and ensures Five9 executive management has timely visibility into security and privacy risks, issues, and incidents.

Continuous Improvement

Five9 also provides ongoing information security and privacy training to all workforce members to ensure a common understanding of applicable data protection laws and regulations, as well as how to watch for and report security risks and issues to executive management. This effort is designed to promote a culture of compliance and reinforces the concepts of “Know it. Own it. Control it.” with respect to data protection accountability at all levels of the company.

Five9 has engaged an independent auditor to perform a SOC 2 Type 2 attestation (performed under AICPA standard AT 101) covering the Trust Services Security Principle for the period from 10/01-12/31/2015 and then annually thereafter. The initial attestation report will become available to our customers in early Q1 2016.

Mitigate the risk of security breaches, network intrusion, and data loss by following these security best practices.

  1. Implement a formal security and privacy awareness program to ensure that all personnel understand applicable data protection laws, regulations, and industry standards, and are properly trained and knowledgeable about your security and privacy policies and procedures.
  2. Install and maintain appropriate firewalls and intrusion prevention systems to defend against intrusions into network, systems, and data.
  3. Install and regularly update anti-virus/anti-malware software on servers, workstations, and mobile devices used in your operating environment to mitigate the risk of attacks.
  4. Regularly patch your operating systems, databases, and applications including Web browsers to mitigate the risk of vulnerabilities.
  5. Implement trusted IP address ranges to restrict access to the Five9 Virtual Contact Center. This will help mitigate the risk of unauthorized access from outside of pre-defined ranges.
  6. Require password expirations at least every 90 days and enforce password history so that at least the last five previously used passwords are remembered and cannot be reused.
  7. Define password complexity to ensure a minimum of eight characters (preferably more), including the use of uppercase letters, numbers, and special characters such as *, !, $, %, _, and -.
  8. Enforce a limit on invalid login attempts that conforms to applicable industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).
  9. Control the permissions enabled for each user to conform to the principle of least privilege (i.e., minimum necessary).
  10. Promptly de-provision any terminated users and re-provision any users whose access or permissions require changes.
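The customer-side controls in items 5 through 7 above (trusted IP ranges, 90-day expiration with a five-password history, and eight-character complexity using the listed special characters) expressed as policy checks. This is an added example written for this page, not Five9 code or any VCC API; the password storage format, function names, and the sample addresses and passwords are constructed for illustration.

```python
# Added example: models the customer-side controls in items 5, 6 and 7 of
# the best-practice list. Not Five9 code; storage format is an assumption.
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date, timedelta

MIN_LENGTH = 8                          # item 7: "minimum of eight characters"
SPECIAL_CHARS = set("*!$%_-")           # item 7: special characters named on the page
MAX_PASSWORD_AGE = timedelta(days=90)   # item 6: "at least every 90 days"
HISTORY_DEPTH = 5                       # item 6: "at least the last five"


def complexity_errors(password: str) -> list[str]:
    """Return the item-7 rules the password fails; an empty list means it passes."""
    rules = [
        (len(password) >= MIN_LENGTH, "too short"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in SPECIAL_CHARS for c in password), "no special character"),
    ]
    return [msg for ok, msg in rules if not ok]


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest; only (salt, digest) pairs are retained, never clear text."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def in_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """Item 6: reject a password matching any of the last HISTORY_DEPTH digests."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def password_expired(last_changed: date, today: date) -> bool:
    """Item 6: a password older than MAX_PASSWORD_AGE must be rotated."""
    return today - last_changed > MAX_PASSWORD_AGE


def ip_allowed(client_ip: str, trusted_ranges: list[str]) -> bool:
    """Item 5: admit logins only from the customer's pre-defined trusted ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in trusted_ranges)
```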