The Five9 Cloud Security Office is responsible for securing our infrastructure, applications, and operations against security breaches and unforeseen events—even natural disasters.
Five9 is a proud member of the Cloud Security Alliance (CSA). The CSA is a not-for-profit, vendor-neutral organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing.
Five9 has completed a SOC 2 Type 2 audit in accordance with American Institute of Certified Public Accountants (AICPA) Standard AT 101 and the AICPA Trust Services Principles and Criteria for Security and Availability. Our SOC 2 Type 2 attestation offers customers one of the highest forms of assurance available in the marketplace today. Our report covers the AICPA Security Principle in relation to Virtual Contact Center and provides an independent and objective opinion that Five9 has developed, implemented, operates, and maintains the security controls that customers expect for data protection and regulatory compliance purposes.
The General Data Protection Regulation, better known as GDPR, is a European Union (EU) regulation focused on data protection and privacy for EU citizens which takes effect May 25, 2018.
Five9 is evolving and improving our Virtual Contact Center service to offer the features our customers require to comply with the GDPR. Areas of focus include information security, breach management, content management, data visibility, individual data rights management, and records management.
Five9 is also requesting that our customers, who act as the data controllers under the GDPR, notify us of their EU processing activities so we can maintain an accurate record of processing activity as the GDPR requires.
Five9 is committed to providing services that enable our customers' GDPR compliance.
As a Level 2 Service Provider, Five9 engages an independent PCI Approved Scanning Vendor (ASV) to perform quarterly vulnerability scans and annual penetration testing. Our Technology Risk Management group completes an annual PCI Self-Assessment Questionnaire D (SAQ D) and Attestation of Compliance (AOC) covering all 12 PCI DSS requirements for the design, implementation, and continuous improvement of controls for safeguarding cardholder data and sensitive information.
Five9 complies with Federal Communications Commission (FCC) regulations for protecting the confidentiality of Customer Proprietary Network Information (CPNI), which includes telephone numbers, the times, dates, and duration of calls, and the types of services and products we provide to you. We have designed and implemented security and privacy controls to protect CPNI from unauthorized access or improper use. Five9 does not sell CPNI to third parties, and we do not disclose CPNI without customer consent except as required by law.
Five9 provides ongoing information security and privacy training to all workforce members to ensure a common understanding of applicable data protection laws and regulations, as well as how to detect and report security issues to executive management. Ongoing training is designed to promote a culture of compliance and reinforces the concept of data protection accountability at all levels of the company.
Five9 has many customers in the healthcare sector including providers, hospitals, insurance companies, and business process outsourcers. As a Business Associate, Five9 has designed and implemented appropriate administrative, physical and technical safeguards for Protected Health Information in transit and at rest in compliance with the Health Insurance Portability and Accountability Act (HIPAA). These safeguards include, but are not limited to:
The Five9 Virtual Contact Center (VCC) is designed with security features that protect our customers' data in transit and at rest, and prevent unauthorized access to our customers' instances of the solution.
In addition to the above security measures, Five9 provides capabilities that help our customers ensure continuity during natural disasters or other unforeseen events that can potentially disrupt the operations of an entire region. Customers can opt for Geographic Redundancy, which allows their operations to transition between our geographically distributed data centers within minutes of an event. Five9 also backs up customer data to another facility to protect against data loss in the event of a natural disaster at our primary data center.
The Five9 Cloud Security Office is helping our industry drive towards more effective safeguards against data breaches and loss. Team members possess advanced degrees in computer science and related fields and receive continuing education and training on emerging threats and defenses. They also hold certifications from ISACA, (ISC)2, the Cloud Security Alliance, and the SANS Institute.
The following is an overview of the measures that Five9 takes to protect confidential customer and corporate data from cyber-security threats.
Executive management has established tone from the top with respect to maintaining appropriate business and IT controls to mitigate the risk of intrusions and data breaches. Executive management also plays a key role in continuously assessing and monitoring cyber-security risks to Five9’s operating environment.
Five9 has designed and implemented administrative, physical, and technical safeguards in accordance with a number of data protection laws, regulations, and standards including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), the UK Data Protection Act 1998 and EU Directive 95/46/EC.
Five9 has implemented stateful inspection firewalls, de-militarized zones (DMZs), intrusion prevention and detection systems (IPS/IDS), vulnerability scanning, annual penetration testing, file integrity monitoring (FIM), anti-virus/anti-malware protection, two-factor authentication, and virtual private networking (VPN) to defend against cyber exposures.
This defense-in-depth strategy provides layers of security from the edge of the Five9 network to its core to mitigate the risk of unauthorized access or use of systems that contain confidential customer or corporate data. Five9 has also implemented “least privilege, minimum necessary” role-based access controls to grant access privileges to systems containing confidential customer or corporate data only to those employees whose roles require it.
Five9 Information Security is accountable for monitoring intrusion prevention and detection systems; regularly performing information security assessments and vulnerability scans; taking appropriate actions to patch system vulnerabilities; and promptly investigating and reporting security alerts and assessment findings to executive management. The work that this team performs is essential for continuous improvement of the Five9 environment and ensures Five9 executive management has timely visibility into security and privacy risks, issues, and incidents.
Five9 also provides ongoing information security and privacy training to all workforce members to ensure a common understanding of applicable data protection laws and regulations, as well as how to watch for and report security risks and issues to executive management. This effort is designed to promote a culture of compliance and reinforces the concepts of “Know it. Own it. Control it.” with respect to data protection accountability at all levels of the company.
Five9 has engaged an independent auditor to perform a SOC 2 Type 2 attestation (performed under AICPA standard AT 101) covering the Trust Services Security Principle for the period from 10/01-12/31/2015 and then annually thereafter. The initial attestation report will become available to our customers in early Q1 2016.