Security

Bright Pattern Documentation

Generated: 7/06/2022 9:49 pm
Content is available under license unless otherwise noted.

Security Overview

Section Security is where global (i.e., contact-center wide) security settings are defined, including account lockout settings, text masking, system access restrictions, the audit log, and so forth.

Sections

The following is a list of sections found in the Contact Center Administrator application, section Security.


Security



Security Policy

Section Security Policy is where you may set further restrictions on the security policy for your contact center.

Note that the settings you configure may not be weaker than those defined by your service provider; if defined, the service provider settings are displayed next to the settings in this section. Any attempt to set a value weaker than the default service provider settings will produce a descriptive error message and will be blocked.

Your system can be configured for automatic lockout of a user account after a number of unsuccessful login attempts. An account locked out in this manner can subsequently be unlocked either manually or automatically after a configured timeout.

You can also configure the system to force your users to change their passwords after a specified number of days, prevent them from submitting previously used passwords, and automatically disable inactive accounts.

Note that your service provider may also impose some password complexity rules, such as minimum password length, mandatory use of various character groups, and exclusion of weak passwords (e.g., usernames). If any such rules are imposed, you cannot change them. You should get descriptions of these rules from your service provider and inform your personnel about them.

To configure security policy settings, select the Security Policy option from the Security menu.


Security > Security Policy


Screen Properties

The Security Policy screen properties are described as follows.

Enable lockouts

Checking this box indicates that the account lockout option is enabled.

To comply with the PCI DSS security standard, this option must be enabled.

Maximum login attempts

This property specifies the number of consecutive unsuccessful login attempts after which the account will be locked out.

To comply with the PCI DSS security standard, set this parameter to at least six attempts.

Reset attempt count after

This property specifies the amount of time after which the counter of unsuccessful login attempts will be reset.

Lockout duration

Lockout duration is the amount of time after which a locked-out account will be unlocked automatically. To disable auto-unlocking, set this parameter to “0” (zero), in which case, locked-out accounts can be unlocked manually only.

To comply with the PCI DSS security standard, set this parameter to at least 30 minutes.
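The following is an added example (not Bright Pattern's code) that models how the three lockout settings above interact, including the manual-unlock-only behaviour when Lockout duration is set to 0; the default values and the seconds-based timestamps are assumptions for illustration.

```python
"""Lockout behaviour built from the Security Policy parameters on this page.
Added example, not Bright Pattern code; times are seconds since the epoch."""
from dataclasses import dataclass


@dataclass
class Policy:
    enabled: bool = True            # Enable lockouts
    max_attempts: int = 6           # Maximum login attempts
    reset_after: float = 1800       # Reset attempt count after (assumed 30 min)
    lockout_duration: float = 1800  # Lockout duration; 0 = manual unlock only


@dataclass
class Account:
    failures: int = 0               # consecutive failures inside the reset window
    last_failure: float = 0.0
    locked_at: float = -1.0         # -1 means not locked


class LockoutTracker:
    def __init__(self, policy: Policy):
        self.policy, self.accounts = policy, {}

    def is_locked(self, user: str, now: float) -> bool:
        acct = self.accounts.setdefault(user, Account())
        if acct.locked_at < 0:
            return False
        dur = self.policy.lockout_duration
        if dur > 0 and now - acct.locked_at >= dur:  # auto-unlock after the duration
            self.accounts[user] = Account()
            return False
        return True                                  # dur == 0: wait for unlock()

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if the account is locked out."""
        if self.is_locked(user, now):
            return True
        acct = self.accounts[user]
        if now - acct.last_failure > self.policy.reset_after:
            acct.failures = 0                        # older failures no longer count
        acct.failures, acct.last_failure = acct.failures + 1, now
        if self.policy.enabled and acct.failures >= self.policy.max_attempts:
            acct.locked_at = now
            return True
        return False

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator, the only way out when duration is 0."""
        self.accounts[user] = Account()
```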

Password complexity

This section allows you to define various password complexity requirements; the settings you configure may not be weaker than what is defined by your service provider. Note that passwords can be checked against usernames and your service provider’s list of weak passwords.

Notes:

Password history

The Password history section allows you to prevent the user from submitting a new password that is the same as any of the specified number of previous passwords that the user used.

Check against previously used passwords

To comply with the PCI DSS security standard, select the checkbox for Check against previously used passwords.

Number of previously used passwords to keep

To comply with the PCI DSS security standard, set the number to 4 (or greater).

Expiration policy

The Expiration policy section provides control over how often users will be required to change their passwords and after how many days inactive user accounts will be disabled.

Require users to change passwords every

This parameter allows you to specify how often users will be required to change their passwords. To comply with the PCI DSS security standard, set this parameter to no more than 90 days.

Disable inactive accounts after

This parameter allows you to specify after how many days inactive user accounts will be disabled. To comply with the PCI DSS security standard, set this parameter to no more than 90 days.

Exceptions, these user accounts will not be disabled on inactivity

This parameter allows you to define the Contact Center Administrator application users that will be exempt from being disabled on inactivity. Note that API users will no longer be disabled due to inactivity (i.e., API usage now counts as account activity).



System Access Restrictions

The system may be configured to limit access from a number of predefined IP address ranges.

To configure such IP address ranges, go to Security > System Access Restrictions.


Security > System Access Restrictions


Limit system access by client IP address

Select this checkbox to enable IP address verification.

When enabling Limit system access by client IP address, you can define addresses for each subsection. Note that the default setting is <Any> in the Agent Desktop and Contact Center Applications section and the "Privileged Access IP Range" section, which means there is no limiting. Once IP addresses are defined in these sections, <Any> will disappear.

Defining IP Address Ranges

You can define the range of IP addresses for the Agent Desktop and Contact Center Administrator applications, for privileged users (i.e. , and, if necessary, for access via APIs by clicking add in the following sections as appropriate:

The desired IP address range is expressed as a combination of a base IP address and a mask. The mask defines which bits of the base IP address are fixed and which are variable: a 1 bit marks a bit of the IP address that is fixed, while a 0 bit marks a bit that is variable. The variable bits then span the desired range.

Example Usage

If you set the following, System Access Restrictions will be from address 192.168.64.0 to address 192.168.64.63.

If you set the following, System Access Restrictions will be from address 192.168.64.128 to address 192.168.64.192.
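As an added example that is not part of the original page, the following computes the admitted range from a base address and mask as described above and performs the client-address check; the mask 255.255.255.192 used for the page's first example is an assumption, since the page shows it only in a screenshot. It also flags non-contiguous masks, whose admitted addresses do not form a single range.

```python
"""Work out which client addresses a base IP plus mask admits.
Added example, not Bright Pattern code. A 1 bit in the mask fixes that bit
of the base address; a 0 bit leaves it variable (the rule given above)."""
import ipaddress
from typing import Tuple


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _as_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def mask_is_contiguous(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed by 0 bits (a CIDR prefix).
    Only then do the admitted addresses form one unbroken range."""
    variable = (~_as_int(mask)) & 0xFFFFFFFF
    return (variable & (variable + 1)) == 0


def address_range(base: str, mask: str) -> Tuple[str, str]:
    """First and last admitted address. Variable bits set in the base address
    are ignored, so 192.168.64.5 with the same mask gives the same range."""
    b, m = _as_int(base), _as_int(mask)
    first = b & m
    last = first | ((~m) & 0xFFFFFFFF)
    return _as_str(first), _as_str(last)


def client_allowed(client: str, base: str, mask: str) -> bool:
    """The check itself: every fixed bit of the client must equal the base."""
    m = _as_int(mask)
    return (_as_int(client) & m) == (_as_int(base) & m)


if __name__ == "__main__":
    # The page's first example: base 192.168.64.0 with an assumed mask of
    # 255.255.255.192 (the mask itself is only shown in the screenshot).
    print(address_range("192.168.64.0", "255.255.255.192"))  # ('192.168.64.0', '192.168.64.63')
```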




Text Masking

Depending on the type of services that your contact center provides, incoming chats or emails may contain some sensitive data that could pose Internet security risks. Examples of such data include payment card numbers, access codes, social security numbers, and clients’ personal health information. The handling of such data may be governed by various laws, industry security standards, as well as internal policies of your organization, which may require that sensitive data be masked. (Data masking is the process of hiding original data by replacing it with random characters.)

Masking can be done manually by the agents reviewing the incoming interactions and/or automatically where the system checks incoming data against some preconfigured data patterns. This article explains how to configure automatic masking. For manual data masking, see the Agent Guide, section How to Remove Sensitive Data from Emails.


Security > Text Masking


Properties

Mask sensitive data in web chat

When enabled, this setting automatically masks the text of any incoming chats that match the regex defined in Patterns.

Mask sensitive data in incoming emails

When enabled, this setting automatically masks the text of any incoming emails that match the regex defined in Patterns. Note that both text and HTML versions of email bodies will be scanned and masked.

Patterns

The Patterns property is where you define incoming chat and email regex masks. To define a mask, click add to add the following values.


Select a box to mask sensitive data


Example Masks

Masks require regex syntax. After entering an expression, click Apply to save your changes. Saving masks will cause any matching data element in chat and/or email messages to be "masked" in subsequent chats on the Agent Desktop application.

Note: Each expression must be entered separately.


Credit card masking:

These masks will hide credit card numbers that are provided by customers in incoming chats. Note that the name (Visa, Amex, MC, etc.) of each mask does not affect the mask settings.


Social security number masking:


Use text masking to hide Social Security numbers


This mask will hide Social Security numbers that may be provided by customers in incoming chats.
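Added example, not the product's own patterns (those appear only in the screenshots above), covering both the credit card and the Social Security number masks described above: it uses constructed Visa, MC, Amex and SSN regexes, applies each one separately as the product requires, and scans both the text and HTML versions of an email body. It replaces digits with a fixed character rather than random ones.

```python
"""Apply text-masking patterns to incoming chat and email text.
Added example, not Bright Pattern code; the regexes below are constructed
for illustration and are not the product's own patterns."""
import re

# Each expression is entered separately in the product, so keep them apart.
# Assumed formats: optional space or dash between digit groups.
PATTERNS = {
    "Visa": r"\b4\d{3}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b",
    "MC":   r"\b5[1-5]\d{2}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b",
    "Amex": r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b",
    "SSN":  r"\b\d{3}-\d{2}-\d{4}\b",
}


def mask_text(text: str, patterns=PATTERNS, fill: str = "*") -> str:
    """Replace every digit of every match with the fill character.

    Separators are kept so the agent still sees the shape of the value.
    The name of a pattern (Visa, MC, ...) has no effect on the masking.
    """
    def blank(match):
        return re.sub(r"\d", fill, match.group(0))

    for regex in patterns.values():
        text = re.sub(regex, blank, text)
    return text


def mask_email(plain: str, html: str, patterns=PATTERNS):
    """Both the text and the HTML version of an email body are scanned."""
    return mask_text(plain, patterns), mask_text(html, patterns)


if __name__ == "__main__":
    # Constructed sample chat line (not real data).
    print(mask_text("card 4111 1111 1111 1111, ssn 123-45-6789"))
```

A number split across HTML tags or written with other separators will not match these constructed patterns, so test any pattern against the formats your customers actually send before relying on it.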



Encryption Settings

Recordings and transcripts of all your contact center interactions can be encrypted while they are stored in the Bright Pattern Contact Center system.

Before you can use the encryption capability, it must be enabled for your contact center at the service provider level.

To enable encryption, go to Security > Encryption Settings and check the items that you intend to store encrypted.

Select from the following:


Security > Encryption


When you export any encrypted items out of the system, they will be unencrypted for export.

For more information about the method and keys used for encryption, see section Encryption Key Management.



Encryption Key Management

Bright Pattern Contact Center supports optional encryption for various data elements that are stored in the system and may contain sensitive information about your customers. This includes voice and screen recordings, chat and SMS transcripts, and email texts and attachments. For more information about enabling encryption for these data elements, see section Encryption. Custom fields of calling lists and activity forms can also be encrypted. For more information, see section Lists of this guide and section Field of the Bright Pattern Contact Center Form Builder Reference Guide, respectively.

Before you can use the encryption capability, it must be enabled for your contact center at the service-provider level. When this capability is enabled, a data encryption key will be generated automatically by the system. You can manually generate a new encryption key at any time. To generate a new data encryption key, select the Encryption Key Management option from the Security menu and click the Generate a new encryption key button.


Security > Encryption Key Management


Old encryption keys are stored in the system; they are used to decrypt the data that was encrypted using those keys. You can view the date and time of generation of the current and previous keys.

Note that in compliance with various data security standards, data encryption keys themselves are encrypted with a key encryption key (KEK), which is stored separately.

The AES-256 algorithm is used for encryption of both the data and encryption keys.

When you export any encrypted items out of the system, they will be unencrypted for export.




Audit Log

Bright Pattern Contact Center keeps track of all changes applied to the contact center configuration by all users. You can view information about these changes using the audit log function. The audit log also includes information about every attempt to log into the Contact Center Administrator application as well as every instance of access to voice and screen recordings.

Note that in order to view the audit log, you must be assigned a role that has the View Audit Log privilege. By default, only the Service Administrator and System Administrator roles have this privilege.

To view the log, select the Audit Log option from the Security menu. The upper area of the application pane will display various filter options that you can use to define your search criteria.


Security > Audit Log


Filters

The Audit Log filters are described as follows.

From/To

The From/To filter returns records about the operations that happened within the specified time interval. Leave the To field blank if you want to get all records up until the present moment.

Who

The Who filter returns records about the operations performed by the specified user.

Item

The Item filter returns records about the operations applied to the resource with the specified name. This filter should normally be used in combination with filter Type.

Operation

The Operation filter returns records about the operations of a particular type (e.g., add, delete, update).

Type

The Type filter returns records about the operations with the resources of a particular type (e.g., service, user).

Screen

The Screen filter returns records about the operations with resource properties that are defined in a particular screen. When you select the resource type using filter Type above, this option will display only the screens that are used to edit properties of the resources of the selected type.

Note the following:


Audit Log Data Fields

The Audit Log data fields give more details for each record, and they are described as follows.


Audit Log Summary


When

When gives the time stamp of the corresponding operation.

Who

Who specifies the username of the person who performed the operation.

Screen

Screen is the particular screen of the Contact Center Administrator application where the operation (i.e., action) was applied to a specific resource property.

Type

This is the Type of resource to which the operation was applied.

Summary

Summary provides details of the operation, such as the specific properties that were affected and, where applicable, the new values that were applied. If the summary information does not fit entirely in the visible area of the table cell, you can mouse over or click that cell to view the entire Summary content in a pop-up window.

Note: You can change the order in which log records are sorted using the drop-down menu that appears when you mouse-over the corresponding column header. The same menu also allows you to disable display of any column if you need to make more room to view content of other columns.