
First Part:

Table Analysis based on the Findings of the Previous Compliance Analyst (Dec-2023/Jan-2024)
The most recent analysis, conducted in December 2023, revealed crucial information that could
explain why our operations floor is not in adherence to the client's requirements for safeguarding
customers' personal information.
By constructing a pivot table, we identified that last year personnel designated as
coaches were observed introducing paper or writing materials into the operations room. This
behavior may have led others to perceive it as acceptable. Additionally, one coach was
caught bringing a cell phone into the operations room.
In January the situation got worse; it is in this month that we can start seeing a risky
spread of this behavior. Our team found a total of 10 unlocked workstations, 8 phones, 7
paper/writing materials, 4 handbags/purses, 3 cases of improper badge usage, and 1 electronic
wearable device inside the operations floor.

Risk Identification.

• Data privacy put at risk.
At this point, we have identified potential breaches that compromise our floor's
compliance. It is imperative to ascertain that regulations and laws, specifically the Gramm-
Leach-Bliley Act (GLBA), have not been violated. The GLBA is crucial for protecting our
customers from compromises of credit card/banking information and personal information.
• Contractual compromise.
The account is subject to contractual requirements specified by the client. Violating these
contractual agreements could have legal consequences, including potential legal actions or
termination of the business relationship.
• Workplace policy violation.
The prohibition on paper/writing materials was violated by a significant part of our
personnel, which implies a violation of Foundever internal rules and our client's
requirements. This could even lead to termination of the business relationship.
• PCI DSS (Payment Card Industry Data Security Standard).
The presence of electronic devices implies a high-level risk while personnel are
handling card information; even the presence of writing material or another personal item
implies an important risk.
• Some State Privacy Laws (e.g., CCPA, VCDPA, SHIELD Act).
Unauthorized presence of electronic devices and mishandling of personal information
could violate state privacy laws.
• Security and Confidentiality of Information.
The lack of a completely paperless environment and the presence of unauthorized
electronic devices could compromise the security and confidentiality of information.

Second part.
Risk response and mitigation.
How can we respond to this potential incident?
Keeping in mind the data compiled by the department, we can find that the main issue in
our company is negligence. In December 2023 a total of 12 writing materials, 2 cell phones,
1 electronic wearable device and 1 piggybacking incident were reported, but no action was
taken, so this may be the main factor that determined the spread of these behaviors over the whole
operations room. It is important to point out that these behaviors were mostly practiced by our
coaches' team, so this could be the root where we can start investigating and creating a solution
plan.
By 2024 there was an evident failure across the whole operations room. According to the data
found, we went from 12 writing material incidents to 7, from 2 cell phone incidents to 8, and
we still have the same employee entering the operations room with the same electronic
wearable device. It is evident that no action was taken and that no plan was developed in
order to advise or warn the personnel involved.
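The pivot-table comparison described in the first part and the December-to-January comparison above can be reproduced with a small script. The following is an added example, not the compliance team's own pivot table or data: the findings are constructed to mirror the counts cited in this report, the subject tags are pseudonymous placeholders, and any role attribution beyond what the report states (December findings mostly by coaches; the same person carrying the same wearable in both months) is an assumption made for illustration.

```python
"""Pivot of constructed compliance-walk findings by month, role and category.

Added example; not the report's own data. Each finding is a tuple
(month, role, category, subject). Subjects are pseudonymous tags, not real
employee identifiers. Role attribution is an assumption except where the
report states it.
"""
from collections import Counter, defaultdict


def _expand(month, role, category, n, tag):
    """Build n findings of one category, with sequential pseudonymous subjects."""
    return [(month, role, category, f"{tag}{i:02d}") for i in range(n)]


# Constructed to match the report's counts: Dec 2023 (12 writing materials,
# 2 cell phones, 1 wearable, 1 piggybacking) and Jan 2024 (10 unlocked
# workstations, 8 phones, 7 writing materials, 4 handbags, 3 badge misuse,
# 1 wearable). The wearable subject W01 appears in both months, as the report
# says; everything else about who did what is an assumption.
FINDINGS = (
    _expand("2023-12", "coach", "writing_material", 12, "C")
    + _expand("2023-12", "coach", "cell_phone", 2, "C")
    + [("2023-12", "agent", "wearable", "W01")]
    + [("2023-12", "coach", "badge_misuse", "C00")]  # piggybacking at the door
    + _expand("2024-01", "agent", "unlocked_workstation", 10, "A")
    + _expand("2024-01", "agent", "cell_phone", 8, "B")
    + _expand("2024-01", "agent", "writing_material", 7, "J")
    + _expand("2024-01", "agent", "handbag", 4, "H")
    + _expand("2024-01", "agent", "badge_misuse", 3, "D")
    + [("2024-01", "agent", "wearable", "W01")]  # same person, same device
)


def pivot(findings):
    """Month x category counts, the shape of the report's pivot table."""
    table = defaultdict(Counter)
    for month, _role, category, _subject in findings:
        table[month][category] += 1
    return {month: dict(counts) for month, counts in table.items()}


def month_over_month(findings, earlier, later):
    """Per-category (earlier, later) counts; a category absent in a month is 0."""
    table = pivot(findings)
    before, after = table.get(earlier, {}), table.get(later, {})
    categories = sorted(set(before) | set(after))
    return {c: (before.get(c, 0), after.get(c, 0)) for c in categories}


def role_share(findings, month):
    """Fraction of one month's findings attributed to each role."""
    roles = Counter(role for m, role, _c, _s in findings if m == month)
    total = sum(roles.values())
    return {role: n / total for role, n in roles.items()} if total else {}


def repeat_subjects(findings):
    """Subjects found with the same category in more than one month.

    This is the check that surfaces the wearable carried in both months: a
    repeat after a finding is evidence that no corrective action followed.
    """
    months_seen = defaultdict(set)
    for month, _role, category, subject in findings:
        months_seen[(subject, category)].add(month)
    return sorted(
        (subject, category, sorted(months))
        for (subject, category), months in months_seen.items()
        if len(months) > 1
    )


if __name__ == "__main__":
    for category, (dec, jan) in month_over_month(FINDINGS, "2023-12", "2024-01").items():
        print(f"{category:22} Dec={dec:2}  Jan={jan:2}  change={jan - dec:+}")
    print("coach share in Dec:", role_share(FINDINGS, "2023-12").get("coach", 0))
    print("repeat subjects:", repeat_subjects(FINDINGS))
```

With real data, the only change needed is to load the findings as the same four-field tuples from the compliance team's spreadsheet; the repeat-subject check is the one that turns a count into a concrete follow-up item.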
What can we do to mitigate this specific risk?
1. Non-electronic device program
• Conduct a thorough review and update of privacy and data security policies.
• Enhance employee training on handling sensitive information securely.
• Implement regular audits and monitoring to ensure compliance.
This can be done through a training program built by the compliance
department and delivered to the operations room personnel. It is important to
highlight the need to meet the client's expectations by eliminating undesirable behaviors, emphasize
the importance of maintaining work areas free of electronic devices and sensitive materials,
describe the non-electronic device training program developed by the compliance team and
explain the training distribution process from the compliance team to OMTT, coaches and
agents. With this first step applied to the identified risks, we are covering the Gramm-Leach-
Bliley Act (GLBA), workspace policies and PCI DSS (Payment Card Industry Data Security
Standard).
2. Enhancing monitoring
• Restrict access to electronic devices to only authorized personnel.
• Introduce strong access controls and authentication mechanisms.
This could be done by emphasizing the importance of preventing the entry of electronic
devices, implementing electronic detectors at the operations room entrance, and
designating a guard to check each member of the operations room personnel to prevent the entry of
electronic devices and writing materials.
3. Physical security.
Address the trust issues with the provided lockers by securing the locker zone and improving
the lockers' quality. It is also important to propose the implementation of a comprehensive
security system, including a guard and cameras. With this physical aspect covered, our agents
won't feel the need to bring their personal devices into the operations room.
4. Contacting personnel and initiating a compliance process.
It is also important to take care of our personnel. If someone is not taking into account
all the privacy and internal policies, this employee could be acting negligently, or we did not
provide enough training and advice. That is why it is important to work with our employees to
understand their situation, so that we can apply the most appropriate corrective action.
Third part
Risk transference.
To implement a full system response, it is important to inform and work with the most relevant
departments.
IT department:
Authorized and non-authorized device management
• Establish a comprehensive device management policy to control the use of electronic
devices in the production area.
• Implement mobile device management solutions to monitor and secure company-
approved mobile phones.
• Apply the need-to-know principle when granting access to customer information.
Encryption
• This department should be focused on encrypting all the relevant information and
limiting the agent's access to it.
Legal department:
• Work closely with the legal department to ensure that all policies and procedures align
with relevant laws and regulations.
• Seek legal guidance on privacy laws, compliance requirements, and contractual
obligations.
Human Resources (HR):
• Involve HR in the development and implementation of employee training programs,
especially on security awareness and privacy policies.
• Coordinate with HR for background checks and screening of employees handling
sensitive information.
Operations Department:
• Engage with the operations department to understand the workflow and identify areas
where sensitive information is processed.
• Collaborate on the development and enforcement of policies related to the paperless
environment and personal items in the production area.
Training and Development:
• Collaborate with the training and development department to create and deliver ongoing
training programs for employees at all levels.
• Ensure that training materials are tailored to different job roles and include specific
information about compliance requirements.
Solutions proposed.
We know that an internal problem of this size could be happening due to internal breaches in
more than one department. As a great company, it is important that all our departments work
together to keep our employees up to date on security processes and our client safe
from customer claims or information theft. In the previous case the security breach has its root
in the coaches not following the compliance and legal processes. To avoid that, we need to
address this internal problem in a multidimensional way, working together for the same goal.
