Establish, implement, and maintain a customer service program.


CONTROL ID
00846
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Assign roles and responsibilities in the customer service program., CC ID: 13911
  • Establish, implement, and maintain an Incident Management program., CC ID: 00853
  • Establish, implement, and maintain a customer service business function., CC ID: 00847
  • Provide and display incident management contact information to customers., CC ID: 06386
  • Investigate and take action regarding help desk queries., CC ID: 06324
  • Log help desk queries., CC ID: 00848
  • Establish, implement, and maintain help desk query escalation procedures., CC ID: 00849
  • Establish, implement, and maintain help desk query clearance procedures., CC ID: 00850
  • Establish, implement, and maintain help desk query trend analysis procedures., CC ID: 00851
  • Provide customer security advice, as necessary., CC ID: 13674
  • Review and update security advice for customers, as necessary., CC ID: 06868


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should have in place a problem management system to respond promptly to IT operational incidents, to escalate reported incidents to relevant IT management staff and to record, analyse and keep track of all these incidents until rectification of the incidents. A helpdesk function can be set up to… (5.1.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Provision of various electronic banking channels like ATM/debit cards/internet banking/phone banking should be issued only at the option of the customers based on specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions from the custo… (Critical components of information security 31) (i), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Help desk systems are recipients of information on new or modified recordkeeping systems. (§ G.4.1.2, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • will enable the entity to deal with inquiries or complaints from individuals about the entity's compliance with the Australian Privacy Principles or such a code. (Schedule 1 Part 1 Clause 1 Subclause 1.2(b), Australian Privacy Act 1988, Compilation No. 77)
  • PSPs should provide PSUs with assistance on all questions, requests for support and notifications of anomalies or issues regarding security matters related to payment services. PSUs should be appropriately informed about how such assistance can be obtained. (3.8 98, Final Report EBA Guidelines on ICT and security risk management)
  • A firm must pay due regard to the interests of its customers and treat them fairly. (2.1.1 Principle 6 Customers' interests, Principles for Businesses)
  • The organization shall establish procedures for a feedback system. The feedback system shall include experience gained from the post-production phase when it is required by national or regional regulations. (§ 8.2.1 ¶ 3, § 8.2.1 ¶ 4, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • ensuring the promotion of customer focus throughout the organization; (5.3 ¶ 2(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • handling enquiries, contracts or orders, including changes; (8.2.1 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • providing information relating to products and services; (8.2.1 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed; (5.1.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it pr… (§ 10.1.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The cloud service customer should agree with the cloud service provider on an appropriate allocation of information security roles and responsibilities, and confirm that it can fulfil its allocated roles and responsibilities. The information security roles and responsibilities of both parties should… (§ 6.1.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Product support services shall accommodate the communication needs of end-users who have disabilities. (§ 1194.41(c), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • Database administration, systems analysis, client support, systems administration, and network administration. (App A Objective 2:9c Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should develop and implement service and support processes. These processes should be designed to support an entity's strategic goals and objectives by preventing issues, ensuring continuous reliability and resilience, and supporting users (e.g., business lines, personnel, and customers). (VI.C Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management develops and implements service and support processes to support an entity's strategic goals and objectives by preventing issues, ensuring continuous reliability and resilience, and supporting users. (VI.C, "Service and Support Processes") (App A Objective 16, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Customer service. (App A Objective 8:1 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Formal procedures are in effect and staff is assigned to provide interface with users/customers to control data center-related issues (i.e., program change requests, record differences, service quality); (TIER II OBJECTIVES AND PROCEDURES F.1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, and output. ▪ The ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should use on-line instructions and help features to reduce customer confusion. (Pg 35, Pg 36, Obj 6.5, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Determine the quality of customer service and support provided to customer institutions by: ▪ Reviewing management reports used to monitor customer service or reported problems, ▪ Reviewing complaint files and methods used to handle complaints, ▪ Evaluating the extent of user group activity an… (Exam Obj 7.4, FFIEC IT Examination Handbook - Management)
  • The organization should ensure that end users have continuous support to perform their jobs efficiently and effectively. The help desk should be staffed by dedicated personnel. (Pg 35, Pg 36, Exam Tier I Obj 10.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • Consumer awareness program. (App A Tier 2 Objectives and Procedures M.2 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Does the Credit Union offer e-statements? (IT - Member Online Services Q 35, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include member services? (IT - Policy Checklist Q 18, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Calls for user support in the form of a help desk but do not elaborate. (§ 3.9, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Coordinate and manage the overall service provided to a customer end-to-end. (T0354, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Coordinate and manage the overall service provided to a customer end-to-end. (T0354, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Service Organizations are responsible for providing assurances to their customers and assisting customers in understanding the relationship between the service provider's controls and the customer's user controls. Together, service organizations and customers manage the risks of third party provider… (Section III (B1) ¶ 1 Bullet 4 Service Organization Responsibility., OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Becomes a policyholder of a licensee that is an insurer when the insurer delivers an insurance policy or contract to the consumer, or in the case of a licensee that is an insurance producer or surplus line broker, obtains insurance through that licensee; or (Regulation 6-4-1 § 5 C.1., Colorado Code of Regulations, Section 702-6, Consumer Protection (General))
  • Agrees to obtain financial, economic or investment advisory services relating to insurance products or services for a fee from the licensee. (Regulation 6-4-1 § 5 C.2., Colorado Code of Regulations, Section 702-6, Consumer Protection (General))