Log help desk queries.


CONTROL ID: 00848
CONTROL TYPE: Log Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a customer service program., CC ID: 00846

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Standard § I.2(4).2.b: External party communications provide important information and are needed to develop a process to identify, encapsulate, and process information in a timely and appropriate manner. Practice Standard § I.2(4)[3]: A Whistleblower System may be developed by the organization as … (Standard § I.2(4).2.b, Practice Standard § I.2(4)[3], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization should record the time when a theft, loss, or other incident is reported by a customer and register the notice for appropriate management. A system should be in place for when the report is taken by phone so as to be able to take appropriate precautions until it is placed in writing. (O41.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In cases where the locations for acceptance of notifications of accidents are to be registered in the directory inquiry service provided by a telephone company, they should be registered by appropriate designations to facilitate the search by operators. (P64.7., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should communicate pertinent information, gather views and inputs, and address concerns from shareholders on a regular basis. The information should be as descriptive and detailed as possible. (¶ 14.1, CODE OF CORPORATE GOVERNANCE 2005)
  • (§ 3.3.2.3, OGC ITIL: Security Management)
  • The purpose of the service desk practice is to capture demand for incident resolution and service requests. It should also be the entry point and single point of contact for the service provider with all of its users. (5.2.14 ¶ 1, ITIL Foundation, 4 Edition)
  • Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. It should work closely with such processes as incident management, problem management, change management, capacity management and availability management. Incidents should be cl… (DS8.2 Registration of Customer Queries, CobiT, Version 4.1)
  • Produce reports of service desk activity to enable management to measure service performance and service response times and to identify trends or recurring problems, so service can be continually improved. (DS8.5 Reporting and Trend Analysis, CobiT, Version 4.1)
  • Sensitive information received during a customer query should be deleted immediately after being used and the collection of this information should be kept to a minimum. (§ 1.1.5, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • The organization should use an e-mail autoresponder to acknowledge receipt of customer questions. The e-mail response should include the approximate time for response to the customer's question. A standard timeframe should be established for responding to 100% of the e-mail inquiries. (Pg 30, Pg 31, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The help desk should log all queries and send an e-mail to the appropriate personnel needed to correct the problem. Personnel who call the hotline should receive a call back to thank them for the information, even if it was not used. (Pg 12-IV-5, Revised Volume 2 Pg 1-I 38, Revised Volume 2 Pg 1-I-61, Protection of Assets Manual, ASIS International)
  • The organization shall keep records of all customer complaint investigations. (§ 8.5.1 ¶ 3, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • § 6.2.1.2: For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall document all feedback and evaluate it to determine if a problem exists in the software. If there is a problem, it shall be recorded as a problem report and shall … (§ 6.2.1.2, § 9.1, § 9.5, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • recorded and classified; (§ 8.6.2 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization should establish a set of fair, effective, and timely procedures for handling complaints received from consumers and other businesses. (§ I18, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • The organization should record all unresolved complaints, disputes, and all access request denials. (Table Ref 6.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Complaint files shall be maintained by the medical device manufacturer. The manufacturer shall establish and maintain procedures to receive, review, and evaluate complaints. These procedures shall ensure all complaints are processed uniformly and timely; oral complaints are documented when they are … (§ 820.198(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Determine the quality of customer service and support provided to customer institutions by: ▪ Reviewing management reports used to monitor customer service or reported problems, ▪ Reviewing complaint files and methods used to handle complaints, ▪ Evaluating the extent of user group activity an… (Exam Obj 7.4, FFIEC IT Examination Handbook - Management)
  • The help desk should record and document all inquiries. The help desk documentation should include the name of the user, a description of the problem, what systems the problem affects, a priority code, who is responsible for fixing the problem, and a target time for correction. (Pg 36, Exam Tier II Obj G.5, FFIEC IT Examination Handbook - Operations, July 2004)
  • Exam Tier II Obj 6.4 Assess the adequacy of the investigative unit in place to address customer inquiries and control non-posted items, rejects, and differences. Management should periodically receive aging reports that list outstanding items. Exam Tier II Obj 8.10 Determine whether the RDFI has est… (Exam Tier II Obj 6.4, Exam Tier II Obj 8.10, Exam Tier II Obj 9.12, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)