


How Felcorp and clients ensure least-privilege access is configured correctly across client-owned systems and software.

When Felcorp delivers outsourced services, staff frequently need access to systems and software that belong to the client. These might include practice management platforms, accounting software, CRM systems, document management tools or cloud storage environments.
Because these systems sit on the client's side, the client controls user permissions. Felcorp's role is to work with the client to ensure the right level of access is configured from the outset and maintained throughout the engagement.
Felcorp staff should hold only the minimum user privileges and access needed to deliver the agreed services comfortably. This means enough access to perform the work efficiently, without unnecessary visibility into areas of the system that fall outside the scope of the engagement.
Granting full administrative access or unrestricted permissions creates risk that can be avoided through considered role configuration. The goal is to match system access precisely to the responsibilities outlined in the engagement terms.
The specifics of access configuration depend on the client's systems and internal policies, but the general approach follows a consistent pattern.
At the start of an engagement, Felcorp provides the client with a clear outline of what access is required, which staff members need it and what tasks they will be performing. The client then provisions user accounts with the appropriate role and permission levels within their own platform.
Where a system supports role-based access controls, Felcorp recommends configuring a dedicated role that reflects the scope of work rather than assigning generic or elevated permission sets. This keeps access contained and makes it easier to audit.
While Felcorp cannot enforce permissions on client-owned systems, we provide guidance to support secure configuration:
These recommendations align with Felcorp's internal access management practices described under Identity and Access Management.
Access requirements can change as an engagement evolves. New tasks may require additional permissions, or a shift in scope may mean certain access is no longer needed.
Felcorp communicates access changes to the client as they arise, and recommends periodic review of user permissions to confirm they remain appropriate. Where a temporary staff substitution is required, the client is notified and must provide written approval before the substitute is given access to any client system.
When an engagement ends, Felcorp requests that the client revoke all associated user accounts and access credentials. On Felcorp's side, all stored client data is securely transferred back and permanently removed from internal systems within the agreed timeframe, as described under Operational Processes and Policies.
Client-side system access sits at the intersection of the Security By Design and Security By Engagement layers. The principle of least privilege is a design-level standard, while the specific permissions configured for each client reflect engagement-level controls.
For detail on how Felcorp governs access on its own systems, refer to Identity and Access Management.