I am with an on-line TPA and we are reviewing our security policies and practises. I am interested in identifying a source of information that provides industry standards or best practices regarding things such as: how to best keep personal private information (SSN's, ...) private, what types of standard account verification practices are used for call center personnel to identify/verify callers, ...

I appreciate any assistance you can provide.