1. QI SaaS Production Environment
QI employs a public cloud deployment model using both physical and virtualized resources for its software-as-a-service solutions (“SaaS Solutions”). All maintenance and configuration activities are conducted by QI, primarily remotely from our corporate office.
QI SaaS Solutions are multi-tenant; logical access controls based on authentication and roles ensure the necessary separation between the data of different clients. All infrastructure responsibilities rest with QI, and clients are provided with functionality to manage their own users and roles at the application level.
QI follows guidance from the ISO/IEC 27002:2013 standard. Additionally, QI employs industry-standard practices and relies on its experience in operating highly secure SaaS solutions for security controls such as firewalls, intrusion detection, change management and written security policies.
QI's distributed architecture for data collection, processing and reporting allows it to scale horizontally as the number of clients and the volume of traffic increase. QI uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are load balanced and scaled up when predetermined capacity thresholds are reached.
1.2 SaaS Management
The QI Operations Team is responsible for all aspects of the SaaS Solutions production environment. SaaS Operations’ professional depth enables QI to provide SaaS services at the highest levels of efficiency.
2. Risk Management
QI business continuity planning includes practices to assist management in identifying and managing risks that could affect the organization’s ability to provide reliable services to its clients. These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.
QI evaluates and manages risks related to its SaaS Solutions throughout their lifecycle, taking into consideration the consequences for our clients of a loss of confidentiality or availability of the information we collect, process and store.
3. Security Policies & Organization of Information Security
QI maintains a general System Security Architecture that explicitly addresses the confidentiality, integrity and availability of client data and information technology resources, and details responsibilities and management’s role.
3.2 Information and Communication
QI utilizes various methods of communication, including email and the corporate intranet, to update employees on current events and policies and to share information relevant to employees, such as corporate data, industry news, training and development materials, employee resources, and other corporate policies.
3.3 Information Security Coordination
QI has adopted a centralized approach to information security. Responsibilities include:
- Driving security initiatives
- Reviewing policies
- Security planning and program management
- Reviewing the effectiveness of the security program
- Coordinating the QI security incident response plan
QI separates its SaaS production network and all associated functions from the general corporate IT.
3.4 Segregation of Duties
Only authorized personnel can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization.
4. Human Resources Security
4.1 Employee Screening
QI requires that non-disclosure and/or confidentiality agreements are signed by all Personnel. QI policy prohibits employees from using confidential information (including Client Data) other than for legitimate business purposes, such as providing technical support, and this obligation continues after their employment ends.
An employee’s failure to cooperate fully in any background check, and any dishonesty or omission of information pertaining to a background check by an employee, precludes employment with QI.
4.2 Terms of Employment
QI operates an onboarding process including at a minimum the following steps:
- Communication to the new employees of policies, code of conduct and behavioral standards.
- Employee signature of the employment agreement (which includes a confidentiality agreement).
General information security training is provided to all new employees (both full time and temporary) as part of their onboarding.
Development and operations staff receive further training specific to the development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data.
4.4 Termination of Employment
QI maintains a formal termination or change of employment process that, promptly upon termination or change of employment, requires the return of any and all QI and Client assets, disables or adjusts access rights, and reminds ex-employees of their remaining employment restrictions and contractual obligations. All access (logical and physical) is terminated on or before the termination date. QI uses pre-defined checklists to help ensure the consistency and completeness of the termination process.
5. Asset management
All data collected by QI on behalf of its clients is the property of the respective clients and classified as highly confidential under QI information classification policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Access to client data is restricted to legitimate business use only.
QI generally performs no additional encryption on data collected and stored within the QI SaaS production environment.
5.1 Client Data Location
All client data is processed and stored in the United States.
6. Access Control & Physical Security
QI IT manages access control policies and procedures for the corporate network. QI SaaS Operations maintains a list of all staff authorized to access SaaS Operations data.
6.1 User Access Management
Accounts on the QI SaaS production network, including those of network administrators and database administrators, are mapped directly to individual staff members. Upon notification by HR as part of the formal termination notification process, all system access is immediately adjusted to the new role or revoked, both on the QI corporate network and on the QI SaaS Solutions production network.
Password complexity rules and account lockouts are enforced in all environments to protect against brute-force and dictionary attacks and other password threats.
6.2 User responsibilities
QI security policy requires employees to notify corporate IT immediately if they believe that the security of their password has been compromised. Employees must abide by all QI policies.
6.3 System and Application Access Control
Authentication and robust access controls ensure that all clients’ confidential information is secured against unauthorized access. Users of QI SaaS Solutions must be authenticated before they can access their data, and the rights associated with their credentials control access to the logical structures containing their data.
Access to resources is controlled by explicit rights in all environments.
Access to client data is limited to legitimate business need, including activities required to support clients’ use of the SaaS Solutions. Employees may only access resources relevant to their work duties.
6.3.1 Data Access by Clients
Client end users are authorized only to see data from their account and may have additional privilege restrictions placed on their access to the account by their account administrator.
Client end users authenticate to the system over an HTTPS connection.
6.3.2 Access control to program source code
Write access to QI SaaS production source code is limited to the engineering staff.
7. SaaS Operations Security
QI SaaS Solutions infrastructure is managed by a team separate both from corporate IT and from development, and employs industry best practices.
7.1 Documented Procedures
QI maintains documented procedures that include:
- Security control measures for all systems in the environment.
- Prompt deployment of patches on all applicable systems, per manufacturer recommendation.
- Change management procedures.
- Incident detection and management.
7.2 Separation of development, testing and operational facilities
All systems used for the Solutions are managed by the QI SaaS Operations team, which is separate from corporate network resources. All access is limited to the least privilege needed and requires authentication.
7.3 Data Backup
QI stores all client data in the SaaS production environment on fully redundant storage systems.
7.4 Logging and Monitoring
QI maintains audit information and logs for all information technology resources, applications and network accesses, monitors these logs for abnormal patterns and unauthorized access attempts, and maintains processes for security alerting, escalation and remediation.