Skip to main content

Turn responses into revenue. Get a demo

QorusDocs Technical and Organizational Measures

Last Modified: May 9, 2024

Table of Contents

  1. Security and Privacy Program
  2. Organizational Structure and Assignment of Authority and Responsibility
  3. Human Resource Security
  4. Policies and Procedures
  5. Change Management
  6. System Development Life Cycle
  7. Asset Management
  8. Access Control
  9. Business Continuity and Disaster Recovery
  10. Data Center Security
  11. Information Security Incident Management
  12. Risk Management
  13. Monitoring
  14. Privacy Commitments


Security and Privacy Program

QorusDocs maintains a SOC 2 Type 2 report and the effectiveness of the implemented controls is therefore observed for twelve months per year by an external independent auditor to provide reasonable assurance that QorusDocs service commitments and system requirements were achieved based on the trust services criteria relevant to security and privacy (applicable trust criteria) set forth TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA Trust Services Criteria).

 

Organizational Structure and Assignment of Authority and Responsibility

QorusDocs’ governance framework is designed to delineate clear lines of authority and ensure a proper division of responsibilities. This structure encompasses various control measures, including the segregation of the company into distinct functional areas, and the implementation of detailed job descriptions outlining necessary qualifications, duties, and responsibilities.

QorusDocs has established an Information Security and Compliance team, with security and privacy responsibilities shared across the business.

 

Human Resource Security

Human Resource Security is a critical aspect of QorusDocs' operational integrity.

QorusDocs requires that all new employees and contractors sign comprehensive non-disclosure and confidentiality agreements.

Background checks are performed for new hires including education verification, employment history verification, reference checks, social security number verification, and criminal background checks.

New employees and contractors receive training on all privacy and security controls and company policies upon hire and annually thereafter.

QorusDocs maintains a documented procedure for changes in employment status. This includes personnel onboarding, role changes, and employment termination (including notification, access modification, and asset collection).

 

Policies and Procedures

Policies are supported by associated procedures, standards, and guidelines. Policies are documented and published among all relevant personnel along with relevant training.

All personnel are required to sign an acknowledgment of the Information Security and Acceptable Use Policy upon hire or when there are significant changes to the policy.

Policies include, but are not limited to:

  • Privacy Policy
  • Information Security and Acceptable Use Policy
  • Employee Handbook
  • Data Classification-, Data Disposal-, and Data Retention Policy
  • Information Security Incident Management Policy and Procedure
  • Change Management Policy
  • Procurement- and Vendor Relationship Management Policy
  • Email Policy
  • Password Policy
  • Remote Access Policy
  • Bring Your Own Device (BYOD) Policy
  • Policy on the Use of Artificial Intelligence (AI) Tools
  • Physical Environment Security Policy

 

Change Management

QorusDocs maintains documented application and infrastructure change management policies and procedures to communicate the company’s expectations regarding the change management and system development life cycle (SDLC) processes to personnel, and to ensure no unauthorized changes are made to production systems.

 

System Development Life Cycle

Product features are managed through a formalized product management process.

Security requirements are discussed and formulated during scoping and design discussions.

All changes are planned, reviewed, tested against acceptable standards, and tracked from start to completion. Full auditability and traceability are maintained for each change.

No product deployment to the production environment can be done unless the change is linked to a Product Backlog Item.  This rule applies to scheduled- as well as unscheduled / emergency work items.

Only users with the appropriate rights can deploy software. All changes must be approved by authorized senior personnel.

 

Asset Management

The QorusDocs Information Assets Classification policy ensures that data is handled according to its sensitivity, while the Data Disposal Policy guarantees that both physical and digital assets are disposed of securely.

Physical assets are tracked in a physical asset inventory. All computer equipment is returned to the company upon termination of the employee contract. The use of encrypted storage partitions on desktops and laptops further reinforces the commitment to safeguarding data integrity even in the event of hardware turnover.

 

Access Control

The QorusDocs Information Security and Acceptable Use policy outlines requirements for the use of user IDs and passwords.

QorusDocs maintains Role Based Access Control on the principle of least privilege to ensure individuals has only enough access to perform their jobs.

Upon a change in employee role or notice of termination, the user access is updated or removed. 

Internal audits are performed quarterly to validate access controls and user rights across systems.

 

Business Continuity and Disaster Recovery

QorusDocs maintains a Business Continuity Plan which is reviewed and updated at least annually or whenever there are significant changes that may impact the BCP.

Qorus utilizes failover and scaling technology to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of failures and allow for capacity scaling as customer data and usage grow.

Documented backup procedures are maintained.

 

Data Center Security

QorusDocs uses Microsoft Azure as a PaaS provider to host the system.

The Microsoft Azure cloud infrastructure and offerings meet a broad set of international and industry-specific compliance standards, such as ISO, HIPAA, FedRAMP, and SOC, as well as country-specific standards. For more information refer to:

https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-security

 

Information Security Incident Management

Qorus maintains an Information Security Incident Response Plan that is tested annually. The plan addresses specific incident response procedures such as, but not limited to; Roles and Responsibilities, Incident Classification and Escalation Criteria, Communication Procedures, Detection and Reporting, Initial Response Actions, Investigation and Analysis, Containment and Eradication, Recovery and Restoration, Lessons Learned and Improvement, and Legal and Regulatory Considerations.

Qorus provides notification of breaches and incidents to customers, regulators, and relevant stakeholders within 24 hours of discovery.

 

Risk Management

Management is proactive in identifying the risks that threaten client commitments.  Risk assessment efforts include analyses of threats, probabilities of occurrence, potential business impacts, and associated mitigation plans. 

As a result of the annual risk assessment process, management formulates a risk treatment plan that documents risk treatment decisions including designed control activities to mitigate risks to defined risk tolerance levels.  Management also documents availability plans to guide personnel in procedures to protect against disruptions caused by an unexpected event.  Vendor evaluations are conducted as part of the vendor selection process, and management also reviews audit reports from current vendors to help ensure that they maintain compliance with QorusDocs’ system requirements and commitments.

 

Monitoring

Management has implemented monitoring controls to respond to issues that may impact information security.  Qorus achieves this through a variety of monitoring activities and periodic evaluations, such as:

  • Vulnerability monitoring and annual penetration test of the production environment.
  • Alerting on intrusions and network breaches; and
  • Monitoring the services provided by sub-service organizations on an ongoing basis as a component of standard business operations.

 

Privacy Commitments

  • Consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from customers before access to QorusDocs is granted.
  • Qorus limits the use and retention of personal information to the purposes identified in the company’s objectives related to privacy.
  • Privacy commitments are obtained from vendors and other third parties.  Qorus assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.
  • Qorus securely disposes of personal information to meet the objectives related to privacy.
  • Confidentiality and nondisclosure agreements are signed by all entities (employees, contractors, business partners, vendors, etc.) requiring access to sensitive, proprietary, personal, or otherwise confidential information.