
QorusDocs Technical and Organizational Measures

Last Modified: May 9, 2024

Table of Contents

  1. Security and Privacy Program
  2. Organizational Structure and Assignment of Authority and Responsibility
  3. Human Resource Security
  4. Policies and Procedures
  5. Change Management
  6. System Development Life Cycle
  7. Asset Management
  8. Access Control
  9. Business Continuity and Disaster Recovery
  10. Data Center Security
  11. Information Security Incident Management
  12. Risk Management
  13. Monitoring
  14. Privacy Commitments


Security and Privacy Program

QorusDocs maintains a SOC 2 Type 2 report. The effectiveness of the implemented controls is therefore observed for twelve months per year by an external independent auditor, providing reasonable assurance that QorusDocs' service commitments and system requirements were achieved based on the trust services criteria relevant to security and privacy (applicable trust criteria) set forth in TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA Trust Services Criteria).


Organizational Structure and Assignment of Authority and Responsibility

QorusDocs’ governance framework is designed to delineate clear lines of authority and ensure a proper division of responsibilities. This structure encompasses various control measures, including the segregation of the company into distinct functional areas, and the implementation of detailed job descriptions outlining necessary qualifications, duties, and responsibilities.

QorusDocs has established an Information Security and Compliance team, with security and privacy responsibilities shared across the business.


Human Resource Security

Human Resource Security is a critical aspect of QorusDocs' operational integrity.

QorusDocs requires that all new employees and contractors sign comprehensive non-disclosure and confidentiality agreements.

Background checks are performed for new hires including education verification, employment history verification, reference checks, social security number verification, and criminal background checks.

New employees and contractors receive training on all privacy and security controls and company policies upon hire and annually thereafter.

QorusDocs maintains a documented procedure for changes in employment status. This includes personnel onboarding, role changes, and employment termination (including notification, access modification, and asset collection).


Policies and Procedures

Policies are supported by associated procedures, standards, and guidelines. Policies are documented and published among all relevant personnel along with relevant training.

All personnel are required to sign an acknowledgment of the Information Security and Acceptable Use Policy upon hire or when there are significant changes to the policy.

Policies include, but are not limited to:

  • Privacy Policy
  • Information Security and Acceptable Use Policy
  • Employee Handbook
  • Data Classification, Data Disposal, and Data Retention Policy
  • Information Security Incident Management Policy and Procedure
  • Change Management Policy
  • Procurement and Vendor Relationship Management Policy
  • Email Policy
  • Password Policy
  • Remote Access Policy
  • Bring Your Own Device (BYOD) Policy
  • Policy on the Use of Artificial Intelligence (AI) Tools
  • Physical Environment Security Policy


Change Management

QorusDocs maintains documented application and infrastructure change management policies and procedures to communicate the company’s expectations regarding the change management and system development life cycle (SDLC) processes to personnel, and to ensure no unauthorized changes are made to production systems.


System Development Life Cycle

Product features are managed through a formalized product management process.

Security requirements are discussed and formulated during scoping and design discussions.

All changes are planned, reviewed, tested against acceptable standards, and tracked from start to completion. Full auditability and traceability are maintained for each change.

No product deployment to the production environment can be done unless the change is linked to a Product Backlog Item. This rule applies to scheduled as well as unscheduled/emergency work items.

Only users with the appropriate rights can deploy software. All changes must be approved by authorized senior personnel.


Asset Management

The QorusDocs Information Assets Classification policy ensures that data is handled according to its sensitivity, while the Data Disposal Policy guarantees that both physical and digital assets are disposed of securely.

Physical assets are tracked in a physical asset inventory. All computer equipment is returned to the company upon termination of the employee contract. The use of encrypted storage partitions on desktops and laptops further reinforces the commitment to safeguarding data integrity even in the event of hardware turnover.


Access Control

The QorusDocs Information Security and Acceptable Use policy outlines requirements for the use of user IDs and passwords.

QorusDocs maintains Role Based Access Control on the principle of least privilege to ensure individuals have only enough access to perform their jobs.

Upon a change in employee role or notice of termination, user access is updated or removed.

Internal audits are performed quarterly to validate access controls and user rights across systems.


Business Continuity and Disaster Recovery

QorusDocs maintains a Business Continuity Plan which is reviewed and updated at least annually or whenever there are significant changes that may impact the BCP.

Qorus utilizes failover and scaling technology to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of failures and allow for capacity scaling as customer data and usage grow.

Documented backup procedures are maintained.


Data Center Security

QorusDocs uses Microsoft Azure as a PaaS provider to host the system.

The Microsoft Azure cloud infrastructure and offerings meet a broad set of international and industry-specific compliance standards, such as ISO, HIPAA, FedRAMP, and SOC, as well as country-specific standards. For more information refer to:

https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-security


Information Security Incident Management

Qorus maintains an Information Security Incident Response Plan that is tested annually. The plan addresses specific incident response procedures including, but not limited to: Roles and Responsibilities, Incident Classification and Escalation Criteria, Communication Procedures, Detection and Reporting, Initial Response Actions, Investigation and Analysis, Containment and Eradication, Recovery and Restoration, Lessons Learned and Improvement, and Legal and Regulatory Considerations.

Qorus provides notification of breaches and incidents to customers, regulators, and relevant stakeholders within 24 hours of discovery.


Risk Management

Management is proactive in identifying the risks that threaten client commitments. Risk assessment efforts include analyses of threats, probabilities of occurrence, potential business impacts, and associated mitigation plans.

As a result of the annual risk assessment process, management formulates a risk treatment plan that documents risk treatment decisions, including designed control activities to mitigate risks to defined risk tolerance levels. Management also documents availability plans to guide personnel in procedures to protect against disruptions caused by an unexpected event. Vendor evaluations are conducted as part of the vendor selection process, and management also reviews audit reports from current vendors to help ensure that they maintain compliance with QorusDocs’ system requirements and commitments.


Monitoring

Management has implemented monitoring controls to respond to issues that may impact information security. Qorus achieves this through a variety of monitoring activities and periodic evaluations, such as:

  • Vulnerability monitoring and an annual penetration test of the production environment;
  • Alerting on intrusions and network breaches; and
  • Monitoring the services provided by sub-service organizations on an ongoing basis as a component of standard business operations.


Privacy Commitments

  • Consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from customers before access to QorusDocs is granted.
  • Qorus limits the use and retention of personal information to the purposes identified in the company’s objectives related to privacy.
  • Privacy commitments are obtained from vendors and other third parties. Qorus assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.
  • Qorus securely disposes of personal information to meet the objectives related to privacy.
  • Confidentiality and nondisclosure agreements are signed by all entities (employees, contractors, business partners, vendors, etc.) requiring access to sensitive, proprietary, personal, or otherwise confidential information.