Prepared by Igor Antonyuk & Phil Thorne
Version 0.3
01/03/2019
This document contains data considered Proprietary and Confidential by Quorso. No part of this material may be reproduced or transmitted in any form or by any means, electronic, mechanical, or otherwise, including photocopying and recording or in connection with any information storage or retrieval system, without the permission in writing from Quorso.
Quorso provides its employees with security policies and guidelines to communicate individual responsibilities with respect to safeguarding Quorso’s resources. These policies are readily available to employees. Quorso has established an Information Security Handbook based on ISO 27002. This Information Security Handbook has been independently reviewed to ensure compatibility with and conformity to ISO/IEC 27001:2013.
All Quorso new hires are required to undertake a series of training sessions, which among other issues address staff responsibilities as they relate to our code of conduct, local policies and procedures, information security, and privacy. The company’s Privacy Statement is available at https://quorso.com/privacy-policy/.
Quorso staff and partners are required to complete an individual confirmation of their responsibility for the security of Quorso’s information to which they are granted access and to take due care to protect the technology equipment assigned to them.
Quorso has established and maintains asset inventory processes for its main physical and information assets. Quorso’s information classification and asset management policies define a three-tier scheme for classifying its main information assets, which are:
Information subject to legislative or regulatory requirements is identified through the asset inventory. Security controls are established to address the relevant requirements. Quorso staff are provided with instructions on identifying and handling Quorso’s information.
When staff connect to the Quorso network, they are required to conduct themselves in a manner consistent with Quorso’s security policies regarding, among other matters, confidentiality, business ethics, and professional standards. Quorso requires that communications via these connections comply with applicable laws and regulations, including those governing:
All Quorso staff must participate in Quorso’s annual awareness training in data privacy and cyber security. This process requires that staff provide an individual confirmation of their responsibility for the security of Quorso’s information to which they have access, and to take due care to protect the technology systems assigned to them.
The Quorso Information Security Policy and Acceptable Use Policy address the appropriate use of systems and technologies. Staff who violate the Quorso compliance policies and procedures will be subject to disciplinary action, up to and including dismissal, depending on the seriousness of the violation. Cyber security awareness training is an integral part of the Quorso hiring process. An awareness program periodically reinforces the concepts and responsibilities defined in the Information Security Policy.
Quorso has established documented termination processes that define responsibilities for the collection of information assets and removal of access rights for staff who leave the company.
Physical access controls are implemented at the Quorso offices. Controls include building security and secured access to the offices occupied by Quorso staff. Proximity card access is required to enter Quorso’s office. There are defined procedures for visitor access control, requiring all visitors report to reception.
Quorso host all client systems and services with Amazon AWS, located within the EEA. Amazon operates a Tier-3/4 data center operation that is ISO 27001:2013, SOC2 Type II and PCI-DSS Level-1 compliant.
Quorso’s Engineering team has established and maintains controls over standard operating procedures, including daily health checks.
Quorso’s Engineering and Development teams have established and maintained a Change Management and Change Control procedure which includes risk assessment, roll-back, and a review and approval process.
Quorso uses a combination of technology systems to provide a secure computing environment including:
Quorso has deployed and regularly updates URL filtering software that blocks access to inappropriate web sites from its network.
Quorso systems and data are routinely backed up for disaster recovery purposes by its providers and partners.
Only Quorso managed wireless networks are permitted. Wireless access security controls include segregation of corporate and guest access and rotation of wireless keys.
Network security is established at the hosted data center with Amazon AWS. No sensitive systems or data are located on-premise.
Processes are established to assess and correct any vulnerabilities discovered during annual penetration testing by a qualified and independent network testing vendor.
Quorso has patch management processes and tools to assess and deploy operating system and application-specific patches and updates.
Quorso has established procedures for secure erasure or destruction of storage media prior to disposal, aimed at protecting the secrecy and confidentiality of information.
Procedures for conducting security reviews have been established and include the following:
Quorso follows a formal process to grant or revoke access to its resources. System access is based on the concepts of “least-privilege” and “need-to-know” to ensure that authorized access is consistent with defined responsibilities. Quorso uses a combination of user-based, role-based, and rule-based access control through Okta identity management system.
Quorso has established documented procedures for secure creation and deletion of user accounts, including processes to disable and/or delete accounts of employees temporarily away from the company. All Quorso’s staff and partners are required to agree to take reasonable precautions to protect the integrity and confidentiality of security credentials.
Access to authentication servers at administrative, root or system levels is limited to Quorso Lead Engineers. These systems require use of multi-factor authentication (MFA).
Quorso’s security policy establishes requirements for password changes, reuse and complexity, following latest guidance on best practise. Quorso requires the use of screensavers that reactivate after a period of inactivity through the use of a password.
Quorso uses virtual private network (VPN) software to enable secure, internet-based remote access to key systems.
All Quorso laptops are full disk encrypted with the keys managed using a security vault.
Mobile device access is only permitted from devices configured in accordance with Quorso’s security policy. This security policy requires a password to be entered to access the device and allows remote erasure if it is reported lost or stolen.
Information security risk management is built into Quorso’s third-party supplier management process which covers supplier selection, onboarding, performance monitoring, and risk management. Quorso policy requires that for critical suppliers non-disclosure agreements are in place before any sensitive information is shared with a third-party. Regular reporting of supplier risks and supplier service review activity are made to senior management. All critical new suppliers must undergo an information security evaluation and their contracts include information security related requirements.
Quorso staff are made aware that security incidents and events must be reported immediately. Quorso has documented procedures for the receipt of security incident reports and has a documented incident response process which includes:
Quorso maintains Business Continuity and Disaster Recovery Plans for its critical operations. The purpose of these plans is to provide a set of guidelines and corresponding processes for supporting priority activities in the event of a disaster. Examples of disaster situations that could lead to the plan activation are destructive events such as fire, power or communication blackouts, or terrorist threat.
It is recognised that Quorso relies on the managed services of its providers (mainly Amazon AWS); Quorso has assured itself that adequate controls are in place through its external partners. While Quorso has taken many steps to mitigate the risk of a systems disaster, Quorso recognises that there are external variables beyond its control.
Quorso has established a Privacy & Data Protection Policy that defines, among other issues, the standards of behaviour regarding the protection of Quorso information. The Quorso Data Privacy statement is available at https://www.quorso.com/privacy-policy/.
Quorso does not process, nor do we ask for, our client’s customer data. If a client sends us data about their customers, we will immediately destroy it in a secure manner.
While we do utilise third parties in processing client data, it is for the following primary purposes:
Quorso has established processes for performing periodic external network and application penetration testing of its application systems and platform environment. This testing is undertaken externally by a suitably qualified service provider.
Good information security is everyone’s shared responsibility and often involves cooperation between companies and their clients. While Quorso seeks to provide as much assurance as possible for the services offered, it does rely on the sensible use of data and systems shared with and between its partners and clients. Examples of standard information security controls applicable to such data and systems include:
