Engage Security and Compliance Reporting

Security and Compliance Reporting Requirements

1. Overview

This document contains procedures for reporting, managing, tracking, and addressing Security and Compliance issues. Procedures must exist not only for Support requests, but also for managing issues of compliance with security policies. All of these matters will be promptly addressed by the Questline Support and/or Questline security team based on their criticality or the Service Level Agreement; issues must be documented and tracked through to their resolution.

2. Purpose

This document details the responsibilities of Questline, its employees, clients, and any contracted third parties to report and begin the mitigation of any Security or Compliance issues.

3. Scope

All incidents should be documented and reported. Each incident is tracked by management through to resolution, where it is reviewed, approved, and marked with a “closed” status.

4. Applies To

All Questline employees, clients, affiliates, and subsidiaries will be responsible for maintaining the confidentiality of Questline data and information, based on the confidentiality details outlined in the “Information Asset Classification Policy and Details” document or applicable contractual agreements.

Reported issues will be managed and reviewed on an hourly basis by the Questline Support team, and all Security matters — defined as such or determined otherwise — will be escalated to the Questline security team.

5. Application Security Process

A robust Application Security process is fully integrated into Questline’s Software Development Life Cycle (SDLC), and includes:

  • Defined in-house security requirements and policies, and industry standard best practices applied in every stage of the lifecycle.
  • Security review of architectures, design of features, and solutions.
  • Iterative manual and automated source code review for security weaknesses, vulnerabilities, and code quality, with sufficient advice and guidance provided to the development team.
  • Regular manual assessment and dynamic scanning of pre-production environments.
  • Security training for Questline staff, conducted according to their respective job roles.

6. Definition

  • “Sensitive Data” means data or information (regardless of form, e.g., electronic, paper copy, etc.) which is
    • Personally identifiable information [including, but not limited to: (i) individual user passwords (e.g., challenge/response answers, personal identification numbers (PIN) and any other access codes that correlate to a person, etc.); (ii) Social Security number; (iii) driver’s license number; (iv) state identification number; (v) date of birth; (vi) government or federal identification number; (vii) financial information (e.g., financial account number, credit card number or debit card number in combination with any required security code, access code, or PIN that would permit access to an individual’s account, etc.); (viii) health coverage ID number; (ix) biometric data (e.g., thumb print, retina scan, palm scan, etc.); (x) email addresses; (xi) electronic handwritten signature; and (xii) any subscriber level data];
    • Passwords other than individual user passwords [such passwords include application passwords, database passwords, and shared account passwords];
    • Session identifiers that represent or potentially represent an authenticated identity (e.g., a single sign-on cookie) used by systems that contain any data element considered Sensitive Data;
    • Employee data [including, but not limited to: (i) human resources data (e.g., performance reviews, medical information, health information, family information, etc.); and, (ii) compensation data (e.g., salary, performance pay, stock options, etc.)];
    • Corporate financial data that has not been released to the public;
    • Identified by Questline as “Sensitive Data”;
    • Developed, derived, converted, translated, or otherwise created from any of the foregoing categories (including, but not limited to, subsequent variables or data files).

For the avoidance of doubt, Sensitive Data includes any of the foregoing even when categorized under a different name (e.g., a person’s social security number is such person’s “pilot certification number”).

  • “Process” means any operation in relation to Sensitive Data irrespective of the purposes and means applied including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
  • “Breach” means any (a) unauthorized processing of Sensitive Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Questline regarding processing Sensitive Data or otherwise put in place to comply with these Compliance Requirements. For the avoidance of doubt, “unauthorized processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
  • “Authorized Provider” means any client, consultant, auditor, contractor, distributor, subcontractor, outsourcer or other third party, acting on behalf of Questline (whether direct or indirect and at any tier) who has agreed, in writing, to comply with these Compliance Requirements.

7. Reporting

  • Specifics:
    • If sensitive Questline information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, Questline or the designated ‘Security’ team must be notified immediately. Similarly, whenever passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed, Questline or the designated ‘Security’ team must be notified immediately.
    • If a computer virus infection or similar security problem is detected, or any unusual system behavior is observed, such as missing files, frequent system crashes, misrouted messages, and the like, Questline or the designated ‘Security’ team must be notified immediately. The specifics of security problems should not be discussed widely but should instead be shared on a need-to-know basis.
    • All new internal and external Engage system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.
    • Each user of the Engage system has a unique account with a verified email address, protected by a password. Passwords are checked for compliance with the password policy and stored securely using a strong hashing algorithm with a unique salt for every password. Engage also supports multiple methods of authentication.
    • All Engage clients have an obligation to ensure that changes to access needs, roles, or responsibilities for their users are reported through the appropriate channels. All security role changes, whether due to employee termination or role change, are and should be processed completely, accurately, and in a timely fashion. Documentation must be maintained validating that the access removal was authorized appropriately. This must be completed in order to prevent unauthorized access to the Engage system.
    • Annually, on a per client basis, Engage system administrators will be informed of associated users who have access.
  • Responsibilities:
    • Questline information owners or holders must report to Questline or the designated Questline security team promptly (but in no event more than eight (8) hours) after discovering a Breach or any incident that compromises, or appears to compromise, the security of Questline information resources. These include missing data, virus infestations, and unexplained transactions.
    • The Questline security team and all applicable parties must process any reported security issues, recording updated status of issues for reporting and archiving.
    • Questline will logically and/or physically segregate Sensitive Data from the data of any third party.
    • Questline will encrypt (utilizing strong encryption) Sensitive Data if it is stored on laptops or portable media devices (e.g., USB drives, CD-ROMs, DVDs, backup tapes, etc.).
    • Questline information owners or holders must process Sensitive Data only in accordance with applicable laws, the terms of the applicable agreement with Questline (including, without limitation, these Compliance Requirements), and on the basis of any authorized additional instructions from Questline and its authorized agents and subcontractors.
    • Questline will not transfer, provide or otherwise disclose Sensitive Data to any third party, other than an Authorized Provider, unless required to by applicable law.
    • Questline will not permit any third party, other than an Authorized Provider, to process Sensitive Data.
    • Questline will take prompt corrective action(s) to remedy a Breach and to prevent any future Breach.
    • Questline will take prompt corrective action(s) to remedy a violation of (and to prevent any future violation of) any Compliance Requirement.
    • Questline will take prompt corrective action(s) to remediate any vulnerabilities or security concerns identified by the Questline security team.
    • Questline will implement corrective action(s) in a timeframe commensurate with the risk or as agreed upon with Questline.
    • Questline information owners or holders must cooperate fully with Questline in facilitating investigation and remediation of a Breach. For avoidance of doubt, all applicable companies shall provide such access, information, and assistance as is necessary for Questline and/or its designee(s) to complete the investigation of the Breach.
    • Questline information owners or holders must ensure that the sensitivity of data is defined and designated on these systems in a manner consistent with the following sensitivity classifications, which are based on the ‘Asset Classification and Handling’ guidelines.
    • All parties, not limited to Questline or Questline information owners or holders, must protect at all times any information assets that are sensitive or have value. Consideration must be given to day to day activities, protection outside normal working hours and protection both on and off Questline property. All information is/must be classified into one of the following categories by those who own or are responsible for the information — Public, Open, Confidential, or Strictly Confidential.
    • Questline Asset Classification Categories, Types, and Handling Methods (listed below by Category, giving the Asset Types and Handling Methods for each):

*Any deficiencies in this document (missing data types for example) must be reported to the Questline security team for inclusion.

Public

(Definition: May be viewed by anyone inside or outside Questline.)

Public information assets may include but are not limited to:

  • Corporate financial reports (which are made available to Dun & Bradstreet)
  • Marketing data, including example clients and testimonials (unless limited by client contracts), company profile, whitepapers, case studies, list of products and services
  • Press releases and media
  • Social media postings and publicly released photos
  • Articles of incorporation, held with Ohio and Oregon Secretaries of State
  • Questline and Client websites
  • Selected documentation/support portal content
  • Selected industry benchmarking/aggregate metric data
  • Service marks and patents (both applications and approved)
  • Selected Product roadmaps and feature release plans
Public information is either made public via webpage or printed copy, or disseminated by request.

Open

(Definition: Access is available to all Questline employees or approved contractors/client representatives.)

Open information assets may include but are not limited to:

  • Questline employee contact information, e.g. name/email address/telephone number
  • “Approved” communications, e.g. Questline newsletter and similar updates to ensure relevance to day to day activities
  • Open-access company information, including policy documentation, HR forms and documentation (including Employee Handbook), and marketing collateral.
  • Product release notes
  • Software Bug Reports
  • Purchased stock photos
  • Files stored on Shared network drive folders (unless specifically locked down to specific users)
  • Selected documentation/support portal content
  • Product roadmaps and feature release plans (those not released publicly)
  • Sales data sheets and sales decks/training presentations (open, and shared with external prospects/clients as appropriate)
Secure handling may include but is not limited to:

Information should be formatted to enable basic security e.g. Office documents converted into PDF to avoid tampering, or password protection of MS Office documents. These include documents such as but not limited to:

  • Procedures
  • Policies
  • Guidelines
  • Reporting or Analytics

Confidential

(Definition: Access is limited to specified employees of Questline, approved contractors, or authorized client representatives, with appropriate authorization or on a need to know basis.)

Confidential information assets may include but are not limited to:

  • General client data, such as Subscriber lists and customer information (NOTE: These are often stored on the network drive before being imported into systems such as IQ or Engage. When stored on the network drive, the folder will be given security so that it can be accessed only by specific employees)
  • Webinar data (NOTE: This should be accessible only by select Questline roles as well as clients, so will be stored on the Shared network drive and assigned appropriate security.)
  • Marketing email lists
  • Sales and Contract information: client account data and contact information, sales opportunities, presentations, proposals, Statements of Work, Contracts, client Non-Disclosure Agreements, service activity pricing information, client communications, invoicing information (Stored in paper form as well as in Salesforce)
  • Webinar registration lists, reporting, archives, client and customer data
  • Hotline requests and Ask an Expert queries (unless specifically requested to be Strictly Confidential)
  • System administration and preference center records
  • Communications reporting analysis and metrics (email, SMS, fax, and newsletter), including events and deliverability
  • Client and customer behavioral tracking data and metrics
  • Documents for later Open or Public access currently in “draft” format
  • Test data
  • Client creative assets (including HTML, comps, and images), creative briefs, and creative development project request details
  • Secured marketing video recordings not made available to the public
  • Energy cost/use and fixture data used for Energy Calculator sites
  • Algorithms and source code for Questline products
  • Employee Time Tracking data
  • Selected documentation/support portal content
  • Logins/credentials for marketing websites and social media sites
  • Selected industry benchmarking/aggregate metric data
  • Deliverability metrics and sender reputations
  • Client Satisfaction Survey results and Net Promoter Score
  • Project information stored in Wrike
Secure handling may include but is not limited to:

Paper Documents (In Transit/Rest)
  • Secure storage – locked (files/folders/cabinets)
  • Approved third party courier
  • Use sealed envelopes instead of the usual transit envelopes
  • Secure disposal
Electronic Information assets (In Transit/Rest)
  • Encryption
  • Password protection
  • Folder/user access security
  • SFTP (Secure file transfer protocol)
  • Secure file stores
  • Secure disposal
  • Access rights/Level of privileges

Strictly Confidential

(Definition: Access is controlled and restricted to a small number of named individuals.)

Strictly Confidential information assets may include but are not limited to:

  • Corporate and Client Financial data, including tax information and bank account information
  • Vendor contracts and NDAs
  • Server physical assets
  • Questline employee, subscriber, and client Usernames and Passwords as well as application credentials (database, API, etc.)
  • Records of employee reviews, internal Investigations, or disciplinary proceedings
  • Employee personal details (including salary, tax, 401K, PTO, background checks, bank account information, SSN, insurance/HSA/HIPAA information, Non-Disclosure Agreements)
  • Webinar administration data
  • Technology Assessments
  • Specific Ask an Expert queries where the client requests strict confidentiality (e.g., client is releasing a new product)
  • FTP server information, Website administration and Google Analytics
  • Email server/account administrative data
  • Selected documentation/support portal content
Secure handling may include but is not limited to:

Paper Documents (In Transit/Rest)
  • Secure storage – locked (files/folders/cabinets)
  • Approved third party courier
  • Use sealed envelopes instead of the usual transit envelopes
Electronic Information assets (In Transit/Rest)
  • Encryption
  • SFTP (Secure file transfer protocol)
  • Secure file stores
  • Asset tags
  • Secure disposal
  • Access rights/Level of privileges

8. Procedures

  • Triage – If the severity of the issue demands, or a breach is discovered, promptly (but in no event more than eight (8) hours) contact the Questline security team by calling 1-800-242-3654, or such other number(s) as Questline may designate from time to time. Also submit a Support ticket of type “Security”, as defined in the ‘Tracking Ticket Process’.
  • Tools – Requests should be reported using our support portal – either online or via email:
  • Tracking Ticket Process
    • To submit a request online:
      • Open a browser and go to https://help.questline.com
      • If you have an account, log in; otherwise, select the Submit A Request tab. NOTE: If you do not already have an account, you will be prompted to create one after you submit a request.
      • In the ‘Subject’ field, enter a title, such as “Security – Unauthorized access to client files”.
      • In the Description field, enter as much information as possible to help establish the effort and expectations along with any promised deliverables.
      • NOTE: Support requests should be submitted with 48 hours’ notice, unless categorized as an ‘Issue’ or ‘Security’ matter. Any requests not meeting the 48 hours expectation should be followed up with a direct conversation to review the possibilities by calling 1-800-242-3654, or such other number(s) as Questline may designate from time to time.
      • From the Category drop-down list, select the appropriate value. (See the Categories and Priorities table below.)
      • If you have files to attach to the request, such as documents, emails, or screenshots, click the Attach Files link and attach the files.
      • Click Submit when you are finished.
    • To submit a support request via email:
      • Open an email message and enter support@questline.com in the To: field.
      • In the Subject field, enter the email subject or title of the support request.
      • In the message area, enter details – just as you would when filling out the ‘Description’ field when submitting directly through the support web portal.
      • Send the email message.
  • Categories and Priorities – All requests must also be defined further, via a ‘Category’ option, which ensures it is prioritized appropriately. There are four options – Security, Issue, Task, and Question. Use the table below to help determine the potential categorization/prioritization:
  • Security
    • Priority: Critical
    • Definition: An employee or client has determined that a breach in company policy or an unauthorized action has occurred that violates any of the three security principles – integrity, availability, or confidentiality. (Examples: unauthorized network monitoring; stealing of password files; viruses; denial-of-service attacks.)
    • Deliverables: Immediately
  • Issue
    • Priority: Urgent
    • Definition: An employee or client is unable to perform their job and no workaround is available. (Examples: user cannot log in; site is down; data is missing; fatal exception error; newsletter is broken; anything that is not working as expected and for which there is no workaround.)
    • Deliverables: 4 to 24 hours
  • Task
    • Priority: Low / Normal / High
    • Definition: An employee or client is unable to perform a task, but a workaround is available. (Examples: need a list of subscribers in admin for a specific client; a link is broken but still accessible; user list upload fails.)
    • Deliverables: Low: 30 to 60 days; Normal: 2 to 4 weeks; High: 24 to 48 hours
  • Question
    • Priority: Low / Normal / High
    • Definition: An item that requires additional information to complete, usually within a specified time frame and focused on a specific issue. (Examples: software installation, user upload, hardware support, phone issues, custom queries.)
    • Deliverables: Low: 30 to 60 days; Normal: 2 to 4 weeks; High: 24 to 48 hours