Engage Security and Compliance Reporting
Security and Compliance Reporting Requirements
1. Overview
This document contains procedures for reporting, managing, tracking, and addressing Security and Compliance issues. Procedures must exist not only for Support requests, but also for managing issues of compliance with security policies. All of these matters will be promptly addressed by the Questline Support and/or Questline security team based on their criticality or the Service Level Agreement; issues must be documented and tracked through to their resolution.
2. Purpose
This document details the responsibilities of Questline, its employees, clients, and any contracted third parties to report and begin the mitigation of any Security or Compliance issues.
3. Scope
All incidents should be documented and reported. Each incident is tracked by management through to resolution, where it is reviewed, approved, and marked with a “closed” status.
4. Applies To
All Questline employees, clients, affiliates, and subsidiaries will be responsible for maintaining the confidentiality of Questline data and information, based on the confidentiality details outlined in the “Information Asset Classification Policy and Details” document or applicable contractual agreements.
Reported issues will be managed and reviewed on an hourly basis by the Questline Support team, and all Security matters — defined as such or determined otherwise — will be escalated to the Questline security team.
5. Application Security Process
A robust Application Security process is fully integrated into Questline’s Software Development Life Cycle (SDLC), and includes:
- Defined in-house security requirements and policies, and industry standard best practices applied in every stage of the lifecycle.
- Security review of architectures, design of features, and solutions.
- Iterative manual and automated source code review for security weaknesses, vulnerabilities, and code quality, with sufficient advice and guidance provided to the development team.
- Regular manual assessment and dynamic scanning of pre-production environments.
- Security training for Questline staff, conducted according to their respective job roles.
6. Definition
- “Sensitive Data” means data or information (regardless of form, e.g., electronic, paper copy, etc.) which is
- Personally identifiable information [including, but not limited to: (i) individual user passwords (e.g., challenge/response answers, personal identification numbers (PIN) and any other access codes that correlate to a person, etc.); (ii) Social Security number; (iii) driver’s license number; (iv) state identification number; (v) date of birth; (vi) government or federal identification number; (vii) financial information (e.g., financial account number, credit card number or debit card number in combination with any required security code, access code, or PIN that would permit access to an individual’s account, etc.); (viii) health coverage ID number; (ix) biometric data (e.g., thumb print, retina scan, palm scan, etc.); (x) email addresses; (xi) electronic handwritten signature; and (xii) any subscriber level data];
- Passwords other than individual user passwords [such passwords include application passwords, database passwords, and shared account passwords];
- Session identifiers that represent or potentially represent an authenticated identity (e.g., a single sign-on cookie) used by systems that contain any data element considered Sensitive Data;
- Employee data [including, but not limited to: (i) human resources data (e.g., performance reviews, medical information, health information, family information, etc.); and, (ii) compensation data (e.g., salary, performance pay, stock options, etc.)];
- Corporate financial data that has not been released to the public;
- Identified by Questline as “Sensitive Data;”
- Developed, derived, converted, translated, or otherwise created from any of the foregoing categories (including, but not limited to, subsequent variables or data files).
For the avoidance of doubt, Sensitive Data includes any of the foregoing even when categorized under a different name (e.g., a person’s social security number is such person’s “pilot certification number”).
- “Process” means any operation in relation to Sensitive Data irrespective of the purposes and means applied including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
- “Breach” means any (a) unauthorized processing of Sensitive Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Questline regarding processing Sensitive Data or otherwise put in place to comply with these Compliance Requirements. For the avoidance of doubt, “unauthorized processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
- “Authorized Provider” means any client, consultant, auditor, contractor, distributor, subcontractor, outsourcer or other third party, acting on behalf of Questline (whether direct or indirect and at any tier) who has agreed, in writing, to comply with these Compliance Requirements.
7. Reporting
- Specifics:
- If sensitive Questline information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, Questline or the designated ‘Security’ team must be notified immediately. Similarly, whenever passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed, Questline or the designated ‘Security’ team must be notified immediately.
- If a computer virus infection or a similar security problem is detected, it must be reported immediately to Questline or the designated ‘Security’ team. All unusual system behavior, such as missing files, frequent system crashes, misrouted messages, and the like, must also be reported immediately. The specifics of security problems should not be discussed widely but should instead be shared on a need-to-know basis.
- All new internal and external Engage system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized.
- Each user of the Engage system has a unique account with a verified email address, protected by a password. Passwords are checked for compliance with the password policy and stored securely using a strong hashing algorithm with a unique salt for every password. Engage also supports multiple methods of authentication.
- All Engage clients have an obligation to ensure that changes to access needs, roles, or responsibilities for their users are reported through the appropriate channels. All security role changes, whether due to employee termination or role change, are and should be processed completely, accurately, and in a timely fashion. Documentation must be maintained validating that the access removal was authorized appropriately. This must be completed in order to prevent unauthorized access to the Engage system.
- Annually, on a per client basis, Engage system administrators will be informed of associated users who have access.
- Responsibilities:
- Questline information owners or holders must report to Questline or the designated Questline security team promptly (but in no event more than eight (8) hours) after a Breach, or any incident that appears to compromise the security of Questline information resources, is discovered. These include missing data, virus infestations, and unexplained transactions.
- The Questline security team and all applicable parties must process any reported security issues, recording updated status of issues for reporting and archiving.
- Questline will logically and/or physically segregate Sensitive Data from the data of any third party.
- Questline will encrypt (utilizing strong encryption) Sensitive Data if it is stored on laptops or portable media devices (e.g., USB drives, CD-ROMs, DVDs, backup tapes, etc.).
- Questline information owners or holders must process Sensitive Data only in accordance with applicable laws, the terms of the applicable agreement with Questline (including, without limitation, these Compliance Requirements), and on the basis of any authorized additional instructions from Questline and its authorized agents and subcontractors.
- Questline will not transfer, provide or otherwise disclose Sensitive Data to any third party, other than an Authorized Provider, unless required to by applicable law.
- Questline will not permit any third party, other than an Authorized Provider, to process Sensitive Data.
- Questline will take prompt corrective action(s) to remedy a Breach and to prevent any future Breach.
- Questline will take prompt corrective action(s) to remedy a violation of (and to prevent any future violation of) any Compliance Requirement.
- Questline will take prompt corrective action(s) to remediate any vulnerabilities or security concerns identified by the Questline security team.
- Questline will implement corrective action(s) in a timeframe commensurate with the risk or as agreed upon with Questline.
- Questline information owners or holders must cooperate fully with Questline in facilitating investigation and remediation of a Breach. For avoidance of doubt, all applicable companies shall provide such access, information, and assistance as is necessary for Questline and/or its designee(s) to complete the investigation of the Breach.
- Questline information owners or holders must see to it that the sensitivity of data is defined and designated on these systems in a manner consistent with the following sensitivity classifications which are based on the ‘Asset Classification and Handling’ guidelines.
- All parties, not limited to Questline or Questline information owners or holders, must protect at all times any information assets that are sensitive or have value. Consideration must be given to day to day activities, protection outside normal working hours and protection both on and off Questline property. All information is/must be classified into one of the following categories by those who own or are responsible for the information — Public, Open, Confidential, or Strictly Confidential.
- Questline Asset Classification Categories, Types, and Handling Methods:
Category | Type | Asset Handling Methods
---|---|---
Public (Definition: May be viewed by anyone inside or outside Questline.) | Public information assets may include but are not limited to: | Public information is either made public via webpage or printed copy, or disseminated by request.
Open (Definition: Access is available to all Questline employees or approved contractors/client representatives.) | Open information assets may include but are not limited to: | Secure handling may include but is not limited to: information should be formatted to enable basic security, e.g. Office documents converted into PDF to avoid tampering, or password protection of MS Office documents. These include documents such as but not limited to:
Confidential (Definition: Access is limited to specified employees of Questline, approved contractors, or authorized client representatives, with appropriate authorization or on a need-to-know basis.) | Confidential information assets may include but are not limited to: | Secure handling may include but is not limited to: Paper Documents (In Transit/Rest); Electronic Information assets (In Transit/Rest)
Strictly Confidential (Definition: Access is controlled and restricted to a small number of named individuals.) | Strictly Confidential information assets may include but are not limited to: | Secure handling may include but is not limited to: Paper Documents (In Transit/Rest); Electronic Information assets (In Transit/Rest)

*Any deficiencies in this document (missing data types, for example) must be reported to the Questline security team for inclusion.
8. Procedures
- Triage – If the severity of the issue demands, or a breach is discovered, promptly (but in no event more than eight (8) hours) contact the Questline security team by calling 1-800-242-3654, or such other number(s) as Questline may designate from time to time. As well, submit a Support ticket of type “Security” which is defined in the ‘Tracking Ticket Process’.
- Tools – Requests should be reported using our support portal – either online or via email:
- https://help.questline.com or
- email to: support@questline.com
- Tracking Ticket Process
- To submit a request online:
- Open a browser and go to https://help.questline.com
- If you have an account, log in. If you do not have an account, select the Submit A Request tab. NOTE: If you do not already have an account, you will be prompted to create an account after you submit a request.
- In the ‘Subject’ field, enter a title, such as “Security – Unauthorized access to client files”.
- In the Description field, enter as much information as possible to help establish the effort and expectations along with any promised deliverables.
- NOTE: Support requests should be submitted with 48 hours’ notice, unless categorized as an ‘Issue’ or ‘Security’ matter. Any requests not meeting the 48 hours expectation should be followed up with a direct conversation to review the possibilities by calling 1-800-242-3654, or such other number(s) as Questline may designate from time to time.
- From the Category drop-down list, select the appropriate value. (See the Categories and Priorities table below.)
- If you have files to attach to the request, such as documents, emails or screen shots, click the Attach Files link and attach files appropriately.
- Click Submit when you are finished.
- To submit a support request via email:
- Open an email message and enter support@questline.com in the To: field.
- In the Subject field, enter the email subject or title of the support request.
- In the message area, enter details – just as you would when filling out the ‘Description’ field when submitting directly through the support web portal.
- Send the email message.
- Categories and Priorities – All requests must also be defined further, via a ‘Category’ option, which ensures it is prioritized appropriately. There are four options – Security, Issue, Task, and Question. Use the table below to help determine the potential categorization/prioritization:
Category | Priority | Definition (Example) | Deliverables
---|---|---|---
Security | Critical | An employee or client has determined a breach in company policy or an unauthorized action has occurred that violates any of the three security principles – integrity, availability, or confidentiality. (Examples: unauthorized network monitoring; stealing of password files; viruses; denial-of-service attacks.) | Immediately
Issue | Urgent | An employee or client is unable to perform their job and no workaround is available. (Examples: user cannot log in; site is down; data is missing; fatal exception error; newsletter is broken; anything that is not working as expected and for which there is no workaround.) | 4 to 24 hours
Task | Low/Normal/High | An employee or client is unable to perform a task, but a workaround is available. (Examples: need a list of subscribers in admin for a specific client; a link is broken but still accessible; user list upload fails.) | Low: 30 to 60 days; Normal: 2 to 4 weeks; High: 24 to 48 hours
Question | Low/Normal/High | An item that requires additional information to complete, usually within a specified time frame and focused on a specific issue. (Examples: software installation, user upload, hardware support, phone issues, custom queries.) | Low: 30 to 60 days; Normal: 2 to 4 weeks; High: 24 to 48 hours