Posted by Julie Delazyn
Our commitment to security is real. Security and reliability are key to both to our success and the success of our customers. That’s why we’ve established our Trust Center — a single place us to feature our different accreditations and validations. In order to highlight Questionmark’s commitment to security, I spoke to Questionmark’s Executive Director and Founder John Kleeman about what security means to Questionmark and how far we go to ensure the protection and privacy of our customer’s data.
What does security mean to Questionmark?
Organizations and companies around the world — companies, universities, and colleges, certification organizations — entrust us with a large amount of confidential data from assessments. We conduct millions of assessments a year and customers depend on us to keep those secure. To Questionmark, security means: Confidentiality, Integrity and Availability of our services for our customers. It’s one of our central aims and goals.
How does Questionmark make security a priority?
You can never 100% ensure security. As you can see in the media, Governments or large well-regarded corporations have had security breaches –so it’s about reducing that risk and making it unlikely that there will be a security issue. The main way in which we do that is by having an information security management system and putting processes in place to look at the risks and put in place controls and take other actions to reduce them.
Anyone can claim to be secure. What sets us apart from some companies in the space is that we don’t just say we’re secure, we get external validation of our security. We’ve recently certified against the ISO 27001 standard, and that’s an involved, grueling audit, which looks at our procedures. By having external validation, we can prove that experts have looked at our security and checked that it’s real — not just that we’re claiming it.
Questionmark is a global company with customers around the world – how do the standards we meet reflect that?
Everyone in the world wants confidentiality, integrity and availability, but there are local compliance criteria—technical rules – that can differ. While ISO 27001 is an international accreditation, we’re also looking to meet various national standards. We’re in the process of establishing compliance with FedRAMP, which is a US Government requirement. We are an approved supplier under GSA in the US and the G-Cloud in the UK, we’ve also passed a Cyber Essentials certification in the UK, and we’re looking to pass other national and international accreditations. In Europe, the GDPR is a focus for European customers, and we’re making sure that we’re complaint with the GDPR. That compliance will help our customers around the world ensure that we follow best practices in data protection. But the main security issues are essentially the same in every country in the world and every geography.
What tools do we offer our customers to help them protect their own data?
The Questionmark software has a strong authentication structure in place—you can define password policies that allow you to have strong passwords. We support integration with SAML, which many of our customers use with their own systems. And then Questionmark has very flexible capabilities to give differential access to data. You can set up your system so only those people who need to know have access to data in your Questionmark system. These are the kinds of features in the product that genuinely increase security.
Why the trust center?
We know with all the concerns about cyber security that there is a real need for our customers to understand whether we as a supplier are secure and safe for them, and so we wanted to create a single place to feature these different accreditations and validations.
There are only a few ways to prove you are secure. Let’s take the example of a castle—you or I could look at this massive structure and guess that if it’s secure or not. But if we’re not castle experts, we really can’t be sure.
Similarly, unless you’re a software as a service security expert, how do you know if company A, B or C is secure? By getting to see the different certifications and laws that we follow, customers can get an appreciation of the security we offer, and compare that to others.
What is the future for Questionmark’s commitment to security?
You must have continued improvement. Threats are evolving, and you just can’t stand still. As a very simple example, we currently test our own employees on data security every year, and we’re expanding that by planning different tests by role or department. We’re looking at other accreditations and a continual increase in technical controls. We have many internal improvements that we’re expanding to implement soon. It’s literally a process of continual improvement, and we will continue to add to the trust center.
Questionmark is committed to the highest levels of trust, transparency, and compliance. Please register for a free intro webinar for more information on our key features and functions. We look forward to building your trust and working with you to secure your data.