Statement of Technical and Organizational Measures

Quest

Quest takes information security seriously in its processing and transfers of Personal Data. This information security overview applies to Quest’s corporate controls for safeguarding Personal Data which is processed by Quest or its affiliates and/or transferred amongst Quest’s group companies. 

Security Practices

Quest has implemented corporate information security practices and standards that are designed to safeguard Quest’s corporate environment and to address business objectives across information security, system and asset management, development, and governance.  

These practices and standards are approved by Quest’s executive management and are periodically reviewed and updated where necessary.  

Quest shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle.  Key policies will be reviewed at least annually.

Organizational Security

It is the responsibility of all of Quest employees who are involved in the processing of Customer Personal Data to comply with these practices and standards. Quest’s Information Security (“IS”) function is responsible for the following activities:

1. Security strategy –The IS function works to ensure compliance with its own security related policies and standards and all relevant regulations, and to raise awareness and provide education to users.  The IS function also carries out risk assessments and risk management activities, and manages contract security requirements.
2. Security engineering – the IS function manages testing, design and implementation of security solutions to enable adoption of security controls across Quest’s online and information technology environment.  
3. Security operations – the IS function manages support of implemented security solutions, monitors and scans Quest’s online and information technology environment and assets, and manages incident response.  
4. Forensic investigations – the IS function works with, Legal and Compliance, and Human Resources to carry out investigations, including discovery and forensics.
5. Security consulting and testing – the IS function works with software developers on developing security best practices, consults on application development and architecture for software projects, and carries out assurance testing.

Asset Classification and Control

Quest’s practice is to track and manage key information and physical, software and logical assets. Examples of the assets that Quest might track include: 

1. information assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information;
2. software assets, such as identified applications and system software;
3. physical assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.

The assets are classified based on business criticality to determine confidentiality requirements.  Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards.  These safeguards may include controls such as access management, encryption, logging and monitoring, and data destruction.

Employee Screening, Training and Security

1. Screening/background checks: Where reasonably practicable and appropriate, as part of the employment/recruitment process, Quest performs employee screening and background checks on employees or prospective employees (which shall vary from country to country based on local laws and regulations), where such employees will have access to Quest’s networks, systems or facilities.
2. Identification:  Quest requires all employees to provide proof of identification and any additional documentation that may be required based on the country of hire or if required by other Quest entities or customers for whom the employee is providing services.
3. Training: Quest’s annual compliance training program includes a requirement for employees to complete an online data protection and information security awareness.  
4. Confidentiality:  Quest ensures its employees are legally bound to protect and maintain the confidentiality of any data they handle pursuant to standard agreements.

Physical Access Controls and Environmental Security

1. Physical Security Program: Quest uses a number of technological and operational approaches in its physical security program to mitigate security risks to the extent reasonably practicable. Quest’s security team works closely with each site to determine appropriate measures are in place to prevent unauthorized persons from gaining access to systems within which personal data is processed and continually monitor any changes to the physical infrastructure, business and known threats. They also monitor best practice measures used by others in the industry and carefully select approaches that meet both uniqueness in business practice and expectations of Quest. Quest balances its approach towards security by considering elements of control that include architecture, operations and systems.  
2. Physical Access controls: Physical access controls/security measures at Quest’s facilities/premises are designed to meet the following requirements:  
   1. access to Quest’s buildings, facilities and other physical premises is controlled and is based on business necessity, sensitivity of assets and the individual’s role and relationship to Quest. Only personnel associated with Quest are provided access to Quest’s facilities and physical resources. Access is only provided in a manner consistent with the personnel’s role and responsibilities in the organization;
   2. relevant Quest facilities are secured by an access control system.  Access to such facilities is granted with an activated card only;
   3. persons requiring access to card-controlled facilities and/or resources are issued with appropriate and unique physical access credentials (e.g. a badge or keycard assigned to one individual) by the IS function. Individuals issued with unique physical access credentials are instructed not to allow or enable other individuals to access Quest’s facilities or resources using their unique credentials (e.g. no “tailgating”). Temporary (up to 14 days) credentials may be issued to individuals who do not have active identities where this is necessary (i) for access to a specific facility and (ii) for valid business needs. Unique credentials are non-transferable and if an individual cannot produce their credentials upon request they may be denied entry to Quest’s facilities or escorted off the premises. At staffed entrances, individuals are required to present a valid photo identification or valid credentials to the security representative upon entering. Individuals who have lost or misplaced their credentials or other identification are required to enter through a staffed entrance and be issued a temporary badge by a security representative;
   4. visitors who require access to Quest’s facilities must enter through a staffed and/or main facility entrance. Visitors must register their date and time of arrival, time of leaving the building and the name of the person they are visiting. Visitors must produce a current, government issued form of identification to validate their identity. To prevent access to, or disclosure of, company proprietary information visitors are not allowed un-escorted access to restricted or controlled areas;
   5. select Quest facilities use CCTV monitoring, security guards and other physical measures where appropriate and legally permitted;
   6. locked shred bins are provided on most sites to enable secure destruction of confidential information/personal data;
   7. for software development and infrastructure deployment projects, the IS function uses a risk evaluation process and a data classification program to manage risk arising from such activities.

Security Incidents and Response Plan

1. Security incident response plan:  Quest maintains a security incident response policy and related plan and procedures which address the measures that Quest will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access, or unauthorized acquisition of personal data.  These measures may include incident analysis, containment, response, remediation, reporting and the return to normal operations. 
2. Response controls: Controls are in place to protect against, and support the detection of, malicious use of assets and malicious software and to report potential incidents to Quest’s IS function or Service Desk for appropriate action. Controls may include, but are not limited to: information security policies and standards; restricted access; designated development and test environments; virus detection on servers, desktop and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; firewall rules; logging and alerting on key events; information handling procedures based on data type; e-commerce application and network security; and system and application vulnerability scanning. Additional controls may be implemented based on risk. 

Data Transmission Control and Encryption

Quest shall, to the extent it has control over any electronic transmission or transfer of personal data, take all reasonable steps to ensure that such transmission or transfer cannot be read, copied, altered or removed without proper authority during its transmission or transfer.  In particular, Quest shall:

1. implement industry-standard encryption practices in its transmission of personal data.  Industry-standard encryption methods used by Quest includes Secure Sockets Layer (SSL), Transport Layer Security (TLS), a secure shell program such as SSH, and/or Internet Protocol Security (IPSec);
2. for Internet-facing applications that may handle sensitive personal data and/or provide real-time integration with systems on network that contains such information (including Quest’s core network), a Web Application Firewall (WAF) may be used to provide an additional layer of input checking and attack mitigation. The WAF will be configured to mitigate potential vulnerabilities such as injection attacks, buffer overflows, cookie manipulation and other common attack methods.

System Access Controls

Access to Quest’s systems is restricted to authorized users. Formal procedures and controls govern how access is granted to authorized individuals and the level of access that is required and appropriate for that individual to perform their job duties.

Data Access Control

Quest applies the controls set out below regarding the access and use of personal data:

1. personnel are instructed to only use the minimum amount of personal data necessary in order to achieve Quest’s relevant business purposes
2. personnel are instructed not to read, copy, modify or remove personal data unless necessary in order to carry out their work duties;
3. third party use of personal data is governed through contractual terms and conditions between the third party and Quest which impose limits on the third party’s use of personal data and restricts such use to what is necessary for the third party to provide services;

Availability Control

Quest protects personal data against accidental destruction or loss by following these controls:

1. personal data is retained in accordance with customer contract or, in its absence, Quest’s record management policy and practices, as well as legal retention requirements;
2. hardcopy personal data is disposed of in a secure disposal bin or a crosscut shredder such that the information is no longer decipherable;
3. electronic personal data is given to Quest’s IT Asset Management team for proper disposal;
4. appropriate technical measures are in place, including (without limitation): anti-virus software is installed on all systems; network protection is provided via firewall; network segmentation; user of content filter/proxies; interruption-free power supply; regular generation of back-ups; hard disk mirroring where required; fire safety system; water protection systems where appropriate; emergency plans; and air-conditioned server rooms.

Data Input Control

Quest has, where appropriate, measures designed to check whether and by whom personal data have been input into data processing systems, or whether such data has been modified or removed.  Access to relevant applications is recorded.

System Development and Maintenance

Publicly released third party vulnerabilities are reviewed for applicability in the Quest environment. Based on risk to Quest’s business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.

Compliance

The information security, legal, privacy and compliance departments work to identify regional laws and regulations that may be applicable to Quest.  These requirements cover areas such as, intellectual property of Quest and its customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements.
Mechanisms such as the information security program, the executive privacy council, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.

Sub-processors

Information on current sub-processors is available https://support.quest.com/subprocessor. Customer may subscribe to notifications of new Sub-processors.
Information on further product specific technical and organizational measures are available in the product related Security Guides.