QPharma Infrastructure Security Policy

Securing Cloud Environment

QPharma has enabled anti-malware software, and intrusion detection system (IDS) on all servers hosted on AWS. Our AWS systems are hosted in a virtual private cloud (VPC). We also define security subnets with additional controls (e.g., services and servers hosted in the database subnet would not be accessible via web traffic). AWS also monitors for security anomalies and distributed denial of service (DDoS) attacks.  IT staff with access to the backend servers and services on AWS are required to use two-factor authentication. 

Patch Management

QPharma has a formalized process for patch management.  AWS lists any patches available in a patch management console. Critical patches are applied as soon as possible and no later than two weeks. Non-critical patches are applied during the next available maintenance window.

Quality Management System

QPharma has a formal quality management system.  Standard operating procedures (SOPs) and work instructions (WI) are considered controlled documents that go through approval processes, periodic revisions, and are assigned as trainings to the team. IT procedures were developed with reference to the ISO 27001 security standards.

Vulnerability Testing

QPharma does penetration testing annually or after major application updates.  Penetration testing is done by a 3^rd party and includes testing against the current OWASP list as well as other vulnerabilities. Both automated and manual testing approaches are used. Identified during the test are logged as application defects and with a severity classification. Any critical items are addressed as hotfixes.  Other items are added to the backlog for the development team to address on a schedule.

Backups

QPharma does full nightly backups. Backups are encrypted using AES-256 and stored in S3 buckets on AWS. There is also a formalized process to test the backup and restore process bi-annually.

Disaster Recovery and Business Continuity

QPharma has a formalized process for testing the disaster recovery and business continuity plan.  The current plan entails restoring the application and data to an alternative AWS region to provide clients with access to their data.

Corporate Security Policies and De-provisioning Users

QPharma’s corporate network is detached from the cloud infrastructure. All QPharma users receive cybersecurity training and agree to protect client data.  QPharma has a formalized process for de-provisioning users with access to QPharma’s systems. Managers submit tickets to offboard users.  Infrastructure team then revokes the user’s access.  A deprovisioned used also loses access to client data, as well as to corporate email account.

User Application Access

Each user is provided a unique username and password to access the application. All attempts to access the application are logged. To prevent brute force attacks, we use CAPTCHA after a single failed login attempt.  Multiple consecutive failed logins within a short duration cause the user account to be locked for one hour.  Application access management is role-based. Clients have access to a report to see list of users who have access to their data.

Segregation of Client Data and Audit Trail

All client data is hosted in a multi-tenant SaaS application.  One client’s data is separated from another client’s data via application-level controls.  Data points are tagged with unique client specific keys.  Changes to data are logged in the audit trail.  Clients may request an extract of the audit trail for review as needed.

Security Incident Management Policy
QPharma has a formalized process for incident management.  QPharma notifies clients within one day of a security breach.  Corrective actions are taken immediately to limit the impact of the security breach.  Once a thought investigation is complete and root cause is identified, we apply preventive actions, which may include anything from applying a patch to user training and establishing new processes.  All records pertaining to the incidence and investigation are made available to the client and preserved for future reference.

Account Access Review

QPharma does a semi-annual account access review.  This process is built in as a fail-safe in case a user’s access was not revoked during the de-provisioning/offboarding process.

Encryption

All data at rest is encrypted using AES-256, while all data in transit is encrypted using SSL.

Single Sign-On (SSO)

QPharma applications are built to support SSO.  Turnkey SAML SSO-based SSO is available.  Some configurations may be needed when a client is using another SSO method.

Password Security

QPharma clients may choose to provide specific requirements to define the application password policy, such as:

• password complexity requirements (e.g., use of special characters, numbers, combination of lower- and upper-case characters, etc.)
• Minimum length of characters in a password
• Password reuse policy
• Time period before which a password must be changed

Change Requests and Application Validation

QPharma has a formalized change request process.  All change requests are reviewed by a change request manager and assessed for regulatory risks against PDMA, 21 CFR Part 11, HIPAA, etc.  Based on the assessed risk, change requests are then assigned to undergo either system testing and/or validation.  Application testing may involve developing and maintaining formalized functional requirements, test protocols, trace matrices, and other documents.

Information Sensitivity and Data Retention

QPharma has a formalized process for information sensitivity classification and data retention.  This process assures that data is appropriately protected and not disclosed inadvertently.  Also, data is retained for the period needed and then disposed appropriately.  Client data is retained for the duration of the client’s contract.  Clients may request data dump for legal review or use in another application.