Hi there!


We (Questetra) have been committed to developing and selling just one cloud service, Questetra BPM Suite, for 10 years (started in September 2009). We don’t mean to boast, but we are something of a pioneer of “Domestic Cloud BPMS”.
What were you doing 10 years ago? I was playing Dragon Quest IX. People were excited to play StreetPass on Dragon Quest IX in Akihabara. And, I’ve been working for 10 years. Anyway, let me tell you about Questetra …

I introduce Questetra every day with sales talk like this. In addition to demonstrations, I also talk about the cloud service industry, the BPM industry, and the recent RPA industry. During these talks, I am often asked the following question.

“Questetra is a cloud service, isn’t it? I need to give an internal explanation regarding the risks of information leakage. How should I handle it?”

Various organizations raise various alerts regarding “risks of information leakage“, for example,

・Compared to 2006, the number of victims by information leakage incidents grew significantly in 2007, totaling approximately 30,530,000 people (a year-on-year increase of 8 million victims). Total projected compensation for damages has likewise increased significantly, amounting to more than ¥2 trillion.

・As was the case in 2006, Loss/ Misplacement, Theft, and Operational Error accounted for the bulk of incidents. However, it should be noted that Administration Error, attributed as the cause of 8.3% of incidents during 2006, jumped to 20.4% for 2007, reaching nearly the same ratio as Loss/ Misplacement.
Survey Report of Information Security Incident 2007

Some articles cover sensational subjects like those mentioned above,

 
P.28 Figure 1: Overview of the ISGcloud framework
Introducing a Security Governance Framework for Cloud Computing

and there are also some articles with very detailed information. It is difficult to know which points about “the risks of information leakage” really need to be grasped. While organizing those points, I would like to talk about how to assess the risks of information leakage when introducing Questetra.

◆ Organization of Points

There are various aspects to “the risks of information leakage”, so I give a short summary below.

In general, we believe there are two sides: the “operational system of the customers (companies that use Questetra)” and “trust for Questetra”. I organized the points for each in the boxes of the figure above. We at Questetra want to provide as much information as possible to customers so that they can have “trust for Questetra”.

◆ Information related to the trust for Questetra

◆◆ Declaration of Safety on the Website

Questetra publishes information on the security of its services on its website so that you can check as much as possible before you use the service. We hope you will take this as an indication of the company's security awareness.

Questetra has not, at present, received the third-party conformity assessment (*2) for ISMS (*1).
(*1) ISMS: Information Security Management System
(*2) ISMS certification standard JIS Q 27001:2014 (ISO/IEC 27001:2013)
However, information on “Confidentiality”, “Integrity”, “Availability”, and “Service Availability Records” is disclosed on the Questetra website.

◆ Our Cloud Service Security
Our SaaS business is built on our Customers’ Trust. At Questetra, we believe it is important not to distribute or inappropriately use data that belongs to you.
Questetra SaaS Security

The handling of personal information is described in the “Questetra Privacy Policy”.

1. Introduction
The mission of Questetra Inc. (hereinafter referred to as the “Questetra”) is “Innovating the world’s business through software”.
This Privacy Policy describes how and when your information is collected, used and shared by Questetra when you, your colleagues or other users use Questetra’s services or products (which includes the websites, apps and related services that link to this Privacy Policy; hereinafter referred to as the “Questetra Services”)…
Questetra Privacy Policy

◆◆ Use of Questetra

The Questetra service has been used by about 200 companies. We have published case articles on how some of these companies use the service.

Approximately 2000 people use. Switched the Workflow part to the cloud BPM which is capable of visualizing and standardizing at the time of groupware migration. Established an environment where business improvement can be promoted even at each site. Reduced Processing Time by 40%.
TMJ, Customers

Various companies have been using Questetra after considering whether it suits their security policy.

◆◆ Security Checks of Questetra

Companies create a security checklist based on their own security policy and ask Questetra to answer it. We answer as precisely as we can; however, there are items we cannot answer. For example, we have received the following requests.

・Disclosure of the manufacturer or product name of the device used to detect unauthorized server intrusion resulting from unauthorized access
・Disclosure of the manufacturer or product name of the mass access detection device
・Disclosure of the attack detection interval and the upper limit of response when mass access is detected

To each of these requests we respond “undisclosed”, because we are concerned that disclosing the information would reduce the robustness of the service. Although the answer to these questions is “undisclosed”, we answer them sincerely, including the reasons why the information is undisclosed.

◆◆ The Tendency of the Use of Cloud Services

Questetra can be integrated with various cloud services via API. We keep watch on trends in cloud services while creating examples of such collaborations.

I have roughly categorized the related examples that I have experienced.
 * It is not only for REST API
 * You can find more connections with REST API because it has general-purpose connectors
Staff Blog: Examples of Collaborations with Other Systems and BPM Workflow (June, 2019)

Moreover, we use multiple cloud services ourselves within Questetra in various ways such as groupware, customer service, support system, accounting software, development management tool and customer management system.
The knowledge we have gained through these activities is reflected in our Questetra Service. In other words, our service is roughly in line with the service contents (tendencies) of general cloud services.

◆◆ Management System of Questetra

You can visit our website for the company information.

◆ Governance Framework

Questetra was founded as a “Company with Committees” under the Company Law of Japan.
Company Info

We manage the company in a way that lets you confirm it is properly managed.

Companies with Nominating Committees have a corporate governance mechanism (Corporate Governance) that is different from that of conventional stock companies. The board of directors will set up a committee with a majority of Outside Directors to oversee the management, while leaving the execution of operations to Executive Officers to rationalize and ensure the management.
Companies Act - Japanese Law Translation

In addition, if you want to check Questetra’s company information through a public source, you can obtain Questetra’s “Certificate of Registered Matters”.

*In Japan, the Legal Affairs Bureau provides the following services regarding certificates of registered matters.

  • Anyone can acquire them anytime
  • The fee is 600 yen when acquiring a certificate in person at the Legal Affairs Bureau. For online requests: 480 yen for receipt at the Legal Affairs Bureau, 500 yen by mail

Cite: http://houmukyoku.moj.go.jp/homu/static/online_syoumei_annai.html

◆ Closing

As mentioned above, there are various aspects of information leakage risk. We receive the following kinds of consultations from our customers.

  • A request to fill in a security check sheet that the other company has created (hundreds of check items!)
  • A request for permission to visit Questetra's development and operation facilities directly and conduct audits
  • A request to audit not only all Questetra logs but also source code and the concepts behind settings, if necessary

We occasionally receive these consultations. Some can be answered (the security check sheet) and some cannot (for security reasons, we cannot show the development/operation site); either way, we will respond seriously. As a Japanese SaaS vendor, we would like to make efforts every day so that customers can use our service without any worries. If you have any questions or would like to hear more details, please feel free to contact us.
