Hi there!


We (Questetra) have been committing to develop and sell just one cloud service, Questetra BPM Suite, for 10 years (starting in September 2009). We don’t mean to boast, but we are like a pioneer of Domestic Cloud BPMS.
What were you doing 10 years ago? I was playing Dragon Quest IX. People were excited to play StreetPass on Dragon Quest IX in Akihabara, but, I’ve also been working hard for the last 10 years. Anyway, let me tell you about Questetra …

I introduce Questetra every day with a sales talk like this. In addition to demonstrations, I am also talking about information related to the cloud service industry, the BPM industry, and the recent RPA industry. In the talks, I am often asked the following question.

“Questetra is a cloud service isn’t it? I need to give an internal explanation regarding the risks of information leakage. How should I handle it?”

Various organizations raise various alerts regarding risks of information leakage, for example:

・Compared to 2006, the number of victims by information leakage incidents grew significantly in 2007, totaling approximately 30,530,000 people (a year-on-year increase of 8 million victims). Total projected compensation for damages has likewise increased significantly, amounting to more than ¥2 trillion.

・As was the case in 2006, Loss/ Misplacement, Theft, and Operational Error accounted for the bulk of incidents. However, it should be noted that Administration Error, attributed as the cause of 8.3% of incidents during 2006, jumped to 20.4% for 2007, reaching nearly the same ratio as Loss/ Misplacement.
Survey Report of Information Security Incident 2007

There are articles where sensational subjects are covered as mentioned above, and also there are some articles with very detailed information.

 
P.28 Figure 1 Overview of the ISGcloud framework Introducing a Security Governance Framework for Cloud Computing
P.28 Figure 1 Overview of the ISGcloud framework Introducing a Security Governance Framework for Cloud Computing
Introducing a Security Governance Framework for Cloud Computing

Regarding the risks of information leakage it is tricky to know which points to focus on. While organizing these points, I would like to talk about assessing the risks of information leakage in the introduction of Questetra.

◆ Risks of Information Leakage Between Customers and Questetra

I suppose that there could be various aspects of “the risks of information leakage”, I will give a short summary below.

In general, we believe that there will be risks related to both the “operational system of the customers (companies that use Questetra)” and “Questetra System“- I organized the points in each box of the figure above. As much as possible, we Questetra want to provide information to customers so that they can have “trust in Questetra“.

◆ Information related to the trust in Questetra

◆◆ Declaration of safety on the website

Questetra publicly provides information on the security of services on the website so that you can check it thoroughly before you use its service. We hope you can regard that as an indicator of the sort of awareness the company has.

Questetra now(3) has not received the third party conformity assessment (2) for ISMS: the Information Security Management System (1). (1) ISMS: Information Security Management System (2) ISMS Certification standard JIS Q 27001: 2014 (ISO / IEC 27001: 2013) (3)September 3rd, 2020: Questetra have obtained “ISO / IEC 27001: 2013 / JIS Q 27001: 2014”.
However, the information on confidentiality, integrity, availability ,and service availability records is disclosed on the Questetra website.

◆ Our Cloud Service Security
Our SaaS business is built on our Customers’ Trust. At Questetra, we believe it is important not to distribute or inappropriately use data that belongs to you.Questetra SaaS Security

Regarding the handling of personal information, we mention in the section “Questetra Privacy Policy”.

1.Introduction
The mission of Questetra Inc. (hereinafter referred to as the “Questetra”) is “Innovating the world’s business through software”.
This Privacy Policy describes how and when your information is collected, used and shared by Questetra when you, your colleagues or other users use Questetra’s services or products (which includes the websites, apps and related services that link to this Privacy Policy; hereinafter referred to as the “Questetra Services”)… Questetra Privacy Policy

◆◆ Use of Questetra

Questetra Service has been used by about 200 companies. We have published some example articles where the companies use the service.

Approximately 2000 people use. Switched the Workflow part to the cloud BPM which is capable of visualizing and standardizing at the time of groupware migration. Established an environment where business improvement can be promoted even at each site. Reduced Processing Time by 40%.TMJ,Customers

Various companies have started using Questetra after considering whether it suits their security policy.

◆◆ Security Checks of Questetra

The company created a security checklist based on their security policy and made a request to Questetra. We will address each point, however, there are parts that cannot be answered. For example, we have received requests for the following information.

・The manufacturer or product name of the system for detecting unauthorized server intrusions caused by the unauthorized access
・The manufacturer or product name of the mass access detection device
・The attack detection interval and the upper response limit when mass access is detected

In each case, we were unable to disclose the requested information due to concerns about the reduction of service robustness that disclosure may have caused. Although our response to the above requests will be not to disclose the information, we will respond sincerely including the reasons why it cannot be disclosed.

◆◆ The tendency to use cloud services

Questetra is capable of system collaboration with various cloud services via API. We are monitoring the trends of cloud service usage while creating examples of collaborations.

I roughly categorized relative examples which I’ve experienced.
 * It is not only for REST API
 *You can find more connections with REST API because it has general-purpose connectors
Staff Blog: Examples of Collaborations with Other Systems and BPM Workflow (June, 2019)Staff Blog: Examples of Collaborations with Other Systems and BPM Workflow (June, 2019)

Moreover, we use multiple cloud services ourselves within Questetra in various ways, such as groupware, customer service, support systems, accounting software, development management tools, and customer management systems.
The knowledge which we have gained in these activities is reflected in our Questetra Service. In other words, our service is roughly accorded to the service contents (tendencies) of general cloud services.

◆◆ Management System of Questetra

You can visit our website for the company information.

◆Governance Framework

Questetra was founded as a “Company with Committees” under the Company Law of Japan.Company Info

We are managing the company so that you can be aware of our proper management.

(xii) ”Company with a Nominating Committee, etc.” means any Stock Company which has a nominating committee, an audit committee and a compensation committee (hereinafter referred to as “Nominating Committees, etc.”);
Article 400 (1) Each Committee, including the nominating committee, audit committee, or compensation committee (hereinafter collectively referred to as “Each Committee” in this Article, the following Article, and Article 911, paragraph (3), item (xxiii), (b)) is composed of three or more committee members.
Companies Act - Japanese Law Translation

If you would like to watch the company information, you should obtain the “Certificate of Registered Matters” beforehand. (please refer to the below)

  • Anyone can acquire them anytime
  • The fee is 600 yen for the acquisition of the certificates when visiting the Legal Affairs Bureau. Via online, receipt at the Legal Affairs Bureau: 480 yen, Mail: 500 yen

Cite: http://houmukyoku.moj.go.jp/homu/static/online_syoumei_annai.html

◆ Closing

As mentioned above, there are various aspects of information leakage risk. From our customers we get the following consultations:

  • Requests for filling in the security check sheets other companies have created (Hundreds of check items!)
  • Requests for permission to visit the Questetra development site, our operation facilities and to conduct audits
  • Requests to audit not only all Questetra logs, but source codes and settings concepts if they are necessary

We occasionally receive these consultations. There are both requests that can be answered (the security check sheet) and those that can’t be done (we can not show the development/operation site for security reasons); although we will treat them all seriously. We, as a Japanese SaaS vendor, would like to make efforts every day so that customers can use our service without any worries. If you have any questions or would like to hear more details, please feel free to contact us.

About The Author

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top
%d bloggers like this: