I introduce Questetra every day with a sales talk like this. In addition to demonstrations, I also talk about information related to the cloud service industry, the BPM industry, and the recent RPA industry. In these talks, I am often asked the following question.
Various organizations raise various alerts regarding risks of information leakage, for example:
・As was the case in 2006, Loss/ Misplacement, Theft, and Operational Error accounted for the bulk of incidents. However, it should be noted that Administration Error, attributed as the cause of 8.3% of incidents during 2006, jumped to 20.4% for 2007, reaching nearly the same ratio as Loss/ Misplacement.
Survey Report of Information Security Incident 2007
Some articles cover sensational subjects like the one above, while others provide very detailed information.
Introducing a Security Governance Framework for Cloud Computing
Regarding the risks of information leakage, it is tricky to know which points to focus on. While organizing these points, I would like to talk about assessing the risks of information leakage when introducing Questetra.
◆ Risks of Information Leakage Between Customers and Questetra
There can be various aspects to “the risks of information leakage”, so I will give a short summary below.
In general, we believe that there will be risks related to both the “operational system of the customers (companies that use Questetra)” and the “Questetra System”. I organized the points in each box of the figure above. As much as possible, we at Questetra want to provide information to customers so that they can have “trust in Questetra”.
◆ Information related to the trust in Questetra
◆◆ Declaration of safety on the website
Questetra publicly provides information on the security of services on the website so that you can check it thoroughly before you use its service. We hope you can regard that as an indicator of the sort of awareness the company has.
As of now (3), Questetra has not received the third-party conformity assessment (2) for ISMS (1).
(1) ISMS: Information Security Management System
(2) ISMS Certification standard JIS Q 27001: 2014 (ISO / IEC 27001: 2013)
(3) September 3rd, 2020: Questetra has obtained “ISO / IEC 27001: 2013 / JIS Q 27001: 2014”.
However, the information on confidentiality, integrity, availability, and service availability records is disclosed on the Questetra website.
Our SaaS business is built on our Customers’ Trust. At Questetra, we believe it is important not to distribute or inappropriately use data that belongs to you.
Questetra SaaS Security
The mission of Questetra Inc. (hereinafter referred to as the “Questetra”) is “Innovating the world’s business through software”.
◆◆ Use of Questetra
Questetra Service has been used by about 200 companies. We have published some example articles describing how companies use the service.
Various companies have started using Questetra after considering whether it suits their security policy.
◆◆ Security Checks of Questetra
Such companies create a security checklist based on their security policy and submit it to Questetra. We address each point; however, there are parts that cannot be answered. For example, we have received requests for the following information.
・The manufacturer or product name of the mass access detection device
・The attack detection interval and the upper response limit when mass access is detected
In each case, we were unable to disclose the requested information because of concerns that disclosure could reduce the robustness of the service. Although we do not disclose the information in response to such requests, we respond sincerely and explain the reasons why it cannot be disclosed.
◆◆ The tendency to use cloud services
Questetra is capable of system collaboration with various cloud services via API. We are monitoring the trends of cloud service usage while creating examples of collaborations.
* It is not only for REST API
* You can find more connections with REST API because it has general-purpose connectors
Staff Blog: Examples of Collaborations with Other Systems and BPM Workflow (June, 2019)
Moreover, we use multiple cloud services ourselves within Questetra in various ways, such as groupware, customer service, support systems, accounting software, development management tools, and customer management systems.
The knowledge we have gained from these activities is reflected in our Questetra Service. In other words, our service is roughly in line with the service contents (tendencies) of general cloud services.
◆◆ Management System of Questetra
You can visit our website for the company information.
We manage the company so that you can see that it is properly managed.
Article 400 (1) Each Committee, including the nominating committee, audit committee, or compensation committee (hereinafter collectively referred to as “Each Committee” in this Article, the following Article, and Article 911, paragraph (3), item (xxiii), (b)) is composed of three or more committee members.
Companies Act - Japanese Law Translation
If you would like to view the company information, you should obtain the “Certificate of Registered Matters” beforehand (please refer to the points below).
- Anyone can acquire them anytime
- The fee is 600 yen when acquiring the certificate in person at the Legal Affairs Bureau. For online requests: 480 yen for receipt at the Legal Affairs Bureau, 500 yen by mail
As mentioned above, there are various aspects of information leakage risk. From our customers we get the following consultations:
- Requests for filling in the security check sheets other companies have created (Hundreds of check items!)
- Requests for permission to visit the Questetra development site, our operation facilities and to conduct audits
- Requests to audit not only all Questetra logs, but also source code and settings concepts if necessary
We occasionally receive these consultations. Some requests can be answered (the security check sheet) and some cannot be fulfilled (we cannot show the development/operation site for security reasons), but we treat them all seriously. We, as a Japanese SaaS vendor, would like to make efforts every day so that customers can use our service without any worries. If you have any questions or would like to hear more details, please feel free to contact us.