Protocol & Compliance
QberaTek's Help Desk and NOC Technicians are responsible for managing and analyzing various types of systems and associated logs which potentially process or store sensitive information that must be protected at all times.
To ensure this, QberaTek has implemented various security policies, procedures, and controls for Help Desk and Network Operations Center (NOC) personnel, which are outlined below.
Third Party Security Audit — QberaTek has been found compliant by an independent, third-party auditing firm with respect to its security posture and controls against the requirements defined in HIPAA. To maintain compliance and continually improve the security program, the QberaTek Help Desk and NOC team has adopted the ISO 27000 framework.
Background Verification — Background checks are performed on all QberaTek's Help Desk and NOC Technicians. In the US, a criminal records search and an SSN verification are performed. In India, a criminal records search and verification checks for education and employment are conducted.
NDA — All QberaTek Help Desk and NOC Technicians are required to sign a Non-Disclosure Agreement.
Roles and Responsibilities — All team members have a job description with detailed roles and responsibilities which are associated with Standard Operating Procedures (SOPs) that are used to perform daily tasks. These are updated regularly and adhered to by the team members.
Secure Remote Connections via LMI — LogMeIn (LMI) remote access products use a proprietary remote desktop protocol that is transmitted over SSL. An SSL certificate is created for each remote desktop and is used to cryptographically secure communications between the remote desktop and the accessing computer.
Information Security Policies — All QberaTek Help Desk and NOC Technicians are required to review and follow all applicable Information Security policies. Signed acknowledgments are captured and stored by HR.
Password Management Policy — A standard password policy is applied to and enforced for all QberaTek users, including, but not limited to, Active Directory domains, hosted applications and internal customer-facing portals. Users are required to use passwords that meet minimum length and complexity requirements and that expire every 90 days.
Secure Password Vault — The Secured Information Store allows secure transfer of credentials to QberaTek's Help Desk and NOC Technicians. It also provides a secure central location for Partner technicians to access vital information about their clients' networks. When a technician accesses these credentials, information such as the username, date/time, system IP address, and any additional information provided by the technician is captured and logged for accountability purposes.
Partner Approval — Approval is a prerequisite for initial access to a client system when the partner directly contacts the QberaTek Help Desk or NOC to perform specific tasks. QberaTek NOC Access Levels are pre-determined by the partner to designate how proactive troubleshooting will be performed on end-user devices and servers by NOC technicians when working on alerts or tickets.
Security Controls for Users and Computers — All QberaTek users are provided unique user IDs with enforced password policies. QberaTek NOC technician systems are secured by Active Directory Group Policy, which disables USB ports for removable media and enables the Windows firewall. Additionally, NOC technicians are not granted domain or local administrative access to install or manage software; all requests for software installation are reviewed and approved by IT. Access to wireless networks is secured with Network Policy Server (NPS) for authentication and authorization. QberaTek NOC technicians are also restricted from accessing personal email and cloud storage solutions.
Security Awareness Training — A major component of QberaTek's information security program is user awareness and training to keep all Help Desk and NOC Technicians up to date with security policies, procedures, and leading practices. From annual mandatory training and testing to periodic topic-specific communications, QberaTek's Help Desk and NOC Technicians are armed with a foundation of security knowledge which is applied to daily tasks.
Access Control — QberaTek provides all Help Desk and NOC Technicians and other users with the information they need to carry out their responsibilities as effectively and efficiently as possible. Access is requested through IT account request procedures, granted on the principle of least privilege, and approved by QberaTek management before it is provisioned. Upon an employee's separation from QberaTek, HR notifies IT to remove access at the end of the employee's last day.
Data Center Security — QberaTek's infrastructure is hosted in facilities that meet corporate or best-practice compliance standards such as SSAE 16 Type II, ISO 27001, ISO 9001 and HIPAA. QberaTek can supply the certificates and audit reports once an NDA and NCA have been signed. Many other certifications, such as ITIL, COBIT, Sarbanes-Oxley, PCI-DSS and NI52-109, would require controls and security to be put in place down to the application layer, which QberaTek does not manage or control.
Snapshot Technology Assurance — QberaTek's NOC team has access neither to the partner's GMC portal (in this case QberaTek's) nor to the customer's GMC portal. The NOC team has access only to the cluster admin UI, which allows them to manage, assign or reclaim resources once they are free. This means that the NOC team cannot do anything with a client's VMs or cloud resources unless the client first frees up those resources. For this reason alone, we always request remote session access from partners and clients for troubleshooting.
Data Center Support Technician's Access — No access to data or the console is granted, apart from physical access for remote-hands support. Data is spread across the cluster by a defined storage algorithm, so any single disk or node holds only a small chunk of the data rather than the complete data set. Every physical access to our racks and servers is audited per visit.
Data Center Visit — We will provide a Data Center tour, but we shall not represent any company. This requires an NDA and NCA agreement prior to each pre-scheduled visit.