Technical and Organizational Security Measures (TOMs) at CQSE
Last updated: October 15th, 2022
Security of your data is CQSE's number one priority. To ensure this, CQSE maintains an information security management system (ISMS) covering all aspects of information security for Teamscale. This ISMS is regularly audited and certified according to TISAX AL3 (data with a very high need for protection). As part of the ISMS, the following measures are implemented at CQSE.
Policies and Processes
CQSE maintains an information security management system, including a business continuity plan, disaster recovery plans and an incident management process. The relevant policies are controlled, reviewed and approved by management, and changes are communicated to all affected employees.
We employ both an information security officer and a data protection officer.
Certification
CQSE GmbH is a TISAX (Trusted Information Security Assessment Exchange) participant and TISAX-certified. We were evaluated at assessment level 3 (AL 3), meaning an evaluation took place against the assessment objectives required for data with a very high need for protection under the definition of TISAX, such as data classified as secret. TISAX is governed by the ENX Association on behalf of the German VDA (Verband der Automobilindustrie, the German Automobile Industry Association). It provides a single industry-specific security framework for assessing information security for the wide landscape of suppliers, OEMs, and partners that contribute to the automobile supply chain.
TISAX Assessments are conducted by accredited audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public. The result is exclusively retrievable over the ENX Portal. The scope ID and assessment ID for CQSE GmbH are SHYVZ2 and AWC924-3, respectively.
Employee Selection and Training
The selection of our employees includes a background check and an aptitude assessment based on the job role. All employees complete regular training on information security and data privacy.
Access Management
Access to customer data and cloud infrastructure is granted based on job roles and is limited to authorized personnel. Permission changes are handled as part of our internal processes, and all permissions are reviewed regularly.
Software Development
All development efforts follow our secure coding guidelines, which, among other things, require a review of every code change to Teamscale. To protect against vulnerabilities in third-party components, we regularly update those components and actively monitor the relevant CVE entries.
Penetration Tests and Audits
We run yearly penetration tests of both Teamscale and the server infrastructure used for hosting the cloud instances. The test scope includes the OWASP Top 10 as well as our roles and permissions model.
Additionally, we run regular audits, both for our policies and processes, and for the configuration of our infrastructure.
Supplier Management
All our suppliers and third-party vendors undergo a security review before a business relationship is entered into.
Availability
CQSE has business continuity and disaster recovery plans in place. Monitoring systems help to detect problems early and allow for a timely reaction. All data is backed up regularly, and backups are distributed across multiple data centers.
IT Security
CQSE follows common security best practices, which are documented in our security guideline. This guideline is updated regularly, and all employees receive regular training on it. Beyond this guideline, the cornerstones of our IT security include the following points.
Anti Malware
All servers and clients are equipped with malware protection. Incoming and outgoing e-mails are centrally scanned for malware.
Patch Management for Clients and Servers
We actively monitor clients and servers for known vulnerabilities and missing updates. Patches are applied at regular intervals, or, in case of high associated risks, immediately.
Centralized Log Collection and Evaluation
All server logs are collected in a central location where they cannot be modified, and they are checked regularly for anomalies.
Incident Management
CQSE implements an incident management process in which incidents are prioritized by the urgency and impact of the event. Internal escalation paths are established.
Secure Deployment and Hosting of Teamscale
We provide extensive documentation of the Teamscale Security Measures we apply when deploying and hosting Teamscale. That article also documents how we securely deploy Teamscale in the cloud. We recommend implementing those measures in your own environment as well when running Teamscale on-premises.