White Paper - Rescop Quality Management Suite (RC-QMS) - Security and GDPR
Rescop Quality Management Suite (RC-QMS) - Security and GDPR
PUBLIC and the revision date 13-MAY-2020
• Rescop meets the most extensive compliance standards. • Rescop utilizes Microsoft's Azure secure cloud services. • Rescop's platform and infrastructure are monitored continuously. • Rescop complies with GDPR as a data processor in the provision of Rescop’s services to its customers.
An Industry Standard Rescop is the digital paperless pioneer in a GxP Compliance world. Founded in 2005, Rescop Quality Management Suite (RC-QMS) is used by companies worldwide, spanning all industries, platforms and sizes.
Hosting and Infrastructure Rescop RC-QMS Software-as-a-Service (SaaS) solution is available for private clouds utilizing top-tier secure cloud services provided by Microsoft Azure.
Microsoft Azure In a world where data breaches are daily occurrences and regulatory requirements for protecting data are increasing, it's essential for organizations to choose a cloud service provider that makes every effort to protect customer data. Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance. Our broad suite of cloud products and services are all built from the ground up to address the most rigorous security and privacy demands of our customers.
To help organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data, Microsoft provides the most comprehensive set of compliance offerings (including certifications and attestations) of any cloud service provider. For more information: https://www.microsoft.com/en-us/trustcenter/compliance
Compliance Rescop is ISO 27001:2013 certified for Information Security and ISO 9001:2015 certified for Quality Management.
Penetration Tests and Monitoring Rescop’s front and back-end applications, as well as its IT infrastructure undergo frequently pen-tests. This is done in addition to Microsoft’s own independent tests, periodic internal tests, and 27/4 monitoring of security-related events.
Certifications and Accreditations
ISO 27001 Information Security Certification Rescop received the International Organization for Standardization Certification for Information Security (ISO 27001:2013). The audit evaluated Rescop's Information Security Management System from product, infrastructure and organizational aspects, and verified that Rescop has the necessary information security controls in place to ensure the confidentiality, integrity and availability of valuable data and information assets.
Rescop's alignment (as verified by an independent third-party audit agency) with this internationally recognized code of practice demonstrates Rescop's commitment to the privacy and protection of customers' content. By following the standards of ISO/IEC 27001, Rescop demonstrates that its policies and procedures are robust and in line with its high codes of practice, namely: • Rescop customers know where their data is stored. • Customer data won’t be used for marketing or advertising without explicit consent. • Rescop customers know what’s happening with their Privacy data. • Rescop will comply only with legally binding requests for disclosure of customer data.
ISO 27032 Guidelines for Cybersecurity Rescop is ISO/IEC 27032 complying to guidelines for Cybersecurity. ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on information security, network security, internet security, and critical information infrastructure protection (CIIP) domains. By complying, Rescop facilitates a secure and reliable collaboration that protects the privacy of our customers and helps to prepare, detect, monitor, and respond to cybersecurity incidents.
GxP Compliance GxP is a general abbreviation for "good practice" guidelines and regulations. Technology systems that support GxP processes such as Good Laboratory Practices (GLP), Good Clinical Practices (GCP), Good Distribution Practice (GDP) and Good Manufacturing Practices (GMP) require validation and qualification of adherence to GxP requirements. Solutions are considered qualified when they can demonstrate the ability to fulfill GxP requirements.
RC-QMS GxP Compliance Our fully web based solution, which runs on the common browsers and is cross-platform compatible to allow for use on any device type, including pc’s, laptops, tablets and smartphones. Our solution will help you to establish and maintain a GxP-compliant and reliable IT infrastructure and application landscape for continuous business operations. The RC-QMS suite is developed according GxP regulations and fully tested before delivering to customers in a pre-validated way. Rescop Quality Management Suite (RC-QMS) forms a comprehensive solution for quality and compliance management within regulated industries. It contains products for all key quality management processes, and these products have been designed in such a way that they integrate seamlessly with each other, to enable an efficient and fully paperless quality management system. RC-QMS is a full solution for ensuring permanent inspection readiness in an efficient way. Moreover, RC-QMS enables paperless validation and compliance.
Cloud GxP Compliance Organizations building GxP solutions on Microsoft Azure can take advantage of the cloud’s efficiencies while at the same time helping protect patient safety, product quality, and data integrity. Customers also benefit from Microsoft Azure’s multiple layers of security and governance technologies, operational practices, and compliance policies to enforce data privacy and integrity at very specific levels.
The Microsoft Azure GxP qualification guidelines give customers the tools they need to build on Microsoft Azure’s security foundation by providing: • The shared responsibilities between Microsoft and Rescop for meeting GxP requirements • Documentation of the extensive controls implemented as part of Microsoft Azure’s internal development of security and quality practices • Visibility into crucial areas of internal Microsoft Azure quality management, IT infrastructure qualification, and software development practices • Descriptions of GxP-relevant tools and features within Microsoft Azure
We are partnering with Microsoft Azure to make cloud-based systems a safer, more efficient model for driving innovation and maintaining regulatory compliance. For more information: https://aka.ms/gxpcompliance
Privacy – General Data Protection Regulation (GDPR) Rescop complies with GDPR as a data processor in the provision of Rescop’s services to its customers. In addition, we are devoted to helping our customers with their GDPR compliance processes by providing robust privacy and security protections built into our services and contracts.
By default, Rescop does not collect personally identifiable information (PII) other than IP addresses in logs for security purposes, end-users’ approximate geolocation (country and city in which they are located) and masked IP addresses for the ongoing operation of the Rescop systems. Moreover, Rescop collects and transfers environment properties such as browser and OS, page URL, and title.
Operations and Access Control
Security Measures • All the client files in RC-QMS are encrypted in rest state. • All RC-QMS files are encrypted in transit state. • The database of RC-QMS is encrypted. • The RC-QMS security log is recording personal data: User (Last, First Name), Username, External IP Address. • All RC-QMS servers are under change control. • All RC-QMS servers are under access control. • Backups are taking and stored encrypted by Microsoft Azure and ATERA.
Monitoring & Auditing
Intrusion Prevention and Detection Rescop has an extensive Security Information and Event Management system (SIEM), that collects security audit trail logs across infrastructure components in industry standard formats (CEF and Syslog) using an Intrusion Detection System and for analysis and control.
Rescop’s SIEM alerts are based on comprehensive pre-defined scenarios, including identification of suspicious signs such as failed login attempts, logins from unknown and off-premise IP addresses or logins during off-hours.
SIEM alerts are monitored 24/7 by Rescop. The SIEM prioritizes all alerts, notifies in real time, and escalates them according to severity.
User Management and Permissions Rescop’s platform has an integrated, comprehensive role-based user management and enforcement system.
Assigning roles to users requires authorization from the relevant parties in Rescop, and application permissions are granularly controlled per action and screen.
Rescop’s internal corporate access control is centrally and manually managed based on strict need-to know and least-privileged principles on all levels: Application (strong authentication), Network (segmentation, firewall), Platform (access to servers), and procedural (who’s granted to review/approve code, manage changes, etc.).
All internal duties within Rescop are segregated. Access verifications are done by internal audits and period reviews, including but not limited to firewall rules, user accounts permissions etc.
Overall Conclusion Rescop as the developer of RC-QMS, backed with an uncompromising commitment to GxP, security and privacy, is trusted by companies worldwide. Rescop makes sure to comply with corporate, governmental and (inter)national regulations, maintaining and abiding by the strictest requirements, regulations and security measures at all levels – from its staff, through infrastructure and down to the finest details of its products and procedures.
Rescop has received the most demanding international certifications ISO 27001 and ISO 9001, and offers its customers the ability to enforce corporate governance internally, while providing an overarching security umbrella – hosting Rescop’s environments with Microsoft Azure Cloud Services, actively monitoring customer security 24/7, and performing frequently pen-tests on Rescop’s platforms.
Maurice Kerens Managing Director Software Development and Implementation