Security policies

Our Mission

MD Group’s mission is to help companies achieve safer and higher quality workplaces all around the world through innovative mobile products. We do this through our Software-as-a-Service (SaaS) application, Qvalon.

We take pride that MD Group is seen as a world leader in products that promote safety and quality, and we know how important our role is in helping our customers improve their day-to-day operations.

We see our approach to cyber security as a key pillar in maintaining our status as a leader in this space, and this page provides an overview of how we approach cyber security as an organization.

Overview

MD Group has an active, robust and continually improving cyber security program in place to ensure that our organization and the products we provide are secured. MD Group’s cyber security program employs a number of controls at a technical and operational level to ensure that we have an effective, defense-in-depth approach to protect from cyber attacks and secure the data handled by our SaaS application Qvalon.

Key features include:

The content below provides an overview of the various parts of our security program.

Organizational Security Practices

Our approach to security is focused on aligning with recommended best practices in recognized standards such as the NIST, ISO 27001 and SOC frameworks.

Security Governance

MD Group has a documented set of policies and procedures that defines our approach to security as an organization. These policies and procedures are shared with all staff and reviewed and updated at least annually (and more frequently if material changes are required) to ensure our approach to security remains current.

We focus on ensuring accountability for security throughout our company. To this end, we have an information security management forum made up of key stakeholders from across MD Group that meets regularly to review and discuss security-related matters and to make any decisions that influence our approach to cyber security.

Access to Internal Systems and Cloud Platforms

We ensure that access to systems in our IT environment, including the cloud platforms we use, is restricted to employees who specifically require this access for their work.

All administrator access requires multi-factor authentication and employees accessing our environment are required to use an approved VPN solution.

Access permissions to our systems are regularly reviewed on an employee-by-employee basis and modified promptly. As part of our off-boarding process, all access to systems and services for departing employees is revoked.

Third Party Security

We carefully review the security practices of third parties we engage, both initially and on an ongoing basis, to ensure their practices meet industry standards and comply with our own privacy and security policies and procedures. If a third party requires access to our systems, we ensure that access is limited specifically to the purpose for which they have been engaged.

As Microsoft Azure (Azure) is one of our primary providers, we engage with them under the Shared Responsibility Model for security and compliance, ensuring there is a clear definition of who assumes responsibility for what when it comes to security. Azure is accredited by and compliant with a large number of the latest industry standards; more information can be found here.

For the processing of financial and credit card data, MD Group uses several partners (for example, Stripe) whose security practices are compliant with the Payment Card Industry Data Security Standard (PCI-DSS).

Network Security

MD Group’s corporate networks are protected with firewalls as well as IDS and IPS technology at the perimeter (provided by dedicated managed MikroTik security devices) so that we can detect and protect against malicious traffic.

For our cloud-based platform, we primarily use Azure, which provides a multi-layered strategy to defend against external attacks. At an infrastructure level, Azure employs strategies such as network device access control and data segregation using firewalls and virtual private clouds to filter out malicious traffic, and makes use of extensive logging and monitoring to prevent network-based attacks. At an application level, we take advantage of Azure Firewalls to prevent web-based and denial of service (DoS) attacks against our products.

Logging & Monitoring

MD Group makes use of a centralized logging system which includes application access audit events. These logs are retained for 90 days. We also use Azure logs to track service access requests. Logs stored in Azure cannot be modified, and access to them is restricted to those who require it for their job roles. We recognize the importance of reviewing logs regularly to identify malicious user activity and potential vulnerabilities in our products, and we are in the process of incorporating this into our security program.

Security Awareness Training

All MD Group personnel undergo regular security awareness training for both technical and non-technical roles. Security training materials are also developed for individual staff where required to ensure they are equipped to handle the specific security-oriented role requirements.

Patching and Vulnerability Management

Patching our IT environment is one of the most fundamentally important measures we can take to stay secure against a potential security breach. To do this we:

Protecting Customer Data

MD Group takes the security of our customers’ data extremely seriously. We take a number of steps to ensure customer data is carefully protected.

Restricting Access to Data

MD Group takes a number of measures to help protect customer data from inappropriate access or use by unauthorized persons (either external or internal). Customer data is only stored in our production environment, and access to that data by MD Group employees is limited to the employees who require it to perform their standard duties. Access to customer data is managed using access control and authentication tools (including two-factor authentication) provided by Azure and our other cloud partners.

Customer data is only used for purposes that are compatible with providing the contracted services, such as troubleshooting technical support requests. For full details please refer to the MD Group Privacy Policy.

In the rare case that MD Group support employees need to access the full body of a specific customer’s data, MD Group will always require consent from the customer before accessing this data.

We do not store or cache customer financial data used in conjunction with billing through the MD Group platform, and our employees do not have direct access to billing data.

Physical Access to Customer Data

All customer data is hosted on infrastructure provided by Azure, which maintains physical security of its sites using industry best practice controls as outlined in its security whitepapers.

No customer data is stored at any of our physical office locations.

Encryption of Data

MD Group has mechanisms in place to ensure that our customers' data is protected both at rest and when in transit. At rest, all customer data is encrypted using AES-256 with keys managed through Azure Key Management Service. All data is stored securely and subject to the security policies and procedures of Azure.

To protect data in transit, MD Group uses Transport Layer Security (TLS) and enforces TLS v1.2 as the minimum protocol version, with cipher keys of at least 128 bits. We support connections with up to 256-bit cipher keys for use with an Advanced Encryption Standard (AES) cipher.

Backups of Data

MD Group data is backed up at regular intervals to separate encrypted data storage solutions provided by Azure. Backups are replicated to multiple Azure facilities within the customer’s chosen region.

Access to data backups is restricted to specific MD Group employees for whom that access is required as part of their job role.

Deletion and Disposal of Data

Our customer data is principally stored in Azure and subject to Azure’s deletion and disposal procedures. These procedures include a secure process to logically wipe retired media. Wiped media is then inspected to confirm the successful destruction of data.

Any MD Group owned hardware that contains confidential data, including MD Group backups, is subject to industry standard logical data destruction before recycling. Where possible, MD Group will use AES-256-GCM encryption on any digital copies.

Securing our Products

We recognize that for the bulk of our customers, their principal experience with MD Group will be through our product Qvalon. Security forms an important part of the way this product is developed and operated, as discussed below.

Secure Software Development Practices

As part of our product development process, every code change is reviewed, including for adherence to security best practice, before it is released into production. We also segregate our development, test and production environments.

Change Control

All changes to MD Group products are actively tested during their development to ensure the impact to end users is evaluated prior to deployment, and any significant changes are included in the production release notes.

MD Group employs change tracking and version control to actively monitor and manage changes to the code base of our products.

Vulnerability Identification & Patch Management

We work hard to minimize the number of vulnerabilities that arise in our products, and we recognize that it is important to take proactive steps to make sure we address any vulnerabilities as quickly as possible. To that end, MD Group actively monitors and tests for vulnerabilities in our applications. We also run a private bug bounty program, recognizing that a community of independent security researchers, incentivized to test our products on an ongoing basis and identify potential issues, will only serve to strengthen the security of our products.

Where a vulnerability is identified (internally or externally), the issue is tracked and prioritized according to the potential severity of impact to a customer. Resolution times will depend on the severity and can include round-the-clock work by our developers until the issue is remediated.

Patches for identified vulnerabilities are developed and released into the production environment through our continuous integration and deployment (CI/CD) process and applied as soon as possible.

Handling Security Incidents

While we do our utmost to prevent security incidents, we recognize that we also need to be prepared to handle such incidents should they arise, to minimize any potential impact to our customers and to MD Group. We have a range of measures in place, including:

MD Group will promptly alert affected clients of major incidents impacting the availability of MD Group services or data and of any incidents affecting the confidentiality and integrity of user data as per our MD Group Privacy Policy.

Final Thoughts

MD Group considers cyber security a fundamental part of our business and of the products we provide to businesses around the world. While the controls and measures we have in place extend significantly beyond what is covered here, this page has been designed to provide an overall understanding of the multi-faceted approach we take to security, and our commitment to it.

If you have any questions about the contents, or require more information about our approach to support, security or privacy, please contact us at the address below:

info@qvalon.com