
Quality and Security

Our customers submit personal health data for processing through the TraIT suite of tools in a so-called federated environment. With a cloud-based ICT infrastructure, multiple platforms in various datacenters, subcontracted service providers and different (open) application standards, this requires a tailor-made management system to meet legal, customer and ICT-security requirements.

Quality Management System for Compliant Security

Introduction

A more detailed introduction and/or training in the Quality Management System for Compliant Security (QMS-CS) is available upon request.

Technical and organisational control measures

Based on periodic compliance analysis and risk assessments, the following organisational and technical measures have been taken, and will be updated when necessary, to safeguard the confidentiality, integrity, and accessibility of the entrusted data. Many other controls are in place; the list below (control and description) is non-exhaustive:

Policies 

The Information Security Policy is part of the TraIT ‘Policy Document’. Policies for Quality Management and IT Service Management are also incorporated. These are available to all TraIT service operators, and compliance with them is mandatory.

Security Procedures 

Policies are translated into detailed procedures. Among others: 

Terms of Use: Principal Investigators, as representatives of the data controllers, are responsible for ensuring that data are anonymised or pseudonymised according to the rules set by their Ethical Committees / Informed Consent (IC) or any other applicable regulation and legislation.

Data deviations / data leaks procedure: if, in the processing of data files, TraIT service operators encounter (potentially) identifiable data that is not normally included in research studies, they notify the data controller or his/her representative, and record and communicate the potential data deviation through the appropriate TraIT channels.

Network controls

TraIT uses HTTPS for network communication and certificates to verify connections.

Access control

Verification of user identity, authorizations and connection authentication takes place in a monitored process following a standard procedure with registration of each step.

TraIT works with controlled access through user accounts and authorization at the study and role level. The data owner (data controller) decides who should have access to the study and indicates the role/authorization that should be applied to the user account. The data controller remains the owner of the data.

ID and Access Management 

As part of information security, user management and access control procedures are supported by secured service management software.  

The data controller decides who should have access to the study data and indicates the role/authorization that should be applied to the user account. The data controller remains responsible for the data. 

Human resource security 

TraIT operators must comply with standard operating procedures, the ticketing system, and work instructions.

Operators involved with TraIT system maintenance and support must sign non-disclosure agreements or be bound to similar confidentiality restrictions through their employment contract. 
Risk Management 

Periodic risk assessments of all processes and services, organised in expert meetings, result in action reports; progress on the resulting actions is monitored regularly.

Contract Management 

Clients and 'Stichting TraIT' enter into Service and Processing Agreements with annexed Terms of Use, defining roles and responsibilities. 

'Stichting TraIT' and subcontracted Service Providers enter into Service (Level) and Processing Agreements for providing hosting, operational and consultancy services to TraIT clients. Subcontractors shall meet as a minimum the security controls as defined in this list. 
IT landscape

An overview of all services and their underlying IT components is kept in a dedicated configuration management database (CMDB).

Certified datacenters 

Services are hosted, and data are stored, on servers in certified datacenters with periodic reporting on performance and security.

Data traffic (up/downloads) to TraIT servers is encrypted.  

Vulnerability Assessments, penetration testing, physical controls, logging and monitoring are all in scope of certification. 
TraIT applications 

TraIT prefers open-source software, which is open to peer review by a potentially large community, supporting secure solutions with sound architecture and design principles.

TraIT Service Managers and Operators follow application and security specific forums to track vulnerabilities. 
Service management

IT services, including calls and security incident handling, are given appropriate priority and managed accordingly by means of secured service management software, with adequate availability of all relevant expertise during office hours.

Change management 

All changes and patches in the TraIT suite of tools follow standard procedures with registration of each step, including prior testing in an acceptance environment before being taken into production. 

Separate environments for test, acceptance and production (OTAP principles) are used.
Availability

Back-up services (daily backup with redundant copy at a different location) provide for long-term availability of applications and data. 

Disaster recovery plans are available in the certified datacenters.

Transparency and audits

Because the TraIT services are provided in a federated environment, a tailor-made quality management system for compliant security was required. The design and implementation of this QMS-CS is available for review by our customers. A Third Party Memorandum by a registered auditor, conformable to ISAE3000 type 2, for the TraIT Services is currently being considered.