Information Transparency in Harmony with Data Security

Secure your data (and citizens’ personal identifying information in your care) while ensuring compliance with your state and local laws. GovQA provides best-in-class data security for our hosting, application, and personnel.


Architecture, Encryption, and Monitoring

GovQA is built on a proprietary single-tenant architecture. Customer data is encrypted with AES-256, an algorithm approved under FIPS 140-2. Protecting sensitive government data takes more than secure hosting and a secure application, so GovQA also vets and trains the personnel who operate the platform.

Single-Tenant: Architectural Barriers to Intrusion

Our single-tenant architecture isolates your data in its own database. As a GovQA customer, you are the only “tenant” in your database: no other customer can access your data, and there is no co-mingling of records. This is a safeguard against cross-customer exposure, because there is no shared table from which a missing filter or authorization check could return another customer’s rows. It also makes operations more predictable, since other customers’ activity cannot affect yours: when other GovQA customers receive updates that require brief in-app interruptions, you are not affected. In addition, GovQA’s core platform is proprietary code with no open source components, so its attack surface does not include the publicly disclosed vulnerabilities of third-party libraries.

The opposite of GovQA’s single-tenant architecture is a multi-tenant system, in which every customer’s data shares one database and one code path and isolation depends on the application scoping every query and every permission check to the right tenant. Multi-tenancy is cheaper for developers to set up and maintain, but a single missed tenant check can expose one customer’s records to another, and it reduces the ability to tailor functions per customer. With multi-tenant systems it is all or nothing: every customer receives the changes pushed to everyone in the system. If data security and personalization are priorities for your organization, the cheaper solution carries costs of its own.
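The isolation difference described above, as an added example rather than GovQA’s own code: a shared multi-tenant table where one forgotten filter leaks another customer’s rows, the same query correctly scoped by tenant, and a per-customer database where the connection itself is the boundary. The table layout, tenant names and rows are constructed for illustration.

```python
"""
Added example, not GovQA's code: the isolation difference between a shared
(multi-tenant) database and one database per customer (single-tenant).
The table layout, tenant names and rows are constructed for illustration.
"""
import sqlite3

# Constructed sample data: (tenant_id, request_id, subject)
SAMPLE_ROWS = [
    ("city_a", 101, "police incident report 2023-17"),
    ("city_a", 102, "council meeting minutes"),
    ("city_b", 201, "building permit appeal"),
]


def shared_db() -> sqlite3.Connection:
    """Multi-tenant layout: one table holds every customer's rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE requests (tenant_id TEXT, request_id INTEGER, subject TEXT)")
    db.executemany("INSERT INTO requests VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def list_requests_unscoped(db: sqlite3.Connection, search: str) -> list:
    """Defective multi-tenant query: the tenant filter was forgotten, so rows
    belonging to every customer come back (the co-mingling the text warns about)."""
    return db.execute(
        "SELECT tenant_id, request_id FROM requests WHERE subject LIKE ? ORDER BY request_id",
        (f"%{search}%",),
    ).fetchall()


def list_requests_scoped(db: sqlite3.Connection, tenant_id: str, search: str) -> list:
    """Correct multi-tenant query: tenant_id is bound on this statement, and it
    must be bound on every other statement that touches the shared table."""
    return db.execute(
        "SELECT tenant_id, request_id FROM requests "
        "WHERE tenant_id = ? AND subject LIKE ? ORDER BY request_id",
        (tenant_id, f"%{search}%"),
    ).fetchall()


def single_tenant_dbs() -> dict:
    """Single-tenant layout: a separate database per customer. The rows need no
    tenant column because each database holds exactly one customer."""
    dbs = {}
    for tenant_id, request_id, subject in SAMPLE_ROWS:
        if tenant_id not in dbs:
            dbs[tenant_id] = sqlite3.connect(":memory:")
            dbs[tenant_id].execute("CREATE TABLE requests (request_id INTEGER, subject TEXT)")
        dbs[tenant_id].execute("INSERT INTO requests VALUES (?, ?)", (request_id, subject))
    return dbs


def list_requests_single_tenant(dbs: dict, tenant_id: str, search: str) -> list:
    """The connection is the isolation boundary: this query has the same
    no-tenant-filter shape as list_requests_unscoped, yet it cannot return
    another customer's rows because those rows are not in this database."""
    return dbs[tenant_id].execute(
        "SELECT request_id FROM requests WHERE subject LIKE ? ORDER BY request_id",
        (f"%{search}%",),
    ).fetchall()


def leaked_tenants(rows: list, expected_tenant: str) -> set:
    """Check helper: the set of other tenants whose data a result set contains."""
    return {tenant for tenant, _ in rows if tenant != expected_tenant}


if __name__ == "__main__":
    db = shared_db()
    print("unscoped:", list_requests_unscoped(db, ""))  # rows from both cities
    print("scoped:  ", list_requests_scoped(db, "city_a", ""))
    print("single:  ", list_requests_single_tenant(single_tenant_dbs(), "city_a", ""))
```

The practical check for a shared-database design is a test like `leaked_tenants` run against every query path; in the per-database design that class of test has nothing to catch, which is the point the text makes.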

Want to learn more? The Forbes Technology Council discusses single-tenant architecture in the article linked below:

SaaS: Choosing Between Single-Tenant and Multi-Tenant Solutions.

Comprehensive Auditing and Compliance

GovQA, the company itself, runs an extensive in-house SETA (Security Education, Training and Awareness) program that includes CJIS and HIPAA training and certification for employees, incident handling policies, dedicated on-site security staff, and FBI LiveScan fingerprint background checks. The result is continuous, rather than one-time, auditing and compliance.

Internal Security Measures

Encryption at rest and in transit, role-based access controls, multi-factor authentication, single sign-on integrations, and Microsoft Azure Government hosting together form the ongoing security controls GovQA provides to government customers.


No Open Source Code in Core Platform

There are arguments for and against open source software compared to proprietary software. Through our decades of experience we see the benefits of both to developers, but only one of the two is best for you, the customer.

Open Source Code

It is often argued that open source code makes things easier. It leverages the work of many contributors to optimize a code base and avoids reimplementing functionality that already exists. The same reasoning is applied to the security of highly visible open code bases: proponents argue that with more people reading the code, security issues are identified and addressed more actively.

We at GovQA think open source code is a good fit for small software development groups. Having outside contributors review your code base and help fix bugs saves these groups time and money.

But what does it cost their customers?

Publishing a complete blueprint of your software on GitHub (a common place to get help with your code) is risky, and promoting your code base as open source makes an attacker’s job easier: they do not have to begin by working out your software design and source code.

Security vulnerabilities in open source code are common, regardless of how many eyes are on it. A search of the federal government’s National Vulnerability Database shows a steady stream of them in widely used open source components.

Proprietary Source Code

GovQA decided many years ago to develop a proprietary code base and to use no open source code in its core platform. Our closely guarded code base pays for itself in security.

With fully custom, proprietary code, only GovQA developers have access to the source, and there is no third-party component whose published vulnerabilities an attacker can look up and try against the platform. This gives GovQA complete control over the security of our customers’ environments and lets us advance our security infrastructure continuously.


Cloud Hosting

When it comes to cloud hosting there are several big platforms to choose from. With GovQA there are options as well. No two implementations are alike, which is why the GovQA system is configurable.

For customers who prioritize data hosting security, we offer the GovQA Fortress™ Secure System. With the Fortress option the platform is hosted in Microsoft Azure Government, combining strong security and privacy with a high degree of control, performance, scalability, and accessibility. We are the only company in our market partnered with Microsoft Azure Government (which holds FedRAMP High authorization, the highest FedRAMP impact level), and the only one able to offer this hosting option for your records exchange platform.

GovQA offers other solutions that include hosting on-site at GovQA or leveraging Amazon Web Services for cloud hosting. Options can be discussed and defined based on your unique situation.

Microsoft Azure Government delivers a cloud platform built upon the foundational principles of security, privacy & control, compliance, and transparency. Public Sector entities receive a physically isolated instance of Microsoft Azure that employs world-class security and compliance services critical to U.S. government for all systems and applications built on its architecture. ... Public Sector entities can also take advantage of the instant scalability and guaranteed uptime of a hyper-scale cloud service.

Microsoft

3rd Party Authorization & Compliance

Several key government organizations set the standards for properly executing software solutions in the best interest of the public. When a software solution complies with these standards, the purchasing group can have confidence that the product has been vetted.

But GovQA goes further. 

Our compliance is not a one-time event and certification.  We don’t “map” our software to the standards and call it a day.  We are committed to on-going, strict compliance day to day, month to month, year to year. This is proven with annual (and more frequent) 3rd party audits of our platform.

…And we go further still. 

GovQA’s employees, building, and company systems and procedures are also compliant.  We have extensive SETA (Security Education Training Awareness) programs in place, state-of-the-art building security, and strictly enforce CJIS and HIPAA staff training, certification, and annual re-certification. Security at GovQA is not just a box to check, it is truly ingrained in our culture.

GovQA can provide Letters of Attestation to confirm we have met all compliance requirements.

FedRAMP

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services and products. Read about GovQA’s assessment here.

Read about GovQA’s FISMA/NIST Moderate Compliance Audit here.


CJIS Compliant

Compliance with the Criminal Justice Information Services (CJIS) Security Policy is ongoing. This includes GovQA data infrastructure and maintenance, product development, and relevant employee background checks.


HIPAA Compliant

The HIPAA Security Rule establishes national standards requiring appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Our compliance means we adhere to all HIPAA Rules relevant to our business including Privacy, Security, Enforcement, and Breach Notification.


What are some key considerations for best-in-class security? The security triangle (figure) lists its tiers, from top to bottom:

  • All Security Controls Documented & Tested (Audit Required)
  • Criminal Justice Controls Documented & Tested (Audit Required)
  • Health Information Controls Documented (Audit Required)
  • Controls Tested, Voluntary (Audit Required)
  • Controls Documented, Voluntary
  • Financial Controls, Voluntary

The Security Triangle


Monitor and Oversight

GovQA considers the value of all client/agency data and its protection from leaks, breaches, and loss to be of paramount importance.  This is why we have designed our products and services to utilize security features and mechanisms which continually meet or exceed prescribed industry guidelines.

Successful security breaches often go unnoticed; an intruder who can access data while evading detection has achieved that much more. At GovQA, monitoring your environment is a priority. Monitoring and auditing help GovQA (and you) identify irregularities in the use of your system.

24/7 Threat Monitoring

GovQA’s security operations team uses current security tooling to monitor all endpoints continuously for threats, flagging every exception and potential intrusion.

Our CJIS, HIPAA, NIST, and other audits and compliance ratings prove we have identified and assessed the criticality of information assets, threats, vulnerabilities and risks; developed controls and action plans; and regularly test the efficacy of those controls and plans.

Comprehensive Auditing

Virtually every action is logged, and the logged details are available according to security role. System administrators can see who is doing what, in aggregate or for a specific instance.

Disaster Recovery and Data Loss Prevention

The GovQA disaster recovery and data loss prevention plans are specific to each data center we work with. We have plans for customers with standard security requirements and plans for Azure Government that cover specific compliance requirements such as CJIS and HIPAA. All plans are fully documented, validated, and tested annually (or more often when key changes are made to the system). Alerts, backups, training, support, and issue escalation procedures are in place to prevent prolonged downtime and data loss. For specific questions, ask to see our Security and Business Continuity Plan.

Access Controls

One of the inherent issues of any system like GovQA’s is human error. Whenever a distributed network of people is accessing and transmitting data, proper training has to be combined with technology to defend against attack.

Training Users

The first line of defense is the people using the tool. GovQA has a comprehensive training plan, perfected over thousands of implementations. GovQA’s highly trained and passionate staff conduct a series of live, real-world based simulations to ensure your team knows exactly how to use the software.

Multi-Factor Authentication

The GovQA system adds a layer of protection by requiring more than one factor to authenticate a user (for example, a password plus a one-time PIN sent to the user’s email address).

Optional single sign-on integration with ADFS, Okta, and other identity providers simplifies login while leaving password policy and MFA enforcement with your identity provider.

Role-Based Access Controls

The entire application is configured to grant each type of user the correct access level based on the role assigned to the authenticated account. Users only see the information they are allowed to see.
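The three controls in this section, as an added example rather than GovQA’s own code: a password-then-emailed-PIN login (the multi-factor flow described above), role-based filtering of what an authenticated user may do and see, and an audit trail of every decision that only an administrator role can read (the logging described under Comprehensive Auditing). The roles, field visibility, PIN lifetime, and sample users and records are assumptions for illustration.

```python
"""
Added example, not GovQA's code: a two-factor login (password, then a
single-use PIN sent by e-mail) followed by role-based access to records,
with every decision written to an audit trail. The roles, field visibility,
PIN lifetime and sample users/records are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300              # assumed lifetime of a mailed PIN
_SALT = b"constructed-demo-salt"   # a real store keeps a random salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample users: password hash plus assigned role
USERS = {
    "clerk1": {"pw": _hash_password("clerk-pass"), "role": "clerk"},
    "admin1": {"pw": _hash_password("admin-pass"), "role": "sysadmin"},
}
_DUMMY_HASH = _hash_password("dummy")  # unknown users cost the same time as known ones

# Assumed policy: actions each role may take, and record fields each role sees
ROLE_ACTIONS = {
    "clerk": {"record.read"},
    "sysadmin": {"record.read", "audit.read"},
}
ROLE_FIELDS = {
    "clerk": {"id", "subject"},
    "sysadmin": {"id", "subject", "requester_dob"},
}

_pending_pins = {}   # username -> (pin, expiry); each PIN is single use
AUDIT = []           # append-only trail; a list stands in for a table


def _log(actor, action, outcome, **detail):
    AUDIT.append({"ts": time.time(), "actor": actor, "action": action,
                  "outcome": outcome, **detail})


def start_login(username, password, send_email):
    """Factor 1: password. On success a fresh PIN is delivered via send_email."""
    user = USERS.get(username)
    stored = user["pw"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(stored, _hash_password(password)) and user is not None
    if not ok:
        _log(username, "login.password", "fail")
        return False
    pin = f"{secrets.randbelow(10**6):06d}"
    _pending_pins[username] = (pin, time.time() + PIN_TTL_SECONDS)
    send_email(username, pin)
    _log(username, "login.password", "ok")
    return True


def finish_login(username, pin):
    """Factor 2: PIN. Returns a session (user + role) or None."""
    entry = _pending_pins.pop(username, None)   # pop: a PIN works exactly once
    if entry is None or time.time() > entry[1] or not hmac.compare_digest(entry[0], pin):
        _log(username, "login.pin", "fail")
        return None
    _log(username, "login.pin", "ok")
    return {"user": username, "role": USERS[username]["role"]}


def view_record(session, record):
    """RBAC: refuse unless the role may read, then return only permitted fields."""
    role = session["role"]
    if "record.read" not in ROLE_ACTIONS[role]:
        _log(session["user"], "record.read", "deny", record_id=record["id"])
        raise PermissionError("role may not read records")
    _log(session["user"], "record.read", "ok", record_id=record["id"])
    return {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}


def read_audit(session):
    """Only roles holding audit.read (sysadmin here) can see who did what."""
    if "audit.read" not in ROLE_ACTIONS[session["role"]]:
        _log(session["user"], "audit.read", "deny")
        raise PermissionError("role may not read the audit trail")
    _log(session["user"], "audit.read", "ok")
    return list(AUDIT)


if __name__ == "__main__":
    mailbox = {}
    start_login("clerk1", "clerk-pass", lambda user, pin: mailbox.__setitem__(user, pin))
    clerk = finish_login("clerk1", mailbox["clerk1"])
    record = {"id": 7, "subject": "records request", "requester_dob": "1980-01-01"}
    print(view_record(clerk, record))   # requester_dob is withheld from a clerk
```

Two details carry the security weight: the pending PIN is popped before it is checked, so a wrong guess or a second submission cannot reuse it, and both factors are compared with `hmac.compare_digest` rather than `==`.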


Dedicated Security Team

Did you know that only 25% of organizations have standalone data security departments?  GovQA belongs to that group!

  • GovQA is the only provider in our market with a full time, dedicated security team on-site
  • Our security team is larger than other providers’ entire staff
  • GovQA employees are HIPAA & CJIS trained and certified
  • We have an extensive SETA (Security Education, Training, and Awareness) Program

Security is crucial to GovQA's Platform. For us, a dedicated team of experts is the ONLY way to ensure we're staying ahead of the game.

Anthony Franciskovich, Sr. Director of Application Security

Believe it or not, we have even more to say about security...

Send us your questions!

Listen to the GovQA Audio Series, Episode 01152: Five Steps to Software Security with Anthony Franciskovich, Senior Director of Application Security, GovQA. Does your solution follow these best practices?