How we use the Quick Base Platform to Achieve our IT Compliance Objectives

Tips & Tricks | Dec 13, 2017 | 11 Min Read
At Quick Base we have recently completed our SSAE16 SOC 2 Type II examination, as well as a HIPAA attestation.

Building audit-able processes and controls are at the heart of IT compliance, and that just happens to be something Quick Base apps do really well. I’d like to share some of the ways we utilize our own Quick Base platform to support many of our corporate processes.

Our road to independence

When Quick Base divested from our former parent company over a year ago, some of our business processes were already in place and continued to be used. We also had to build brand new functions and processes such as those for Corporate IT, Finance, Legal, and Human Resources. And we had to move quickly—after all it would be hard to operate as a company without these core functions.

I am proud to say that within a very short time Quick Base was able to build maturity as an independent organization. I am doubly proud to say that our own product was key to making that happen.

Let’s look at some of the important processes we built and how we achieved our own goals using Quick Base.

Employee management

Staff onboarding and termination is critical for IT to get right. When new employees join a company, background checks must be passed and staff must sign non-disclosure agreements. Then there are other tasks, from assigning a seat location and provisioning a laptop and phone to creating accounts across multiple systems (in line with the user’s job function and role, of course). If someone leaves, these things all need to be done in reverse, and in a timely manner.

You may be thinking “Sounds like a good job for a Quick Base app,” and indeed it is. Our Employee Onboarding and Exit app documents and ensures that all the necessary actions are completed when new staff join or leave the company.

In addition to providing a “paper trail” showing that all assigned tasks were accomplished, tracking the employee onboarding and offboarding process with a Quick Base app makes us more efficient. Steps are no longer missed and the entire process runs more smoothly, with key stakeholders informed at every step.

IT change control

What causes more IT downtime than anything else? Changes. Mature IT change control processes can reduce downtime by ensuring changes do not introduce problems. IT changes must be planned, documented, reviewed, approved, tested, and authorized. Quick Base’s Operations team has built an incredibly full-featured IT change management app to handle it all.

The Change Control app is the place where IT changes are requested, categorized, prioritized, and approved by management, and then assigned to technicians and tracked to completion. Is the change an emergency? Choose priority P0 and our operations team will be paged for an immediate response.

When all the changes and records are in the app, it’s also easy to demonstrate to our auditors that our IT change control process includes the necessary controls, and that the controls were met.

Asset management

Asset management is a critical part of IT management. As a cloud service provider we have numerous server types and network gear to oversee. Quick Base’s Operations team makes heavy use of its Asset Management app. All pertinent information is recorded, including:

  • Whether it’s a virtual or physical asset
  • The operating system, processor type, and number of cores
  • How much memory it has
  • Even when the server was commissioned

The history of when servers were patched, and the schedule for the next patch deployment, are also maintained.

Operations, escalations and incident management

Maintaining high availability numbers requires a dedicated team of smart engineers and automated monitoring and escalation tools that proactively contact our call trees when there is an operational issue. In addition to automated monitoring tools, issues may be escalated to our operations team by internal stakeholders and our customer care team on behalf of customers.

How does our Operations team triage and track operational issues? A Quick Base app does the job nicely. At audit time, it’s easy enough to bring up a specific ticket for a specific issue, and demonstrate how an operational issue was detected, escalated, and resolved—all within the app.

And, since the data about operational issues is in the app too, it’s a great place to analyze that data in whatever way is needed, such as identifying common operational issues for the past year, or which customers are having the most issues.

Using Quick Base apps for operational functions seems to be working well; Quick Base has had 100% uptime for the past 6 months.

Development life cycle

Every organization involved in software development has a development lifecycle for its products and Quick Base is no exception. Bugs and enhancements are triaged and prioritized into backlogs and roadmaps. Resources are allocated and developers work to resolve bugs and implement new features.

Other important development life cycle controls include peer reviews and positive confirmation that quality testing has been completed.

All of these development lifecycle activities must be tracked as part of the development workflow—and that record of process, in turn, is demonstrated to auditors. We have been using Quick Base apps to manage our own development lifecycle for quite some time.

Vendor and vendor risk management

One of the things Quick Base users love most when using an app for a business process is the realization that they can readily implement change. So, when the question “Wouldn’t it be nice if the app did X?” arises, a builder can turn that into an empowering “I can make it happen.”

As we built our finance department, one of the first Quick Base apps created to serve financial functions was our Procure to Pay (aka P2P) app. That’s the app where we generate Purchase Orders. Well, as anyone who has generated a purchase order before knows, it’s a good idea to have some controls. For example, it’s important to have the legal team review the contract and for finance to validate that the purchase is budgeted.

As the Security Officer for Quick Base, I needed to build a vendor management program to manage the risk of outsourcing various functions and processes that keep the business running. I particularly wanted vendor risk management to be triggered before a new vendor came onboard, based on risk criteria such as access to data or a dependency on the vendor to deliver our services. So, we added a security approval step on purchase orders when a new vendor met these criteria.

That worked great, but like any Quick Base app we had some ideas to make it even better. Now, instead of separately collecting needed information about each vendor and their risk factors in a spreadsheet, we are adding those data fields right into the procurement app. As a result, we now have built-in vendor risk management. And, like other apps, all the data and records are readily accessible for review as evidence at audit time.

In summary

There is a saying in software about eating one’s own dog food (we tend to call it sipping our own Champagne). The meaning, of course, is that you use your own product right alongside your customers. You understand their perspective because you’re there too, and are therefore better equipped to know how to improve your product.

At Quick Base, we use our own software extensively. Our Quick Base apps are powering many areas of our business and they are certainly helping me, Quick Base’s Compliance Officer, ensure we are meeting our compliance goals—and doing so efficiently.
