Enterprise Risk Security and Privacy
Risk Management
Managing risk effectively requires a structured and clearly defined risk management process. We have implemented an Enterprise Risk Management (ERM) Program as the cornerstone of our efforts to identify and manage risks in alignment with our risk framework. The Board of Directors and senior management actively participate in the ERM process to mitigate strategic risks to Q2.
The main components of our program are designed to:
1. Designate several senior leaders (our Chief Risk Officer, Chief Information Security Officer and Chief Compliance Officer) to lead program implementation
2. Conduct on-going risk assessments to identify, categorize, and record foreseeable risk
3. Ensure remediation initiatives are defined, implemented, and governed
We also monitor risks, with the level of monitoring depending on the potential impact and likelihood of the risks and the sensitivity of the information. Monitoring may include sampling, system checks, reports, reviews of logs and audits, and other reasonable measures.
Data Governance and Privacy
Q2 prioritizes data governance and privacy; we know the challenges and risks will only increase. We must meet contractual and regulatory requirements, harmonize data and data practices across the distributed cloud, carefully retain and dispose of data, and meet our privacy commitments. Along with those challenges come opportunities. With strong data management capabilities, we sustain our capacity to deliver on our data obligations while reducing costs and risks – and maintaining our strong ethical stance for data privacy.
With those risks and opportunities in mind, we developed and introduced Q2’s new data governance roadmap in 2021, kicking off a multi-year effort to transform our data governance and privacy culture. Our premise is simple: organizations don’t become data-driven by chance but rather as the result of a well-executed strategy. Our vision of data enablement is brought to life by radical differentiation, understanding of customers/users, and achieving scale.
Data Security
Protecting data is vital to the trust our customers and users place in Q2 and the distributed cloud. We have invested in industry-recognized security for our data and systems to avoid breaches and other data security risks. We use a Privileged Asset Management approach to manage database access and educate our teams on data security. We train our developers to build security features into their code, further protecting data.
Information Security Programs
Fraudsters never rest, so we don’t either. Our security solutions study everything from user behavior and logins to suspicious sites and more.
Protecting private information and data
Q2 has adopted an Information Security Program (ISP) to protect private information and data and to comply with federal laws. The ISP applies to sensitive financial information Q2 receives in the conduct of its business, as required by law, and other confidential financial information Q2 has voluntarily chosen as a matter of policy to include within the ISP’s scope. The ISP was created to follow the NIST Cybersecurity Framework and the standards outlined in the Gramm-Leach-Bliley Act and the Payment Card Industry Security Standards Council.
We regularly monitor all aspects of our systems to ensure that safeguards are followed and to detect and correct breakdowns in security swiftly. Q2 applies a rigorous level of monitoring based on the potential impact and risks and the information's sensitivity.