Information Management System: Applicable standard or regulation 6.19, chapter 26 



We use Therap, software designed specifically for those with intellectual disabilities. It allows customizable plans, data tracking, health tracking, and more. This system allows all data to be updated in real time and gives all individuals on the team access right away.


This system allows us to track incident reports, appointment records, all updates to client files, and the activity of any and all agents who access the system.


All client files are similar in format and placement of information, with all services related to rules and regulations, and with customized notes and goals for each client. We encourage all providers and clients to customize to meet their needs; this may result in simple or complex plans.


Backup (from Therap) includes physical controls, logical controls, and procedural controls to secure and back up information.

Therap Security Primer


At Therap Services, emphasis is placed upon the confidentiality, integrity and availability of the services and associated data provided to customers. The network and computing infrastructure that has been designed and developed to deliver these services is assessed on an ongoing basis to ensure compliance with the stated goals. This is accomplished by a combination of physical, logical and procedural controls.


An important contributor to the controls and practices developed at Therap is the "Twenty Critical Security Controls for Effective Cyber Defense" document that has been developed by the SANS organization. The document was created and is actively maintained by a combination of federal, military and civilian cyber security experts, and is gaining acceptance as a de-facto standard for Secure IT infrastructures.


Physical Controls

• Site Access: Controlled/monitored physical access to site, and installed equipment

• System Backups: Local disk and tape backups, offsite encrypted tape backups

• Inter-site Redundancy: Two sites with matching infrastructure, either of which can function as the 'live' site

• Redundancy, Environmental: Dual power feeds, supported by UPS and generator

• Redundancy, Infrastructure: RAID disk layouts, highly-available storage facilities, multiple application servers


Logical Controls

• Firewalls: Controlled access to Therap infrastructure, and between security zones

• Anti-Malware: Examination of uploaded files prior to acceptance into system

• Load Balancers: Transparent control of user sessions across redundant servers

• Database Replication: Near real-time replication (30 seconds or less) between sites

• Centralized Logging and Event Monitoring: 24x7x365 active monitoring and assessment of infrastructure- and application-level events by Therap staff

• Vulnerability Assessments: Annual 3rd-party assessments, ongoing assessments

• Vulnerability Assessments, self-performed: On-demand and scheduled assessments performed by Therap staff via locally installed vulnerability assessment software suite


Procedural Controls

• Application User IDs: Controlled within the application by agency administrators. User ID policies, including role-based controls, are set by the customer administrator.

• Operations User IDs: Controlled via approval, Chief of System Operations

• Role-based Access Control: Access level(s) granted on role-based scope

• Change Management: Defined set of procedures for executing changes to the environment

• Patch Management: Process for the installation of software and firmware updates

• Disaster Recovery: Review and (if necessary) address defined failure scenarios

• Log Analysis/Review: Device logs are forwarded to a central server for analysis

• Performance Review: Performance metrics for the application and infrastructure are compiled for subsequent analysis and proactive planning


© Copyright Therap Services, LLC. 2003 - 2016. All Rights Reserved.

U.S. Patents #8819785, #8739253, #8281370, #8528056, #8613054, #8615790