Service Organization Control (SOC) 3 Report


Trust Services Report on Management's Assertion about the Effectiveness of Controls Regarding the System for Hosting Client Data Through Cloud Services Related to the Security and Availability Principles

ProCon Solutions, Inc., dba GoIWx

For the Period May 1, 2013 to October 31, 2013

TABLE OF CONTENTS

I. Management of GoIWx's Assertion Regarding Its System for Hosting Client Data Through Cloud Services throughout the Period May 1, 2013 to October 31,
II. Independent Service Auditor's Report
III. GoIWx's Description of Its System for Hosting Client Data Through Cloud Services throughout the Period May 1, 2013 to October 31,
   A. Overview of GoIWx Operations
   B. General Systems Controls
   C. User Control Considerations

I. Management of GoIWx's Assertion Regarding Its System for Hosting Client Data Through Cloud Services throughout the Period May 1, 2013 to October 31, 2013

Management Assertion

During the period May 1, 2013 through October 31, 2013, GoIWx, in all material respects:

Maintained effective controls over the security and availability of the system for hosting client data through cloud services provided through our V2 network configuration to provide reasonable assurance that:

1) the System was protected against unauthorized access (both physical and logical) and
2) the System was available for operation and use, as committed or agreed,

based on the trust services for security and availability criteria issued by the American Institute of Certified Public Accountants and CPA Canada.

II. Independent Service Auditor's Report

Independent Practitioner's Trust Services Report

To Management of Procon Solutions, Inc., dba GoIWx, Inc.
Maple Grove, Minnesota

We have examined management's assertion that during the period May 1, 2013 through October 31, 2013, Procon Solutions, Inc., dba GoIWx, Inc. (GoIWx) maintained effective controls over the system for hosting data through cloud services related to the V2 network configuration (the System) based on the AICPA and CPA Canada trust services availability and security criteria to provide reasonable assurance that:

- the system was available for operation and use, as committed or agreed;
- the system was protected against unauthorized access (both physical and logical);

based on the AICPA and CPA Canada trust services security and availability criteria.

GoIWx's management is responsible for this assertion. Our responsibility is to express an opinion based on our examination. Management's description of the aspects of the System covered by its assertion is attached. We did not examine this description, and accordingly, we do not express an opinion on it.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of GoIWx's relevant controls over the availability and security of the System; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of the nature and inherent limitations of controls, GoIWx's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent or detect and correct error or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, management's assertion referred to above is fairly stated, in all material respects, based on the AICPA and CPA Canada trust services security and availability criteria.

Minneapolis, Minnesota
April 30,

GoIWx's Description of Its System for Hosting Client Data Through Cloud Services throughout the Period May 1, 2013 to October 31, 2013

Overview of GoIWx Operations

GoIWx, located in Minneapolis, Minnesota, has been providing Managed Hosting solutions and ongoing maintenance services that focus on ERP applications for the clients (Clients) we serve. GoIWx has been in the IT industry since 1995, starting its hosting operation in November of

GoIWx continues to enhance the expertise levels of our staff and adapt our services offerings to meet the changing business environment. GoIWx takes pride in the ability to design, deploy, and provide hosting services that are right for our Client's business needs. GoIWx offers single tenant, multi-tenant and hybrid hosting services tailored to meet the needs of our diverse Client base, whether small, medium or enterprise businesses.

From 1995 to 1999, GoIWx had (3) primary service offerings focused in the Manufacturing Industry: Enterprise Resource Planning (ERP) Software sales, Implementation and Training Services. In November of 1999, GoIWx started providing hosting operations. At that time GoIWx architected and built a dedicated network infrastructure in the ENT01-V1 network (hereinafter referred to as V1), comprised predominately of physical servers.

In April of 2006 GoIWx recognized a shift in the marketplace with the acceptance of Cloud computing. GoIWx realigned its business to focus on hosting services only, which would be offered through multiple partner channels and/or direct to the end Client. With the business focus aligned with cloud, GoIWx embraced virtual server technology. In 2007, GoIWx architected and built another network infrastructure, MM01-V2 (hereinafter referred to as V2).

Both the V1 and V2 networks are built with Cisco firewalls and switching. The V1 network is a mix of Windows servers, both physical and VMware virtual servers. The V2 network is a combination of Hyper-V nodes for virtualization and physical SQL Server clusters for database management. The V1 network is being phased out as Clients upgrade their software or request higher levels of automation.

GoIWx Clients communicate with one of these designated networks via secure Internet connections, VPNs and private MPLS. GoIWx does not currently process any data on behalf of our Clients. GoIWx services are available to our Clients on a 24/7/365 basis, notwithstanding planned scheduled outages.

Clients of GoIWx utilize either V1 or V2 within their computer infrastructure. Clients that are operating within V1 are dependent on GoIWx for changes related to access and user management. V2 Clients have on-line control panels for self-service user management and accessibility. Clients added since January 2010 subscribe to the V2 service, except for previously existing V1 Clients that subsequently converted to V2. The accompanying description and testing of controls relates to V2, and excludes controls and processes related to V1.

In 2008 GoIWx expanded beyond the Manufacturing industry and added Retail, Professional Services, Energy, Healthcare, Financial, Aviation, Entertainment and Non-Profit industries. Within all these industries GoIWx serves a diverse size of companies ranging from small to enterprise businesses. The vast majority of our Clients are located in the United States, with Clients in Canada, Mexico, Hong Kong and the UAE.

GoIWx has entered into a Master Services Agreement with TW Telecom for access and use of colocation facilities throughout the United States. Today GoIWx has infrastructure in two of the (80) available facilities, with plans to add (1) additional location in

ERP application hosting is at the core of the GoIWx offering. The ERP packages hosted by GoIWx are developed in Windows, running on a SQL (relational) database backend. The employees of GoIWx have skills specifically in Windows and SQL that allow for best practices pertaining to security and availability. GoIWx has earned its Silver Partner status with Microsoft, specifically the Microsoft Hosting Competency. This competency requires GoIWx employees to obtain certifications on the different Microsoft platforms used to deliver the hosted services.

GoIWx provides a handful of hosted products/services to its Clients. Each of these products/services is offered to the Client to accomplish at least one, but typically several, of the following: predictable IT spend, automation of IT processes, Information Technology Service Management (ITSM) based service requests, access to company data from anywhere at any time, consistent and repeatable IT services, more productivity, eliminate or reduce capital requirements, possible reduction of on staff IT, increased uptime, increased data security, reduce risk of malware, increase efficiencies, manage critical backup/restore functionality, patching and upgrading. These products/services, taken together or separately, allow our Clients to do business more productively, providing for more focus on their business core competencies. These products/services enable the Client to have more flexibility in its partner selection for ERP services and IT staffing.

Clients expect more from a hosting provider than if they operated from their local premise. Security is a big concern for all companies. GoIWx takes extra steps to provide a much higher level of security than a Client could provide on their own. Through the creation and adoption of several internal/external policies that cover passwords, physical security, remote access, out-sourcing and more, GoIWx has a firm control over security. On a routine basis, GoIWx performs vulnerability scans on its own networks. On an annual basis GoIWx uses a third party company to conduct a vulnerability scan against its network. The results of these scans are documented and, if remediation is required, it is addressed immediately. Beginning in 2013, onboarding of new Clients requires new users to participate in information security training. This training is designed to help the users maintain a high level of security with their login credentials and security protection on their local devices.

Clients have the expectation of availability from anywhere, at any time, from any device. GoIWx has architected and built their networks for high availability, and has taken painstaking measures to build redundancy in the event of an equipment or facility failure. The hardware design and colocation facilities are highly redundant to provide maximum availability. Testing is performed on a monthly basis for all generators and HVAC systems. The entire facilities have to run under full load while powered by diesel generators to test the systems. GoIWx uses storage area network (SAN) technology that allows for continual SAN to SAN replication between the two GoIWx facilities. These SANs are tested on a routine basis to assure replications are succeeding as expected. Different aspects of the GoIWx network are purposely failed over to test the redundancy or the availability architecture. The testing is performed in compliance with specific test procedures, which determine the required testing plan and expected outcome.

GoIWx anticipates and expects users will want support based on their company's needs. To best accommodate timely responses to our Clients, GoIWx provides a Service Level Agreement (SLA) which communicates what can be expected for response times. In addition to the SLA, GoIWx may assign a specific engineer, project manager, customer care representative and sales person to each Client. One of the specific roles of these team members is to attend regularly scheduled Client Advisory Board (CAB) meetings. During these meetings several areas are discussed, specifically open Incident Requests (IR), Service Requests (SR), Problem Reports (PR) and Requests for Change (RFC). GoIWx has experienced much success with our Clients by setting up these CAB meetings. It is a way for the Clients and the GoIWx team to maintain a high degree of communication. On a day to day basis, GoIWx has a defined support and response time process which is provided to all end users.

Support Level and Response Time

Initial Call or Incident request

At any time, 24 hours a day, 7 days a week, a Client can create a new incident request using the Company Service Request Portal ("SRP") located on the Company internet website or directly at

The Company provides support for Services through the SRP, over the telephone, or remote screen share support. The following guideline process is used to review and respond to incidents:

First Level support

Calls or Incident requests are acknowledged within (2) hours during standard business hours:

- Review or create an open incident request
- First level diagnosis
  o Determine if Client is able to connect
  o Determine if applications and databases are operational
  o Determine and quantify which application requires attention
  o Learn more if an error message is on the screen
  o Learn more if unable to print
- Escalation to Second Level support if applicable
- Close open incident if applicable

Second Level support

Upon completion of first level (if not resolved):

- Review open incident
- Gain further understanding of the open incident
- Second level diagnosis over the phone
- Application related (if applicable)
  o Contact developer to open log pertaining to open incident
  o Patch or upgrade software application if possible (see Application Software Patches, Bug Fixes and Upgrades)
- Local area network (if applicable)
  o Run quick diagnostics and troubleshooting on devices
  o Suggest calling the manufacturer of local or network printer
  o Contact ISP or communications carrier to open a trouble ticket
  o Download drivers
- Escalation to Third Level support if applicable
- Close open incident if applicable

Third Level support

Upon completion of second level if incident not resolved:

- Review open incident
- Upgrade software at a scheduled time if applicable (see Application Software Patches, Bug Fixes and Upgrades)
- Run scripts against application software (see Application Software Patches, Bug Fixes and Upgrades)
- Apply patches immediately or at a scheduled time (see Application Software Patches, Bug Fixes and Upgrades)
- Work with application developer to resolve open issue
- At Client's request, work with ISP, communications carrier, web hosting or other outside services at a billable rate
- Close open incident

Client Connection to GoIWx Network

Unless the Client has a VPN configured to provide a connection to the GoIWx Network, the Client is responsible to maintain adequate monitoring to assure availability of their ISP's bandwidth. Upon request, GoIWx can provide a test site to the Client for testing bandwidth speed and its connection to the internet. A Client may also connect directly to the GoIWx network via a VPN connection or private circuit.

Application Software Patches, Bug Fixes and in place Upgrades

As part of the monthly hosting fees, GoIWx will provide services to apply Software Patches ("Patches"), Software Bug Fixes ("Fixes") and Version (in place) Upgrades ("Upgrades"), collectively known as RFC (Request for Change), submitted through the GoIWx Service Request Portal from the Client and/or the Software Developer to perform RFC Services. Under no circumstance will GoIWx apply Version in place Upgrades on its own, but will provide technical assistance to support the Client or Client agent.

Client Request: Action initiated by the Client

The Client can request RFC Services as deemed necessary for continued acceptability of Client applications. The timing for applying the requested RFC Services is based on several factors:

  o The criticality of the RFC Service
  o The availability of resources at both GoIWx and the developer of the software
  o The availability of the hardware in which the software code resides
  o The level of proficiency of the Client with the use of the software
  o The availability of the Client to test the software after the RFC Service is performed
  o The Client is in good standing with respect to applicable licenses it is responsible for.

The Client must submit all requests for RFC Services to GoIWx via email to customercare@goiwx.com. If the Client deems immediate action is necessary, the Client can call for immediate assistance. However, the actual RFC Service will not be initiated until a written authorization is received and approved by GoIWx.

GoIWx: Action initiated by GoIWx

GoIWx will apply Patches, Fixes or Version Upgrades based on the following:

- Based on a Client request that is already scheduled, anticipated date on GoIWx schedule; and
- the Client has performed all applicable testing as instructed by GoIWx; and
- the Client has authorized GoIWx to perform the RFC Services.

GoIWx shall not be responsible for delays in implementing RFC if support from the software supplier is reasonably required but unavailable.

Software Supplier: Action initiated by the supplier of the software

The Supplier can request RFC services on the behalf of the Client for the continued acceptability of the Client applications. The timing for applying the requested RFC Services is based on several factors:

- The criticality of the RFC Service
- The availability of resources at both GoIWx and the developer of the software
- The availability of the hardware in which the software code resides
- The written authorization from the Client to GoIWx to perform the RFC Service
- The availability of the Client to test the software after the RFC Service is performed

Current hosted services offered in both a Software as a Service (SaaS) and Infrastructure as a Service (IaaS) offering:

- Microsoft Dynamics CRM Hosting: Dedicated, single-tenant hosting, installed with or without an ERP application. Provide Windows and SQL patch management, backup and restore services, self-service user management and service portals.
- Microsoft Dynamics SL Hosting: Dedicated, single-tenant hosting, installed with or without other Independent Software Vendor (ISV), third party or front office applications. Provide Windows and SQL patch management, backup and restore services, self-service user management and service portals.
- Microsoft Dynamics GP Hosting: Dedicated, single-tenant hosting, installed with or without other ISV, third party or front office applications. Provide Windows and SQL patch management, backup and restore services, self-service user management and service portals.
- Microsoft Dynamics NAV Hosting: Dedicated, single-tenant hosting, installed with or without other ISV, third party or front office applications. Provide Windows and SQL patch management, backup and restore services, self-service user management and service portals.
- Microsoft Dynamics AX Hosting: Dedicated, single-tenant hosting, installed with or without other ISV, third party or front office applications. Provide Windows and SQL patch management, backup and restore services, self-service user management and service portals.
- Infor VISUAL ERP Hosting: Dedicated, single-tenant hosting, installed with or without other ISV, third party or front office applications. Provide Windows and SQL patch management, backup and restore services, self-service user management and service portals.
- Microsoft Exchange Hosting: Multi-tenant hosting, backup and restore services, self-service user management and service portals. Includes cloud SPAM and Anti-Virus filtering.
- Microsoft Office Hosting: Dedicated, single-tenant hosting, installed with an ERP application. Provide patch management, backup and restore services.
- Physical or Virtual Servers (limited basis for partners or existing Clients): Dedicated, private/shared domain, power, bandwidth, patching for both physical/virtual servers.
- Recovery as a Service: Dedicated, Single Tenant, cold site for Clients off site back-up.

Other non-hosted services available to GoIWx Clients include ERP and CRM Consulting Services.

Control Environment

GoIWx is committed to operating at the highest level of integrity by adhering to our ethical values, providing effective management and ensuring processes and procedures exist to carry out management objectives. GoIWx invests in people, processes and tools to deliver this experience for its stakeholders.

The general computer and operational control objectives establish a secure, efficient, and quickly recoverable environment. These objectives include the following:

- Organization and Management
- IT Operations
- Network and Telecommunications
- Quality Assurance
- Physical and Environmental Security
- Logical Security
- System Software Maintenance and Change Control
- Disaster Recovery and Business Continuity

In addition to the above general control objectives, the following procedures, systems and policies are also in force at GoIWx.

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achieve the entity's objectives. Control activities, whether automated or manual, have various objectives and are applied at various organizational and functional levels.

GoIWx departments are required to implement control activities that help assure the achievement of business objectives associated with: (1) the reliability and security of services provided to its Clients, (2) the efficiency of operations, and (3) compliance with applicable laws and regulations. These control activities are designed to address the specific risks associated with the operations and are reviewed annually as part of the risk assessment process. GoIWx has developed formal policies and procedures covering various security and operational matters.

Risk Assessment

GoIWx management has incorporated risk management throughout its processes at the enterprise level. Management is responsible for implementing procedures to identify the risks inherent in the business's operations and to implement procedures to monitor and mitigate the risks. The foundation of this process is management's knowledge of its operations, its close working relationship with its user organizations and its understanding of the industries in which it operates. For any significant risks identified, management is responsible for implementing appropriate measures to monitor and manage these risks.

GoIWx has placed into operation a risk assessment process to identify and manage risk that could impact our operations or the operations of our Clients. Regularly scheduled Change Advisory Board (CAB) meetings assist in the identification of new or evolving risks. This process requires management to evaluate risks inherent in new and on-going services and to implement measures to mitigate these risks.

Monitoring

Monitoring is a critical aspect of internal control in evaluating whether controls are operating as intended and whether they are modified as appropriate for changes in conditions. Management and supervisory personnel are responsible for monitoring the quality of internal control performance as a routine part of their activities. To complement these measures, all exceptions related to hardware, software, or procedural problems are logged, reported, and tracked until resolved. Key reports are reviewed by management to help ensure appropriate action is taken.

GoIWx has implemented monitoring tools that provide immediate and on-going feedback based on the performance of these controls. Performance statistics are available to key management personnel, and they can receive status reports via email, text messaging or online in real time. GoIWx management reviews status reports generated by these tools to ensure that problems are logged, reviewed and resolved in a timely fashion.

Communication

Systems and policies have been put in place that allow GoIWx employees and management to quickly and efficiently exchange information regarding problems, Client issues and resolutions. This includes new employee orientation, training and regular employee training updates and staff meetings. Employees are encouraged to use email, voicemail, regularly scheduled meetings, the internal issue tracking system or other written methods to communicate important events and issues. A system is in place that records Client issues and resolutions that can be shared by other GoIWx employees, allowing for a more efficient flow of information.

Information and communication systems support the identification, capture, and exchange of information in a form and timeframe that enable people to carry out their responsibilities. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over everyday operations. Communication systems exist from the entity-level to the department-level.

General System Controls

Organization and Management

Functional and administrative responsibilities at GoIWx are broadly defined and communicated via an organizational chart. All personnel are well informed regarding their job responsibilities and functions via job descriptions.

Management has put into place policies and procedures that promote the hiring and retention of quality employees, including a formal hiring process, with background checks and a formal termination process. Logical and physical access to systems is provided to employees by management on an as-needed basis. If an employee's job responsibilities change, system access is modified to reflect that change. These changes are logged by management and documented.

Standard employee documentation is collected and maintained in personnel records. All employees must read and sign off on an employee handbook, and the sign off sheets are kept in each employee's personnel file by HR. The employee handbook summarizes GoIWx policies and procedures. Each employee must sign a non-disclosure agreement, network computer usage policy, email usage and Internet usage guideline document. New employees receive orientation and training on GoIWx policies and procedures.

A termination checklist is used to ensure that all GoIWx owned equipment and information is returned to GoIWx. The checklist is used to remove access to network systems, programs, and email. Keys, security tokens, security badges and cell phones are returned at termination.

Management maintains oversight of all business aspects of GoIWx and is responsible for policy development. Policies in place include computer usage, Internet usage, confidentiality agreements, email usage and appropriate usage of all GoIWx systems. These policies are reviewed and modified by management on a regular basis. An organization chart is utilized for management leadership and accountability purposes.

Employees have been trained in various aspects of the IT operation and can be utilized as back-up personnel to cover vacation, sick time or in times of a pandemic.

Management is responsible for maintaining adequate insurance coverage to minimize the impact of business operations after a disaster. Insurance coverage includes personal property, money and security, valuable papers, utility services, equipment breakdown, personal/advertising, injury liability, tenant liability, and data storage. Management meets regularly to discuss items that might require attention.

IT Operations

The hosted service offerings have been designed as much as possible to operate automatically with little or no employee intervention. This minimizes human error and adds efficiency to these operations.

GoIWx management has put monitoring systems in place. In the event of a system malfunction, the monitoring system reports the event and it is responded to in a timely fashion. These systems include monitoring for service interruptions, intrusion attempts, environmental incidents and hardware failures.

All operation functions are formally documented and only properly authorized employees can access or operate computer systems. While outside vendors rarely need physical or virtual access to the facilities, they are adequately supervised while they are on-site or have system access. Access, performance and change logs are maintained for a reasonable period of time to assist in problem or issue forensics and resolution.

A formal Incident Response Policy, Incident Response Team and Change Management process are in place to identify and resolve any requests or Client issues. All Client requests are logged and tracked by GoIWx Customer Care in the GoIWx Service Request Portal. All of the information is made available to management. All Client issues remain open until properly resolved. Formal resolution is reviewed routinely with an internal CAB utilizing GoIWx's standard protocols.

System resource utilization reports are generated and evaluated by management to ensure maximum systems efficiency. GoIWx personnel and management meet regularly to discuss issues, problems and resolutions.

Network and Telecommunications

Uptime via redundancy and preventative maintenance is a cornerstone of the design of GoIWx's product offerings. GoIWx's infrastructure consists of servers, storage systems, switches, routers, firewalls and network cable that allow its Clients to connect to the appropriate server or servers. Client data is stored on both primary and secondary systems with a backup site in Minneapolis, Minnesota. Redundancy extends to data communication, with Internet access provided from TW Telecom. These systems have been designed to failover to one another in the event of a mechanical or environmental problem.

Firewalls and Intrusion Protection Systems (IPS) protect the systems and data from external threats. Security alerts are forwarded to GoIWx 24/7/365. Data circuits are monitored to detect abuse or network problems. A policy exists which documents the physical and logical security utilized for remote access at the data center.

All critical components are maintained regularly by in-house staff or outside vendors as appropriate. A monitoring system exists that alerts for possible and actual network problems and issues. These incidents are logged and handled via an internal trouble issue tracking system. Data circuits are monitored to detect abuse and errors. All critical network components are located within a caged off area, limiting this equipment's exposure to accidental or malicious incidents.

Network security procedures include physical and logical safeguards. Default access to the internal network is not allowed. Network controls restrict unauthorized access to open or access ports. External network access is filtered by a firewall. Standard vulnerability testing is conducted, as well as monitoring of traffic by an intrusion prevention system. New devices are deployed using a checklist.

GoIWx has a documented issue escalation process that is managed by the GoIWx CAB. The purpose of this process is to ensure a high level quality of service to GoIWx's Client base.

The Customer Care team and CAB are alerted whenever a suspicious activity or incident is uncovered. GoIWx management is part of this team. Incidents may include actual or suspected security compromises or service interruptions caused by unauthorized access attempts by employees, partners, or other agents. These incidents are logged, investigated, escalated to local police or FBI if warranted, and resolved.

Network Security

Company leverages multiple firewall platforms to ensure perimeter security. The firewalls are utilized to prevent unauthorized access and to ensure that access is only utilized for business purposes. A third party external penetration test is performed annually to validate our configurations and ensure our required level of security is attained.

Logical Access

Logical access to GoIWx's IT resources is effectively managed. As part of our normal procedure, new employees are granted least privileged access, and when staff is no longer employed we execute a termination checklist to ensure access is removed immediately. In addition, all systems require unique user accounts and complex passwords that are changed on a regular basis.

Logical Security

Ensuring data security is a priority at GoIWx. Firewalls, Intrusion Prevention Systems, network segmentation and data encryption are the foundations of GoIWx's data security environment. In addition to securing access from external threats, employee access to systems and data is restricted by Windows passwords and file access limitations. Appropriate procedures including software and operating system patching, password complexity, account lock out after five unsuccessful attempts and other industry best practices are in place, enforced and monitored. Automated timeouts are set up on remote access sessions and on individual workstations.

Managers authorize system access for users by completing an Access Request Form for all new employees, and any changes in access rights need to be approved by the data owner and properly documented. Application controls are applied to limit employee access to data on an "as needed" basis. Employee access to the network, domain and key systems is based on their job role and is approved by an appropriate level of management. Applications with Client information require users to log on with an authorized ID and password. Operating system and program security updates are applied in a scheduled planned Client outage or when server downtime does not affect Client access.

A corporate Information Security Program has been developed and approved by management and documents GoIWx's responsibilities to safeguard our Client's data and to provide system availability. This policy includes both physical and logical security, from internal and external threats. The policy also outlines each employee's responsibilities regarding system access and requires each employee to sign an acknowledgement document that outlines their responsibilities.

To ensure that management is aware of and following up on attempted access violations, policies and procedures have been created that require security logs to be reviewed by management as needed. Automated monitoring systems are in place to notify staff members of intrusion attempts, environmental incidents, and hardware failures, and these incidents are logged and responded to in a timely fashion. GoIWx administrators research alerts, determine root cause, and resolve the issues in a timely fashion.

Financial Controls

All Clients sign an agreement which outlines the terms and rates. GoIWx's billing policy is provided to each new Client to set clear expectations. In order to ensure billing is timely and accurate, GoIWx has segregated duties between operations and finance. At the end of the month, our operations team will run monthly reports of users and/or devices as per the agreement done in collaboration with our Clients. Once confirmed, this information is sent to finance for billing purposes.

System Software Maintenance and Change Control

Hosted services include Client owned and GoIWx owned third-party software applications. GoIWx does not own the source code for these applications. No modifications are made to the source code of these applications by GoIWx. Having the most recent and up to date system software minimizes security breaches and resolves issues uncovered during the life of the software. Changes to application software are reviewed and evaluated by GoIWx's CAB prior to being installed on production servers and systems to determine the impact that these changes will have to operations and to our Clients. These changes are logged and available for review by management as needed.

A patch management policy includes a Windows Server Update Services server for Windows updates. Network scans are performed to verify that patches are properly applied. Service applications are upgraded, reviewed and applied as needed by management per the policy. Personnel validate access to Client data as part of the upgrade implementation process. Server based applications are tested on lab equipment prior to implementation in the production environment when possible.

Disaster Recovery and Business Continuity

GoIWx recognizes that our Clients are relying on our services to provide high quality and reliable data access for their users. The GoIWx Business Continuity Plan (BCP) includes risk assessments, risk mitigation, impact analysis and procedures.

The Disaster Recovery Plan (DRP) ensures that GoIWx can indeed meet these recovery objectives and requirements. The Disaster Recovery/Business Continuity Planning is an on-going, coordinated program of strategies, plans and procedures that provide guidance to manage and ensure the availability of the company's resources in the event of a disruption to any part of the business operations. It prepares GoIWx to respond to a disruption event and to continue critical business processes to ensure the survivability of the organization.

GoIWx has created a Disaster Recovery Plan that requires procedures for creating snapshots and backups of critical applications and data to redundant systems within the primary data center, and to the contingency facility located in Minnesota. Snapshots and backups are facilitated with the use of SSD and hard disks. No tape drives or other media are utilized. SAN to SAN replication is faster, less expensive and more reliable than tape based backups. All backup data is stored on the SAN in the SAN manufacturer's encrypted format. Test restores of virtual machines, databases, etc. are performed as required by policy or requested by a Client. In addition, critical lists containing employee, vendor, and Client contact information are stored at the off-site contingency location. Access to the off-site backups is restricted by physical and logical security.

TW Telecom Colocation Facilities

As mentioned earlier, GoIWx has entered into a Master Services Agreement with TW Telecom for access and use of colocation facilities throughout the United States. Today GoIWx has infrastructure in two of their locations, both of which are located in the state of Minnesota. TW Telecom is considered a number one provider and possibly the largest colocation provider in the United States, with 80 locations to choose from. TW specializes in providing secure and available colocation facilities by following stringent guidelines that govern the architecture, build and on-going management of these facilities. TW provides a myriad of services such as colocation services, bandwidth services and much more. GoIWx has used TW services since In that time GoIWx has not experienced any security issue or loss of availability.

Security, Surveillance and External Accesses

The colocation facilities have on-site security personnel 24/7/365. All unmanned entrances have card access with biometrics which logs all entrance and exit activities. Entrances also have card access mantraps, along with digital surveillance cameras throughout the facilities. The Minnetonka facility is a single level building with natural wind protection by earth embankments and lightning suppression mounted on top of the building. The Minneapolis facility is a shared location with personnel monitoring the doors from 7:00AM to 11:00PM, requiring a signature and picture ID to access. After-hours access is granted by card access with biometrics. There are digital cameras monitoring the facility with video feeds back to the Minnetonka facility that are viewed and recorded digitally. The Minneapolis facility is a multi-story building with the physical colocation space located on the second floor.

Bandwidth

All services such as Internet, Data, Ethernet, DS1, DS3 and OCn are directly connected to the TW Telecom network via secure and redundant SONET technology.

Transport

There are (3) redundant Fiber Optic routes into the facilities that do not cross at any point.

Fire Suppression

VESDA Zoned dry pipe fire suppression is installed in the facilities. It is a two part detection system that identifies which zone has an issue. During phase I of detection, the system will flood the pipe in the affected zone. In phase II of detection, the system will send a release signal to the zones with the flooded pipes. Only the zones identified with issues will be released.

Diesel Generators

The facilities have multiple 2 Megawatt generators. Each diesel generator has a 3000 gallon fuel tank. Winter mix is run year round in all diesel generators, which is supplied by (2) suppliers. The diesel generators can run both GoIWx's power needs along with all environmental systems required to maintain a constant temperature and humidity level at the facilities. Under full load the system could run for a minimum of 36 hours.

UPS Systems

In the event of a full commercial power loss, the UPS Systems are designed to operate for a minimum of 15 minutes under full load. While under UPS Systems power, the diesel generators are designed to automatically transfer the power; the transfer happens in 45 to 120 seconds.

Facility Preventative Maintenance Inspections

Generator, UPS, ATS and HVAC preventative maintenances (PM) are performed at regular intervals with different levels of maintenance at each scheduled interval. The different levels are Monthly/Quarterly/Semi-annual/Annual. All PMs are captured in a task assigned work flow web portal. All task completions are metric reported and visible to Colocation management. They are visible manually at all times and a full report is sent to multiple levels of Colocation management monthly to ensure completion and compliance.

Inventory control activities have been implemented to control GoIWx's assets and to prevent unauthorized removal of GoIWx owned equipment or property.

User Control Considerations

GoIWx's control objectives and their related controls were designed with the assumption that certain controls would be in place at our Clients' organizations. It is not feasible for all of the control objectives related to GoIWx's services to be solely achieved by GoIWx control procedures. Accordingly, user organizations, in conjunction with the services provided by GoIWx, should establish their own internal controls or procedures to complement those of GoIWx. This section describes additional controls that should be in operation at our Clients' locations and their users. The following complementary user organization controls should be implemented by user organizations to provide additional assurance that the control objectives described in this report are met.

As these items represent only a part of the control considerations that might be pertinent at the user organizations' locations, users should exercise judgment in selecting and reviewing these complementary user organization controls.

- Provide Information Security Training of users on an annual basis.
- Assure all devices connected to the GoIWx services have the most up to date Anti-Virus and Anti-Malware software subscriptions as possible, and set to full scan at least weekly.
- Assure all devices connected to the GoIWx services have the most up to date patching for Windows and other third party software.
- The ability to remotely wipe any device at any time in the case of theft or loss by the Client.
- Passwords are changed every 90 days or less and follow strong password guidelines.
- End users' screen locks require passwords and engage after 15 minutes of inactivity.
- The Client does not allow the use of shared accounts.
- Third party access to their systems should be monitored routinely and only allow access to third parties during active projects/support.
- Formal Information Security Program and/or policies to provide guidance on acceptable use of network, systems and data.
- Have a policy to provide guidance on the disposition of past employees' company data.
- Copies of passwords and encryption keys are securely stored off-site.
- Passwords and encryption keys are not shared with others not authorized to have access to them.

- ERP Clients do periodic test restores of data being stored at GoIWx to ensure data and encryption key validity.
- Client issues with contracted services from GoIWx are reported promptly and in writing to GoIWx for remediation and resolution.
- Actual or suspected security breaches uncovered by the Client organization that may impact services being provided by GoIWx will be promptly reported to GoIWx.
- GoIWx Clients should regularly review their Business Continuity Plans (BCP) to ensure that GoIWx provided services continue to meet the organization's needs as outlined in their plans.
- Clients have procedures to address risk and/or removal of dormant GoIWx user accounts.

This list of user control considerations is not comprehensive and other user controls not listed above may be required.


More information

Keyfort Cloud Services (KCS)

Keyfort Cloud Services (KCS) Keyfort Cloud Services (KCS) Data Location, Security & Privacy 1. Executive Summary The purposes of this document is to provide a common understanding of the data location, security, privacy, resiliency

More information

Managed Service Plans

Managed Service Plans Managed Service Plans www.linkedtech.com 989.837.3060 989.832.2802 fax Managed Information Technology Services System downtime, viruses, spy ware, losses of productivity Are the computer systems you rely

More information

Data Center Colocation - SLA

Data Center Colocation - SLA 1 General Overview This is a Service Level Agreement ( SLA ) between and Data Center Colocation to document: The technology services Data Center Colocation provides to the customer The targets for response

More information

StratusLIVE for Fundraisers Cloud Operations

StratusLIVE for Fundraisers Cloud Operations 6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative

More information

Security and Managed Services

Security and Managed Services iconnect Cloud Archive System Overview Security and Managed Services iconnect Cloud Archive (formerly known as Merge Honeycomb ) iconnect Cloud Archive offers cloud-based storage for medical images. Images

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Enterprise Architecture Review Checklist

Enterprise Architecture Review Checklist Enterprise Architecture Review Checklist Software as a Service (SaaS) Solutions Overview This document serves as Informatica s Enterprise Architecture (EA) Review checklist for Cloud vendors that wish

More information

Tel: +1 123 456 7890 Fax: +1 123 456 7890 ey.com. Report of Independent Auditors

Tel: +1 123 456 7890 Fax: +1 123 456 7890 ey.com. Report of Independent Auditors Ernst & Young LLP Suite 3300 370 17th Street Denver, Colorado 80202-5663 Tel: +1 123 456 7890 Fax: +1 123 456 7890 ey.com To the Management of NTT America, Inc.: Report of Independent Auditors We have

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

Toronto Public Library Disaster Recovery recommended safeguards and controls

Toronto Public Library Disaster Recovery recommended safeguards and controls BCE Security Solutions Restricted Attachment 1 Toronto Public Library Disaster Recovery recommended safeguards and controls Final Prepared by: Bell Security Solutions Inc. Professional Services 333 Preston

More information

Remote Services. Managing Open Systems with Remote Services

Remote Services. Managing Open Systems with Remote Services Remote Services Managing Open Systems with Remote Services Reduce costs and mitigate risk with secure remote services As control systems move from proprietary technology to open systems, there is greater

More information

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2 Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

North Street Global, LLC. Business Continuity Plan

North Street Global, LLC. Business Continuity Plan Overview North Street Global, LLC. Business Continuity Plan North Street Global holds business continuity for disaster recovery as a high priority. Our goal is to ensure our continued ability to serve

More information

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Secure, Scalable and Reliable Cloud Analytics from FusionOps White Paper Secure, Scalable and Reliable Cloud Analytics from FusionOps A FusionOps White Paper FusionOps 265 Santa Ana Court Sunnyvale, CA 94085 www.fusionops.com World-class security... 4 Physical Security...

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

Security Policy for External Customers

Security Policy for External Customers 1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration

More information

<cloud> Secure Hosting Services

<cloud> Secure Hosting Services Global Resources... Local Knowledge Figtree offers the functionality of Figtree Systems Software without the upfront infrastructure investment. It is the preferred deployment solution for organisations

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW

APPENDIX 3 TO SCHEDULE 3.3 SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT SECURITY SERVICES SOW EHIBIT H to Amendment No. 60 Table of Contents 1.0 Security Services Overview

More information

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS A White Paper by i2c, Inc. 1300 Island Drive Suite 105 Redwood City, CA 94065 USA +1 650-593-5400 sales@i2cinc.com www.i2cinc.com Table of

More information

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s

More information

IT Security Standard: Computing Devices

IT Security Standard: Computing Devices IT Security Standard: Computing Devices Revision History: Date By Action Pages 09/30/10 ITS Release of New Document Initial Draft Review Frequency: Annually Responsible Office: ITS Responsible Officer:

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013

SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013 SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013 TABLE OF CONTENTS SECTION I: INDEPENDENT PRACTITIONERS TRUST SERVICES

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability

Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability 15301 Dallas Parkway, Suite 960, Addison, TX 75001 MAIN 214 545 3965 FAX 214 545 3966 www.bkmsh.com Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information