CoreSite A Carlyle Company. 70 Innerbelt Colocation Services


CoreSite A Carlyle Company
70 Innerbelt Colocation Services

Independent Service Auditor's Report on Controls Placed in Operation and Tests of Operating Effectiveness

For the Period of October 1, 2009, to March 31, 2010

TABLE OF CONTENTS

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT

SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION
  OVERVIEW OF OPERATIONS
    Company Background
    Description of Services Provided
  CONTROL ENVIRONMENT
    Integrity and Ethical Values
    Commitment to Competence
    Board of Directors Participation
    Management's Philosophy and Operating Style
    Organizational Structure and Assignment of Authority and Responsibility
    Human Resource Policies and Practices
  RISK ASSESSMENT
  CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES
  MONITORING
  INFORMATION AND COMMUNICATION SYSTEMS
    Information Systems
    Communication Systems
  COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS

SECTION 3 TESTING MATRICES
  CONTROL ENVIRONMENT
  RELIABILITY OF POWER
  RELIABILITY OF DATA CENTER COOLING
  SECURITY OF PREMISES
  TECHNICAL SUPPORT TO COLOCATION CUSTOMERS

CoreSite A Carlyle Company Proprietary and Confidential

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT

INDEPENDENT SERVICE AUDITOR'S REPORT

To CoreSite A Carlyle Company:

We have examined the accompanying description of controls related to the 70 Innerbelt colocation services of CoreSite A Carlyle Company ("CoreSite" or the "service organization") performed at the Somerville, Massachusetts, facility. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of CoreSite's controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of CoreSite's controls; and (3) such controls had been placed in operation as of March 31, 2010. The control objectives were specified by the management of CoreSite. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned 70 Innerbelt colocation services presents fairly, in all material respects, the relevant aspects of CoreSite's controls that had been placed in operation as of March 31, 2010. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of CoreSite's controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section 3 (the "Testing Matrices"), to obtain evidence about their effectiveness in meeting the control objectives, described in the Testing Matrices, during the period from October 1, 2009, to March 31, 2010. The specific controls and the nature, timing, extent, and results of the tests are listed in the Testing Matrices. This information has been provided to user organizations of CoreSite and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations. In our opinion, the controls that were tested, as described in the Testing Matrices, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the Testing Matrices were achieved during the period from October 1, 2009, to March 31, 2010.

The relative effectiveness and significance of specific controls at CoreSite and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at CoreSite is as of March 31, 2010, and information about tests of the operating effectiveness of specific controls covers the period from October 1, 2009, to March 31, 2010. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at CoreSite is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

This report is intended solely for use by the management of CoreSite, its user organizations, and the independent auditors of its user organizations.

April 23, 2010

SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION

OVERVIEW OF OPERATIONS

Company Background

CoreSite - A Carlyle Company ("CoreSite" or the "company") partners with customers to provide reliable, secure data centers that improve business continuity and promote the growth of their information and communications infrastructure. The company has built and managed data centers across the United States since 2001, offering more than two million square feet of wholesale data center space and colocation services to more than 500 customers. A Carlyle portfolio company, CoreSite delivers the level of security, service, and network access businesses need to compete in the global marketplace.

Description of Services Provided

70 Innerbelt is a 276,000 square-foot data center situated in the Boston, Massachusetts, metropolitan area, bordering Cambridge, Massachusetts, and located just outside of Boston's Central Business District. The data center offers diverse fiber points of entry, robust primary and emergency power infrastructure, and an on-site technical staff. CoreSite has over 30,000 square feet of carrier-neutral colocation space available. Customers of CoreSite can license from a single cabinet up to 10,000 square feet of cage space. Multiple Tier 1 providers will offer bandwidth and communication solutions to Boston colocation customers. In addition to carrier-neutral colocation, 70 Innerbelt has 125,000 square feet available for wholesale data center project and disaster recovery sites.

Colocation Space
- Customized cage space
- Single cabinets

Colocation Infrastructure
- Up to 170 breakered Watts/square foot
- N+1 AC uninterruptible power supply (UPS)
- N+1 emergency generator power
- N+1 cooling system
- Dual-interlock, dry-pipe pre-action fire suppression system

Security
- 24x7 site secure access
- 24x7 security staffing
- Internal and external surveillance cameras
- On-site secure parking

Managed Services
- 24x7 remote hands
- 24x7 mechanical and electrical monitoring
- Branch-circuit monitoring system
- Certified technicians
- Turn-key equipment installation
- Operations outsourcing

Network Connection and Peering Opportunities
- X-Connections to any tenant
- Connection to Any2 Peering Exchange
- Carrier-neutral environment
- Access to over 20 networks and service providers

Rooftop Access
- Space for multiple antenna towers
- Line-of-sight in every direction

CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of CoreSite's control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of CoreSite's ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well as by example.

Specific control activities that CoreSite has implemented in this area are described below.
- Documented organizational policy statements and employee procedures communicate entity values and behavioral standards to personnel.
- Human resources personnel perform employment candidate background checks as a component of the hiring process.

Commitment to Competence

CoreSite's management defines competence as the knowledge and skills necessary to accomplish tasks that define employees' roles and responsibilities. CoreSite's commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge.
- Human resources personnel consider the competence levels for particular jobs and translate required skills and knowledge levels into written position requirements.

Board of Directors Participation

CoreSite's control consciousness is influenced significantly by its board of directors' participation.
- The board of directors oversees management activities.

Management's Philosophy and Operating Style

CoreSite's management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management's approach to taking and monitoring business risks, and management's attitudes toward information processing, accounting functions and personnel.
- Weekly meetings are conducted to discuss operational and facilities issues.

Organizational Structure and Assignment of Authority and Responsibility

CoreSite's organizational structure provides the framework within which its activities for achieving entitywide objectives are planned, executed, controlled, and monitored. CoreSite's management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and lines of reporting. CoreSite has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities.

CoreSite's assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.
- Organizational charts are in place to communicate key areas of authority, responsibility and lines of reporting.

Human Resource Policies and Practices

CoreSite's human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities.

Specific control activities that CoreSite has implemented in this area are described below.
- Pre-hire screening procedures are required as a component of the hiring process.
- A new hire checklist is completed as a component of the hiring process.
- A termination checklist is completed as a component of the termination process.
- Evaluations are performed for each employee on an annual basis.

RISK ASSESSMENT

CoreSite has placed into operation a risk assessment process to identify and manage risks that could affect the organization's ability to provide reliable services for user organizations. This process requires management to identify significant risks in their areas of responsibility and to implement measures to address those risks. Risks that are considered during management's formal and informal risk assessment activities may include consideration of the following events:
- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Expanded operations

CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

CoreSite's control objectives and related control activities are included in Section 3 (the "Testing Matrices") of this report to eliminate the redundancy that would result from listing the items in this section and repeating them in the Testing Matrices. Although the control objectives and related control activities are included in the Testing Matrices, they are, nevertheless, an integral part of CoreSite's description of controls.

The description of the service auditor's tests of operating effectiveness and the results of those tests are also presented in the Testing Matrices, adjacent to the service organization's description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.

MONITORING

CoreSite management performs monitoring activities in order to continuously assess the quality of internal control over time. Monitoring activities are performed on a continuous basis and necessary corrective actions are taken as required to correct deviations from company policy and procedures. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Management's close involvement in operations helps to identify significant variances from expectations regarding internal controls. Upper management immediately evaluates the specific facts and circumstances related to any suspected control breakdowns. A decision for addressing any controls weakness is made based on whether the incident was isolated or requires a change in the company's procedures or personnel.
INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

CoreSite provides users with cross-connect and carrier interconnection opportunities including provider companies representing virtually every sector and geographic region in the world. CoreSite offers customers the ability to order copper (Cat-5, Ethernet, T-1, etc.), coaxial (DS-3), and fiber (single or multimode) connections to any other colocation customer within the same facility, regardless of distance.

An online provisioning system allows tenants to order cross connections and other services online. This system enables customers to reduce the time to provision a cross connection and track the status of their order.

CoreSite does not record, process, summarize, or report the financial transactions of our user organizations. Additionally, CoreSite does not maintain accountability for any client assets, liabilities, or equity.

Communication Systems

Upper management is involved with day-to-day operations and is able to provide personnel with an understanding of their individual roles and responsibilities pertaining to internal controls. This includes the extent to which personnel understand how their activities relate to the work of others and the means of reporting exceptions to higher level personnel within the company. CoreSite management believes that open communication channels help ensure that exceptions are reported and acted on. For that reason, formal communication tools such as employee handbooks are in place. Management's communication activities are made electronically, verbally, and through the actions of management.

COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS

CoreSite's services are designed with the assumption that certain controls will be implemented by user organizations. Such controls are called complementary user organization controls. It is not feasible for all of the control objectives related to CoreSite's services to be solely achieved by CoreSite's control procedures. Accordingly, user organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of CoreSite.

The following complementary user organization controls should be implemented by user organizations to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user organizations' locations, user organizations' auditors should exercise judgment in selecting and reviewing these complementary user organization controls.

Complementary User Organization Controls:

1. User organizations are responsible for understanding and complying with their contractual obligations to CoreSite.
2. User organizations are responsible for ensuring the supervision, management and control of the use of CoreSite's services by their personnel.
3. User organizations are responsible for ensuring that user accounts and passwords are assigned to only authorized individuals.
4. User organizations are responsible for ensuring the confidentiality of any user accounts and passwords assigned to them for use with CoreSite's systems.
5. User organizations are responsible for notifying CoreSite of terminated employees.
6. User organizations are responsible for immediately notifying CoreSite of any actual or suspected information security breaches, including compromised user accounts.
7. User organizations are responsible for notifying CoreSite of changes made to technical or administrative contact information.
8. User organizations are responsible for designating authorized individuals to issue work requests.
9. User organizations are responsible for maintaining their own system(s) of record.
10. User organizations are responsible for determining whether CoreSite's security infrastructure is appropriate for its needs and for notifying the service organization of any requested modifications.
11. User organizations are responsible for defining and submitting changes to power requirements.
12. User organizations are responsible for developing their own disaster recovery and business continuity plans that address their inability to access or utilize CoreSite's services.

SECTION 3 TESTING MATRICES

MATRIX 1 CONTROL ENVIRONMENT

Control Objective Specified: Control activities provide reasonable assurance that discipline and structure are an integral part of the organization and influence the control consciousness of its personnel.

Control Activity Specified

Integrity and Ethical Values

1.1 Documented organizational policy statements and employee procedures communicate entity values and behavioral standards to personnel.
    Tests:
    - Inspected the employee handbook to determine that organizational policy statements and employee procedures that communicated entity values and behavioral standards were documented.

1.2 Human resources personnel perform employment candidate background checks as a component of the hiring process.
    Tests:
    - Inquired of the operations manager regarding the performance of background checks to determine that human resources personnel performed employment candidate background checks as a component of the hiring process.
    - Inspected the completed background check for a nonstatistical sample of employees hired during the review period to determine that a background check was completed for each employee sampled.

Commitment to Competence

1.3 Human resources personnel consider the competence levels for particular jobs and translate required skills and knowledge levels into written position requirements.
    Tests:
    - Inspected a nonstatistical sample of written position requirements to determine that human resources personnel considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements.

Board of Directors Participation

1.4 A board of directors oversees management activities.
    Tests:
    - Inquired of the operations manager regarding the board of directors to determine that a board of directors oversaw management activities.
    - Inspected the board of directors listing to determine that a board of directors oversaw management activities.

Management's Philosophy and Operating Style

1.5 Weekly meetings are conducted to discuss operations and facilities issues.
    Tests:
    - Inquired of the operations manager regarding management meetings to determine that weekly meetings were held to discuss operations and facilities issues.
    - Inspected the meeting agendas and the calendar entries for a nonstatistical sample of weeks during the review period to determine that meetings were held to discuss operations and facilities issues for each week sampled.

Organizational Structure and Assignment of Authority and Responsibility

1.6 Organizational charts are in place to communicate key areas of authority, responsibility and lines of reporting.
    Tests:
    - Inquired of the operations manager regarding organizational charts to determine that organizational charts were in place to communicate key areas of authority, responsibility and lines of reporting.
    - Inspected the organizational charts to determine that organizational charts were in place.

Human Resources Policies and Procedures

1.7 Pre-hire screening procedures are required as a component of the hiring process.
    Tests:
    - Inquired of the operations manager regarding the hiring process to determine that pre-hire screening procedures were performed as a component of the hiring process.
    - Inspected the pre-hire screening procedures to determine that pre-hire screening procedures were performed as a component of the hiring process.

1.8 A new hire checklist is completed as a component of the hiring process.
    Tests:
    - Inquired of the operations manager regarding hiring procedures to determine that human resources personnel completed a new hire checklist as a component of the hiring process.
    - Inspected the completed new hire checklists for a nonstatistical sample of employees hired during the review period to determine that a new hire checklist was completed as a component of the hiring process for each employee sampled.

1.9 A termination checklist is completed as a component of the termination process.
    Tests:
    - Inquired of the operations manager regarding termination procedures to determine that human resources personnel completed a termination checklist as a component of the termination process.
    - Inspected the termination checklist template to determine that a termination checklist was in place for human resources personnel to complete as a component of the termination process.
    - Inspected the termination checklist for a nonstatistical sample of employees terminated during the review period to determine that a termination checklist was completed as a component of the termination process for each employee sampled.
    Test results: The test of the control activity disclosed that no employees were terminated during the review period.

1.10 Evaluations are performed for each employee on an annual basis.
    Tests:
    - Inquired of the operations manager regarding employee evaluations to determine that evaluations were performed for each employee on an annual basis.
    - Inspected the evaluations for a nonstatistical sample of employees to determine that evaluations were performed for each employee sampled during the 12 months preceding the end of the review period.

MATRIX 2 RELIABILITY OF POWER

Control Objective Specified: Control activities provide reasonable assurance that the design, maintenance and operation of power infrastructure are sufficient to meet customers' power needs.

Control Activity Specified

2.1 The power infrastructure for the colocation facility is configured to provide redundant power to systems.
    Tests:
    - Inquired of the facilities engineer regarding data center power to determine that the power infrastructure for the colocation facility was configured to provide redundant power to systems.
    - Observed the presence of the UPS systems to determine that the power infrastructure for the colocation facility was configured to provide redundant power to systems.

2.2 Multiple UPS systems are in place to provide temporary power in the event of a power failure and to mitigate the risk of power surges impacting infrastructure in the colocation facility.
    Tests:
    - Inquired of the facilities engineer regarding UPS systems to determine that multiple UPS systems were in place to provide temporary power in the event of a power failure and to mitigate the risk of power surges impacting infrastructure in the colocation facility.
    - Observed the presence of the UPS systems to determine that multiple UPS systems were in place in the colocation facility.

2.3 A third party vendor inspects and maintains UPS systems on a semi-annual basis to ensure proper functioning.
    Tests:
    - Inquired of the facilities engineer regarding the UPS systems to determine that a third party vendor inspected and maintained UPS systems on a semi-annual basis to ensure proper functioning.
    - Inspected the most recent third party vendor service agreement and the preventative maintenance results during the review period to determine that a third party vendor inspected and maintained the UPS systems during the review period.

2.4 Multiple diesel generators are in place to provide temporary power in the event of a power failure.
    Tests:
    - Inquired of the facilities engineer regarding diesel generators to determine that multiple diesel generators were in place to provide temporary power in the event of a power failure.
    - Observed the presence of diesel generators to determine that multiple diesel generators were in place.

2.5 The generators are inspected on a weekly basis by internal personnel to ensure proper functioning.
    Tests:
    - Inquired of the facilities engineer regarding generator inspections to determine that the generators were inspected on a weekly basis by internal personnel to ensure proper functioning.
    - Inspected the generator's inspection log for a nonstatistical sample of weeks during the review period to determine that the generators were inspected by internal personnel for each week sampled.
    Test results: The test of the control activity disclosed that the weekly generator inspection was not completed for one of seven weeks sampled.

2.6 A third party vendor inspects and maintains the generators on a quarterly basis to ensure proper functioning.
    Tests:
    - Inquired of the facilities engineer regarding the generators' inspections to determine that a third party vendor inspected and maintained the generators on a quarterly basis to ensure proper functioning.
    - Inspected the third party vendor service agreement and the preventative maintenance results for a nonstatistical sample of quarters during the review period to determine that a third party vendor inspected and maintained the generators for each quarter sampled.

2.7 Power supply equipment is monitored by an automated logic control system.
    Tests:
    - Inspected the automated logic control system configurations to determine that power supply equipment was monitored by an automated logic control system.

2.8 The automated logic control system is configured to alert operations personnel when alarms are triggered.
    Tests:
    - Inspected a nonstatistical sample of alert notifications to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered.
    - Inspected the listing of operations personnel notified by the automated logic control system to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered.

21 MATRIX 3 Objective Specified RELIABILITY OF DATA CENTER COOLING activities provide reasonable assurance that the design, maintenance and operation of cooling infrastructure is sufficient to cool customer colocation space. Activity Specified 3.1 Multiple air handlers are in place to cool the colocation facility and provide redundancy. 3.2 A third party vendor inspects and maintains cooling equipment on a quarterly basis to ensure proper functioning. 3.3 An automated logic control system is configured to ensure that the colocation facility environmental measurements do not exceed predefined thresholds for temperature and humidity. Inquired of the facilities engineer regarding air handlers to determine that multiple air handlers were in place to cool the colocation facility and provide redundancy. Observed the presence of multiple air handlers and chiller tanks to determine that multiple air handlers and water chillers were in place. Inquired of the facilities engineer regarding the cooling equipment to determine that a third party vendor inspected and maintained cooling equipment on a quarterly basis to ensure proper functioning. Inspected the third party vendor service agreement and the preventative maintenance results for a nonstatistical sample of quarters during the review period to determine that a third party vendor inspected and maintained cooling equipment for each quarter sampled. Inspected the automated logic control system configurations to determine that an automated logic control system was configured to ensure that the colocation facility environmental measurements did not exceed predefined thresholds for temperature and humidity. CoreSite A Carlyle Company Proprietary and Confidential 19

3.4 The automated logic control system is configured to alert operations personnel when alarms are triggered.
  - Inspected a nonstatistical sample of alert notifications to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered.
  - Inspected the listing of operations personnel notified by the automated logic control system to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered.

MATRIX 4: SECURITY OF PREMISES

Control Objective Specified: Control activities provide reasonable assurance that the design, maintenance and operation of security systems are sufficient to secure the premises.

Control Activity Specified:

4.1 A security procedures manual guides personnel in carrying out security procedures including the following: access control system; visitor management; deliveries; property removal; support services.
  - Inspected the security procedures manual to determine that a security procedures manual was documented to guide personnel in carrying out security procedures including the following: access control system; visitor management; deliveries; property removal; support services.

4.2 A third party security company is engaged to monitor physical security at the colocation facility.
  - Observed the third party security at the facility to determine that a third party security company was engaged to monitor physical security at the colocation facility.
  - Inspected the third party security company service agreement to determine that a third party security company was engaged to monitor physical security at the colocation facility.

4.3 Visitors are issued a visitors badge that is required to be worn while in the colocation facility and returned upon exiting the colocation facility.
  - Inquired of the operations manager regarding visitors badges to determine that visitors were issued a visitors badge that was required to be worn while in the colocation facility and returned upon exiting the colocation facility.
  - Observed the visitor access process to determine that visitors were issued a visitors badge upon entering the colocation facility.

4.4 A badge access system is utilized to control access to and within the colocation facility.
  - Observed the badge access system in place throughout the colocation facility to determine that a badge access system was utilized to control access to and within the colocation facility.
  - Inspected the badge access system active user listing, the badge access level listing, and a nonstatistical sample of activity logs to determine that a badge access system was utilized to control access to and within the colocation facility.

4.5 The ability to administer the badge access system is restricted to user accounts accessible by persons holding the following positions: operations manager; property manager; third party security guards (12).
  - Inspected the listing of users with administrative access rights to the badge access system to determine that the ability to administer the badge access system was restricted to user accounts accessible by persons holding the following positions: operations manager; property manager; third party security guards (12).

4.6 Badge access privileges are revoked from terminated employees as a component of the employee termination process.
  - Inquired of the operations manager regarding the access revocation for terminated employees to determine that badge access privileges were revoked from terminated employees as a component of the employee termination process.
  - Inspected the badge access system user listing and a listing of current employees to determine that all badge access users were current employees.
  The test of the control activity, performed in March 2010, disclosed that seven terminated third party security guards had active user accounts for the badge access system. Subsequent testing of the control activity, performed in March 2010, disclosed that the aforementioned third party security guards' access was revoked.

4.7 Visitors are required to sign a visitors log prior to gaining access to the facility.
  - Observed visitor procedures to determine that visitors were required to sign a visitors log prior to gaining access to the facility.
  - Inspected a nonstatistical sample of visitors logs to determine that visitors signed a visitors log during the review period.

4.8 A physical key inventory listing is maintained to track physical key assignments.
  - Inspected the physical key inventory listing to determine that a physical key inventory listing was maintained to track physical key assignments.

4.9 An automated help desk system is utilized to process and track requests that include the following: service appointments; deliveries; property removal; construction; access requests, modifications and deletions.
  - Inspected the work orders during the review period to determine that an automated help desk system was utilized to process and track requests that included the following: service appointments; deliveries; property removal; construction; access requests, modifications and deletions.

4.10 Deliveries are required to be authorized and logged.
  - Inquired of the operations manager regarding deliveries to determine that deliveries were required to be authorized and logged.
  - Inspected a nonstatistical sample of delivery logs to determine that deliveries were logged.

4.11 A network video recorder (NVR) camera system is utilized to monitor activity in and around the colocation facility.
  - Inquired of the operations manager regarding the NVR camera system to determine that an NVR camera system was utilized to monitor activity in and around the colocation facility.
  - Observed the presence of multiple cameras throughout the colocation facility to determine that an NVR camera system was in place.

4.12 NVR images are maintained for at least 30 days.
  - Inquired of the operations manager regarding NVR archives to determine that NVR images were maintained for at least 30 days.
  - Inspected archived NVR images to determine that NVR images were retained for at least 30 days.

4.13 Third party security guards patrol the colocation facility 24 hours per day.
  - Inquired of the operations manager regarding security guard patrols to determine that third party security guards were scheduled to patrol the colocation facility 24 hours per day.
  - Inspected the third party security company schedule to determine that third party security guards were scheduled to patrol the colocation facility 24 hours per day.

4.14 Security guards are alerted when an alarm panel within the colocation facility is triggered.
  - Inquired of the operations manager regarding the monitoring of alarm panels to determine that security guards were alerted when an alarm panel within the colocation facility was triggered.
  - Observed on-screen alerts at the security console to determine that security guards were alerted when an alarm panel within the colocation facility was triggered.

MATRIX 5: TECHNICAL SUPPORT TO COLOCATION CUSTOMERS

Control Objective Specified: Control activities provide reasonable assurance that the CoreSite system for customer cabinet and cage installation, provisioning of interconnections, and trouble-ticket response is adhered to in accordance with CoreSite guidelines.

Control Activity Specified:

5.1 Documented procedures are maintained to guide personnel in customer installations and troubleshooting.
  - Inspected documented procedures to determine that documented procedures were maintained to guide personnel in customer installations and troubleshooting.

5.2 On-call operations support is available 24 hours per day.
  - Inspected the operations shift schedule to determine that on-call operations support was available 24 hours per day.
  - Inspected escalation procedures to determine that customers could contact operations personnel 24 hours per day.

5.3 Customers enter trouble tickets through the online customer support resource center.
  - Inquired of the operations manager regarding the online customer support resource center to determine that customers entered trouble tickets through the online customer support resource center.
  - Inspected a nonstatistical sample of customer service support resource center tickets to determine that customers entered trouble tickets through the online customer support resource center.

5.4 Trouble tickets directly entered through the online customer support resource center trigger an immediate containing details of the trouble ticket to the operations group.
  - Inspected online customer support resource center notification configurations to determine that trouble tickets directly entered through the online customer support resource center triggered an immediate containing details of the trouble ticket to the operations group.
  - Inspected a nonstatistical sample of notifications to determine that trouble tickets directly entered through the online customer support resource center triggered an immediate containing details of the trouble ticket to the operations group.

5.5 The online customer support resource center is configured to a copy of the trouble ticket to the originator of the trouble ticket.
  - Inspected the online customer resource center notification configurations to determine that the online customer support resource center was configured to a copy of the trouble ticket to the originator of the trouble ticket.

5.6 Cabinet and cage installation requests are entered and tracked in the online customer resource center.
  - Inquired of the operations manager regarding the online customer support resource center to determine that cabinet and cage installation requests were entered and tracked in the online customer resource center.
  - Inspected an example cabinet installation help desk ticket to determine that cabinet and cage installation requests were entered and tracked in the online customer resource center.

5.7 Interconnection requests are entered and tracked in the online customer resource center.
  - Inquired of the operations manager regarding the online customer support resource center to determine that interconnection requests were entered and tracked in the online customer resource center.
  - Inspected the interconnection help desk tickets during the review period to determine that interconnection requests were entered and tracked in the online customer resource center.

5.8 Issues regarding cabinet and cage installation requests, interconnection requests and trouble tickets are reviewed on a daily basis by the operations manager to help ensure proper resolution.
  - Inquired of the operations manager regarding the online customer support resource center to determine that issues regarding cabinet and cage installation requests, interconnection requests and trouble tickets were reviewed on a daily basis by the operations manager to help ensure proper resolution.
  - Inspected the listing of work orders and trouble tickets during the review period to determine that issues regarding cabinet and cage installation requests, interconnection requests, and trouble tickets were reviewed on a daily basis.

5.9 Closed cabinet and cage installation requests, interconnection requests and trouble tickets are retained in the online customer resource center.
  - Inquired of the operations manager regarding the closed cabinet and cage installation requests to determine that the closed cabinet and cage installation requests and trouble tickets were retained in the online customer resource center.
  - Inspected the online customer resource center documentation to determine that closed cabinet and cage installation requests, interconnection requests and trouble tickets were retained in the online customer resource center.


More information

Master Document Audit Program

Master Document Audit Program Activity Code 11510 B-1 Planning Considerations Information Technology General System Controls Audit Specific Independence Determination Members of the audit team and internal specialists consulting on

More information

DETAIL AUDIT PROGRAM Information Systems General Controls Review

DETAIL AUDIT PROGRAM Information Systems General Controls Review Contributed 4/23/99 by Steve_Parker/TBE/Teledyne@teledyne.com DETAIL AUDIT PROGRAM Information Systems General Controls Review 1.0 Introduction The objectives of this audit are to review policies, procedures,

More information

MEDICAID COMPLIANCE POLICY

MEDICAID COMPLIANCE POLICY 6232 MEDICAID COMPLIANCE POLICY It is the policy of the Board of Education that all school district s practices regarding Medicaid claims for services be in compliance with all applicable federal and state

More information

Capital One Console Account Manager

Capital One Console Account Manager Capital One Console Account Manager Basic Account Manager Job Responsibilities: Supervise the day to day security operations of CVA Consoles (2) at assigned Capital One site(s). o Currently 2 Consoles

More information

SERVICE ORGANIZATION CONTROL 3 REPORT

SERVICE ORGANIZATION CONTROL 3 REPORT SERVICE ORGANIZATION CONTROL 3 REPORT Digital Certificate Solutions, Comodo Certificate Manager (CCM), and Comodo Two Factor Authentication (Comodo TF) Services For the period April 1, 2013 through March

More information

SITECATALYST SECURITY

SITECATALYST SECURITY SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

MACQUARIE INFRASTRUCTURE CORPORATION AUDIT COMMITTEE CHARTER

MACQUARIE INFRASTRUCTURE CORPORATION AUDIT COMMITTEE CHARTER MACQUARIE INFRASTRUCTURE CORPORATION AUDIT COMMITTEE CHARTER A. Purpose The Audit Committee (the Committee ) has been established by the Board of Directors (the Board ) of Macquarie Infrastructure Corporation

More information

Net2EZ Managed Data Centers, Inc.

Net2EZ Managed Data Centers, Inc. Net2EZ Managed Data Centers, Inc. Independent Service Auditor s Report on Management s Description of a Service Organization s System and the Suitability of the Design and Operating Effectiveness of Controls

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

Standards of. Conduct. Important Phone Number for Reporting Violations

Standards of. Conduct. Important Phone Number for Reporting Violations Standards of Conduct It is the policy of Security Health Plan that all its business be conducted honestly, ethically, and with integrity. Security Health Plan s relationships with members, hospitals, clinics,

More information

Supply Chain Security Audit Tool - Warehousing/Distribution

Supply Chain Security Audit Tool - Warehousing/Distribution Supply Chain Security Audit Tool - Warehousing/Distribution This audit tool was developed to assist manufacturer clients with the application of the concepts in the Rx-360 Supply Chain Security White Paper:

More information

Information Technology Internal Audit Report

Information Technology Internal Audit Report Information Technology Internal Audit Report Report #2014-05 July 25, 2014 Table of Contents Page Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives... 4 Scope and Testing

More information

White paper. SAS Solutions OnDemand Hosting Overview

White paper. SAS Solutions OnDemand Hosting Overview White paper SAS Solutions OnDemand Hosting Overview Contents Overview...1 Cary 1 Facility Specifications...2 Cary 2 Facility Specifications (SAS New Cloud Computing Center)...3 Charlotte 1 Facility Specifications...4

More information

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 Introduction THE AUDITOR S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS (Effective for audits of financial statements for

More information

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

Data Center Build vs. Buy

Data Center Build vs. Buy 2014 Data Center Build vs. Buy More information available on our website: /page/whitepapers Data Center Build vs. Buy 2014 When considering colocating your data center, first you must understand your technical

More information

Colocation. Scalable Solutions for a Shared IT Infrastructure. Enterprise. Colocation

Colocation. Scalable Solutions for a Shared IT Infrastructure. Enterprise. Colocation Scalable Solutions for a Shared IT Infrastructure Global and domestic competition, rising real estate and power costs, and shrinking IT budgets are causing today s businesses to seek alternatives to building

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

The Commonwealth of Massachusetts

The Commonwealth of Massachusetts A. JOSEPH DeNUCCI AUDITOR The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH ONE ASHBURTON PLACE, ROOM 1819 BOSTON, MASSACHUSETTS 02108 TEL. (617) 727-6200 No. 2008-1308-4T OFFICE OF THE STATE

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Chapter 67 ALARM SYSTEMS

Chapter 67 ALARM SYSTEMS Chapter 67 ALARM SYSTEMS 67-1. Title. 67-2. Declaration of purpose. 67-3. Definitions. 67-4. Administrative rules. 67-5. Automatic dialing devices. 67-6. Direct connections to the Police Department. 67-7.

More information

DATA CENTRE DATA CENTRE

DATA CENTRE DATA CENTRE DATA CENTRE DATA CENTRE v. OCT 2014 DJ CENTRAL DJ Central Data Centre services are located in the Equinix Internet Business Exchange (IBX ) Centre at Mascot. This IBX offers the highest level of service

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Control Environment and Organizational Structure

Control Environment and Organizational Structure The term control environment refers to an entity s corporate culture, showing how much the entity s leaders value ethical behavior and internal control. The key element in a favorable control environment

More information

POLICY MANUAL. Responsibility: Approved by: Last Approval Date:

POLICY MANUAL. Responsibility: Approved by: Last Approval Date: Page: 1 of 6 Section: SECTION F - Mandates Name: ATCO Audit & Risk Committee Responsibility: Approved by: Last Approval Date: Chair ATCO Audit & Risk ATCO Audit & Risk Committee February 23, Committee

More information

OPERATIONS MANUAL DATA CENTER COLOCATION

OPERATIONS MANUAL DATA CENTER COLOCATION Section I: Introduction and Service Description. OPERATIONS MANUAL DATA CENTER COLOCATION Company means MCI Communications Services, Inc., d/b/a Verizon Business Services, or any affiliated entity designated

More information

Guide to Internal Control Over Financial Reporting

Guide to Internal Control Over Financial Reporting Guide to Internal Control Over Financial Reporting The Center for Audit Quality prepared this Guide to provide an overview for the general public of internal control over financial reporting ( ICFR ).

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

4 Testing General and Automated Controls

4 Testing General and Automated Controls 4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn

More information

CHAPTER 4. Regulation of Private Alarm Systems

CHAPTER 4. Regulation of Private Alarm Systems CHAPTER 4 Regulation of Private Alarm Systems 5-4-1 Title 5-4-2 Declaration of Purpose 5-4-3 Definitions 5-4-4 Administrative Rules 5-4-5 Automatic Dialing Devices 5-4-6 Direct Connections to the Police

More information

Attachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive.

Attachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive. Attachment E RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive. Questions Support for Information Security 1. The Supplier

More information

Chapter 4. Regulation of Alarm Systems

Chapter 4. Regulation of Alarm Systems Chapter 4 Regulation of Alarm Systems 5-4-1 Title 5-4-2 Declaration of Purpose 5-4-3 Definitions 5-4-4 Administrative Rules 5-4-5 Automatic Dialing Devices 5-4-6 Direct Connections to the Police Department

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Information Technology Services Guidelines

Information Technology Services Guidelines Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...

More information

PBGC Information Security Policy

PBGC Information Security Policy PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

INTERNATIONAL STANDARD ON AUDITING 400 RISK ASSESSMENTS AND INTERNAL CONTROL CONTENTS

INTERNATIONAL STANDARD ON AUDITING 400 RISK ASSESSMENTS AND INTERNAL CONTROL CONTENTS INTERNATIONAL STANDARD ON 400 RISK ASSESSMENTS AND INTERNAL CONTROL (This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective) * CONTENTS Paragraph Introduction... 1-10 Inherent

More information

Colocation. Scalable Solutions for Shared IT Infrastructure. Enterprise. Colocation

Colocation. Scalable Solutions for Shared IT Infrastructure. Enterprise. Colocation Scalable Solutions for Shared IT Infrastructure Global competition, rising real estate and power costs, and shrinking IT budgets are causing today s businesses to seek alternatives to building their own

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

COMPLIANCE PROGRAM FOR XL GROUP PLC

COMPLIANCE PROGRAM FOR XL GROUP PLC 1 COMPLIANCE PROGRAM FOR XL GROUP PLC I. PURPOSE The purpose of the XL Group plc Compliance Program (the Program ) is to (a) help protect XL Group plc companies from financial or reputational harm that

More information

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938

More information

Data Center Application and Equipment Hosting Services Effective April 1, 2009 Revised March 7, 2011

Data Center Application and Equipment Hosting Services Effective April 1, 2009 Revised March 7, 2011 Information Technology Data Center Application and Equipment Hosting Services Effective April 1, 2009 Revised This document outlines the services NUIT provides from the central data centers to host applications

More information

C-TPAT Importer Security Criteria

C-TPAT Importer Security Criteria C-TPAT Importer Security Criteria Importers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security criteria. Where an importer outsources

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued

More information