CoreSite A Carlyle Company. 70 Innerbelt Colocation Services

Transcription

1 CoreSite A Carlyle Company 70 Innerbelt Colocation Services Independent Service Auditor s Report on s Placed in Operation and Tests of Operating Effectiveness For the Period of October 1, 2009, to March 31, 2010

2 TABLE OF CONTENTS SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 1 SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION... 4 OVERVIEW OF OPERATIONS... 5 Company Background... 5 Description of Services Provided... 5 CONTROL ENVIRONMENT... 6 Integrity and Ethical Values... 6 Commitment to Competence... 6 Board of Directors Participation... 6 Management s Philosophy and Operating Style... 7 Organizational Structure and Assignment of Authority and Responsibility... 7 Human Resource Policies and Practices... 7 RISK ASSESSMENT... 7 CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES... 8 MONITORING... 8 INFORMATION AND COMMUNICATION SYSTEMS... 8 Information Systems... 8 Communication Systems... 8 COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS... 9 SECTION 3 TESTING MATRICES CONTROL ENVIRONMENT RELIABILITY OF POWER RELIABILITY OF DATA CENTER COOLING SECURITY OF PREMISES TECHNICAL SUPPORT TO COLOCATION CUSTOMERS CoreSite A Carlyle Company Proprietary and Confidential i

3 SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT CoreSite A Carlyle Company 1

4 INDEPENDENT SERVICE AUDITOR S REPORT To CoreSite A Carlyle Company: We have examined the accompanying description of controls related to the 70 Innerbelt colocation services of CoreSite A Carlyle Company ( CoreSite or the service organization ) performed at the Somerville, Massachusetts, facility. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of CoreSite s controls that may be relevant to a user organization s internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of CoreSite s controls; and (3) such controls had been placed in operation as of March 31, The control objectives were specified by the management of CoreSite. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion. In our opinion, the accompanying description of the aforementioned 70 Innerbelt colocation services presents fairly, in all material respects, the relevant aspects of CoreSite s controls that had been placed in operation as of March 31, Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of CoreSite s controls. In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section 3 (the Testing Matrices ), to obtain evidence about their effectiveness in meeting the control objectives, described in the Testing Matrices, during the period from October 1, 2009, to March 31, The specific controls and the nature, timing, extent, and results of the tests are listed in the Testing Matrices. This information has been provided to user organizations of CoreSite and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations. In our opinion, the controls that were tested, as described in the Testing Matrices, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the Testing Matrices were achieved during the period from October 1, 2009, to March 31, The relative effectiveness and significance of specific controls at CoreSite and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations. The description of controls at CoreSite is as of March 31, 2010, and information about tests of the operating effectiveness of specific controls covers the period from October 1, 2009, to March 31, Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at CoreSite is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions. CoreSite A Carlyle Company 2

5 This report is intended solely for use by the management of CoreSite, its user organizations, and the independent auditors of its user organizations. April 23, 2010 CoreSite A Carlyle Company 3

6 SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION CoreSite A Carlyle Company Proprietary and Confidential 4

7 OVERVIEW OF OPERATIONS Company Background CoreSite - A Carlyle Company ( CoreSite or the company ) partners with customers to provide reliable, secure data centers that improve business continuity and promote the growth of their information and communications infrastructure. The company has built and managed data centers across the United States since 2001, offering more than two million square feet of wholesale data center space and colocation services to more than 500 customers. A Carlyle portfolio company, CoreSite delivers the level of security, service, and network access businesses need to compete in the global marketplace. Description of Services Provided 70 Innerbelt is a 276,000 square-foot data center situated in the Boston, Massachusetts, metropolitan area, bordering Cambridge, Massachusetts and located just outside of Boston's Central Business District. The data center offers diverse fiber points of entry, robust primary and emergency power infrastructure, and an on-site technical staff. CoreSite has over 30,000 square feet of carrier-neutral colocation space available. Customers of CoreSite can license just a single cabinet to up to 10,000 square feet of cage space. Multiple Tier 1 providers will offer bandwidth and communication solutions to Boston colocation customers. In addition to carrier-neutral colocation, 70 Innerbelt has 125,000 square feet is available for wholesale data center project and disaster recovery sites. Colocation Space Customized cage space Single cabinets Colocation Infrastructure Up to 170 breakered Watts/square foot N+1 AC uninterruptible power supply (UPS) N+1 emergency generator power N+1 cooling system Dual-interlock, dry-pipe pre-action fire suppression system Security 24x7 site secure access 24x7 security staffing Internal and external surveillance cameras On-site secure parking Managed Services 24x7 remote hands 24x7 mechanical and electrical monitoring Branch-circuit monitoring system CoreSite A Carlyle Company Proprietary and Confidential 5

8 Certified technicians Turn-key equipment installation Operations outsourcing Network Connection and Peering Opportunities X-Connections to any tenant Connection to Any2 Peering Exchange Carrier-neutral environment Access to over 20 networks and service providers Rooftop Access Space for multiple antenna towers Line-of-site in every direction CONTROL ENVIRONMENT Integrity and Ethical Values The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of CoreSite s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of CoreSite s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well by example. Specific control activities that CoreSite has implemented in this area are described below. Documented organizational policy statements and employee procedures communicate entity values and behavioral standards to personnel. Human resources personnel perform employment candidate background checks as a component of the hiring process. Commitment to Competence CoreSite s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees roles and responsibilities. CoreSite s commitment to competence includes management s consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge. Human resources personnel considers the competence levels for particular jobs and translates required skills and knowledge levels into written position requirements. Board of Directors Participation CoreSite s control consciousness is influenced significantly by its board of directors participation. The board of directors oversees management activities. CoreSite A Carlyle Company Proprietary and Confidential 6

9 Management s Philosophy and Operating Style CoreSite s management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management s approach to taking and monitoring business risks, and management s attitudes toward information processing, accounting functions and personnel. Weekly meetings are conducted to discuss operational and facilities issues. Organizational Structure and Assignment of Authority and Responsibility CoreSite s organizational structure provides the framework within which its activities for achieving entitywide objectives are planned, executed, controlled, and monitored. CoreSite s management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and lines of reporting. CoreSite has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities. CoreSite s assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that personnel understand the entity s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. Organizational charts are in place to communicate key areas of authority, responsibility and lines of reporting. Human Resource Policies and Practices CoreSite s human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Specific control activities that CoreSite has implemented in this area are described below. Pre-hire screening procedures are required as a component of the hiring process. A new hire checklist is completed as a component of the hiring process. A termination checklist is completed as a component of the termination process. Evaluations are performed for each employee on an annual basis. RISK ASSESSMENT CoreSite has placed into operation a risk assessment process to identify and manage risks that could affect the organization's ability to provide reliable services for user organizations. This process requires management to identify significant risks in their areas of responsibility and to implement measures to address those risks. Risks that are considered during management s formal and informal risk assessment activities may include consideration of the following events: Changes in operating environment New personnel New or revamped information systems Rapid growth New technology CoreSite A Carlyle Company Proprietary and Confidential 7

10 New business models, products, or activities Expanded operations CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES CoreSite s control objectives and related control activities are included in Section 3 (the Testing Matrices ) of this report to eliminate the redundancy that would result from listing the items in this section and repeating them in the Testing Matrices. Although the control objectives and related control activities are included in the Testing Matrices, they are, nevertheless, an integral part of CoreSite s description of controls. The description of the service auditor s tests of operating effectiveness and the results of those tests are also presented in the Testing Matrices, adjacent to the service organization s description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor. MONITORING CoreSite management performs monitoring activities in order to continuously assess the quality of internal control over time. Monitoring activities are performed on a continuous basis and necessary corrective actions are taken as required to correct deviations from company policy and procedures. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Management s close involvement in operations helps to identify significant variances from expectations regarding internal controls. Upper management immediately evaluates the specific facts and circumstances related to any suspected control breakdowns. A decision for addressing any controls weakness is made based on whether the incident was isolated or requires a change in the company s procedures or personnel. INFORMATION AND COMMUNICATION SYSTEMS Information Systems CoreSite provides users with cross-connect and carrier interconnection opportunities including provider companies representing virtually every sector and geographic region in the world. CoreSite offers customers the ability to order copper (Cat-5, Ethernet, T-1, etc.), coaxial (DS-3), and fiber (single or multimode) connections to any other colocation customer within the same facility, regardless of distance. An online provisioning system allows tenants to order cross connections and other services online. This system enables customers to reduce the time to provision a cross connection and track the status of their order. CoreSite does not record, process, summarize, or report the financial transactions of our user organizations. Additionally, CoreSite does not maintain accountability for any client assets, liabilities, or equity. Communication Systems Upper management is involved with day-to-day operations and is able to provide personnel with an understanding of their individual roles and responsibilities pertaining to internal controls. This includes CoreSite A Carlyle Company Proprietary and Confidential 8

11 the extent to which personnel understand how their activities relate to the work of others and the means of reporting exceptions to higher level personnel within the company. CoreSite management believes that open communication channels help ensure that exceptions are reported and acted on. For that reason, formal communication tools such as employee handbooks are in place. Management s communication activities are made electronically, verbally, and through the actions of management. COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS CoreSite s services are designed with the assumption that certain controls will be implemented by user organizations. Such controls are called complementary user organization controls. It is not feasible for all of the control objectives related to CoreSite s services to be solely achieved by CoreSite s control procedures. Accordingly, user organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of CoreSite. The following complementary user organization controls should be implemented by user organizations to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user organizations locations, user organizations auditors should exercise judgment in selecting and reviewing these complementary user organization controls. Complementary User Organization s: 1. User organizations are responsible for understanding and complying with their contractual obligations to CoreSite. 2. User organizations are responsible for ensuring the supervision, management and control of the use of CoreSite s services by their personnel. 3. User organizations are responsible for ensuring that user accounts and passwords are assigned to only authorized individuals. 4. User organizations are responsible for ensuring the confidentiality of any user accounts and passwords assigned to them for use with CoreSite s systems. 5. User organizations are responsible for notifying CoreSite of terminated employees. 6. User organizations are responsible for immediately notifying CoreSite of any actual or suspected information security breaches, including compromised user accounts. 7. User organizations are responsible for notifying CoreSite of changes made to technical or administrative contact information. 8. User organizations are responsible for designating authorized individuals to issue work requests. 9. User organizations are responsible for maintaining their own system(s) of record. 10. User organizations are responsible for determining whether CoreSite s security infrastructure is appropriate for its needs and for notifying the service organization of any requested modifications. 11. User organizations are responsible for defining and submitting changes to power requirements. 12. User organizations are responsible for developing their own disaster recovery and business continuity plans that address their inability to access or utilize CoreSite s services. CoreSite A Carlyle Company Proprietary and Confidential 9

12 SECTION 3 TESTING MATRICES CoreSite A Carlyle Company Proprietary and Confidential 10

13 MATRIX 1 Objective Specified CONTROL ENVIRONMENT activities provide reasonable assurance that discipline and structure are an integral part of the organization and influence the control consciousness of its personnel. Activity Specified Integrity and Ethical Values 1.1 Documented organizational policy statements and employee procedures communicate entity values and behavioral standards to personnel. 1.2 Human resources personnel perform employment candidate background checks as a component of the hiring process. Commitment to Competence 1.3 Human resources personnel considers the competence levels for particular jobs and translates required skills and knowledge levels into written position requirements. Inspected the employee handbook to determine that organizational policy statements and employee procedures that communicated entity values and behavioral standards were documented. Inquired of the operations manager regarding the performance of background checks to determine that human resources personnel performed employment candidate background checks as a component of the hiring process. Inspected the completed background check for a nonstatistical sample of employees hired during the review period to determine that a background check was completed for each employee sampled. Inspected a nonstatistical sample of written position requirements to determine that human resources personnel considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements. CoreSite A Carlyle Company Proprietary and Confidential 11

14 MATRIX 1 Objective Specified CONTROL ENVIRONMENT activities provide reasonable assurance that discipline and structure are an integral part of the organization and influence the control consciousness of its personnel. Activity Specified Board of Directors Participation 1.4 A board of directors oversees management activities. Management s Philosophy and Operating Style 1.5 Weekly meetings are conducted to discuss operations and facilities issues. Inquired of the operations manager regarding the board of directors to determine that a board of directors oversaw management activities. Inspected the board of directors listing to determine that a board of directors oversaw management activities. Inquired of the operations manager regarding management meetings to determine that weekly meetings were held to discuss operations and facilities issues. Inspected the meeting agendas and the calendar entries for a nonstatistical sample of weeks during the review period to determine that meetings were held to discuss operations and facilities issues for each week sampled. CoreSite A Carlyle Company Proprietary and Confidential 12

15 MATRIX 1 Objective Specified CONTROL ENVIRONMENT activities provide reasonable assurance that discipline and structure are an integral part of the organization and influence the control consciousness of its personnel. Activity Specified Organizational Structure and Assignment of Authority and Responsibility 1.6 Organizational charts are in place to communicate key areas of authority, responsibility and lines of reporting. Human Resources Policies and Procedures 1.7 Pre-hire screening procedures are required as a component of the hiring process. Inquired of the operations manager regarding organizational charts to determine that organizational charts were in place to communicate key areas of authority, responsibility and lines of reporting. Inspected the organizational charts to determine that organizational charts were in place. Inquired of the operations manager regarding the hiring process to determine that pre-hire screening procedures were performed as a component of the hiring process. Inspected the pre-hire screening procedures to determine that pre-hire screening procedures were performed as a component of the hiring process. CoreSite A Carlyle Company Proprietary and Confidential 13

16 MATRIX 1 Objective Specified CONTROL ENVIRONMENT activities provide reasonable assurance that discipline and structure are an integral part of the organization and influence the control consciousness of its personnel. Activity Specified 1.8 A new hire checklist is completed as a component of the hiring process. 1.9 A termination checklist is completed as a component of the termination process. Inquired of the operations manager regarding hiring procedures to determine that human resources personnel completed a new hire checklist as a component of the hiring process. Inspected the completed new hire checklists for a nonstatistical sample of employees hired during the review period to determine that a new hire checklist was completed as a component of the hiring process for each employee sampled. Inquired of the operations manager regarding termination procedures to determine that human resources personnel completed a termination checklist as a component of the termination process. Inspected the termination checklist template to determine that a termination checklist was in place for human resources personnel to complete as a component of the termination process. Inspected the termination checklist for a nonstatistical sample of employees terminated during the review period to determine that a termination checklist was completed as a component of the termination process for each employee sampled. The test of the control activity disclosed that no employees were terminated during the review period. CoreSite A Carlyle Company Proprietary and Confidential 14

17 MATRIX 1 Objective Specified CONTROL ENVIRONMENT activities provide reasonable assurance that discipline and structure are an integral part of the organization and influence the control consciousness of its personnel. Activity Specified 1.10 Evaluations are performed for each employee on an annual basis. Inquired of the operations manager regarding employee evaluations to determine that evaluations were performed for each employee on an annual basis. Inspected the evaluations for a nonstatistical sample of employees to determine that evaluations were performed for each employee sampled during the 12 months preceding the end of the review period. CoreSite A Carlyle Company Proprietary and Confidential 15

18 MATRIX 2 Objective Specified RELIABILITY OF POWER activities provide reasonable assurance that the design, maintenance and operation of power infrastructure are sufficient to meet customers power needs. Activity Specified 2.1 The power infrastructure for the colocation facility is configured to provide redundant power to systems. 2.2 Multiple UPS systems are in place to provide temporary power in the event of a power failure and to mitigate the risk of power surges impacting infrastructure in the colocation facility. Inquired of the facilities engineer regarding data center power to determine that the power infrastructure for the colocation facility was configured to provide redundant power to systems. Observed the presence of the UPS systems to determine that the power infrastructure for the colocation facility was configured to provide redundant power to systems. Inquired of the facilities engineer regarding UPS systems to determine that multiple UPS systems were in place to provide temporary power in the event of a power failure and to mitigate the risk of power surges impacting infrastructure in the colocation facility. Observed the presence of the UPS systems to determine that multiple UPS systems were in place in the colocation facility. CoreSite A Carlyle Company Proprietary and Confidential 16

19 MATRIX 2 Objective Specified RELIABILITY OF POWER activities provide reasonable assurance that the design, maintenance and operation of power infrastructure are sufficient to meet customers power needs. Activity Specified 2.3 A third party vendor inspects and maintains UPS systems on a semi-annual basis to ensure proper functioning. 2.4 Multiple diesel generators are in place to provide temporary power in the event of a power failure. 2.5 The generators are inspected on a weekly basis by internal personnel to ensure proper functioning. Inquired of the facilities engineer regarding the UPS systems to determine that a third party vendor inspected and maintained UPS systems on a semi-annual basis to ensure proper functioning. Inspected the most recent third party vendor service agreement and the preventative maintenance results during the review period to determine that a third party vendor inspected and maintained the UPS systems during the review period. Inquired of the facilities engineer regarding diesel generators to determine that multiple diesel generators were in place to provide temporary power in the event of a power failure. Observed the presence of diesel generators to determine that multiple diesel generators were in place. Inquired of the facilities engineer regarding generator inspections to determine that the generators were inspected on a weekly basis by internal personnel to ensure proper functioning. Inspected the generator s inspection log for a nonstatistical sample of weeks during the review period to determine that the generators were inspected by internal personnel for each week sampled. The test of the control activity disclosed that the weekly generator inspection was not completed for one of seven weeks sampled. CoreSite A Carlyle Company Proprietary and Confidential 17

20 MATRIX 2 Objective Specified RELIABILITY OF POWER activities provide reasonable assurance that the design, maintenance and operation of power infrastructure are sufficient to meet customers power needs. Activity Specified 2.6 A third party vendor inspects and maintains the generators on a quarterly basis to ensure proper functioning. 2.7 Power supply equipment is monitored by an automated logic control system. 2.8 The automated logic control system is configured to alert operations personnel when alarms are triggered. Inquired of the facilities engineer regarding the generators inspections to determine that a third party vendor inspected and maintained the generators on a quarterly basis to ensure proper functioning. Inspected the third party vendor service agreement and the preventative maintenance results for a nonstatistical sample of quarters during the review period to determine that a third party vendor inspected and maintained the generators for each quarter sampled. Inspected the automated logic control system configurations to determine that power supply equipment was monitored by an automated logic control system. Inspected a nonstatistical sample of alert notifications to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered. Inspected the listing of operations personnel notified by the automated logic control system to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered. CoreSite A Carlyle Company Proprietary and Confidential 18

21 MATRIX 3 Objective Specified RELIABILITY OF DATA CENTER COOLING activities provide reasonable assurance that the design, maintenance and operation of cooling infrastructure is sufficient to cool customer colocation space. Activity Specified 3.1 Multiple air handlers are in place to cool the colocation facility and provide redundancy. 3.2 A third party vendor inspects and maintains cooling equipment on a quarterly basis to ensure proper functioning. 3.3 An automated logic control system is configured to ensure that the colocation facility environmental measurements do not exceed predefined thresholds for temperature and humidity. Inquired of the facilities engineer regarding air handlers to determine that multiple air handlers were in place to cool the colocation facility and provide redundancy. Observed the presence of multiple air handlers and chiller tanks to determine that multiple air handlers and water chillers were in place. Inquired of the facilities engineer regarding the cooling equipment to determine that a third party vendor inspected and maintained cooling equipment on a quarterly basis to ensure proper functioning. Inspected the third party vendor service agreement and the preventative maintenance results for a nonstatistical sample of quarters during the review period to determine that a third party vendor inspected and maintained cooling equipment for each quarter sampled. Inspected the automated logic control system configurations to determine that an automated logic control system was configured to ensure that the colocation facility environmental measurements did not exceed predefined thresholds for temperature and humidity. CoreSite A Carlyle Company Proprietary and Confidential 19

22 MATRIX 3 Objective Specified RELIABILITY OF DATA CENTER COOLING activities provide reasonable assurance that the design, maintenance and operation of cooling infrastructure is sufficient to cool customer colocation space. Activity Specified 3.4 The automated logic control system is configured to alert operations personnel when alarms are triggered. Inspected a nonstatistical sample of alert notifications to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered. Inspected the listing of operations personnel notified by the automated logic control system to determine that the automated logic control system was configured to alert operations personnel when alarms were triggered. CoreSite A Carlyle Company Proprietary and Confidential 20

23 MATRIX 4 Objective Specified SECURITY OF PREMISES activities provide reasonable assurance that the design, maintenance and operation of security systems are sufficient to secure the premises. Activity Specified 4.1 A security procedures manual guides personnel in carrying out security procedures including the following: Access control system Visitor management Deliveries Property removal Support services 4.2 A third party security company is engaged to monitor physical security at the colocation facility. Inspected the security procedures manual to determine that a security procedures manual was documented to guide personnel in carrying out security procedures including the following: Access control system Visitor management Deliveries Property removal Support services Observed the third party security at the facility to determine that a third party security company was engaged to monitor physical security at the colocation facility. Inspected the third party security company service agreement to determine that a third party security company was engaged to monitor physical security at the colocation facility. CoreSite A Carlyle Company Proprietary and Confidential 21

24 MATRIX 4 Objective Specified SECURITY OF PREMISES activities provide reasonable assurance that the design, maintenance and operation of security systems are sufficient to secure the premises. Activity Specified 4.3 Visitors are issued a visitors badge that is required to be worn while in the colocation facility and returned upon exiting the colocation facility. 4.4 A badge access system is utilized to control access to and within the colocation facility. Inquired of the operations manager regarding visitors badges to determine that visitors were issued a visitors badge that was required to be worn while in the colocation facility and returned upon exiting the colocation facility. Observed the visitor access process determine that visitors were issued a visitors badge upon entering the colocation facility. Observed the badge access system in place throughout the colocation facility to determine that a badge access system was utilized to control access to and within the colocation facility. Inspected the badge access system active user listing, the badge access level listing, and a nonstatistical sample of activity logs to determine a badge access system was utilized to control access to and within the colocation facility. CoreSite A Carlyle Company Proprietary and Confidential 22

25 MATRIX 4 Objective Specified SECURITY OF PREMISES activities provide reasonable assurance that the design, maintenance and operation of security systems are sufficient to secure the premises. Activity Specified 4.5 The ability to administer the badge access system is restricted to user accounts accessible by persons holding the following positions: Operations manager Property manager Third party security guards (12) 4.6 Badge access privileges are revoked from terminated employees as a component of the employee termination process. 4.7 Visitors are required to sign a visitors log prior to gaining access to the facility. Inspected the listing of users with administrative access rights to the badge access system to determine that the ability to administer the badge access system was restricted to user accounts accessible by persons holding the following positions: Operations manager Property manager Third party security guards (12) Inquired of the operations manager regarding the access revocation for terminated employees to determine that badge access privileges were revoked from terminated employees as a component of the employee termination process. Inspected the badge access system user listing and a listing of current employees to determine that all badge access users were current employees. Observed visitor procedures to determine that visitors were required to sign a visitors log prior to gaining access to the facility. Inspected a nonstatistical sample of visitors logs to determine that visitors signed a visitors log during the review period. The test of the control activity, performed in March 2010, disclosed that seven terminated third party security guards had active user accounts for the badge access system. Subsequent testing of the control activity, performed in March 2010, disclosed that the aforementioned third party security guards access was revoked. CoreSite A Carlyle Company Proprietary and Confidential 23

26 MATRIX 4 Objective Specified SECURITY OF PREMISES activities provide reasonable assurance that the design, maintenance and operation of security systems are sufficient to secure the premises. Activity Specified 4.8 A physical key inventory listing is maintained to track physical key assignments. 4.9 An automated help desk system is utilized to process and track requests that include following: Service appointments Deliveries Property removal Construction Access requests, modifications and deletions 4.10 Deliveries are required to be authorized and logged A network video recorder (NVR) camera system is utilized to monitor activity in and around the colocation facility. Inspected the physical key inventory listing to determine that a physical key inventory listing was maintained to track physical key assignments. Inspected the work orders during the review period to determine that an automated help desk system was utilized to process and track requests that included the following: Service appointments Deliveries Property removal Construction Access requests, modifications and deletions Inquired of the operations manager regarding deliveries to determine that deliveries were required to be authorized and logged. Inspected a nonstatistical sample of delivery logs to determine that deliveries were logged. Inquired of the operations manager regarding the NVR camera system to determine that a NVR camera system was utilized to monitor activity in and around the colocation facility. Observed the presence of multiple cameras throughout the colocation facility to determine that a NVR camera system was in place. CoreSite A Carlyle Company Proprietary and Confidential 24

27 MATRIX 4 Objective Specified SECURITY OF PREMISES activities provide reasonable assurance that the design, maintenance and operation of security systems are sufficient to secure the premises. Activity Specified 4.12 NVR images are maintained for at least 30 days. Inquired of the operations manager regarding NVR archives to determine that NVR images were maintained for at least 30 days. Inspected archived NVR images to determine that NVR images were retained for at least 30 days Third party security guards patrol the colocation facility 24 hours per day Security guards are alerted when an alarm panel within the colocation facility is triggered Inquired of the operations manager regarding security guard patrols to determine that third party security guards were scheduled to patrol the colocation facility 24 hours per day. Inspected the third party security company schedule to determine that third party security guards were scheduled to patrol the colocation facility 24 hours per day. Inquired of the operations manager regarding the monitoring of alarm panels to determine that security guards were alerted when an alarm panel within the colocation facility was triggered. Observed on-screen alerts at the security console to determine that security guards were alerted when an alarm panel within the colocation facility was triggered. CoreSite A Carlyle Company Proprietary and Confidential 25

28 MATRIX 5 Objective Specified TECHNICAL SUPPORT TO COLOCATION CUSTOMERS activities provide reasonable assurance that the CoreSite system for customer cabinet and cage installation, provisioning of interconnections, and trouble-ticket response is adhered to in accordance with CoreSite guidelines. Activity Specified 5.1 Documented procedures are maintained to guide personnel in customer installations and trouble shooting. 5.2 On-call operations support is available 24 hours per day. 5.3 Customers enter trouble tickets through the online customer support resource center. Inspected documented procedures to determine that documented procedures were maintained to guide personnel in customer installations and troubleshooting. Inspected the operations shift schedule to determine that on-call operations support was available 24 hours per day. Inspected escalation procedures to determine that customers could contact operations personnel 24 hours per day. Inquired of the operations manager regarding the online customer support resource center to determine that customers entered trouble tickets through the online customer support resource center. Inspected a nonstatistical sample of customer service support resource center tickets to determine that customers entered trouble tickets through the online customer support resource center. CoreSite A Carlyle Company Proprietary and Confidential 26

29 MATRIX 5 Objective Specified TECHNICAL SUPPORT TO COLOCATION CUSTOMERS activities provide reasonable assurance that the CoreSite system for customer cabinet and cage installation, provisioning of interconnections, and trouble-ticket response is adhered to in accordance with CoreSite guidelines. Activity Specified 5.4 Trouble tickets directly entered through the online customer support resource center trigger an immediate containing details of the trouble ticket to the operations group. 5.5 The online customer support resource center is configured to a copy of the trouble ticket to the originator of the trouble ticket. Inspected online customer support resource center notification configurations to determine that trouble tickets directly entered through the online customer support resource center triggered an immediate containing details of the trouble ticket to the operations group. Inspected a nonstatistical sample of notifications to determine that trouble tickets directly entered through the online customer support resource center triggered an immediate containing details of the trouble ticket to the operations group. Inspected the online customer resource center notification configurations to determine that the online customer support resource center was configured to a copy of the trouble ticket to the originator of the trouble ticket. CoreSite A Carlyle Company Proprietary and Confidential 27

30 MATRIX 5 Objective Specified TECHNICAL SUPPORT TO COLOCATION CUSTOMERS activities provide reasonable assurance that the CoreSite system for customer cabinet and cage installation, provisioning of interconnections, and trouble-ticket response is adhered to in accordance with CoreSite guidelines. Activity Specified 5.6 Cabinet and cage installation requests are entered and tracked in the online customer resource center. 5.7 Interconnection requests are entered and tracked in the online customer resource center. Inquired of the operations manager regarding the online customer support resource center to determine that cabinet and cage installation requests were entered and tracked in the online customer resource center. Inspected an example cabinet installation help desk ticket to determine that cabinet and cage installation requests were entered and tracked in the online customer resource center. Inquired of the operations manager regarding the online customer support resource center to determine that interconnection requests were entered and tracked in the online customer resource center. Inspected the interconnection help desk tickets during the review period to determine that interconnection requests were entered and tracked in the online customer resource center. CoreSite A Carlyle Company Proprietary and Confidential 28

31 MATRIX 5 Objective Specified TECHNICAL SUPPORT TO COLOCATION CUSTOMERS activities provide reasonable assurance that the CoreSite system for customer cabinet and cage installation, provisioning of interconnections, and trouble-ticket response is adhered to in accordance with CoreSite guidelines. Activity Specified 5.8 Issues regarding cabinet and cage installation requests, interconnection requests and trouble tickets are reviewed on a daily basis by the operations manager to help ensure proper resolution. 5.9 Closed cabinet and cage installation requests, interconnection requests and trouble tickets are retained in the online customer resource center. Inquired of the operations manager regarding the online customer support resource center to determine that issues regarding cabinet and cage installation requests, interconnection requests and trouble tickets were reviewed on a daily basis by the operations manager to help ensure proper resolution. Inspected the listing of work orders and trouble tickets during the review period to determine that issues regarding cabinet and cage installation requests, interconnection requests, and trouble tickets were reviewed on a daily basis. Inquired of the operations manager regarding the closed cabinet and cage installation requests to determine that the closed cabinet and cage installation requests and trouble tickets were retained in the online customer resource center. Inspected the online customer resource center documentation to determine that closed cabinet and cage installation requests, interconnection requests and trouble tickets were retained in the online customer resource center. CoreSite A Carlyle Company Proprietary and Confidential 29