SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015"

Transcription

1 SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015

2 BROADRIVER INC. Table of Contents SECTION 1: INDEPENDENT SERVICE AUDITORS REPORT... 1 SECTION 2: MANAGEMENT S ASSERTION... 4 SECTION 3: BROADRIVER S DESCRIPTION OF CONTROLS... 6 SCOPE OF REPORT AND DISCLOSURES... 8 Sub-Service Organizations... 8 Significant Changes during the Review Period... 8 Subsequent Events... 8 Using the Work of the Internal Audit Function... 8 OVERVIEW OF OPERATIONS AND THE SYSTEM... 9 Company Overview and Background... 9 Overview of the Data Center Services System... 9 OVERVIEW OF RELEVANT INFRASTRUCTURE Infrastructure Software People Procedures Data RELEVANT ASPECTS OF CONTROL ENVIRONMENT, RISK ASSESSMENT, INFORMATION AND COMMUNICATIONS SYSTEMS, MONITORING, POLICIES AND PRACTICES Control Environment Risk Assessment Information and Communication Systems Policies and Practices CONTROL OBJECTIVES AND RELATED CONTROLS USER ENTITY CONTROL CONSIDERATIONS SECTION 4: CONTROL DESCRIPTIONS, RELATED CONTROLS AND TESTS OF OPERATING EFFECTIVENESS INFORMATION PROVIDED BY THE SERVICE AUDITOR Introduction Tests of Operating Effectiveness Types of Tests Performed Sampling Methodology TESTING MATRICES Physical Security Environmental Security Information Security Systems Availability System Maintenance SECTION 5: INFORMATION PROVIDED BY THE SERVICE ORGANIZATION Testing Exceptions Proprietary and Confidential

3 SECTION 1: INDEPENDENT SERVICE AUDITORS REPORT

4 INDEPENDENT SERVICE AUDITORS REPORT ON THE DESCRIPTION OF THE SERVICE ORGANIZATION S SYSTEM AND THE SUITABILITY OF THE DESIGN AND OPERATING EFFECTIVENESS OF CONTROLS To BroadRiver Inc.: We have examined BroadRiver Inc. s ( BroadRiver ) description of its Data Center Services system throughout the period August 1, 2014 to July 31, 2015 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of BroadRiver s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls. Within Section 2 of this report, BroadRiver has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. BroadRiver is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description. Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period August 1, 2014 to July 31, An examination of a description of a service organization s system and the suitability of the design and operating effectiveness of the service organization s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described within BroadRiver s assertion within Section 2 of this report. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail West Gandy Blvd. Tampa, Florida

5 In our opinion, in all material respects, based on the criteria described in BroadRiver s assertion in the next section of this report: a. the description fairly presents BroadRiver s Data Center Services system that was designed and implemented throughout the period August 1, 2014 to July 31, 2015; b. the controls related to the control objectives of BroadRiver stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period August 1, 2014 to July 31, 2015, and user entities applied the complementary user entity controls contemplated in the design of BroadRiver s controls throughout the period August 1, 2014 to July 31, 2015; and c. the controls that we tested, which together with the complementary user entity controls referred to in Section 3 of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period August 1, 2014 to July 31, The specific controls tested and the nature, timing, and results of those tests are listed within Section 4 of the report. This report, including the description of tests of controls and results thereof within Section 4, is intended solely for the information and use of BroadRiver, user entities of BroadRiver s Data Center Services system during some or all of the period August 1, 2014 to July 31, 2015, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities financial statements. This report is not intended to be and should not be used by anyone other than these specified parties. December 16, 2015 Tampa, Florida West Gandy Blvd. Tampa, Florida

6 SECTION 2: MANAGEMENT S ASSERTION

7 MANAGEMENT S ASSERTION December 16, 2015 We have prepared the description of BroadRiver Inc. s ( BroadRiver ) Data Center Services system for user entities of the system during some or all of the period August 1, 2014 to July 31, 2015 and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities financial statements. We confirm, to the best of our knowledge and belief, that a. the description fairly presents the Data Center Services system made available to user entities of the system during some or all of the period August 1, 2014 to July 31, 2015 for processing their transactions. The criteria we used in making this assertion were that the description: i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions as they relate to our environment, including when applicable: 1. the types of services provided; 2. the procedures, within both automated and manual systems, by which services are provided; 3. how the system captures and addresses significant events and conditions, other than transactions; 4. the process used to prepare reports or other information provided to user entities of the system; 5. the specified control objectives and controls designed to achieve those objectives; and 6. other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to user entities of the system. ii. does not omit or distort information relevant to the scope of the Data Center Services system, while acknowledging that the description is presented to meet the common needs of a broad range of user entities of the system and their financial statement auditors, and may not, therefore, include every aspect of the Data Center Services system that each individual user entity of the system and its auditor may consider important in its own particular environment. iii. includes relevant details of changes to the service organization s system during the audit period covered by the description. b. the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period August 1, 2014 to July 31, 2015 to achieve those control objectives. The criteria we used in making this assertion were that: /s/ BroadRiver Inc. i. the risks that threaten the achievement of the control objectives stated in the description have been identified by management; ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and iii. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority. Michael L. Oken President Fran Audia Controller

8 SECTION 3: BROADRIVER S DESCRIPTION OF CONTROLS

9 SCOPE OF REPORT AND DISCLOSURES This description of the system of controls provided by BroadRiver Inc. ( BroadRiver ) management, as related to Statement on Standards for Attestation Engagements No. 16 Reporting on Controls at a Service Organization ( SSAE 16 or SOC 1 ), considers the direct and indirect impact of risks and controls that BroadRiver management has determined are likely to be relevant to its user entities internal controls over financial reporting. The scope of management s description of the system of controls covers the general computer controls supporting the Description of Service, and considers the initiation, authorization, recording, processing, and reporting of related transactions. BroadRiver is responsible for identification of risks associated with the system of controls (defined as control objectives), and for the design and operation of controls intended to mitigate those risks. This includes the applicable information technology infrastructure and the supporting processes related to the Data Center Services system. It does not include any other processes used to initiate, authorize, record, process, or report on the financial transactions of its user entities. Additionally, BroadRiver does not maintain accountability for any user entity assets, liabilities, or equity. As part of its overall SOC 1 program, BroadRiver s management sets and determines the scope and timing of each report. This report features the Data Center Services system provided for the Atlanta, Georgia colocation facility. This description of the system of controls has been prepared by BroadRiver management to provide information on controls applicable to the Data Center Services system at the Atlanta, Georgia colocation facility. Sub-Service Organizations BroadRiver does not rely on any sub-service organizations as part of the Data Center Services system included in the scope of this report. Significant Changes during the Review Period Management is not aware of any significant changes that occurred during the review period. Subsequent Events Management is not aware of any relevant events that occurred subsequent to the period covered by management s description included in Section 3 of this report through the date of the service auditor s report that would have a significant effect on management s assertion. Using the Work of the Internal Audit Function The service auditor did not utilize any work of an Internal Audit function in preparing this report. Section 3 Proprietary and Confidential 8

10 OVERVIEW OF OPERATIONS AND THE SYSTEM Company Overview and Background BroadRiver is a privately-held competitive IT solutions company based in Atlanta, Georgia. Since 1999, BroadRiver has been providing a variety of technology solutions with a focus on client care and client satisfaction. On November 9, 2015, BroadRiver sold its subsidiary, BroadRiver Communications Corporation, which provided the telecommunications services. BroadRiver provides data center services spanning various markets throughout the southeastern United States. BroadRiver s goal is to help their clients select the right data center services for their business needs and to deliver those services with quality and value. Overview of the Data Center Services System Data Center Colocation Services BroadRiver s Tier 3 colocation facility is a 15,000 square foot facility that was constructed in 2007 approximately 1 mile from the corporate office facility in Atlanta, Georgia. The colocation facility sits on solid granite with concrete floors, steel frame and concrete block walls with a brick outlay and an insulated membrane roof. The data center within the colocation facility features over 200 fully enclosed racks that are sold in half and full-rack increments. The data center was designed with redundant capacity components and multiple independent distribution paths serving the computer equipment to allow systems to be taken offline for scheduled maintenance without impact to the IT environment. BroadRiver provides the facilities and infrastructure to protect clients systems from physical and environmental security threats including, but not limited to, unauthorized access, fire, harmful temperature and humidity levels and power surges or power failures. Activity related to transactions, such as initiation, authorization, recording, processing, correction, or reporting, are performed by clients. BroadRiver has no responsibility for either activities related to transaction processing or the related accounting records and supporting information for clients, including the correction of incorrect information. Managed Network Services BroadRiver provides Internet connectivity to clients as well as dedicated network segments where clients place their own servers and applications. Services include: Client-specific network segmentation and isolation; Firewall management; and Intrusion detection and prevention systems (IDS / IPS). Section 3 Proprietary and Confidential 9

11 OVERVIEW OF RELEVANT INFRASTRUCTURE The Data Center Services system is comprised of the following components: Infrastructure (facilities, equipment, and networks); Software (systems, applications, and utilities); People (operators, users, and managers); Procedures (automated and manual); and Data (transaction streams, files, databases, and tables). Infrastructure BroadRiver offers facilities and infrastructure to provide colocation and data center services for its clients. The colocation facility is designed with a data center room where client equipment resides. Single racks, cabinets, and / or isolated cages are offered to clients within the several thousand square feet of data center space located at the colocation facility. Some support and management personnel operate out of the headquarters supporting the colocation and data center services at the colocation facility. The following describes the in-scope components supporting the Data Center Services system: System / Application Description Infrastructure Zenoss Network monitoring GNU / Linux Software BroadRiver utilizes Zenoss to provide for network monitoring of the data center facility and services contracted to be provided. Zenoss is the primary application used for monitoring services and has been configured with thresholds and alerts designed to provide management notifications with enough time to adjust and make changes prior to an outage or limitation in services being provided. People The roles and responsibilities of key functions include the following: Michael L. Oken, President and Chief Technology Officer (CTO) Michael founded BroadRiver, and serves as its President and CTO. Michael plays a central role in driving the strategy and direction relative to product and services development, architecture and infrastructure. His experience spans over 28 years in the technology sector with significant experience in datacenter and network architecture. Fran Audia, Controller and Secretary Fran has served as Controller and Secretary of BroadRiver since Fran has over twenty years of experience in accounting, bookkeeping, risk management, and HR. Prior to joining BroadRiver Inc. she served as a Controller at Network Systems Technology Inc., a network integration company. Section 3 Proprietary and Confidential 10

12 Procedures BroadRiver has developed and communicated to its users, procedures to restrict physical access to the BroadRiver colocation facility, its data center, and the critical areas within the colocation facility, as well as procedures to protect the colocation facility from certain environmental threats. Policies include the following: Data BroadRiver Data Center Security Policy; Information Security Policy; Data Center Physical Security; Data Center Environmental Security Policy; and Incident and Response Policy. BroadRiver does not process client s data. The scope of management s description of the system of controls covers the physical and environmental security supporting the Data Center Services system. This includes the applicable information technology infrastructure and the supporting processes related to the Data Center Services system. It does not include any other processes used to initiate, authorize, record, process, or report on the financial transactions of its user entities. Section 3 Proprietary and Confidential 11

13 RELEVANT ASPECTS OF CONTROL ENVIRONMENT, RISK ASSESSMENT, INFORMATION AND COMMUNICATIONS SYSTEMS, MONITORING, POLICIES AND PRACTICES Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal controls, providing discipline and structure. Aspects of BroadRiver s control environment that affect the services provided and / or the system of controls are identified in this section. Integrity and Ethical Values The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of BroadRiver s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the products of BroadRiver s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. Organizational policy statements and codes of conduct are documented and communicate entity values and behavioral standards to personnel. Senior Executive Participation BroadRiver s control consciousness is influenced significantly by its senior executives. Senior executives oversee management activities and meet on a regular basis to approve budgets and business plans, address operational concerns and strategic direction and review financial performance metrics. Commitment to Competence BroadRiver s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees roles and responsibilities. Management has considered the competence levels for particular jobs and translated the required skills and knowledge levels into written position requirements. Employees are required to attend security awareness training upon hire and on an annual basis thereafter. Management s Philosophy and Operating Style BroadRiver s management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management s approach to taking and monitoring business risks, and management s attitudes toward information processing, accounting functions, and personnel. BroadRiver s management team is hands-on and involved in the day-to-day operations of the business. Management team members are expected not only to lead but to make hands-on contributions and to know the details in their area of the business. Specific control activities that BroadRiver has implemented in this area are described below. Management is periodically briefed on regulatory and industry changes affecting services provided; and Management meetings are held on a weekly basis to discuss operational issues. Organizational Structure BroadRiver s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. BroadRiver s management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and lines of reporting. BroadRiver has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities. Section 3 Proprietary and Confidential 12

14 BroadRiver s assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that personnel understand the entity s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. Specific control activities that the service organization has implemented in this area are described below. Organizational charts are in place to communicate key areas of authority, responsibility and lines of reporting; and Management has considered the reporting structure and accountability for certain business functions and segregated responsibilities by functional area. Human Resource Policies and Practices BroadRiver s human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Background checks are performed for employment applicants as a component of the hiring process. Termination procedures are in place to help ensure the employee termination process is consistently executed. Section 3 Proprietary and Confidential 13

15 Risk Assessment BroadRiver s risk assessment process is designed to identify and consider the implications of external and internal risk factors concurrent with establishing unit-wide objectives and plans. The likelihood of occurrence and potential monetary impact (or publicity risk) has been evaluated to enhance the reliability of the data center services being provided. Risks are categorized as tolerable or requiring action, and include the following considerations: Changes in the operating environment a change in regulations may necessitate a revision of existing processing. Revisions of existing processing may create the need for additional or revised controls. New personnel new personnel who are responsible for overseeing the IT controls may increase the risk that controls will not operate effectively. New or revamped information systems new functions added into the system that could affect user entities. Rapid growth a rapid increase in the number of new clients may affect the operating effectiveness of certain controls. New technology implementation of new application platforms / technology may operate so differently that it affects user entities. New business models, products, or activities the diversion of resources to new activities from existing activities could affect certain controls. Corporate restructuring a change in ownership or internal reorganization could affect reporting responsibilities or the resources available for services to user entities. New accounting pronouncements the implementation of relevant accounting pronouncements could affect user entities. Government and regulatory changes the implementation of relevant government and regulatory pronouncements could affect user entities. BroadRiver s recognition of risks that could affect the organization s ability to provide reliable data center services for user entities is generally implicit, rather than explicit. Management s involvement in the daily operations allows them to learn about risks related to the data center services through direct personal involvement with employees and outside parties, thus reducing the need for formalized and structured risk assessment processes. Section 3 Proprietary and Confidential 14

16 Information and Communication Systems Information System BroadRiver s hosting infrastructure is located in a colocation facility in Atlanta, Georgia. The site is secured by an electronic biometric enabled card access system at facility entry points and is monitored via a video surveillance system. Power is protected with multiple diesel-powered generators and redundant UPS systems equipped with static transfer switches (STS), while temperature and humidity levels are maintained via redundant air conditioning systems equipped with redundant cooling loops. Private VLANs are configured to segregate client networks and infrastructure based on service offering. Additionally, firewall systems are configured to deny any type of network connection that is not explicitly authorized by a firewall rule. The firewall systems are configured in clusters to provide automatic failover firewall services in the event of a primary firewall failure. Encrypted VPN connections are utilized for remote access to help ensure the privacy and integrity of the data passing over the public network. Communication System BroadRiver s management is involved with day-to-day operations and is able to provide employees with an understanding of their individual roles and responsibilities pertaining to internal controls. This includes the extent to which personnel understand how their activities relate to the work of others and the means of reporting exceptions to a higher level within the organization. Management believes that open communication channels help ensure that exceptions are reported and resolved. Communication activities are made electronically, verbally, and through the actions of management. For that reason, formal communication tools such as organizational charts, job descriptions and an enterprise issue ticketing application are in place. Monitoring Management monitors controls to consider whether they are operating as intended and that the controls are modified for changes in conditions. BroadRiver s management performs monitoring activities to continuously assess the quality of internal control over time. Necessary corrective actions are taken as required to correct deviations from company policy and procedures. Employee activity and adherence to company policies and procedures is also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing Monitoring The BroadRiver management team conducts quality assurance monitoring on a regular basis and additional training is provided based upon results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings, client conference calls and informal notifications. Examples of BroadRiver s ongoing monitoring activities include the following: Physical Security: The biometric-enabled badge access system creates logs of ingress activity within the data center for review on a scheduled basis. Surveillance cameras are in place to record activity throughout the colocation facility and the data center, and are equipped with searchable digital video retention for review on a scheduled basis. Section 3 Proprietary and Confidential 15

17 Environmental Security An enterprise monitoring application is configured to monitor, log and alert personnel in the event predefined threshold events related to the following environmental conditions occur at various locations throughout the facility: Temperature, humidity, and smoke or fire. Network Infrastructure An enterprise monitoring application is configured to monitor the network core, network edge, and other shared enterprise systems and devices for availability and transmission activity and alert personnel in the event predefined events occur related to the following: Up/down status, resource utilization, and other Simple Network Management Protocol (SNMP)-enabled thresholds per device. A ticketing system is in place to document and managed identified problems and activities impacting client services and systems. Tickets are monitored from creation to resolution. Separate Evaluations Management has daily involvement in BroadRiver s operations to help identify significant variances from expectations regarding internal controls. Controls addressing higher-priority risks and those most essential to reducing a given risk are evaluated more often. Executive management immediately evaluates the specific facts and circumstances related to any suspected control breakdowns. A decision for addressing any controls weakness is made based on whether the incident was isolated or requires a change in the company s procedures or personnel. Section 3 Proprietary and Confidential 16

18 Policies and Practices BroadRiver security systems include badge access authentication at each data center door, logging of door access attempts, and video surveillance for access to and within the BroadRiver data center including the data halls where client equipment resides. Electronic badge access systems and biometric fingerprint readers provide access controls at each data center facility entry point. Video surveillance technology has been implemented to monitor and record access to and activity within the facility. INFRASTRUCTURE MANAGEMENT BroadRiver is responsible for maintaining and implementing information technology general computer controls related to computer processing supporting the Data Center Services. These controls provide the basis for reliance on information / data from the systems used by user entities for financial reporting. Physical Security Documented physical security policies and procedures are in place to guide activities for granting, controlling, and monitoring physical access to the corporate office facility, the colocation facility, and the data center within the colocation facility. Further, to control the physical access of the corporate office facility, the colocation facility, and the data center, the Facility Manager or Technical Operations Manager performs a quarterly access reviews to ensure that access is appropriate based on the individual s role and job function, and that privileged access is only available to authorized users. Corporate Office Facility A receptionist is on-site during normal business hours to monitor the main entrance of the corporate office facility and ensures that visitors sign a visitor log prior to entry. Visitors are provided an identification sticker by receptionist while inside the corporate office facility. The physical access control system at the corporate office facility utilizes key fobs to restrict and track access to the facility. Key fob holders are required to swipe their key fob in order to enter the facility; otherwise, entry is prevented. Successful and unsuccessful entry events are logged for ad hoc review by the technical operations manager. If a series of unsuccessful attempts occur, the technical operations manager would research and identify the issue. Administrative privileges to the electronic key fob access system are restricted to authorized IT personnel. Additionally, the key fob system administrators revoke key fob access system privileges for terminated employees. Unused and unassigned key fobs are stored in a locked file cabinet. Colocation Facility and Data Center The colocation facility and the data center are restricted areas requiring a greater level of control than other non-public spaces. The colocation facility has no exterior signage identification that reference as data center and no exterior data center windows. Only those individuals who are expressly authorized to do so by BroadRiver IT management personnel may enter the colocation facility and the data center. Network operations center (NOC) personnel are stationed at the reception desk to monitor access to the main entrance of the colocation facility during business hours. The NOC personnel ensure that visitors sign a visitor log upon entering the colocation facility. Additionally, visitors are required to be escorted by an employee when in the data center. Access to the colocation facility is restricted via badge access card system to authorized personnel 24 hours per day. The badge access system utilizes pre-defined badge access group to control access privileges to restrict employees and clients to only the areas necessary and authorized. Badge holders are required to swipe their badge access card in order to enter the facility; otherwise, re-entry is systematically prevented. Successful and unsuccessful entry events are logged allowing for ad hoc reviews by the technical operations manager. If a series of unsuccessful attempts occur, the technical operations manager researches and identifies the issue. Administrative privileges to the badge access card system are restricted to authorized IT personnel. Section 3 Proprietary and Confidential 17

19 Access to the raised-floor data center, within the colocation facility, requires both an access badge card and biometric fingerprint scan. Additionally, the badge system administrators revoke badge access for terminated employees. Unused and unassigned badges are stored in a locked file cabinet. Procedures for terminating or revoking data center access include: Canceling of door codes, cardkeys, and removal of fingerprint information from access control systems; Collection of access control credentials and keys from client; and Removing client authorized name(s) from the operations authorized access list. The data center is monitored 24 hours per day utilizing alarms, motion detectors and surveillance cameras. Recordings are retained for 90 days, allowing for ad hoc reviews by data center security personnel. Access to client hardware stored in cabinets is restricted to individual client personnel and authorized BroadRiver personnel. Clients do not have access to other clients equipment within locked cabinets and cabinets do not designate the client name. Environmental Security Environmental security refers to the protection of building sites and equipment (and information and software contained therein) from natural disaster, catastrophes, fire, flood and accidental damage. Documented environmental security policies and procedures are in place to guide personnel in the monitoring of environmental control systems, escalation of status alarms, and the resolution of environmental issues affecting the data center. The data center is equipped with fire detection and fire suppression, including audible and visual fire and smoke alarms; and hand-held fire extinguishers. A third-party specialist is contracted to inspect and maintain the fire detection systems and hand-held fire extinguishers on an annual basis. The data center is equipped with multiple air conditioning units to maintain consistent temperature and humidity levels. If the temperature or humidity level exceeds pre-defined limits, an audible alarm is triggered. A third-party specialist is contracted to inspect and maintain the air conditioning units on a semi-annual basis. Additionally, facilities personnel inspect the air conditioning units on a monthly basis. Water detection systems are in place to detect leakage from the air conditioning units. The data center is connected to an uninterruptable power supply (UPS) system and multiple backup generators to provide electricity in the event of a power outage and to help mitigate the risk of power surges impacting the data center infrastructure. A third-party specialist is contracted to inspect and maintain the UPS system and the backup generators on an annual basis. Additionally, facilities personnel perform load tests on the generators on a quarterly basis. Computer equipment in the data center is maintained in raised rack above the raised floor to help cooling and prevent damage caused by localized flooding. Enterprise monitoring applications are utilized to monitor environmental conditions within the data center that include; temperature and humidity levels, power levels and availability, fire detection systems and alarm status etc. When the predefined thresholds are exceeded NOC personnel are noted via onscreen and alerts. Additionally, facility personnel perform daily patrols to monitor certain environment equipment and document reading. Information Security Documented network security policies and procedures are in place to guide personnel in managing system access and protecting information assets and data. Additionally, the policies and procedures include firewall system administration and maintenance activities. Management reviews the policies and procedures documentation at least annually and update as needed. Section 3 Proprietary and Confidential 18

20 In order to provision logical access to the infrastructure network that is utilized by BroadRiver to provide colocation connectivity to clients, the individuals hiring manager sends an request for system access to the technical operations manager or the senior network engineer. The request contains the individuals name, title, and department of the user and access permissions needed. The requestor enters the users role for access and a justification for the access. Upon approval of the access request , network operations personnel provision the requested access. Network Domain Private virtual local area networks (VLANs) are configured to segregate network traffic and infrastructure of certain clients, based upon service offering. Access to BroadRiver network infrastructure is protected through the use of authentication protocols. Network operations personnel are authenticated to the infrastructure network that is utilized by BroadRiver to provide colocation connectivity to clients via an authorized user account and password before being granted access to the network domain. The network domain is configured to enforce authentication requirements such as minimum password length, minimum password history, password expiration intervals, invalid password account lockout threshold and password complexity requirements. Administrator access privileges within the network domain are restricted to user accounts accessible by authorized IT personnel. Upon termination of an employee, IT operations personnel revoke network accounts assigned to terminated employees as a component of the employee termination process. Firewall System and Remote Connectivity A firewall system is in place to protect BroadRiver network and data. The firewall resides on the network and analyzes data and packets routed to the BroadRiver internal network. A firewall system is configured to deny any type of network connection that is not explicitly authorized by a firewall rule. In the event of primary firewall system failure, a secondary firewall system is in place to provide failover firewall services. Additionally, externally routable internet protocol (IP) addresses are not used within the internal production servers instead the firewall system is configured to utilize network address translation (NAT) functionality to manage internal IP addresses. Encrypted virtual private networks (VPNs) are utilized for remote access to help ensure the privacy and integrity of the data passing over the public network. Administrator access privileges within the firewall and VPN remote access systems are restricted to user accounts accessible by authorized IT personnel. Firewall and VPN administrators are authenticated via a user account and password before being granted access to the systems. BroadRiver uses a Cisco Steel Belted Radius (SBR) server for firewall and VPN device authentication. The firewall and VPN devices on the infrastructure network utilized by BroadRiver to provide colocation connectivity to clients are configured to point to the SBR server for authentication. Individuals attempting to authenticate to the firewalls or VPN devices as administrators are required to be in a specific network domain group in order to be authenticated to the firewall and VPN devices. Systems Availability Network Monitoring Services NOC personnel perform network performance monitoring and reporting services as part of managed network services. The NOC personnel actively monitor devices such as routers, switches, storage area networks (SANs), net flow auditors, wired firewall clusters, and wireless intrusion detection systems. Network monitoring activities are guided by incident response and support policies and procedures that address severity level definitions, escalation reporting, and response time requirements for service alerts. These policies and procedures are reviewed by management on an annual basis and updated as necessary. Section 3 Proprietary and Confidential 19

21 Network operations personnel utilize the Zenoss enterprise monitoring application to monitor the availability of the network, colocation services and ports. Zenoss is configured to identify network issues in real time, including: Device up / down status; Device response time and latency; Device packet loss percentage; Central processing unit (CPU) load percentage; Memory load percentage; Interface up / down status; Interface load percentage; Disk volume usage percentage; Inlet and / or outlet temperature range; Device redundancy / failover triggers; and Application availability. The enterprise monitoring application is configured to send on-screen and alert notifications to network operations personnel when predefined thresholds are exceeded on monitored network devices. Network operations personnel utilize predefined severity levels to categorize and escalate network problems. Additionally, Zenoss is capable of generating reports for ongoing monitoring of performance metrics and SLA adherence, including, but not limited to, the following: Availability; Alert history; and Trend analysis reports. Network Incident Identification and Escalation BroadRiver operates its controlled networks and IT infrastructure on a 24 hour per day basis. During normal business hours (8AM-7PM Eastern Standard Time, Monday-Friday), the network operations personnel in the Atlanta, Georgia, corporate office facility and colocation facility provide identification and processing of client Tier 1, Tier 2 and Tier 3 incidents. Overflow incident escalations during normal business hours, as well as after-hours incidents are routed to the off-site NOC facility for processing and handling. Clients have three methods of contacting BroadRiver to report a problem: Telephone; Internet; and Internet issues are submitted directly to the Help Desk or submitted issues via the clients BroadRiver business center portal. Network issues, failures and anomalies, including those detected by the Zenoss application, and those submitted by clients, are recorded in the IssueTrak automated ticketing system. The IssueTrak system is utilized to document, prioritize, escalate and track the resolution of problems affecting colocation services. BroadRiver has redundant built into network infrastructure that allows alternative equipment in the event of primary system failure. Section 3 Proprietary and Confidential 20

22 System Maintenance The system maintenance process is designed to manage changes to existing client infrastructure, software and hardware with minimal disruptions, risk and complexity, while maintaining agreed-upon service levels. This includes identifying a business reason behind each change and the specific configurations and services affected by the change, planning the change, and where necessary, testing the change, and having a documented back out plan should the change result in an unexpected state of the client infrastructure. Documented change management policies and procedures are in place to guide personnel in the request, documentation, and approval of changes to internal BroadRiver and client infrastructure, including the following: Cisco hardware changes; Juniper M series hardware changes; Firewall hardware changes; Changes to IP routing protocol areas; Changes to transit peering providers; Changes to core network interconnections; OS/IOS revision changes; and Blade and VM chassis backplane changes. Change Request Submittal Clients submit change requests via submission to the help desk address, or via submission to BroadRiver sales and support personnel. Requests submitted to the help desk account result in an automatically generated change request form. BroadRiver sales and support personnel manually generate change request forms for requests received via . Attributes documented in the change requests forms include, but are not limited to, the following: Client name and client representative requesting the change; Change description; Priority level; Change status; and Change history. A change management tracking system is utilized to maintain, manage, and monitor change activities. Infrastructure software or hardware changes request is restricted to pre-authorized client representatives. Specifically, clients with the ability to request infrastructure changes are limited to either the technical contact client personnel listed in the clients contact profile, for technical requests; or, the billing / admin client personnel listed in the clients contact profile for billing and service connection and service disconnection requests. The authorized client representatives are established at the time the clients sign their initial service contracts with BroadRiver. Clients have the ability to update their client contacts via the BroadRiver business portal. Change Request Approval Clients approve infrastructure software or hardware changes via a signed service order form or via a workflow enabled electronic ticketing system prior to implementation; however, clients approval for certain changes is inherent in their initial request. The ticketing system is configured to send client requestors notifications of the following events: Confirmation of receipt of change request; Notes added to change tickets by network engineers; and Section 3 Proprietary and Confidential 21

23 Confirmation that the request is closed and work is completed. Change Testing and Change Implementation For certain infrastructure change requests, operations personnel perform an impact assessment and develop a back out plan that is documented within the change management tracking application. The ability to implement changes to client infrastructure software or hardware is restricted to user accounts accessible by authorized IT personnel. Section 3 Proprietary and Confidential 22

24 CONTROL OBJECTIVES AND RELATED CONTROLS The BroadRiver control objectives and related controls are included in Section 4 of this report, Control Descriptions, Related Controls and Tests of Operating Effectiveness, to eliminate the redundancy that would result from listing them in this section and repeating them in Section 4. Although the control objectives and related controls are included in Section 4, they are, nevertheless, an integral part of the service organization s description of controls. Section 3 Proprietary and Confidential 23

CoreSite A Carlyle Company. 70 Innerbelt Colocation Services

CoreSite A Carlyle Company. 70 Innerbelt Colocation Services CoreSite A Carlyle Company 70 Innerbelt Colocation Services Independent Service Auditor s Report on s Placed in Operation and Tests of Operating Effectiveness For the Period of October 1, 2009, to March

More information

Tom J. Hull & Company Type 1 SSAE 16 2014

Tom J. Hull & Company Type 1 SSAE 16 2014 Tom J. Hull & Company Type 1 SSAE 16 2014 REPORT ON MANAGEMENT S DESCRIPTION OF TOM J. HULL & COMPANY S SYSTEM AND THE SUITABILITY OF THE DESIGN OF CONTROLS Pursuant to Statement on Standards for Attestation

More information

Stone Vault, LLC SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES

Stone Vault, LLC SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES Stone Vault, LLC JANUARY 31, 2013 STONE VAULT, LLC Table of Contents SECTION 1:

More information

MAG DATACENTERS, LLC ( FORTRUST ) Service Organization Controls 3

MAG DATACENTERS, LLC ( FORTRUST ) Service Organization Controls 3 MAG DATACENTERS, LLC ( FORTRUST ) Service Organization Controls 3 Report on FORTRUST s Enterprise Data Center and Colocation Services System Relevant to Security and Availability For the Period October

More information

UCS Level 2 Report Issued to

UCS Level 2 Report Issued to UCS Level 2 Report Issued to MSPAlliance Unified Certification Standard (UCS) Report Copyright 2014 www.mspalliance.com/ucs info@mspalliance.com Welcome to the UCS report which stands for Unified Certification

More information

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM Las Vegas Datacenter Overview Product Overview and Data Sheet Product Data Sheet Maintaining a Software as a Service (SaaS) environment with market leading availability and security is something that Active

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013

SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013 SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013 TABLE OF CONTENTS SECTION I: INDEPENDENT PRACTITIONERS TRUST SERVICES

More information

Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability

Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability 15301 Dallas Parkway, Suite 960, Addison, TX 75001 MAIN 214 545 3965 FAX 214 545 3966 www.bkmsh.com Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

SITECATALYST SECURITY

SITECATALYST SECURITY SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance

More information

SOC 2 Report Seattle, WA (SEF)

SOC 2 Report Seattle, WA (SEF) SOC 2 Report Seattle, WA (SEF) October 1, 2013 January 31, 2014 Independent Service Auditor s Report INTERNAP NETWORK SERVICES CORPORATION Company-Controlled Data Center Services Type 2 Report on Controls

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

AND ONLINE SETTLEMENT REPORTING APPLICATION (ACCESSibility)

AND ONLINE SETTLEMENT REPORTING APPLICATION (ACCESSibility) AUTOMATED MidAmerica CLEARINGHOUSE Administrative & Retirement CALL Solutions, Inc. EXCHANGE Plan SETTLMENT Administration Services SYSTEM (ACCESS) AND ONLINE SETTLEMENT REPORTING APPLICATION (ACCESSibility)

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 Table of Contents 1. Operational Security 2. Physical Security 3. Network

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

VMware vcloud Air SOC 1 Control Matrix

VMware vcloud Air SOC 1 Control Matrix SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits,

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

FormFire Application and IT Security. White Paper

FormFire Application and IT Security. White Paper FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS A White Paper by i2c, Inc. 1300 Island Drive Suite 105 Redwood City, CA 94065 USA +1 650-593-5400 sales@i2cinc.com www.i2cinc.com Table of

More information

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability Service Organization Controls 3 Report Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability for the period May 1, 2015 through October 31, 2015 Ernst &

More information

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA 92123

More information

SECTION I: REPORT OF INDEPENDENT SERVICE AUDITORS... 3 SECTION II: MANAGEMENT OF INTERNAP NETWORK SERVICES CORPORATION'S ASSERTION 5

SECTION I: REPORT OF INDEPENDENT SERVICE AUDITORS... 3 SECTION II: MANAGEMENT OF INTERNAP NETWORK SERVICES CORPORATION'S ASSERTION 5 SOC 2 - Availability Report on Internap Network Services Corporation's Description of its SEF Company-Controlled Data Center System and Suitability of Design and Operating of Controls Throughout the Period

More information

Security Whitepaper: ivvy Products

Security Whitepaper: ivvy Products Security Whitepaper: ivvy Products Security Whitepaper ivvy Products Table of Contents Introduction Overview Security Policies Internal Protocol and Employee Education Physical and Environmental Security

More information

Service Organization Control 1 Type II Report

Service Organization Control 1 Type II Report Service Organization Control 1 Type II Report Description of ViaWest, Inc. s Colocation System For the Period October 1, 2012 through September 30, 2013 With Independent Service Auditor s Assurance Report

More information

HOW MX PROTECTS YOUR DATA

HOW MX PROTECTS YOUR DATA HOW MX PROTECTS YOUR DATA Overview MX is passionate about and dedicated to protecting, safeguarding, and securing customer data. To do so, MX has established a strong security program supported by a comprehensive

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Hosted Testing and Grading

Hosted Testing and Grading Hosted Testing and Grading Technical White Paper July 2014 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

INDEPENDENT PRACTITIONER S TRUST SERVICES REPORT LIQUID WEB, INC.

INDEPENDENT PRACTITIONER S TRUST SERVICES REPORT LIQUID WEB, INC. INDEPENDENT PRACTITIONER S TRUST SERVICES REPORT LIQUID WEB, INC. Web Hosting Services Trust Services Report on Management s Assertion (SOC 3) As Of June 30, 2014 LIQUID WEB, INC. Trust Services Report

More information

Tel: +1 123 456 7890 Fax: +1 123 456 7890 ey.com. Report of Independent Auditors

Tel: +1 123 456 7890 Fax: +1 123 456 7890 ey.com. Report of Independent Auditors Ernst & Young LLP Suite 3300 370 17th Street Denver, Colorado 80202-5663 Tel: +1 123 456 7890 Fax: +1 123 456 7890 ey.com To the Management of NTT America, Inc.: Report of Independent Auditors We have

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Report of Independent Auditors

Report of Independent Auditors Ernst & Young LLP Suite 3300 370 17th Street Denver, Colorado 80202-5663 Tel: +1 720 931 4000 Fax: +1 720 931 4444 www.ey.com Report of Independent Auditors To the Management of NTT America, Inc.: We have

More information

Frankfurt Data Centre Overview

Frankfurt Data Centre Overview Technical Services Briefing Document Frankfurt Data Centre Overview Version 2.1 Contents Introduction... 3 TelecityGroup Data Centre in Frankfurt... 4 Data Centre Characteristics... 4 Technologies in Use

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology 6G Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology TABLE OF CONTENTS Page Report on Internal Controls Related to Information Technology Network and Network Security 1

More information

1 Introduction 2. 2 Document Disclaimer 2

1 Introduction 2. 2 Document Disclaimer 2 Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

SaaS Security for the Confirmit CustomerSat Software

SaaS Security for the Confirmit CustomerSat Software SaaS Security for the Confirmit CustomerSat Software July 2015 Arnt Feruglio Chief Operating Officer The Confirmit CustomerSat Software Designed for The Web. From its inception in 1997, the architecture

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Security and Data Center Overview

Security and Data Center Overview Security and Data Center Overview September, 2012 For more information, please contact: Matt McKinney mattm@canadianwebhosting.com 888-821-7888 x 7201 Canadian Web Hosting (www.canadianwebhosting.com)

More information

Understanding Sage CRM Cloud

Understanding Sage CRM Cloud Understanding Sage CRM Cloud Data centre and platform security whitepaper Document version 2016 Table of Contents 1.0 Introduction 3 2.0 Sage CRM Cloud Data centre Infrastructure 4 2.1 Site location 4

More information

SAS 70 Type II Audits

SAS 70 Type II Audits Thinking from IntraLinks SAS 70 Type II Audits SAS 70 Type II Audits Ensuring Data Security, Reliability and Integrity If your organization shares sensitive data over the Internet, you need rigorous controls

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

SSAE 16 SOC 1 Type 2

SSAE 16 SOC 1 Type 2 SSAE 16 SOC 1 Type 2 Independent Service Auditor s Report on Management s Description of a Service Organization s System and the Suitability of the Design and Operating Effectiveness of Controls September

More information

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing Netop Environment Security Unified security to all Netop products while leveraging the benefits of cloud computing Contents Introduction... 2 AWS Infrastructure Security... 3 Standards - Compliancy...

More information

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating (SOC 1) For the period August 1, 2014 through July 31, 2015 In Accordance

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security Overview Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security Blackboard Collaborate web conferencing is available in a hosted environment and this document

More information

Famly ApS: Overview of Security Processes

Famly ApS: Overview of Security Processes Famly ApS: Overview of Security Processes October 2015 Please consult http://famly.co for the latest version of this paper Page 1 of 10 Table of Contents 1. INTRODUCTION TO SECURITY AT FAMLY... 3 2. PHYSICAL

More information

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Secure, Scalable and Reliable Cloud Analytics from FusionOps White Paper Secure, Scalable and Reliable Cloud Analytics from FusionOps A FusionOps White Paper FusionOps 265 Santa Ana Court Sunnyvale, CA 94085 www.fusionops.com World-class security... 4 Physical Security...

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Security Document. Issued April 2014 Updated October 2014 Updated May 2015

Security Document. Issued April 2014 Updated October 2014 Updated May 2015 Security Document Issued April 2014 Updated October 2014 Updated May 2015 Table of Contents Issued April 2014... 1 Updated October 2014... 1 Updated May 2015... 1 State-of-the-art Security for Legal Data...

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

KeyLock Solutions Security and Privacy Protection Practices

KeyLock Solutions Security and Privacy Protection Practices KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout

More information

Best Practices Report

Best Practices Report Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Altus UC Security Overview

Altus UC Security Overview Altus UC Security Overview Description Document Version D2.3 TABLE OF CONTENTS Network and Services Security 1. OVERVIEW... 1 2. PHYSICAL SECURITY... 1 2.1 FACILITY... 1 ENVIRONMENTAL SAFEGUARDS... 1 ACCESS...

More information

State of Texas. TEX-AN Next Generation. NNI Plan

State of Texas. TEX-AN Next Generation. NNI Plan State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...

More information

Tk20 Network Infrastructure

Tk20 Network Infrastructure Tk20 Network Infrastructure Tk20 Network Infrastructure Table of Contents Overview... 4 Physical Layout... 4 Air Conditioning:... 4 Backup Power:... 4 Personnel Security:... 4 Fire Prevention and Suppression:...

More information

Perceptive Software Platform Services

Perceptive Software Platform Services Perceptive Software Platform Services CLOUD SOLUTIONS process and content management Perceptive Software Platform Services Perceptive Software process and content management systems have been deployed

More information

KEEN - Reliable Infrastructure, Built to Last

KEEN - Reliable Infrastructure, Built to Last KEEN - Reliable Infrastructure, Built to Last 2 KEEN--Reliable Infrastructure, Built to Last A strong network infrastructure is the underpinning of the Knowledge Elements Education Network (KEEN). It is

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

White paper. SAS Solutions OnDemand Hosting Overview

White paper. SAS Solutions OnDemand Hosting Overview White paper SAS Solutions OnDemand Hosting Overview Contents Overview...1 Cary 1 Facility Specifications...2 Cary 2 Facility Specifications (SAS New Cloud Computing Center)...3 Charlotte 1 Facility Specifications...4

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

BOLDCHAT ARCHITECTURE & APPLICATION CONTROL

BOLDCHAT ARCHITECTURE & APPLICATION CONTROL ARCHITECTURE & APPLICATION CONTROL A technical overview of BoldChat s security. INTRODUCTION LogMeIn offers consistently reliable service to its BoldChat customers and is vigilant in efforts to provide

More information

CounselorMax and ORS Managed Hosting RFP 15-NW-0016

CounselorMax and ORS Managed Hosting RFP 15-NW-0016 CounselorMax and ORS Managed Hosting RFP 15-NW-0016 Posting Date 4/22/2015 Proposal submission deadline 5/15/2015, 5:00 PM ET Purpose of the RFP NeighborWorks America has a requirement for managed hosting

More information

Improving. Summary. gathered from. research, and. Burnout of. Whitepaper

Improving. Summary. gathered from. research, and. Burnout of. Whitepaper Whitepaper Improving Productivity and Uptime with a Tier 1 NOC Summary This paper s in depth analysis of IT support activities shows the value of segmenting and delegatingg activities based on skill level

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

Itron Cloud Services Offering

Itron Cloud Services Offering Itron Cloud Services Offering WHITE PAPER TABLE OF CONTENTS Introduction... 3 Types of Services... 3 Software as a Service (SaaS)...3 Managed Services...3 On-site Managed Services...3 Benefits... 3 Infrastructure...

More information

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 As organizations unlock the true potential of meeting over the web as an alternative to costly and timeconsuming travel,

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

Standard CIP-006-3c Cyber Security Physical Security

Standard CIP-006-3c Cyber Security Physical Security A. Introduction 1. Title: Cyber Security Physical Security of Critical Cyber Assets 2. Number: CIP-006-3c 3. Purpose: Standard CIP-006-3 is intended to ensure the implementation of a physical security

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

800 319 5581 800 319 5582 Fax www.protectmyministry.com www.mobilizemyministry.com

800 319 5581 800 319 5582 Fax www.protectmyministry.com www.mobilizemyministry.com 800 319 5581 800 319 5582 Fax www.protectmyministry.com www.mobilizemyministry.com Protect My Ministry websites including www.ministryopportunities.org have the following SSL Certificates and protection:

More information

Music Recording Studio Security Program Security Assessment Version 1.1

Music Recording Studio Security Program Security Assessment Version 1.1 Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND

More information

Woodcock-Johnson and Woodcock-Muñoz Language Survey Revised Normative Update Technical and Data Security Overview

Woodcock-Johnson and Woodcock-Muñoz Language Survey Revised Normative Update Technical and Data Security Overview Houghton Mifflin Harcourt - Riverside (HMH - Riverside) is pleased to offer online scoring and reporting for Woodcock-Johnson IV (WJ IV) and Woodcock-Muñoz Language Survey Revised Normative Update (WMLS-R

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

Information for Management of a Service Organization

Information for Management of a Service Organization Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure

More information

Departmental On-Site Computing Support (DOCS) Server Support SLA

Departmental On-Site Computing Support (DOCS) Server Support SLA 1 General Overview This is a Service Level Agreement ( SLA ) between the customer and Departmental On-site Computing Support (DOCS) to document: The technology services DOCS provides to the campus. The

More information

Information Security Network Connectivity Process

Information Security Network Connectivity Process Information Security Network Connectivity Process Handbook AS-805-D September 2009 Transmittal Letter A. Purpose It is more important than ever that each of us be aware of the latest policies, regulations,

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services

Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services Independent Service Auditor s Report on s Placed in Operation and Tests of Operating Effectiveness For the Period of April 1, 2008, to

More information

4 Testing General and Automated Controls

4 Testing General and Automated Controls 4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn

More information

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service) Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed

More information

GMS GRAPHICAL MANAGEMENT SYSTEM

GMS GRAPHICAL MANAGEMENT SYSTEM GMS GRAPHICAL MANAGEMENT SYSTEM 1 GMS The integrated security management system for multi-site organizations. Pacom s Graphical Management System (GMS) is the modular client-server application that integrates

More information