Fujitsu A/S

Independent Service Auditor's Assurance Report on IT General Controls regarding IS CORE Services in Denmark in the period 1 November 2011 to 31 October 2012
Content

1 Service Organisation's Assertion
2 Fujitsu A/S description of IT General Controls for IS CORE Services in Denmark
  2.1 Scope for this report
  2.2 The IS CORE organisation
    Description of the IS CORE organization
    Infrastructure Services
    Solution Group & Project Management
    Customer Services
    Service Delivery Management
    Strategic Outsourcing and Service Sales
    Supply Management
    Financial Controlling
    Security Management
  2.3 Services
    Service Portfolio
    Procedures
  2.4 Governance
    Cooperation model
    Service Delivery Management
    Operational reporting
  2.5 Customer Solution Lifecycle (CSLC)
  2.6 The customer's responsibility
3 Service Auditor's Assurance Report
4 Control objectives, controls, tests and related findings
Additional information
  Other information
  The Act on Processing of Personal Data
  Certification/Compliance level
  ITIL/ISO20000 implementation status
  Global/Nordic cooperation

PwC 2 of 21
1 Service Organisation's Assertion
2 Fujitsu A/S description of IT General Controls for IS CORE Services in Denmark

2.1 Scope for this report

The IT general controls covered by this report include the following operating systems and the network related to them:
- Windows
- Unix/Linux
- iSeries
for the data centres in Ballerup and Hellerup.

2.2 The IS CORE organisation

Description of the IS CORE organization

IS CORE is one of three Fujitsu delivery organisations based in Denmark (the others are Application Service and Product & Field Services). The IS CORE organisation is divided into five areas: Infrastructure Services, Solution Group, Customer Services, Service Delivery Management, and Strategic Outsourcing and Service Sales. It also comprises the related staff functions Supply Management, Security and Financial Controlling. The primary services delivered by the IS CORE delivery organisation are hosting, data centre services (Windows/Linux/Unix), network (WAN/LAN, mobility) and ServiceDesk. Fujitsu currently has two data centres, charged with monitoring and operating approx. 1,700 servers and delivering first level ServiceDesk services to approx. 500 users. As at September 2012, IS CORE had a total of 82 employees.

Infrastructure Services

Infrastructure Services is divided into four departments: Remote Infrastructure Management (RIM), Network & DataCenter Management, System Management and Nordea Service Center. Its primary function is to supply professional back office IT services covering a wide spectrum of IT operation and delivery services. RIM, Network & DataCenter Management and System Management operate as IT specialists in the technical disciplines of the delivery apparatus, serving as systems engineers in matters relating to Windows, UNIX, Linux, iSeries, data management, backup and storage management, system management and network infrastructure handling. They are also responsible for the physical data centre set-up.
The individual departments' areas of responsibility are described in detail in the following sections. The Nordea Service Center department supports Nordea in a 24/7 set-up that supplements the IT specialist responsibility with an agreed 24-hour monitoring and operation service. The department is customer-specific and therefore not part of the current statement of warranties and representations.

System Management

The System Management department delivers backup/restore, desktop deployment, storage and asset management services. The Backup/Restore team is responsible for backing up our hosted servers, and its duties include day-to-day control and troubleshooting. The team is also part of a 24/7 shift. The Desktop Deployment team is responsible for customer infrastructure, including application packaging and maintenance, and caters to customers who have purchased this service.
Storage is responsible for delivering storage services, including the allocation of storage and maintenance, and caters to customers who have purchased this service. Asset management is responsible for ensuring that our Configuration Management Database (CMDB) is up-to-date and for monthly reporting to Service Delivery Management.

Network & DataCenter Management

The Network department is responsible for all operation and delivery relating to our network infrastructure, for ensuring availability of the required capacity, and for ensuring that security measures comply with the audit standards for physical as well as logical network security. Data Center Management is responsible for the operation of our two data centres in Ballerup and Hellerup. This responsibility includes the comprehensive physical equipment set-up as well as labelling and documenting the physical installation. It is also responsible for servicing and testing the data centre infrastructure (power, cooling, UPS, alarms etc.) and for availability of the required capacity.

Remote Infrastructure Management

RIM has overall responsibility for the operation, delivery and administration of the various server platforms handled by IS CORE: Windows/Intel, Linux, UNIX and iSeries. For each platform, RIM is responsible for the operating system as well as related function areas, for instance VMware, Citrix, MS SQL, Oracle, Exchange, Patch Management and SAP Basis. The area comprises implementation, standardisation, optimisation and support in relation to new deliveries and sales, proactive service monitoring, second level support in connection with incident and problem management, regular optimisation, change management and participation in 24/7 day-to-day operation shifts. All these activities are focused on compliance with the contractual terms of the SLA.
Within each area, a technical lead has been appointed with primary responsibility for the relevant area, including, e.g., optimisation, ensuring that the area's development plans are adhered to, and participation in new sales activities and additional sales to existing customers.

Global Delivery Centre

Fujitsu owns 9 Global Delivery Centres (GDC), placed around the world. From these GDCs, offerings such as Monitoring and Management, SAP Management and Service Desk are delivered. Fujitsu Danmark uses resources from the global Fujitsu organisation's Global Delivery Center (GDC) in conjunction with these specific offerings. Since January 2012 Fujitsu has run a project in which a number of the service offerings delivered to customers in Denmark will be delivered using a GDC as subcontractor. Before a GDC is used as subcontractor by Fujitsu Denmark, a risk assessment of the GDC and of the actual delivery is performed. Fujitsu Denmark's customers will continue to have Fujitsu Denmark as their primary contact and will be informed before the transformation of the delivery; in addition, a data transfer agreement will be signed in accordance with guidelines from Datatilsynet. If the service covers tasks that fall under the Directive of the European Parliament and of the Council of 25 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, this is handled by Fujitsu and Datatilsynet; see the section on the Act on Processing of Personal Data. In line with the increased use of the GDC delivery organisation, the Danish organisation and department structure have been adjusted.

Nordic organization

To support and strengthen Fujitsu's global setup, a Nordic organisation has been implemented as of 1st September 2012, creating a common Nordic business unit. This secures increased utilisation of resources and knowledge across the Nordic borders.
2.2.3 Solution Group & Project Management

Solution Group

Solution Group operates as a presales function in relation to Strategic Outsourcing and Service Sales and Service Delivery Management. Solution Group handles the following tasks:
- Preparation of technical design for existing as well as new customers
- Preparation of quotations (technical) for customers
- Preparation of contractual appendices
- Advice on technical design
- Service description maintenance
- Cost calculation

Project Management

Project Management is responsible for implementing transition projects in accordance with the signed contract. The project plan is the task description for the project manager and the project group. The project manager is authorised to change time schedules for the individual tasks and the persons performing them as long as the master plan is not affected. Changes to the completion of the total project and its phases must be approved by the steering group. The project manager prepares detailed specifications for the tasks to be performed. Content, objectives and time schedules are agreed with the persons performing the individual tasks. The project manager regularly monitors the project development in relation to the approved time schedule. Any deviations from the plan trigger the required corrective measures. The project manager is responsible for ongoing reporting of progress and identified risks as well as for clarifying any required changes.

Customer Services

Customer Services is divided into four departments: ServiceDesk, On-site, Change Management and Problem Management. The primary function is to deliver professional services covering a wide spectrum of IT operation and delivery services. ServiceDesk operates as a single point of contact (SPOC) for all our customers' users. The service may cover specific ServiceDesk services, correcting end-user errors and resolving incidents, or function as an error message point for customers' own IT function.
On-site operates as an extension of ServiceDesk, performing work tasks that can only be performed directly at the users' locations. Task examples include local troubleshooting or software installation, installation or dismantling of hardware, and general user support. Change Management handles change tasks in IS CORE, and Problem Management handles problems in IS CORE. Both departments use ITIL processes.

Service Delivery Management

Service Delivery Management has the day-to-day responsibility vis-à-vis operating customers for ensuring that operations generally follow the agreed processes, that the agreed services are delivered and that the operating status is regularly reported. The ongoing reporting generally follows Fujitsu's standard reporting procedures and contains, e.g., information on SLA compliance, capacity status and financial reporting. Service Delivery Management holds regular status meetings with the customer, clarifying any deviations from the agreement and following up on the project status, among other issues. Service Delivery Management is also responsible for ongoing invoicing and for performing customer satisfaction interviews. Together with Strategic Outsourcing and Service Sales, Service Delivery focuses on optimisation and growth of existing contracts.
2.2.6 Strategic Outsourcing and Service Sales

The focus of Strategic Outsourcing and Service Sales is to build the service sales pipeline and to expand the customer portfolio by winning IT service contracts involving outsourcing. The primary focus is on infrastructure services (IS). Our primary segment is customers with more than 250 IT employees in the private and public sector. The main focus of infrastructure services contracts is data centre and desktop-managed service contracts and ServiceDesk offerings for first and second level support. Together with Service Delivery Management, Strategic Outsourcing and Service Sales focuses on optimisation and growth of existing contracts as well as on building a pipeline of new customers.

Supply Management

Supply Management has the primary accountability for the partnership with the Offshore Supplier and thereby for all services provided by the Offshore Supplier to FSDK. The responsibility covers meetings and follow-up on KPIs and the economic figures agreed in the contract.

Financial Controlling

Financial Controlling collects and records accounting data and prepares and delivers accounting and analysis material to the entire IS CORE organisation. Financial Controlling is primarily responsible for presenting budgets and forecasts. Input is collected in cooperation with the management and the persons responsible for customer relations at IS CORE.

Security Management

Security Management is an internal administrative security function that ensures the implementation and updating of security and quality procedures. The responsibility for technical security is placed within the line organisation. Its tasks are:
- Ensuring that security and quality procedures are implemented and updated
- Primary contact to auditors
- Monthly/quarterly Self-Assessment
- Ensuring that risk assessments are performed
- Assistance in the preparation, updating and testing of contingency plans
IS CORE's security manager represents IS CORE in Fujitsu's information security committee.
2.3 Services

Service Portfolio

IS CORE has a service portfolio forum called the Service Portfolio Management Forum. IS CORE's Service Portfolio Management Forum comprises the following areas:
- New services
- Approved services, part of the service catalogue
- Discontinued services
Regular meetings are held to review IS CORE's service portfolio, including the following points:
- Launch of the preparation of new service descriptions based on, e.g., input from IS CORE's strategy, sales input and customer requirements
- Follow-up on launched service design and implementation
- Review of the service catalogue and an assessment of whether services should be phased out.
Service catalogue

The service catalogue includes a general overview of all IS CORE service descriptions, including:
- An overview of all applicable service descriptions
- An overview of the service description history
- An overview of coming services
The primary and most commonly used standard services are:
- UK_Server_Management_Service
- UK_Server_Capacity_Service
- UK_Hosting_Service
- UK_SAN_Service
- UK_NAS_Service
- UK_Backup_Service
- UK_AD_Management_Service
- UK_Database_Management_Service
- UK_Exchange_Management_Service
- UK_Firewall_Service
- UK_Internet_Service
- UK_Wan_avaliability_service
- DK_Servicedesk
- DK_ _Spam_and_Anti-virus_service
- UK_Citrix_and_Terminal_Management_Service
- UK_iSeries_Server_Management_Service
For customers, a customer-specific service catalogue can be prepared that includes a brief overview of services as well as sales prices.

Procedures

IS CORE delivers the services specified above using the control measurements and control activities described later in this report.

2.4 Governance

Cooperation model

With a view to ensuring the best possible cooperation between the customer and Fujitsu in connection with the delivery of the agreed services, a cooperation organisation is set up that includes a joint meeting structure.

Cooperation organisation

The cooperation organisation comprises the following levels/groups:

Strategic level: Steering group
The steering group handles overall steering matters such as:
- Overall contractual matters
- Follow-up on service objectives as well as financial objectives
- Cooperation relations, including any conflict resolution
- Strategic and political plans as well as initiatives
- Overall proactive advisory services
- Overall objectives and visions
- In special cases, working groups
The steering group comprises responsible decision-makers from the customer as well as from Fujitsu.

Operational level: Follow-up on operations; follow-up on projects
The operations and project follow-up group is responsible for handling general operational and project-related issues in relation to services.
2.4.2 Service Delivery Management

In connection with its taking over of operations, Fujitsu appoints a Service Delivery Manager. Throughout the operation period, the Service Delivery Manager handles all ongoing tasks mentioned in the Service Delivery Management section above and has an escalation responsibility vis-à-vis the customer so that all measures are taken in accordance with the agreed SLA. The Service Delivery Manager is Fujitsu's representative vis-à-vis the customer as concerns contractual aspects and is hence responsible for compliance in all dealings with the customer. The Service Delivery Manager has the following areas of responsibility:
- The customer's point of contact in all matters relating to the contract
- Fujitsu's ambassador vis-à-vis the customer
- Holding steering group meetings with the customer
- Holding operating meetings with the customer
- Holding internal operating meetings
- Preparing operational reports
- Asset management
- Internal escalation
- Launching new projects
- Solving problems inside the Fujitsu organisation as well as in relation to the customer
- Annual customer opinion survey

Reporting

The Service Delivery Manager is responsible for ensuring regular reporting on recent operational performance.

Operational reporting

Operational reporting is performed at regular intervals as agreed in the contract. It follows Fujitsu's standard template and most often contains information on:
- Status on meeting service objectives, SLA and service quality in general
- Evaluation and follow-up on ongoing tasks and cases
- Change management
- Project portfolio overview / portfolio management
- Proactive advisory services, primarily on an operational level
- Use of capacity, licences and disk space
- Future and ongoing activities and implementation tasks, including project-related long term tasks
- Status and progress reports on current projects

2.5 Customer Solution Lifecycle (CSLC)

Fujitsu uses the international Fujitsu CSLC model in connection with the sale, implementation and delivery of contracts/services. CSLC is a 10-phase model that defines Fujitsu's management of the lifecycle process. It covers the phases from the time when:
- Opportunities (solutions or services) arise/are identified
- Via sales, ending with a contract
- Via implementation/transition
- To the subsequent operation/maintenance of the solution/services.
The model is completed when the contract is terminated. The model is used by everyone involved in the sale, implementation and operation/maintenance, the focus being on approving the individual phases.

2.6 The customer's responsibility

The customer is responsible for the preparation of risk assessments and contingency plans to ensure that the customer's business activities can be carried on in a disaster situation.
The customer is responsible for physical safety at its own location, including access to and protection of server rooms (such as emergency power and fire detection). Other responsibilities are distributed as agreed between Fujitsu and the customer in contracts/operation manuals. Such responsibilities may include:
- Hardware
- Licences
- User administration
- Applications
- Third-party suppliers
3 Service Auditor's Assurance Report

To the Management of Fujitsu A/S (Fujitsu), Fujitsu's customers of IS CORE Services and their auditors

Scope

We have been engaged to report on Fujitsu's description in section 2 of IS CORE Services in Denmark throughout the period 1 November 2011 to 31 October 2012 and on the design and operation of controls related to the control objectives stated in the description.

Fujitsu A/S's responsibilities

Fujitsu A/S is responsible for:
- preparing the description and accompanying assertion in section 2, including the completeness, accuracy and method of presentation of the description and assertion;
- providing the services covered by the description;
- stating the control objectives; and
- designing, implementing and effectively operating controls to achieve the stated control objectives.

Service Auditor's responsibilities

Our responsibility is to express an opinion on Fujitsu's description and on the design and operation of controls related to the control objectives stated in the description, based on our procedures.

We conducted our engagement in accordance with International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organisation, issued by the International Auditing and Assurance Standards Board. This standard requires that we comply with ethical requirements and plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.

An assurance engagement to report on the description, design and operating effectiveness of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in the service organisation's description of its system, and the design and operating effectiveness of controls. The procedures selected depend on the service auditor's judgement, including the assessment of the risks that the description is not fairly presented and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein and the suitability of the criteria specified by the service organisation.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Limitations of controls at a service organisation

Fujitsu's description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the IT General Controls that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organisation may become inadequate or fail.

PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab, Strandvejen 44, 2900 Hellerup
4 Control objectives, controls, tests and related findings

Control objective: Information security policy and risk management
Management has prepared an information security policy which sets out clear objectives for IT security, including choice of frame of reference and allocation of resources. The information security policy is maintained with regard to an actual risk assessment.

Fujitsu control: Information security policy
Fujitsu A/S (Fujitsu) has prepared an information security policy that reflects the enterprise's business areas. This policy is based on the standards that Fujitsu follows:
- ISO27001:2007/DS484:2005 compliance
- PCI DSS rel. 2.0 (October 2012) certified
Fujitsu's policy is supported by a detailed set of rules and a set of procedures that are included in Fujitsu's Information Management System.
PwC test: We have moreover reviewed the information security policy and inspected that the policy is updated and approved.

Fujitsu control: Risk assessment
Fujitsu carries out risk assessments of IS CORE's information assets. The risk assessment is carried out systematically using tools. Risk assessments are carried out at least once a year. The responsibility for the risk assessment is placed with system and data owners, who launch the assessment in cooperation with a person responsible for assessment.
PwC test: We have moreover reviewed the risk assessment and inspected that the assessment has been made within the latest year.

Fujitsu control: Change management
Change management is planned to ensure stable operations via planning and control, so that any addition, removal and modification of equipment/applications is made with the least possible risk of errors and interruptions. Change management is handled via standard methods and procedures to ensure a clear allocation of responsibilities and coordination of all changes. The change management procedure comprises the following steps: registration, assessment, planning, build/testing, performance and approval.
PwC test: We have moreover verified that the procedure is supported by a system and that the system contains the functionality necessary to gain an overview of open and closed changes. Using judgemental samples, we have also inspected that changes performed comply with the change management procedure.
Control objective: Physical security
Operation takes place from rooms which are protected against damage caused by physical conditions such as fire, water damage, power failure, breaking and entering or vandalism.

Fujitsu control: Server room/secure areas
All server rooms are provided with raised access computer flooring and are protected against the inflow of water and moisture from the outside. Moisture detectors are installed in all server rooms. Three-phase power supply is provided, and all servers are supplied from two different phases (where possible). To ensure uninterrupted power supply, UPS and emergency power generators have been installed to take over in the event of supply failure. For fire protection purposes, four detector and argonite/inergen fire extinguishing systems have been installed, and an alarm is connected to an external supplier. Manual fire extinguishers are placed strategically. All server rooms and secure areas are video-monitored. UPS, generators and inergen pressure are checked on a monthly basis, and all installed moisture and temperature sensors are tested.
PwC test: We have moreover inspected that preventive systems are present in the server room, including:
- Raised floor
- Safeguard against moisture
- Moisture detectors
- Redundant server power supply
- UPS and emergency generator
- Fire fighting system
- Video surveillance
We have also reviewed documentation of continuous maintenance and testing of equipment and alerts.

Fujitsu control: Access to server rooms/secure areas
Access to server rooms/secure areas is given based on an assessment of the need for access. It is primarily IS CORE employees who have server room access.
PwC test: During a visit to the server room, we have moreover observed that access to secure areas is restricted through the use of an access system. Using judgemental samples, we have also reviewed the procedures for physical security in secure areas to assess whether access to these areas requires approval from Management.
Control objective: Access control
Operation takes place from rooms which are protected by physical access controls, limiting the risk of unauthorised access.

Fujitsu control: Access control
In Fujitsu's buildings, all exterior doors (apart from the main entrance) and the most central interior doors remain locked at all times and can only be opened using the electronic ID card issued to all employees, which must be worn visibly. Access rights are unique and are allocated to the individual cardholders as agreed with the employees' superiors. Access to secure areas always requires the use of a personal PIN code, and access to other areas requires a personal PIN code outside normal opening hours. All use of access cards at doors and lifts is logged. This log is kept for three months. Logs are regularly reviewed for suspicious activities or events, with particular focus on access outside normal working hours, repeated failed attempts to gain access, and sabotage.
PwC test: We have moreover reviewed the access log. In connection with our review performed in the buildings, we have observed that:
- Indoor locks are locked
- Access to secure areas requires a PIN code
- Employees carry a visible ID
- Access rights are individual
Control objective: Networks/Logical security
Logical access controls are established, limiting the risk of unauthorised access to networks and servers. Suitable business procedures and controls are also established regarding the granting of, following up on and maintenance of access rights to systems and networks.

Fujitsu control: Network setup
Fujitsu uses 802.1x on the internal administration network, which means that only approved computers with installed certificates are permitted access to the internal administration network. Only Fujitsu employees who require access to the customer network can gain such access, via a VPN client and an RSA token (two-factor authentication). Customers' external suppliers are permitted access via VPN, provided that this has been pre-ordered and approved by the customer.
PwC test: We have moreover inspected that VPN access and a certificate are used to obtain access to the internal administration network. We have also reviewed extractions from relevant network components.

Fujitsu control: Customer-Fujitsu relations
For each customer account it is agreed which type of communication should be used between the customer's location and Fujitsu. Each customer contract should specify whether the customer wants a redundant installation at the customer's junction point.
PwC test: We have moreover reviewed contracts with respect to operational deliveries and security level. We have also reviewed regular status reporting to customers concerning performance and security issues.
Findings: We have observed that several contracts exist with an incomplete description of the agreed security level. We have also observed that the procedure has subsequently been adjusted. Management has informed us that the process is expected to be implemented by 31 December. No further exceptions noted.

Fujitsu control: Password control
Fujitsu's standards do not allow the use of default supplier passwords; such passwords must be changed in connection with the installation. A specific procedure describes the password requirements, including combination, length and periodic changes. Server passwords are kept in a separate database, to which access is limited and requires management approval, and in which all changes are logged.
PwC test: Through analysis of configuration extractions, we have moreover reviewed password settings in Windows, Unix and iSeries. We have also observed that the password database is used to store special passwords and that use of the database is logged.
Findings: We have observed weaknesses in relation to the continuous review of users and passwords on specific servers, which do not comply with Fujitsu's requirements. We have subsequently been shown a demonstration of an access control system which will strengthen the validation of users. Management has informed us that the implementation of the access control system is due 31 December. No further exceptions noted.

Fujitsu control: External access
External access to Fujitsu's network requires a VPN connection. Validation of access requires two-factor authentication in the form of an RSA token and a personal code. After three failed log-in attempts, the user is denied access. The token must then be reset and re-enabled via Fujitsu's ServiceDesk.
PwC test: We have moreover observed that the VPN access works via a token and that the user is excluded if a wrong password is entered three times.
Control objective: Networks/Logical security
Logical access controls are established, limiting the risk of unauthorised access to networks and servers. Suitable business procedures and controls are also established regarding the granting of, following up on and maintenance of access rights to systems and networks.

User access
Fujitsu control: All Fujitsu employees have access to the administrative network. Access to the required customer networks, subject to management approval, is only available to employees working at IS CORE who have the required password. User access and rights are subject to monthly random checks.
PwC test: We have moreover reviewed the approval procedures for access to customers' networks. We have also inspected that Self-Assessment is performed on the basis of judgemental samples.

Antivirus
Fujitsu control: Fujitsu uses a leading antivirus product for protection against harmful software on all Windows-based workstations and servers. Servers use an adapted policy that matches the relevant system and its role. Incidents are reported via agents to a central log server, which is checked regularly.
PwC test: Using random samples, we have observed that antivirus is installed on Windows-based workstations and servers. We have moreover reviewed the antivirus procedures.

Firewall
Fujitsu control: Fujitsu uses market-leading products for the firewalls used in the network. Only trusted employees from the network group have access to administer these systems. All access logins are accumulated in an access history log. When implementing a new firewall, the initial set-up is defined in a set of rules. As a starting point, the primary rule is Deny All. All firewalls are documented in an internal system to which only trusted persons have access. Configuration files are regularly backed up. All changes to the set of rules are implemented based solely on an approved request for change (RFC). This procedure applies irrespective of whether the change is requested by Fujitsu, a customer or an application supplier. Firewall changes are subject to monthly Self-Assessment, where the approved RFC is matched against the relevant set of rules. Any deviations are recorded and corrective action initiated.
PwC test: Through review of firewall extractions, we have inspected that:
- only trusted employees have access to administration of these systems
- in the implementation of new firewalls, specific rules are applied which as a minimum include the Deny All rule
- all firewalls are documented in a secure system
- changes are implemented on the basis of an approved request for change (RFC)
- a monthly review is performed of any changes to the firewall rules

Findings: We have observed that there is no regular review of users (Fujitsu users) on customers' platforms. We have been informed that the implementation of the new access control system, which is due 31 December 2012, will improve the user review. No further exceptions noted.
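The Deny All starting point and the monthly Self-Assessment that matches approved RFCs against the live rule set, as described under Firewall, lend themselves to an automated check. The following is an added example and not Fujitsu's or PwC's tooling: it assumes a simplified five-field rule syntax, a constructed RFC register with hypothetical change identifiers, and constructed rule sets. It reports live rules with no approved RFC behind them, approved changes that were never implemented, and whether the catch-all deny is still the final rule (a permit placed after it never matches, and a rule set without it is exactly the gap the Deny All starting point exists to close).

```python
"""Monthly firewall self-assessment: reconcile the live rule set against the
installation baseline plus the rules authorised by approved RFCs, and check
that the default-deny posture is intact.

Added example; not Fujitsu's or PwC's code. The rule syntax, the RFC
register and all rule sets below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    port: str     # destination port or "any"


CATCH_ALL_DENY = Rule("deny", "any", "any", "any", "any")


def parse_rules(text):
    """One rule per line: '<action> <proto> <src> <dst> <port>'; '#' starts a
    comment. Order is kept because the firewall matches the first rule first."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action.lower(), proto.lower(), src, dst, port))
    return rules


def assess_default_deny(live):
    """Return (ok, unreachable). ok means the last rule is the catch-all deny;
    unreachable lists rules placed after a catch-all deny, which never match."""
    for i, rule in enumerate(live):
        if rule == CATCH_ALL_DENY:
            return i == len(live) - 1, live[i + 1:]
    return False, []


def reconcile(baseline, approved_rfcs, live):
    """unauthorised: live rules with no baseline entry and no approved RFC.
    missing: rules from approved RFCs that are absent from the live set."""
    authorised = set(baseline)
    for rules in approved_rfcs.values():
        authorised.update(rules)
    live_set = set(live)
    unauthorised = [r for r in live if r not in authorised]
    missing = [(rfc_id, r) for rfc_id, rules in approved_rfcs.items()
               for r in rules if r not in live_set]
    return unauthorised, missing


# Constructed baseline applied at firewall installation (primary rule: Deny All).
BASELINE = parse_rules("""
permit tcp any            10.10.0.0/24  443
permit tcp 10.20.0.0/24   10.10.0.0/24  22
deny   any any            any           any
""")

# Constructed RFC register: hypothetical change IDs and the rules each approved.
APPROVED_RFCS = {
    "RFC-0042": parse_rules("permit tcp 10.30.0.0/24 10.10.0.10/32 1433"),
    "RFC-0057": parse_rules("permit udp 10.10.0.0/24 10.10.0.53/32 53"),
}

# Constructed extraction of the live rule set at month end.
LIVE_RULES = """
permit tcp any            10.10.0.0/24   443
permit tcp 10.20.0.0/24   10.10.0.0/24   22
permit tcp 10.30.0.0/24   10.10.0.10/32  1433   # RFC-0042
permit tcp any            10.10.0.10/32  3389   # no RFC on file
deny   any any            any            any
"""


def self_assessment(live_text, baseline=BASELINE, approved_rfcs=APPROVED_RFCS):
    """Produce the deviation report the monthly Self-Assessment records."""
    live = parse_rules(live_text)
    default_deny_ok, unreachable = assess_default_deny(live)
    unauthorised, missing = reconcile(baseline, approved_rfcs, live)
    return {
        "default_deny": default_deny_ok,
        "unreachable": unreachable,
        "unauthorised": unauthorised,   # change made without an approved RFC
        "missing": missing,             # approved change never implemented
    }


if __name__ == "__main__":
    for key, value in self_assessment(LIVE_RULES).items():
        print(f"{key}: {value}")
```

Run against the constructed extraction, the report flags the RDP permit that has no RFC on file and the approved DNS rule that was never implemented; both are the deviations the monthly Self-Assessment exists to record and act on, and the unreachable-rule check catches the case where a change was placed below the catch-all deny and silently does nothing.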
Control objective: Logging
Incidents and problems are identified and dealt with.

Logging
Fujitsu control: If agreed between Fujitsu and the customer, transactions on agreed servers are logged and analysed. Transactions are logged with primary focus on events such as failed logins, invalid usernames and failed authentications. Fujitsu uses a centralised logging platform.
PwC test: We have moreover reviewed log settings based on system extractions from platforms and systems.
Findings: We have observed that security logging is not activated on all servers. We have subsequently been informed that Fujitsu has initiated corrective action; equipment has been procured and installed, and a project plan for implementation has been prepared. Management has informed that the implementation is due 31 December. No further exceptions noted.

Control objective: Server management
Appropriate business procedures and controls are established regarding operations.

Installation
Fujitsu control: Servers that must meet ISO27001/DS484 requirements and comply with the PCI standard are installed in accordance with standards based on best practice so that, e.g., all unnecessary services are disabled.
PwC test: ... procedures/control activities which ... We have moreover reviewed system extractions from relevant servers.
Findings: We have observed that the prepared security baselines for Unix and Windows have been incomplete and not implemented. We have subsequently received updated security baselines. Management has informed that baselines are initially implemented when new servers are installed. Additionally, a Self-Assessment control is performed to remedy the weakness. No further exceptions noted.

Server management
Fujitsu control: All installed servers are subject to monthly health checks in accordance with the applicable procedures. Health check output is handled by the Service Delivery Manager, who reports this information to the customer, cf. the standard reporting agreement.
PwC test: ... procedures/control activities which ... We have moreover inspected that health checks are performed, including follow-up thereon.
Findings: On Unix servers, we have observed that the SSH protocol allows unauthorised admin access to the network. Management has informed that corrective actions have been initiated. We have observed that security health checks on Unix platforms are not being performed. Management has informed that corrective actions are being implemented by 31 December. No further exceptions noted.
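The logging control above singles out failed logins, invalid usernames and failed authentications collected on a centralised platform. The following added example (not Fujitsu's or PwC's code) shows the analysis those events support once they are actually collected: a parser for sshd auth.log lines, a per-source sliding-window count that raises an alert at an assumed threshold of three failures within five minutes (the report states no threshold), and a list of non-existent usernames tried per source, which is the username-enumeration signal. The log lines, hostnames, addresses and timestamps are constructed; syslog lines carry no year, so one is assumed when parsing.

```python
"""Failed-login analysis over centrally collected sshd auth.log lines.

Added example; not Fujitsu's or PwC's tooling. The sample log, the
threshold and the window are constructed/assumed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format sshd writes to auth.log on Linux.
SAMPLE_LOG = """\
Nov 12 09:15:01 srv01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Nov 12 09:15:03 srv01 sshd[2210]: Failed password for invalid user test from 198.51.100.7 port 51236 ssh2
Nov 12 09:15:04 srv01 sshd[2212]: Failed password for root from 198.51.100.7 port 51240 ssh2
Nov 12 09:15:06 srv01 sshd[2214]: Failed password for root from 198.51.100.7 port 51244 ssh2
Nov 12 09:15:09 srv01 sshd[2216]: Accepted publickey for ops from 10.20.0.15 port 40022 ssh2
Nov 12 09:40:00 srv02 sshd[3001]: Failed password for jdoe from 10.20.0.31 port 49000 ssh2
Nov 12 09:41:30 srv02 sshd[3004]: Accepted password for jdoe from 10.20.0.31 port 49002 ssh2
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(text, year=2012):
    """Extract failed-authentication events. Syslog timestamps have no year,
    so the caller supplies one (assumed 2012 for the constructed sample)."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "host": m["host"],
            "user": m["user"],
            "ip": m["ip"],
            "invalid_user": m["invalid"] is not None,  # account does not exist
        })
    return events


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once a source reaches `threshold` failures inside a sliding
    `window`; one alert per source so a long attack does not flood the queue."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


def invalid_usernames(events):
    """Non-existent accounts tried per source: username enumeration."""
    by_ip = defaultdict(set)
    for ev in events:
        if ev["invalid_user"]:
            by_ip[ev["ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in by_ip.items()}


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print(detect_bruteforce(evs))
    print(invalid_usernames(evs))
```

The same window logic applies to Windows event ID 4625 records or VPN authentication failures once they land on the central platform; only the parser changes. Note that the single failure from 10.20.0.31 followed by a successful login is ordinary user error and is correctly not alerted on.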
Server patching
Fujitsu control: Patching is performed in accordance with applicable procedures. In connection with the implementation, it has been agreed with the customer whether patching requires any application supplier's approval.
PwC test: ... procedures/control activities which ... Based on system extractions from platforms and systems, we have moreover reviewed the patch level. We have also reviewed the patch procedure.
Findings: We have observed Windows and Unix servers which did not have the newest patch level. Management has informed that corrective actions are being implemented by 31 December. No further exceptions noted.

Monitoring
Fujitsu control: Monitoring services cover the monitoring of hardware and operating system, and if additional module monitoring has been purchased, such as SQL or Exchange, special knowledge modules have been installed to handle this. Alarms are generated at different levels, e.g. information, warnings and alarms, based on a baseline.
PwC test: ... procedures/control activities which ... We have moreover verified that monitoring and the necessary alert systems are implemented on all critical systems.

Backup
Fujitsu control: All equipment handled by Fujitsu, according to the specific customer contract and the service description, is included in the backup set-up. Backups are checked on a daily basis, and failed groups are restarted. Backup tapes are stored in a fire safe in separate rooms. Monthly Self-Assessment controls are performed to ensure that restore tests are performed and documented.
PwC test: ... procedures/control activities which ... We have moreover observed a sample of system-level backup procedures for evidence that they are formally documented. We have observed the physical security features (e.g., restricted physical access) of the off-site storage facilities for evidence that system-level backups are stored securely. We have furthermore inspected a sample of backup logs associated with system-level backups for evidence that backups have executed successfully or, if not, that remedial action was taken.
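Installation (unnecessary services disabled, security baselines for Unix and Windows), Server management (monthly health checks) and Server patching (patch level reviewed from system extractions) all come down to comparing an extraction from the server against a documented baseline. The following is an added example of such a health check for a Unix server and is not Fujitsu's baseline or tooling: the sshd settings, the allowed listener set, the minimum package versions and the extractions it runs on are all assumed values chosen for illustration. It also handles a detail that trips up manual review: sshd honours the first value it reads for a keyword, so a later "PermitRootLogin no" does not override an earlier "yes".

```python
"""Monthly server health check: compare extractions from a Unix server
against a security baseline (sshd settings, allowed listening services)
and a minimum patch level.

Added example; not Fujitsu's baseline or tooling. Baseline values,
minimum versions and the extractions below are constructed/assumed.
"""
import re

# Assumed baseline for illustration; the report does not publish Fujitsu's.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
}
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 443)}   # (protocol, port)
MIN_PATCH_LEVEL = {"openssh-server": "5.9p1-5", "bash": "4.2-2"}  # assumed


def parse_sshd_config(text):
    """sshd uses the first value it sees for each keyword; keep that one."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key not in effective:
            effective[key] = parts[1].strip()
    return effective


def parse_listeners(text):
    """Lines of '<proto> <addr>:<port>', a cut-down 'ss -lnt' extraction."""
    listeners = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, addr = line.split()
        listeners.add((proto.lower(), int(addr.rsplit(":", 1)[1])))
    return listeners


def version_key(version):
    """Simplified ordering on numeric components: 5.9p1-5 -> (5, 9, 1, 5)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def health_check(sshd_config, listeners, installed,
                 baseline=SSHD_BASELINE, allowed=ALLOWED_LISTENERS,
                 minimum=MIN_PATCH_LEVEL):
    """Return (area, item, observed, required) tuples for every deviation."""
    findings = []
    effective = parse_sshd_config(sshd_config)
    for key, want in baseline.items():
        have = effective.get(key.lower())
        if have is None:
            # Unset means the sshd compiled-in default applies; the baseline
            # requires an explicit value so the check is version-independent.
            findings.append(("sshd", key, "unset (sshd default applies)", want))
        elif have.lower() != want.lower():
            findings.append(("sshd", key, have, want))
    for proto, port in sorted(parse_listeners(listeners) - allowed):
        findings.append(("services", f"{proto}/{port}", "listening", "disabled"))
    for pkg, required in minimum.items():
        have = installed.get(pkg)
        if have is None or version_key(have) < version_key(required):
            findings.append(("patching", pkg, have or "not installed", required))
    return findings


# Constructed extractions from one server.
SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no          # ignored by sshd: the first value wins
"""
LISTENERS = """\
tcp 0.0.0.0:22
tcp 0.0.0.0:443
tcp 0.0.0.0:23      # telnet left enabled
udp 0.0.0.0:161     # snmp
"""
INSTALLED = {"openssh-server": "5.3p1-2", "bash": "4.2-2"}

if __name__ == "__main__":
    for finding in health_check(SSHD_CONFIG, LISTENERS, INSTALLED):
        print(finding)
```

The output is the deviation list a Service Delivery Manager would report to the customer under the standard reporting agreement; a server that meets every baseline item returns an empty list. The Windows equivalent uses the same structure with a different extraction (for example, local policy and listening ports from the host) and baseline.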
Control objective: Disaster recovery plan
Fujitsu is able to continue serving customers in a disaster situation.

Structure of Fujitsu's disaster recovery
Fujitsu control: The overall disaster recovery plan comprises a disaster management procedure and operational disaster recovery plans for specific disaster areas. The operational disaster recovery plan defines the disaster organisation, including management functions, contact information, warning lists and task force instructions. Detailed task force instructions have been prepared for the individual platforms in the event of re-establishment in an emergency operation situation.
PwC test: ... procedures/control activities which ... We have moreover reviewed material concerning disaster recovery and verified that the organisational and operational IT disaster recovery plan contains managerial function descriptions, contact information, alert lists and instructions.
Findings: We have observed a lack of restoration plans for both production platforms and client environments. Management has informed that this is expected to be remedied in Q. No further exceptions noted.
5 Additional information

5.1 Other information

The Act on Processing of Personal Data
- The Danish Act on Processing of Personal Data (Act no. 429 of 31 May 2000)
- Guidance to Executive Order no. 528 of 15 June 2000 on Security Measures for the Protection of Personal Data that is Processed for the Public Administration
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Certification/Compliance level
Fujitsu has implemented the following process standards:
- Fujitsu has a Business Management System and is certified in accordance with ISO9001:2008
- Fujitsu has an Information Management System, which is compliant with DS484:2005/ISO27001:2007 within the areas in which a risk assessment indicates that its use is relevant and profitable for Fujitsu
- Fujitsu is certified in accordance with PCI DSS rel 2.0 within the areas in which Fujitsu operates credit card data
- Each year, Fujitsu publishes an auditor's statement in accordance with RS3402 type 2
- Fujitsu has an IT Service Management System, which is compliant with ISO20000:2011 within the areas in which a risk assessment indicates that its use is relevant and profitable for Fujitsu

ITIL/ISO20000 implementation status
Fujitsu signs two general types of outsourcing contracts:
1. Outsourcing contracts that cover only IS CORE (Infrastructure Outsourcing)
2. Outsourcing contracts that cover IS CORE and AS/AM CORE (Infrastructure and Application Outsourcing)
For ITIL processes, this means that Fujitsu works with general ITIL processes in relation to the customers and internal ITIL processes in IS CORE and AS CORE.

As of 1 October 2012, the following ITIL procedures will be implemented in IS CORE:
- Incident management
- Problem management
- Change management
- Configuration management
- Service portfolio and catalogue management
- Release management
- Continuity management

Global/Nordic cooperation

Fujitsu Global
In relation to processes, Fujitsu Denmark is subject to the applicable guidelines issued from time to time by the global Fujitsu organisation. Fujitsu Global Business Group sets out general guidelines to be implemented by the individual regions to the extent that this is relevant for the individual business areas. Fujitsu Denmark is placed under the Nordic Region. Fujitsu Denmark cooperates with the other Nordic countries in the process area.

Procedures
Fujitsu Denmark's process system will always reflect the set of rules to be followed by Danish employees, irrespective of whether the rules originate globally, from the Nordic Region or locally from Denmark.
Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
Retention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
