SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015


BROADRIVER INC.

Table of Contents

SECTION 1: INDEPENDENT SERVICE AUDITOR'S REPORT
SECTION 2: MANAGEMENT'S ASSERTION
SECTION 3: BROADRIVER'S DESCRIPTION OF CONTROLS
    SCOPE OF REPORT AND DISCLOSURES
        Sub-Service Organizations
        Significant Changes during the Review Period
        Subsequent Events
        Using the Work of the Internal Audit Function
    OVERVIEW OF OPERATIONS AND THE SYSTEM
        Company Overview and Background
        Overview of the Data Center Services System
    OVERVIEW OF RELEVANT INFRASTRUCTURE
        Infrastructure
        Software
        People
        Procedures
        Data
    RELEVANT ASPECTS OF CONTROL ENVIRONMENT, RISK ASSESSMENT, INFORMATION AND COMMUNICATIONS SYSTEMS, MONITORING, POLICIES AND PRACTICES
        Control Environment
        Risk Assessment
        Information and Communication Systems
        Policies and Practices
    CONTROL OBJECTIVES AND RELATED CONTROLS
    USER ENTITY CONTROL CONSIDERATIONS
SECTION 4: CONTROL DESCRIPTIONS, RELATED CONTROLS AND TESTS OF OPERATING EFFECTIVENESS
    INFORMATION PROVIDED BY THE SERVICE AUDITOR
        Introduction
        Tests of Operating Effectiveness
        Types of Tests Performed
        Sampling Methodology
    TESTING MATRICES
        Physical Security
        Environmental Security
        Information Security
        Systems Availability
        System Maintenance
SECTION 5: INFORMATION PROVIDED BY THE SERVICE ORGANIZATION
    Testing Exceptions

Proprietary and Confidential

SECTION 1: INDEPENDENT SERVICE AUDITOR'S REPORT

INDEPENDENT SERVICE AUDITOR'S REPORT ON THE DESCRIPTION OF THE SERVICE ORGANIZATION'S SYSTEM AND THE SUITABILITY OF THE DESIGN AND OPERATING EFFECTIVENESS OF CONTROLS

To BroadRiver Inc.:

We have examined BroadRiver Inc.'s ("BroadRiver") description of its Data Center Services system throughout the period August 1, 2014 to July 31, 2015 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of BroadRiver's controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

Within Section 2 of this report, BroadRiver has provided an assertion about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. BroadRiver is responsible for preparing the description and the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion; providing the services covered by the description; specifying the control objectives and stating them in the description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria; and designing, implementing, and documenting controls to achieve the related control objectives stated in the description. Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination.

We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period August 1, 2014 to July 31, 2015.

An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description, the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described within BroadRiver's assertion in Section 2 of this report. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

West Gandy Blvd. Tampa, Florida

In our opinion, in all material respects, based on the criteria described in BroadRiver's assertion in the next section of this report:

a. the description fairly presents BroadRiver's Data Center Services system that was designed and implemented throughout the period August 1, 2014 to July 31, 2015;
b. the controls related to the control objectives of BroadRiver stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period August 1, 2014 to July 31, 2015, and user entities applied the complementary user entity controls contemplated in the design of BroadRiver's controls throughout the period August 1, 2014 to July 31, 2015; and
c. the controls that we tested, which together with the complementary user entity controls referred to in Section 3 of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period August 1, 2014 to July 31, 2015.

The specific controls tested and the nature, timing, and results of those tests are listed within Section 4 of the report.

This report, including the description of tests of controls and results thereof within Section 4, is intended solely for the information and use of BroadRiver, user entities of BroadRiver's Data Center Services system during some or all of the period August 1, 2014 to July 31, 2015, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

December 16, 2015
Tampa, Florida

SECTION 2: MANAGEMENT'S ASSERTION

MANAGEMENT'S ASSERTION

December 16, 2015

We have prepared the description of BroadRiver Inc.'s ("BroadRiver") Data Center Services system for user entities of the system during some or all of the period August 1, 2014 to July 31, 2015 and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements. We confirm, to the best of our knowledge and belief, that

a. the description fairly presents the Data Center Services system made available to user entities of the system during some or all of the period August 1, 2014 to July 31, 2015 for processing their transactions. The criteria we used in making this assertion were that the description:
   i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions as they relate to our environment, including when applicable:
      1. the types of services provided;
      2. the procedures, within both automated and manual systems, by which services are provided;
      3. how the system captures and addresses significant events and conditions, other than transactions;
      4. the process used to prepare reports or other information provided to user entities of the system;
      5. the specified control objectives and controls designed to achieve those objectives; and
      6. other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to user entities of the system.
   ii. does not omit or distort information relevant to the scope of the Data Center Services system, while acknowledging that the description is presented to meet the common needs of a broad range of user entities of the system and their financial statement auditors, and may not, therefore, include every aspect of the Data Center Services system that each individual user entity of the system and its auditor may consider important in its own particular environment.
   iii. includes relevant details of changes to the service organization's system during the audit period covered by the description.

b. the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period August 1, 2014 to July 31, 2015 to achieve those control objectives. The criteria we used in making this assertion were that:
   i. the risks that threaten the achievement of the control objectives stated in the description have been identified by management;
   ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and
   iii. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

/s/ BroadRiver Inc.

Michael L. Oken, President
Fran Audia, Controller

SECTION 3: BROADRIVER'S DESCRIPTION OF CONTROLS

SCOPE OF REPORT AND DISCLOSURES

This description of the system of controls provided by BroadRiver Inc. ("BroadRiver") management, as related to Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization ("SSAE 16" or "SOC 1"), considers the direct and indirect impact of risks and controls that BroadRiver management has determined are likely to be relevant to its user entities' internal controls over financial reporting. The scope of management's description of the system of controls covers the general computer controls supporting the Description of Service, and considers the initiation, authorization, recording, processing, and reporting of related transactions.

BroadRiver is responsible for identifying the risks associated with the system of controls (defined as control objectives), and for the design and operation of controls intended to mitigate those risks. This includes the applicable information technology infrastructure and the supporting processes related to the Data Center Services system. It does not include any other processes used to initiate, authorize, record, process, or report on the financial transactions of its user entities. Additionally, BroadRiver does not maintain accountability for any user entity assets, liabilities, or equity.

As part of its overall SOC 1 program, BroadRiver's management sets and determines the scope and timing of each report. This report covers the Data Center Services system provided at the Atlanta, Georgia colocation facility. This description of the system of controls has been prepared by BroadRiver management to provide information on controls applicable to the Data Center Services system at the Atlanta, Georgia colocation facility.

Sub-Service Organizations

BroadRiver does not rely on any sub-service organizations as part of the Data Center Services system included in the scope of this report.

Significant Changes during the Review Period

Management is not aware of any significant changes that occurred during the review period.

Subsequent Events

Management is not aware of any relevant events that occurred subsequent to the period covered by management's description included in Section 3 of this report, through the date of the service auditor's report, that would have a significant effect on management's assertion.

Using the Work of the Internal Audit Function

The service auditor did not utilize any work of an Internal Audit function in preparing this report.

Section 3 Proprietary and Confidential 8

OVERVIEW OF OPERATIONS AND THE SYSTEM

Company Overview and Background

BroadRiver is a privately-held competitive IT solutions company based in Atlanta, Georgia. Since 1999, BroadRiver has been providing a variety of technology solutions with a focus on client care and client satisfaction. On November 9, 2015, BroadRiver sold its subsidiary, BroadRiver Communications Corporation, which provided its telecommunications services. BroadRiver provides data center services spanning various markets throughout the southeastern United States. BroadRiver's goal is to help its clients select the right data center services for their business needs and to deliver those services with quality and value.

Overview of the Data Center Services System

Data Center Colocation Services

BroadRiver's Tier 3 colocation facility is a 15,000 square foot facility constructed in 2007 approximately 1 mile from the corporate office in Atlanta, Georgia. The colocation facility sits on solid granite and has concrete floors, a steel frame, concrete block walls with a brick outlay, and an insulated membrane roof. The data center within the colocation facility features over 200 fully enclosed racks that are sold in half- and full-rack increments. The data center was designed with redundant capacity components and multiple independent distribution paths serving the computer equipment, so that systems can be taken offline for scheduled maintenance without impact to the IT environment.

BroadRiver provides the facilities and infrastructure to protect clients' systems from physical and environmental security threats including, but not limited to, unauthorized access, fire, harmful temperature and humidity levels, and power surges or power failures. Activity related to transactions, such as initiation, authorization, recording, processing, correction, or reporting, is performed by clients. BroadRiver has no responsibility for activities related to transaction processing or for the related accounting records and supporting information of clients, including the correction of incorrect information.

Managed Network Services

BroadRiver provides Internet connectivity to clients as well as dedicated network segments where clients place their own servers and applications. Services include:
- Client-specific network segmentation and isolation;
- Firewall management; and
- Intrusion detection and prevention systems (IDS / IPS).

OVERVIEW OF RELEVANT INFRASTRUCTURE

The Data Center Services system is comprised of the following components:
- Infrastructure (facilities, equipment, and networks);
- Software (systems, applications, and utilities);
- People (operators, users, and managers);
- Procedures (automated and manual); and
- Data (transaction streams, files, databases, and tables).

Infrastructure

BroadRiver offers facilities and infrastructure to provide colocation and data center services for its clients. The colocation facility is designed with a data center room where client equipment resides. Single racks, cabinets, and / or isolated cages are offered to clients within the several thousand square feet of data center space located at the colocation facility. Some support and management personnel operate out of the headquarters, supporting the colocation and data center services at the colocation facility. The following describes the in-scope components supporting the Data Center Services system:

System / Application | Description        | Infrastructure
Zenoss               | Network monitoring | GNU / Linux

Software

BroadRiver utilizes Zenoss to provide network monitoring of the data center facility and of the services it is contracted to provide. Zenoss is the primary application used for monitoring services and has been configured with thresholds and alerts designed to notify management with enough time to adjust and make changes before an outage or limitation in the services being provided.

People

The roles and responsibilities of key functions include the following:

Michael L. Oken, President and Chief Technology Officer (CTO)
Michael founded BroadRiver and serves as its President and CTO. Michael plays a central role in driving the strategy and direction relative to product and services development, architecture and infrastructure. His experience spans over 28 years in the technology sector, with significant experience in datacenter and network architecture.

Fran Audia, Controller and Secretary
Fran has served as Controller and Secretary of BroadRiver since [year not transcribed]. Fran has over twenty years of experience in accounting, bookkeeping, risk management, and HR. Prior to joining BroadRiver Inc. she served as a Controller at Network Systems Technology Inc., a network integration company.

Procedures

BroadRiver has developed, and communicated to its users, procedures to restrict physical access to the BroadRiver colocation facility, its data center, and the critical areas within the colocation facility, as well as procedures to protect the colocation facility from certain environmental threats. Policies include the following:
- BroadRiver Data Center Security Policy;
- Information Security Policy;
- Data Center Physical Security;
- Data Center Environmental Security Policy; and
- Incident and Response Policy.

Data

BroadRiver does not process clients' data. The scope of management's description of the system of controls covers the physical and environmental security supporting the Data Center Services system. This includes the applicable information technology infrastructure and the supporting processes related to the Data Center Services system. It does not include any other processes used to initiate, authorize, record, process, or report on the financial transactions of its user entities.

RELEVANT ASPECTS OF CONTROL ENVIRONMENT, RISK ASSESSMENT, INFORMATION AND COMMUNICATIONS SYSTEMS, MONITORING, POLICIES AND PRACTICES

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Aspects of BroadRiver's control environment that affect the services provided and / or the system of controls are identified in this section.

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of BroadRiver's control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the products of BroadRiver's ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. Organizational policy statements and codes of conduct are documented and communicate entity values and behavioral standards to personnel.

Senior Executive Participation

BroadRiver's control consciousness is influenced significantly by its senior executives. Senior executives oversee management activities and meet on a regular basis to approve budgets and business plans, address operational concerns and strategic direction, and review financial performance metrics.

Commitment to Competence

BroadRiver's management defines competence as the knowledge and skills necessary to accomplish the tasks that define employees' roles and responsibilities. Management has considered the competence levels for particular jobs and translated the required skills and knowledge levels into written position requirements. Employees are required to attend security awareness training upon hire and on an annual basis thereafter.

Management's Philosophy and Operating Style

BroadRiver's management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management's approach to taking and monitoring business risks, and management's attitudes toward information processing, accounting functions, and personnel. BroadRiver's management team is hands-on and involved in the day-to-day operations of the business. Management team members are expected not only to lead but to make hands-on contributions and to know the details in their area of the business. Specific control activities that BroadRiver has implemented in this area are described below.
- Management is periodically briefed on regulatory and industry changes affecting services provided; and
- Management meetings are held on a weekly basis to discuss operational issues.

Organizational Structure

BroadRiver's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. BroadRiver's management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and lines of reporting. BroadRiver has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities.

BroadRiver's assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. Specific control activities that the service organization has implemented in this area are described below.
- Organizational charts are in place to communicate key areas of authority, responsibility and lines of reporting; and
- Management has considered the reporting structure and accountability for certain business functions and segregated responsibilities by functional area.

Human Resource Policies and Practices

BroadRiver's human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Background checks are performed on employment applicants as a component of the hiring process. Termination procedures are in place to help ensure the employee termination process is consistently executed.

Risk Assessment

BroadRiver's risk assessment process is designed to identify and consider the implications of external and internal risk factors concurrent with establishing unit-wide objectives and plans. The likelihood of occurrence and potential monetary impact (or publicity risk) have been evaluated to enhance the reliability of the data center services being provided. Risks are categorized as tolerable or requiring action, and include the following considerations:
- Changes in the operating environment: a change in regulations may necessitate a revision of existing processing. Revisions of existing processing may create the need for additional or revised controls.
- New personnel: new personnel who are responsible for overseeing the IT controls may increase the risk that controls will not operate effectively.
- New or revamped information systems: new functions added into the system that could affect user entities.
- Rapid growth: a rapid increase in the number of new clients may affect the operating effectiveness of certain controls.
- New technology: implementation of new application platforms / technology may operate so differently that it affects user entities.
- New business models, products, or activities: the diversion of resources to new activities from existing activities could affect certain controls.
- Corporate restructuring: a change in ownership or internal reorganization could affect reporting responsibilities or the resources available for services to user entities.
- New accounting pronouncements: the implementation of relevant accounting pronouncements could affect user entities.
- Government and regulatory changes: the implementation of relevant government and regulatory pronouncements could affect user entities.

BroadRiver's recognition of risks that could affect the organization's ability to provide reliable data center services for user entities is generally implicit, rather than explicit. Management's involvement in daily operations allows them to learn about risks related to the data center services through direct personal involvement with employees and outside parties, thus reducing the need for formalized and structured risk assessment processes.

Information and Communication Systems

Information System

BroadRiver's hosting infrastructure is located in a colocation facility in Atlanta, Georgia. The site is secured by an electronic, biometric-enabled card access system at facility entry points and is monitored via a video surveillance system. Power is protected with multiple diesel-powered generators and redundant UPS systems equipped with static transfer switches (STS), while temperature and humidity levels are maintained via redundant air conditioning systems equipped with redundant cooling loops.

Private VLANs are configured to segregate client networks and infrastructure based on service offering. Additionally, firewall systems are configured to deny any network connection that is not explicitly authorized by a firewall rule. The firewall systems are configured in clusters to provide automatic failover of firewall services in the event of a primary firewall failure. Encrypted VPN connections are utilized for remote access to help ensure the privacy and integrity of the data passing over the public network.

Communication System

BroadRiver's management is involved with day-to-day operations and is able to provide employees with an understanding of their individual roles and responsibilities pertaining to internal controls. This includes the extent to which personnel understand how their activities relate to the work of others and the means of reporting exceptions to a higher level within the organization. Management believes that open communication channels help ensure that exceptions are reported and resolved. Communication takes place electronically, verbally, and through the actions of management. In addition, formal communication tools such as organizational charts, job descriptions and an enterprise issue ticketing application are in place.

Monitoring

Management monitors controls to consider whether they are operating as intended and whether they need to be modified for changes in conditions. BroadRiver's management performs monitoring activities to continuously assess the quality of internal control over time. Necessary corrective actions are taken as required to correct deviations from company policy and procedures. Employee activity and adherence to company policies and procedures are also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Ongoing Monitoring

The BroadRiver management team conducts quality assurance monitoring on a regular basis, and additional training is provided based upon the results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings, client conference calls and informal notifications. Examples of BroadRiver's ongoing monitoring activities include the following:

Physical Security: The biometric-enabled badge access system creates logs of ingress activity within the data center for review on a scheduled basis. Surveillance cameras are in place to record activity throughout the colocation facility and the data center, and are equipped with searchable digital video retention for review on a scheduled basis.

Environmental Security: An enterprise monitoring application is configured to monitor, log and alert personnel in the event that predefined threshold events related to the following environmental conditions occur at various locations throughout the facility: temperature, humidity, and smoke or fire.

Network Infrastructure: An enterprise monitoring application is configured to monitor the network core, network edge, and other shared enterprise systems and devices for availability and transmission activity, and to alert personnel in the event that predefined events occur related to the following: up/down status, resource utilization, and other Simple Network Management Protocol (SNMP)-enabled thresholds per device. A ticketing system is in place to document and manage identified problems and activities impacting client services and systems. Tickets are monitored from creation to resolution.

Separate Evaluations

Management has daily involvement in BroadRiver's operations to help identify significant variances from expectations regarding internal controls. Controls addressing higher-priority risks and those most essential to reducing a given risk are evaluated more often. Executive management immediately evaluates the specific facts and circumstances related to any suspected control breakdowns. A decision on addressing any control weakness is made based on whether the incident was isolated or requires a change in the company's procedures or personnel.

Policies and Practices

BroadRiver security systems include badge access authentication at each data center door, logging of door access attempts, and video surveillance for access to and within the BroadRiver data center, including the data halls where client equipment resides. Electronic badge access systems and biometric fingerprint readers provide access controls at each data center facility entry point. Video surveillance technology has been implemented to monitor and record access to and activity within the facility.

INFRASTRUCTURE MANAGEMENT

BroadRiver is responsible for maintaining and implementing information technology general computer controls related to the computer processing supporting the Data Center Services. These controls provide the basis for reliance on information and data from the systems used by user entities for financial reporting.

Physical Security

Documented physical security policies and procedures are in place to guide activities for granting, controlling, and monitoring physical access to the corporate office facility, the colocation facility, and the data center within the colocation facility. Further, to control physical access to the corporate office facility, the colocation facility, and the data center, the Facility Manager or Technical Operations Manager performs quarterly access reviews to ensure that access is appropriate based on the individual's role and job function, and that privileged access is only available to authorized users.

Corporate Office Facility

A receptionist is on-site during normal business hours to monitor the main entrance of the corporate office facility and ensures that visitors sign a visitor log prior to entry. Visitors are provided an identification sticker by the receptionist while inside the corporate office facility. The physical access control system at the corporate office facility utilizes key fobs to restrict and track access to the facility. Key fob holders are required to swipe their key fob in order to enter the facility; otherwise, entry is prevented. Successful and unsuccessful entry events are logged for ad hoc review by the technical operations manager. If a series of unsuccessful attempts occurs, the technical operations manager researches and identifies the issue. Administrative privileges to the electronic key fob access system are restricted to authorized IT personnel. Additionally, the key fob system administrators revoke key fob access system privileges for terminated employees. Unused and unassigned key fobs are stored in a locked file cabinet.

Colocation Facility and Data Center

The colocation facility and the data center are restricted areas requiring a greater level of control than other non-public spaces. The colocation facility has no exterior signage identifying it as a data center and no exterior data center windows. Only those individuals who are expressly authorized to do so by BroadRiver IT management personnel may enter the colocation facility and the data center. Network operations center (NOC) personnel are stationed at the reception desk to monitor access to the main entrance of the colocation facility during business hours. The NOC personnel ensure that visitors sign a visitor log upon entering the colocation facility. Additionally, visitors are required to be escorted by an employee when in the data center.

Access to the colocation facility is restricted via a badge access card system to authorized personnel 24 hours per day. The badge access system utilizes pre-defined badge access groups to control access privileges and restrict employees and clients to only the areas necessary and authorized. Badge holders are required to swipe their badge access card in order to enter the facility; otherwise, entry is systematically prevented. Successful and unsuccessful entry events are logged, allowing for ad hoc reviews by the technical operations manager. If a series of unsuccessful attempts occurs, the technical operations manager researches and identifies the issue. Administrative privileges to the badge access card system are restricted to authorized IT personnel.
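The two review activities described above (following up on a series of unsuccessful entry attempts, and revoking badge or key fob access for terminated employees) can be checked against an exported access-control log. The following is an added example, not BroadRiver's tooling or data: the log format, the "series" threshold of three failures within ten minutes, and the revoked-badge list are assumptions, and the log lines are constructed.

```python
"""Review of badge / key-fob access-control events.

Added example, not part of the BroadRiver report. Given an exported
event log it flags (a) a series of unsuccessful entry attempts by one
credential inside a time window and (b) any successful entry by a
credential that should have been revoked at termination. Log format,
threshold, window and the revoked list are assumptions; the sample
log below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, door, badge id, result
SAMPLE_LOG = """\
2015-03-02T08:01:10 colo-main B1001 GRANTED
2015-03-02T08:03:55 colo-main B2044 DENIED
2015-03-02T08:04:02 colo-main B2044 DENIED
2015-03-02T08:04:09 colo-main B2044 DENIED
2015-03-02T08:04:20 colo-main B2044 DENIED
2015-03-02T09:15:00 datahall-1 B1001 GRANTED
2015-03-02T09:40:31 colo-main B3090 GRANTED
2015-03-02T12:00:00 colo-main B4120 DENIED
2015-03-02T17:00:00 colo-main B4120 DENIED
"""

# Constructed: credentials that should have been revoked at termination
REVOKED_BADGES = {"B3090"}

FAILURE_THRESHOLD = 3                 # assumption: a "series" is 3+ failures
FAILURE_WINDOW = timedelta(minutes=10)  # assumption: within 10 minutes


def parse_log(text):
    """Parse the export into sorted (timestamp, door, badge, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split()
        events.append((datetime.fromisoformat(ts), door, badge, result))
    return sorted(events)


def failed_attempt_series(events, threshold=FAILURE_THRESHOLD,
                          window=FAILURE_WINDOW):
    """Return {badge: longest run} for badges with >= threshold DENIED
    events inside a sliding window. A GRANTED event resets the run, since
    the control concerns repeated failures, not an eventual success."""
    runs = defaultdict(list)   # badge -> timestamps of the current failure run
    flagged = {}
    for ts, _door, badge, result in events:
        if result != "DENIED":
            runs[badge] = []
            continue
        runs[badge].append(ts)
        # keep only failures that fall inside the window ending at this event
        runs[badge] = [t for t in runs[badge] if ts - t <= window]
        if len(runs[badge]) >= threshold:
            flagged[badge] = max(flagged.get(badge, 0), len(runs[badge]))
    return flagged


def revoked_badge_use(events, revoked=REVOKED_BADGES):
    """Return GRANTED events for badges that should have been revoked;
    each one is a failure of the termination / revocation control."""
    return [(ts, door, badge) for ts, door, badge, result in events
            if result == "GRANTED" and badge in revoked]


def review(text=SAMPLE_LOG, revoked=REVOKED_BADGES):
    """Run both checks over one export and return the findings."""
    events = parse_log(text)
    return {
        "failed_series": failed_attempt_series(events),
        "revoked_use": revoked_badge_use(events, revoked),
    }


if __name__ == "__main__":
    findings = review()
    for badge, count in findings["failed_series"].items():
        print(f"investigate: {count} failed attempts by {badge} within window")
    for ts, door, badge in findings["revoked_use"]:
        print(f"control failure: revoked badge {badge} admitted at {door} {ts}")
```

On the constructed log, B2044 is flagged for four failures in under a minute, B4120's two failures five hours apart are not, and the GRANTED event for revoked badge B3090 is reported as a revocation-control failure.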

Access to the raised-floor data center, within the colocation facility, requires both an access badge card and a biometric fingerprint scan. Additionally, the badge system administrators revoke badge access for terminated employees. Unused and unassigned badges are stored in a locked file cabinet. Procedures for terminating or revoking data center access include:
- Canceling door codes and cardkeys, and removing fingerprint information from access control systems;
- Collecting access control credentials and keys from the client; and
- Removing the client's authorized name(s) from the operations authorized access list.

The data center is monitored 24 hours per day utilizing alarms, motion detectors and surveillance cameras. Recordings are retained for 90 days, allowing for ad hoc reviews by data center security personnel. Access to client hardware stored in cabinets is restricted to individual client personnel and authorized BroadRiver personnel. Clients do not have access to other clients' equipment within locked cabinets, and cabinets are not labeled with the client name.

Environmental Security

Environmental security refers to the protection of building sites and equipment (and the information and software contained therein) from natural disasters, catastrophes, fire, flood and accidental damage. Documented environmental security policies and procedures are in place to guide personnel in the monitoring of environmental control systems, the escalation of status alarms, and the resolution of environmental issues affecting the data center.

The data center is equipped with fire detection and fire suppression, including audible and visual fire and smoke alarms, and hand-held fire extinguishers. A third-party specialist is contracted to inspect and maintain the fire detection systems and hand-held fire extinguishers on an annual basis.

The data center is equipped with multiple air conditioning units to maintain consistent temperature and humidity levels. If the temperature or humidity level exceeds pre-defined limits, an audible alarm is triggered. A third-party specialist is contracted to inspect and maintain the air conditioning units on a semi-annual basis. Additionally, facilities personnel inspect the air conditioning units on a monthly basis. Water detection systems are in place to detect leakage from the air conditioning units.

The data center is connected to an uninterruptible power supply (UPS) system and multiple backup generators to provide electricity in the event of a power outage and to help mitigate the risk of power surges impacting the data center infrastructure. A third-party specialist is contracted to inspect and maintain the UPS system and the backup generators on an annual basis. Additionally, facilities personnel perform load tests on the generators on a quarterly basis. Computer equipment in the data center is maintained in raised racks above the raised floor to help cooling and to prevent damage caused by localized flooding.

Enterprise monitoring applications are utilized to monitor environmental conditions within the data center, including temperature and humidity levels, power levels and availability, and fire detection system and alarm status. When the predefined thresholds are exceeded, NOC personnel are notified via on-screen and e-mail alerts. Additionally, facility personnel perform daily patrols to monitor certain environmental equipment and document readings.

Information Security

Documented network security policies and procedures are in place to guide personnel in managing system access and protecting information assets and data. Additionally, the policies and procedures include firewall system administration and maintenance activities. Management reviews the policies and procedures documentation at least annually and updates it as needed.

In order to provision logical access to the infrastructure network that is utilized by BroadRiver to provide colocation connectivity to clients, the individual's hiring manager sends an e-mail request for system access to the technical operations manager or the senior network engineer. The request contains the name, title, and department of the user and the access permissions needed. The requestor enters the user's role for access and a justification for the access. Upon approval of the access request e-mail, network operations personnel provision the requested access.

Network Domain

Private virtual local area networks (VLANs) are configured to segregate the network traffic and infrastructure of certain clients, based upon service offering. Access to the BroadRiver network infrastructure is protected through the use of authentication protocols. Network operations personnel are authenticated to the infrastructure network that is utilized by BroadRiver to provide colocation connectivity to clients via an authorized user account and password before being granted access to the network domain. The network domain is configured to enforce authentication requirements such as minimum password length, minimum password history, password expiration intervals, invalid password account lockout threshold and password complexity requirements. Administrator access privileges within the network domain are restricted to user accounts accessible by authorized IT personnel. Upon termination of an employee, IT operations personnel revoke the network accounts assigned to the terminated employee as a component of the employee termination process.

Firewall System and Remote Connectivity

A firewall system is in place to protect the BroadRiver network and data. The firewall resides on the network and analyzes data and packets routed to the BroadRiver internal network. The firewall system is configured to deny any type of network connection that is not explicitly authorized by a firewall rule. In the event of primary firewall system failure, a secondary firewall system is in place to provide failover firewall services. Additionally, externally routable internet protocol (IP) addresses are not used within the internal production servers; instead, the firewall system is configured to utilize network address translation (NAT) functionality to manage internal IP addresses.

Encrypted virtual private networks (VPNs) are utilized for remote access to help ensure the privacy and integrity of the data passing over the public network. Administrator access privileges within the firewall and VPN remote access systems are restricted to user accounts accessible by authorized IT personnel. Firewall and VPN administrators are authenticated via a user account and password before being granted access to the systems. BroadRiver uses a Cisco Steel Belted Radius (SBR) server for firewall and VPN device authentication. The firewall and VPN devices on the infrastructure network utilized by BroadRiver to provide colocation connectivity to clients are configured to point to the SBR server for authentication. Individuals attempting to authenticate to the firewalls or VPN devices as administrators are required to be in a specific network domain group in order to be authenticated to the firewall and VPN devices.

Systems Availability

Network Monitoring Services

NOC personnel perform network performance monitoring and reporting services as part of managed network services. The NOC personnel actively monitor devices such as routers, switches, storage area networks (SANs), NetFlow auditors, wired firewall clusters, and wireless intrusion detection systems. Network monitoring activities are guided by incident response and support policies and procedures that address severity level definitions, escalation reporting, and response time requirements for service alerts. These policies and procedures are reviewed by management on an annual basis and updated as necessary.
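The firewall description above states two testable properties: every connection not explicitly authorized by a rule is denied, and internal production servers sit on non-routable addresses behind NAT. The following is an added example of how an auditor could check an exported rule set for both; it is not BroadRiver's configuration or tooling, the Rule format and both rule sets are constructed, and only IPv4 is handled.

```python
"""Audit of an ordered firewall rule set for the properties described above.

Added example, not BroadRiver's configuration or tooling. It checks that
the rule list ends in an explicit deny-everything rule (so traffic not
explicitly authorized is denied), that no permit rule authorizes all
traffic outright, and that servers referenced as permit destinations use
RFC 1918 private addresses (reached through NAT) rather than externally
routable ones. The Rule format and both rule sets are constructed.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    port: str     # TCP/UDP port number or "any"

    def matches_everything(self):
        return self.src == "any" and self.dst == "any" and self.port == "any"


def is_rfc1918(cidr):
    """True when the whole prefix lies inside RFC 1918 private space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def ends_in_default_deny(rules):
    """The last rule must deny any source, destination and port; otherwise
    traffic unmatched by the explicit permits is not handled by the policy."""
    return bool(rules) and rules[-1].action == "deny" \
        and rules[-1].matches_everything()


def overbroad_permits(rules):
    """Permit rules that authorize everything, which defeats the
    'explicitly authorized by a firewall rule' requirement."""
    return [r for r in rules if r.action == "permit" and r.matches_everything()]


def externally_routable_servers(rules):
    """Destinations of permit rules that are not private addresses. Under
    the NAT control, internal servers should appear only with RFC 1918
    addresses, so a public destination is a finding."""
    return [r.dst for r in rules
            if r.action == "permit" and r.dst != "any" and not is_rfc1918(r.dst)]


def audit(rules):
    """Run all three checks and return the findings."""
    return {
        "default_deny": ends_in_default_deny(rules),
        "overbroad_permits": overbroad_permits(rules),
        "public_servers": externally_routable_servers(rules),
    }


# Constructed weak rule set: no terminal deny, a permit-all rule, and a
# server addressed directly on a (documentation-range) public address.
WEAK_RULES = [
    Rule("permit", "any", "203.0.113.10/32", "443"),
    Rule("permit", "10.0.0.0/8", "10.20.0.0/24", "22"),
    Rule("permit", "any", "any", "any"),
]

# Constructed corrected rule set: the public service is NAT'd to a private
# server address and the list closes with an explicit deny-all.
HARDENED_RULES = [
    Rule("permit", "any", "10.20.0.10/32", "443"),   # NAT target for the public IP
    Rule("permit", "10.0.0.0/8", "10.20.0.0/24", "22"),
    Rule("deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules))
```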

Network operations personnel utilize the Zenoss enterprise monitoring application to monitor the availability of the network, colocation services and ports. Zenoss is configured to identify network issues in real time, including:
- Device up/down status;
- Device response time and latency;
- Device packet loss percentage;
- Central processing unit (CPU) load percentage;
- Memory load percentage;
- Interface up/down status;
- Interface load percentage;
- Disk volume usage percentage;
- Inlet and/or outlet temperature range;
- Device redundancy/failover triggers; and
- Application availability.

The enterprise monitoring application is configured to send on-screen and e-mail alert notifications to network operations personnel when predefined thresholds are exceeded on monitored network devices. Network operations personnel utilize predefined severity levels to categorize and escalate network problems. Additionally, Zenoss is capable of generating reports for ongoing monitoring of performance metrics and SLA adherence, including, but not limited to, the following:
- Availability;
- Alert history; and
- Trend analysis reports.

Network Incident Identification and Escalation

BroadRiver operates its controlled networks and IT infrastructure on a 24 hour per day basis. During normal business hours (8AM-7PM Eastern Standard Time, Monday-Friday), the network operations personnel in the Atlanta, Georgia, corporate office facility and colocation facility provide identification and processing of client Tier 1, Tier 2 and Tier 3 incidents. Overflow incident escalations during normal business hours, as well as after-hours incidents, are routed to the off-site NOC facility for processing and handling. Clients have three methods of contacting BroadRiver to report a problem:
- Telephone;
- Internet; and
- E-mail.

Internet issues are submitted directly to the Help Desk e-mail or submitted via the client's BroadRiver business center portal. Network issues, failures and anomalies, including those detected by the Zenoss application and those submitted by clients, are recorded in the IssueTrak automated ticketing system. The IssueTrak system is utilized to document, prioritize, escalate and track the resolution of problems affecting colocation services. BroadRiver has redundancy built into its network infrastructure that allows the use of alternative equipment in the event of primary system failure.

System Maintenance

The system maintenance process is designed to manage changes to existing client infrastructure, software and hardware with minimal disruption, risk and complexity, while maintaining agreed-upon service levels. This includes identifying the business reason behind each change and the specific configurations and services affected by the change, planning the change, testing the change where necessary, and having a documented back-out plan should the change leave the client infrastructure in an unexpected state. Documented change management policies and procedures are in place to guide personnel in the request, documentation, and approval of changes to internal BroadRiver and client infrastructure, including the following:
- Cisco hardware changes;
- Juniper M series hardware changes;
- Firewall hardware changes;
- Changes to IP routing protocol areas;
- Changes to transit peering providers;
- Changes to core network interconnections;
- OS/IOS revision changes; and
- Blade and VM chassis backplane changes.

Change Request Submittal

Clients submit change requests via e-mail to the help desk e-mail address, or via e-mail to BroadRiver sales and support personnel. Requests submitted to the help desk e-mail account result in an automatically generated change request form. BroadRiver sales and support personnel manually generate change request forms for requests received via e-mail. Attributes documented in the change request forms include, but are not limited to, the following:
- Client name and client representative requesting the change;
- Change description;
- Priority level;
- Change status; and
- Change history.

A change management tracking system is utilized to maintain, manage, and monitor change activities. Requests for infrastructure software or hardware changes are restricted to pre-authorized client representatives. Specifically, clients with the ability to request infrastructure changes are limited to either the technical contact client personnel listed in the client's contact profile, for technical requests; or the billing/admin client personnel listed in the client's contact profile, for billing, service connection and service disconnection requests. The authorized client representatives are established at the time the clients sign their initial service contracts with BroadRiver. Clients have the ability to update their client contacts via the BroadRiver business portal.

Change Request Approval

Clients approve infrastructure software or hardware changes via a signed service order form or via a workflow-enabled electronic ticketing system prior to implementation; however, client approval for certain changes is inherent in their initial request. The ticketing system is configured to send client requestors notifications of the following events:
- Confirmation of receipt of the change request;
- Notes added to change tickets by network engineers; and
- Confirmation that the request is closed and work is completed.

Change Testing and Change Implementation

For certain infrastructure change requests, operations personnel perform an impact assessment and develop a back-out plan that is documented within the change management tracking application. The ability to implement changes to client infrastructure software or hardware is restricted to user accounts accessible by authorized IT personnel.

CONTROL OBJECTIVES AND RELATED CONTROLS

The BroadRiver control objectives and related controls are included in Section 4 of this report, Control Descriptions, Related Controls and Tests of Operating Effectiveness, to eliminate the redundancy that would result from listing them in this section and repeating them in Section 4. Although the control objectives and related controls are included in Section 4, they are, nevertheless, an integral part of the service organization's description of controls.


More information

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA 92123

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

SaaS Security for the Confirmit CustomerSat Software

SaaS Security for the Confirmit CustomerSat Software SaaS Security for the Confirmit CustomerSat Software July 2015 Arnt Feruglio Chief Operating Officer The Confirmit CustomerSat Software Designed for The Web. From its inception in 1997, the architecture

More information

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security Overview Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security Blackboard Collaborate web conferencing is available in a hosted environment and this document

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing Netop Environment Security Unified security to all Netop products while leveraging the benefits of cloud computing Contents Introduction... 2 AWS Infrastructure Security... 3 Standards - Compliancy...

More information

Famly ApS: Overview of Security Processes

Famly ApS: Overview of Security Processes Famly ApS: Overview of Security Processes October 2015 Please consult http://famly.co for the latest version of this paper Page 1 of 10 Table of Contents 1. INTRODUCTION TO SECURITY AT FAMLY... 3 2. PHYSICAL

More information

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating (SOC 1) For the period August 1, 2014 through July 31, 2015 In Accordance

More information

White paper. SAS Solutions OnDemand Hosting Overview

White paper. SAS Solutions OnDemand Hosting Overview White paper SAS Solutions OnDemand Hosting Overview Contents Overview...1 Cary 1 Facility Specifications...2 Cary 2 Facility Specifications (SAS New Cloud Computing Center)...3 Charlotte 1 Facility Specifications...4

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Information Security Network Connectivity Process

Information Security Network Connectivity Process Information Security Network Connectivity Process Handbook AS-805-D September 2009 Transmittal Letter A. Purpose It is more important than ever that each of us be aware of the latest policies, regulations,

More information

Tk20 Network Infrastructure

Tk20 Network Infrastructure Tk20 Network Infrastructure Tk20 Network Infrastructure Table of Contents Overview... 4 Physical Layout... 4 Air Conditioning:... 4 Backup Power:... 4 Personnel Security:... 4 Fire Prevention and Suppression:...

More information

SSAE 16 SOC 1 Type 2

SSAE 16 SOC 1 Type 2 SSAE 16 SOC 1 Type 2 Independent Service Auditor s Report on Management s Description of a Service Organization s System and the Suitability of the Design and Operating Effectiveness of Controls September

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Hosted SharePoint: Questions every provider should answer

Hosted SharePoint: Questions every provider should answer Hosted SharePoint: Questions every provider should answer Deciding to host your SharePoint environment in the Cloud is a game-changer for your company. The potential savings surrounding your time and money

More information

KeyLock Solutions Security and Privacy Protection Practices

KeyLock Solutions Security and Privacy Protection Practices KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout

More information

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology 6G Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology TABLE OF CONTENTS Page Report on Internal Controls Related to Information Technology Network and Network Security 1

More information

Perceptive Software Platform Services

Perceptive Software Platform Services Perceptive Software Platform Services CLOUD SOLUTIONS process and content management Perceptive Software Platform Services Perceptive Software process and content management systems have been deployed

More information

Network Router Monitoring & Management Services

Network Router Monitoring & Management Services Network Router Monitoring & Management Services Get different parameters of routers monitored and managed, and protect your business from planned and unplanned downtime. SERVICE DEFINITION: NETWORK ROUTER

More information

Enterprise Security Model in SAS Environment

Enterprise Security Model in SAS Environment Enterprise Security Model in SAS Environment WHITE PAPER Enterprise Security Model in SAS Environment Emerging internet threats coupled with strict compliance requirements of banks, financial institutions,

More information

CONTENTS. Security Policy

CONTENTS. Security Policy CONTENTS PHYSICAL SECURITY (UK) PHYSICAL SECURITY (CHICAGO) PHYSICAL SECURITY (PHOENIX) PHYSICAL SECURITY (SINGAPORE) SYSTEM SECURITY INFRASTRUCTURE Vendor software updates Security first policy CUSTOMER

More information

State of Texas. TEX-AN Next Generation. NNI Plan

State of Texas. TEX-AN Next Generation. NNI Plan State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...

More information

Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services

Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services Independent Service Auditor s Report on s Placed in Operation and Tests of Operating Effectiveness For the Period of April 1, 2008, to

More information

Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability

Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability Service Organization Controls 2 Report Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability For the Period from November 1, 2012 to October 31,

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Altus UC Security Overview

Altus UC Security Overview Altus UC Security Overview Description Document Version D2.3 TABLE OF CONTENTS Network and Services Security 1. OVERVIEW... 1 2. PHYSICAL SECURITY... 1 2.1 FACILITY... 1 ENVIRONMENTAL SAFEGUARDS... 1 ACCESS...

More information

KEEN - Reliable Infrastructure, Built to Last

KEEN - Reliable Infrastructure, Built to Last KEEN - Reliable Infrastructure, Built to Last 2 KEEN--Reliable Infrastructure, Built to Last A strong network infrastructure is the underpinning of the Knowledge Elements Education Network (KEEN). It is

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

CounselorMax and ORS Managed Hosting RFP 15-NW-0016

CounselorMax and ORS Managed Hosting RFP 15-NW-0016 CounselorMax and ORS Managed Hosting RFP 15-NW-0016 Posting Date 4/22/2015 Proposal submission deadline 5/15/2015, 5:00 PM ET Purpose of the RFP NeighborWorks America has a requirement for managed hosting

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

SAS 70 Type II Audits

SAS 70 Type II Audits Thinking from IntraLinks SAS 70 Type II Audits SAS 70 Type II Audits Ensuring Data Security, Reliability and Integrity If your organization shares sensitive data over the Internet, you need rigorous controls

More information

Powering the Cloud Desktop: OS33 Data Centers

Powering the Cloud Desktop: OS33 Data Centers OS33 Data Centers info@os33.com (866) 796-0310 www.os33.com It is hard to overstate the importance of security and uptime, which is why we obsess over making sure that your corporate information assets

More information

BOLDCHAT ARCHITECTURE & APPLICATION CONTROL

BOLDCHAT ARCHITECTURE & APPLICATION CONTROL ARCHITECTURE & APPLICATION CONTROL A technical overview of BoldChat s security. INTRODUCTION LogMeIn offers consistently reliable service to its BoldChat customers and is vigilant in efforts to provide

More information

Intel Enhanced Data Security Assessment Form

Intel Enhanced Data Security Assessment Form Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

StratusLIVE for Fundraisers Cloud Operations

StratusLIVE for Fundraisers Cloud Operations 6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace

More information

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Human Capital Management Application Development and Processing Services

Human Capital Management Application Development and Processing Services Human Capital Management Application Development and Processing Service Organization Control (SOC) Report for the period of July 1, 2013 to June 30, 2014 This report, including the description of controls

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Qvidian Hosted Customer Technical Portfolio

Qvidian Hosted Customer Technical Portfolio Introduction The presents a description of Qvidian s Software as a Service (SaaS) deployment model, providing information on the Qvidian architecture and security practices. This document includes descriptions

More information