Siemens Medical Solutions USA, Inc. INVISION ACO and RCO Services


Siemens Medical Solutions USA, Inc.
INVISION ACO and RCO Services

Independent Service Auditor's Report on Controls Placed in Operation and Tests of Operating Effectiveness
For the Period of April 1, 2008, to September 30, 2008

TABLE OF CONTENTS

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT

SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION
  OVERVIEW OF OPERATIONS
    Company Background
    Description of Other Services Provided
  CONTROL ENVIRONMENT
    Integrity and Ethical Values
    Commitment to Competence
    Senior Executive and Audit Committee Participation
    Management's Philosophy and Operating Style
    Organizational Structure and Assignment of Authority and Responsibility
    Human Resource Policies and Practices
  RISK ASSESSMENT
  CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES
  MONITORING
  INFORMATION AND COMMUNICATION SYSTEMS
    Information Systems
    Communication Systems
  COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS

SECTION 3 TESTING MATRICES
  PHYSICAL SECURITY
  ENVIRONMENTAL SECURITY
  COMPUTER OPERATIONS
  INFORMATION SECURITY
  APPLICATION CHANGE CONTROL
  DATA COMMUNICATIONS
  PATIENT ACCOUNTING
  GENERAL LEDGER
  ACCOUNTS PAYABLE
  HUMAN RESOURCES (PAYROLL)

SECTION 4 OTHER INFORMATION PROVIDED BY MANAGEMENT
  REGULATORY AND COMPLIANCE
  STRATEGIC SUPPORT OF DISASTER RECOVERY
  MANAGEMENT'S RESPONSE TO TESTING EXCEPTIONS

Siemens Medical Solutions USA, Inc. Proprietary and Confidential

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT

INDEPENDENT SERVICE AUDITOR'S REPORT

To Siemens Medical Solutions USA, Inc.:

We have examined the accompanying description of controls related to the INVISION ACO and RCO services of Siemens Medical Solutions USA, Inc. ("Siemens" or "the service organization") performed at the Malvern, Pennsylvania, facility. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Siemens' controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of Siemens' controls; and (3) such controls had been placed in operation as of September 30, 2008. The control objectives were specified by the management of Siemens. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned INVISION ACO and RCO services presents fairly, in all material respects, the relevant aspects of Siemens' controls that had been placed in operation as of September 30, 2008. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of Siemens' controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section 3 (the "Testing Matrices"), to obtain evidence about their effectiveness in meeting the control objectives, described in the Testing Matrices, during the period from April 1, 2008, to September 30, 2008. The specific controls and the nature, timing, extent, and results of the tests are listed in the Testing Matrices. This information has been provided to user organizations of Siemens and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations. In our opinion, the controls that were tested, as described in the Testing Matrices, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the Testing Matrices were achieved during the period from April 1, 2008, to September 30, 2008. However, the scope of our engagement did not include tests to determine whether control objectives not listed in the Testing Matrices were achieved; accordingly, we express no opinion on the achievement of control objectives not included in the Testing Matrices. The relative effectiveness and significance of specific controls at Siemens and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at Siemens is as of September 30, 2008, and information about tests of the operating effectiveness of specific controls covers the period from April 1, 2008, to September 30, 2008. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at Siemens is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

The information in Section 4 is presented by Siemens to provide additional information and is not a part of Siemens' description of controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements. Such information has not been subjected to the procedures applied in the examination of the description of the INVISION ACO and RCO services, and accordingly, we express no opinion on it.

This report is intended solely for use by the management of Siemens, its user organizations, and the independent auditors of its user organizations.

November 7, 2008

SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION

OVERVIEW OF OPERATIONS

Company Background

Siemens Medical Solutions of Siemens AG (Siemens) (NYSE: SI), with headquarters in Malvern, Pennsylvania and Erlangen, Germany, is one of the largest suppliers to the healthcare industry in the world. The company is known for bringing together innovative medical technologies, healthcare information systems, consulting, and support services to help customers achieve tangible, sustainable, clinical, and financial outcomes. In 2007, Siemens finalized the acquisition of Bayer Diagnostics as well as Dade Behring Holdings, Inc., making Siemens Medical Solutions Diagnostics the largest clinical diagnostics company in the world. As the world's first full-service diagnostics company, Siemens is committed to addressing the complex challenges facing the healthcare industry, today and tomorrow.

Siemens Medical Solutions employs approximately 15,000 people in the United States and 48,000 people worldwide in over 130 countries and is a key business unit of Siemens AG (Munich, Germany, NYSE: SI), a leading global electronics and engineering company. Siemens Medical Solutions reported 2007 fiscal year revenue of billion EURO. From imaging systems for diagnosis, to therapy equipment for treatment, to patient monitors and hearing instruments and beyond, Siemens' innovations contribute to the health and well-being of people across the globe, while improving operational efficiencies and optimizing workflow in hospitals, clinics, and doctors' offices. Siemens also offers a variety of data management solutions for customers and is currently a leading Application Service Provider in the healthcare industry.

Also headquartered in Malvern, the healthcare information technology (IT) division of Siemens Medical Solutions is Siemens Medical Solutions USA (Siemens Health Services). The contributions of this division have been widely recognized among industry leaders. Holding the leadership position in healthcare IT for over 35 years, Siemens Health Services is committed to helping health organizations achieve proven outcomes and improve quality of care, financial performance, and strategic position through innovative, workflow-based solutions. The group operates one of the health industry's largest processing environments, including the Siemens Health Services Information Systems Center (ISC) and Health Information Network for application hosting, e-commerce, enterprise systems management, and managed Internet and infrastructure services. As a leading Application Service Provider (ASP) in healthcare, the company operates health applications for over 1,000 health providers with connections to over 500,000 customer workstations, and processes 157 million transactions each day.

Description of Other Services Provided

Siemens Health Services products are offered to healthcare facilities of all types (urban, teaching, suburban, rural, specialty, proprietary hospital companies, not-for-profit multi-entity groups, and integrated health networks). These products include a full range of software systems that use diverse computing and networking technologies, including remote processing, distributed processing systems, and onsite systems. Siemens Health Services also provides professional services related to its information processing systems business. Domestically, Siemens Health Services markets its products and provides installation services and ongoing technical and educational support with a field staff working from branch offices.

The Siemens Health Services Corporate Headquarters and ISC are based in Chester County, Pennsylvania, residing on a 116-acre campus. The Siemens Health Services customer service staff, applications specialists, and communications and computer operations personnel who assist customers in their day-to-day use of Siemens Health Services products are located at the Corporate Headquarters. System designers and programmers, who work to enhance existing programs and develop additional data processing products, are also located at the Corporate Headquarters.

INVISION Financials

INVISION Financials is a cost-effective billing and receivables management solution that presents clear, concise patient accounting information. Access to patient accounting information can be gained through a Web-enabled browser, enabling online access across the enterprise. INVISION Financials helps streamline your patient accounting processes by improving the way you look at and analyze data. Relevant information is captured on main screens with one-click access to supporting data. All patient accounting information can be selected by the appropriate patient view from a single top-level navigator area. The information screens reside at the same level and are accessible from one navigation point; no pathways are hidden from your view. And by offering online access across the enterprise, INVISION Financials helps the patient accounting team communicate and collaborate. INVISION Financials is complemented by and integrated with other Siemens Patient Financial Service solutions, including INVISION Contract Management. This full suite of solutions supports a variety of care settings with insurance processing, billing, claims, and collection solutions.

CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Siemens' control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Siemens' ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct.

Specific control activities that Siemens has implemented in this area are described below.

- Management maintains documented standards of performance and conduct that communicate entity values and behavioral standards.
- Management requires employees to sign a series of acknowledgment forms indicating that they have been given access to the company policies and understand their responsibility for adhering to the policies and procedures.
- Management requires that employees sign a confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.
- Management performs background checks for employment candidates as a component of the hiring process.
- Management performs drug screenings for employment candidates as a component of the hiring process.

Commitment to Competence

Siemens' management defines competence as the knowledge and skills necessary to accomplish tasks that define employees' roles and responsibilities. Siemens' commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge. Siemens has an internal education department responsible for educating Siemens employees on Siemens products and new technologies. Siemens employees also attend industry trade shows, conferences, seminars, and external education classes.

Siemens' tuition reimbursement programs encourage employees to continue their educational development.

Specific control activities that Siemens has implemented in this area are described below.

- Management considers the competence levels for particular jobs and translates required skills and knowledge levels into written position requirements.
- Management maintains processes to assess job candidates to determine whether the candidates possess the requisite level of competence to hold positions.
- Management provides training sessions to employees in the Hosting and Support Services departments (EHS and CSC) to maintain and advance the skill level of personnel.

Senior Executive and Audit Committee Participation

Siemens' control consciousness is influenced significantly by the participation of Siemens' senior executives and audit committee.

Specific control activities that Siemens has implemented in this area are described below.

- The senior executive team (SET) oversees the health services (HS) management activities and meets on a monthly basis to discuss matters pertinent to the HS operations.
- Management utilizes internal audits to assess the effectiveness of internal controls and management's compliance with organizational objectives.

Management's Philosophy and Operating Style

Siemens' management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management's approach to taking and monitoring business risks, and management's attitudes toward information processing, accounting functions, and personnel. A written set of accounting policies and procedures has been developed and is updated when needed. Frequent analysis and review is performed on all financial reporting. Internal leadership meetings are held to discuss current operations and forecast projects. There are also management meetings among the various operational business units.

Specific control activities that Siemens has implemented in this area are described below.

- Management is periodically briefed on regulatory and industry changes affecting services provided.
- Management requires employees to complete online compliance training.
- Enterprise hosting services (EHS) senior management meetings are held on a monthly basis to discuss operational issues. Additionally, EHS managers meet weekly to discuss operational and training issues.
- Management has implemented a compliance hotline for worldwide employees to contact regarding questions related to compliance.

Organizational Structure and Assignment of Authority and Responsibility

Siemens' organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Siemens' management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. Siemens has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities.

Siemens' assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

Specific control activities that Siemens has implemented in this area are described below.

- Management utilizes organizational charts to communicate key areas of authority, responsibility, and lines of reporting to personnel.
- Management establishes segregation of duties for key areas of authority, job responsibilities, and lines of reporting.

The Siemens Health Services organizational control structure (see Figures 1 and 2 below) is divided into four primary areas as it relates to the INVISION ACO and RCO product lines:

- Global Services (GS) is responsible for Enterprise Hosting Solutions (including Systems Administration & Operations) and the Customer Service Center.
- Foundation Enterprise Systems (FES) is responsible for application development and support, software management, and application quality control.
- Business Administration is responsible for Siemens Health Services' accounting, finance, and legal functions.
- Health Services Human Resources reports into a Siemens Health Services Human Resources organization, but is matrixed to the President and CEO of Health Services.

[Figure 1: Siemens Health Services Organization Chart (Malvern, Pennsylvania)]

[Figure 2: Siemens AG (Germany) Organization Chart]

Human Resource Policies and Practices

Siemens' human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Siemens employs a number of policies and procedures to standardize the hiring process and employee performance and conduct.

Siemens uses a third-party vendor to verify information listed on the Siemens Application for Employment.

Specific control activities that Siemens has implemented in this area are described below.

- Management completes annual performance evaluations for employees.
- Management has established employee termination procedures to guide personnel in the termination process.

RISK ASSESSMENT

Siemens' management has placed into operation a risk assessment process to identify and manage risks that could affect the organization's ability to provide reliable transaction processing for user organizations. This process requires management to identify significant risks in their areas of responsibility and to implement appropriate measures to address those risks. Risks that are considered during management's risk assessment activities include consideration of the following events:

- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded operations
- New accounting pronouncements

Management's recognition of risks that could affect the organization's ability to provide reliable transaction processing for its user organizations is generally implicit, rather than explicit. Management's involvement in the daily operations allows them to learn about risks related to transaction processing through direct personal involvement with employees and outside parties, thus reducing the need for formalized and structured risk assessment processes.

CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

Siemens' control objectives and related control activities are included in Section 3 (the "Testing Matrices") of this report in order to eliminate the redundancy that would result from listing them in this section and repeating them in the Testing Matrices. Although the control objectives and related control activities are included in the Testing Matrices, they are, nevertheless, an integral part of the description of controls. The description of the service auditor's tests of operating effectiveness and the results of those tests are also presented in the Testing Matrices, adjacent to the service organization's description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.

Note: The scope of this service auditor's report is limited to the INVISION ACO services (also known as the "Auxiliary Computing Option") and the INVISION RCO (also known as the "Remote Computing Option and Application"). The following control objectives relate to RCO services only: Computer Operations, Information Security, Application Change, and Data Communications.

MONITORING

Monitoring is generally performed through active hands-on management, including the monthly management meeting to discuss operational issues and key performance statistics such as daily sales volume, customer service call volume and response rate, chargeback ratios, etc. Members of executive management, including the chief executive officer and chief operating officer/president, visit satellite offices on a regular basis and hold Town Hall Meetings to convey an open culture, discuss issues with employees, and ensure businesses are operating at management's expectation. Executive management is hands-on and extremely active in the business.

Siemens monitors business units and other auditable entities throughout the organization utilizing a risk-based approach in the selection of its audit population to ensure that enterprise-wide risks are prioritized and addressed in order of significance. Results from these audits are documented in formal communications to executive management and other relevant parties.

INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

The healthcare information systems Siemens offers give customers flexibility when setting up and configuring their computing alternatives. Customers select their transaction processing options and activate related audit trails. Similarly, each customer has the ability to verify the accuracy of transaction processing activity through the use of control reports or other audit trails.

The ISC serves as the central processing site for Siemens Health Services. The ISC is a 94,000 square foot facility housing servers, online disk storage (DASD), tape management, tape library, production, and distribution. Office space in the ISC is dedicated to ISC support personnel. The ISC and its support areas are responsible for all data processing. The physical construction of the building is designed to provide the security and integrity of a 24 hour per day, 365 days per year processing operation. The building is made of precast and poured concrete with firewalls separating computer operations to minimize potential fire damage through containment. Exterior emergency exit doors are made of steel and designed to prohibit outside access. All exterior doors are secured and monitored by an electronic alarm system and surveillance cameras. The main entrance to the ISC is equipped with a cardkey reader and a biometric palm scanner to restrict access to authorized personnel. Additional cardkey readers are installed throughout the building to provide access to restricted areas by authorized personnel. The only exterior windows are located in the second floor offices, cafeteria, and first floor reception area. The ISC is equipped with redundant environmental control systems to provide for continuous, uninterrupted operation.

The following is a description of the functional and support areas of the organizations that participate in the development, operations, and support of the INVISION product:

- Systems Management and Operations. This group ensures that all processing is performed for customers 24 hours/day, seven days/week. This includes supporting all Siemens Health Services product lines that run in the ISC as well as all environments required for development and support of these products. Operations are also responsible for ensuring the integrity of the Data Storage Facility, and for printing and distributing patient statements, reports, and CD-ROM.
  - Change Administration. As a subgroup within Systems Management and Operations, this group is responsible for reviewing all change requests for approval and performs updates to source and executable program libraries upon authorization and approval.

- Business Recovery Services and Security.
  - Business Recovery Services. As a subgroup within Business Recovery Services and Security, this group is responsible for the business recovery planning process for ISC-based Siemens Health Services products.
  - Security. As a subgroup within Business Recovery Services and Security, Security consists of two groups, the Security Analysts and the Security Admins. The Security Analysts are responsible for coordinating company-wide standards and guidelines for Information Security safeguards pertaining to data residing in the ISC. They provide support for the review, counsel, education, and communication of computer security administration procedures. Information Security implements and maintains security software products. The Security Admins administer security rights and privileges in accordance with the standards and guidelines developed by the Security Analysts.
- Systems and R&D. This group is responsible for the installation, maintenance, and support of the operating systems, network, and all other third-party software. The Systems and R&D groups maintain high availability and performance for the ISC by providing appropriate hardware and software products. The Systems and R&D groups consist of the following:
  - Storage & Backup Technologies. This group is responsible for the storage subsystem and for backup technologies.
  - zSeries Systems and Networking. This group is responsible for the administration of CICS systems. This includes systems maintenance, availability, performance, support, and related software development.
  - Infrastructure. This group is responsible for providing the third-party software products to run as the infrastructure for the hosted products in the ISC.
- Network Support Center. This group is responsible for the support of Siemens Health Services' customer data network and Siemens Health Services' data and voice networks.
- Foundation Enterprise Systems. This group is responsible for developing and implementing new applications and maintaining and enhancing current applications. Within this group are the General Ledger, Patient Accounting, Human Resources (Payroll), Accounts Payable, and Online Architectural Software Groups.

Siemens does not record, process, summarize, or report the financial transactions of our user organizations. Additionally, Siemens does not maintain accountability for any client assets, liabilities, or equity.

Communication Systems

Siemens Health Services has implemented various methods of communication to help ensure that significant events are communicated in a timely manner and that employees understand their roles and responsibilities regarding transaction processing and controls. These methods include orientation and training programs for newly hired employees and the use of electronic and voice mail messages to communicate time-sensitive messages. Siemens Health Services managers also hold regular staff meetings to communicate these matters. Employees are responsible for communicating significant issues in a timely manner to an appropriate higher level within the organization or through the Compliance Hotline.

Siemens Health Services has also implemented various methods of communication to notify user organizations of the role and responsibilities of Siemens Health Services in processing their transactions and to notify customers of significant concerns in a timely manner. These methods include onsite training, periodic newsletters, product announcements, and a Relationship Manager who maintains contact with customers to inform them of new issues and developments.

Customer questions and problems communicated to Customer Service Representatives are logged and tracked until resolved, and the resolution is reported to the user organizations.

COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS

Siemens' services are designed with the assumption that certain controls will be implemented by user organizations. Such controls are called complementary user organization controls. It is not feasible for all of the control objectives related to Siemens' services to be solely achieved by Siemens' control procedures. Accordingly, user organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of Siemens.

The following complementary user organization controls should be implemented by user organizations to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user organizations' locations, users' auditors should exercise judgment in selecting and reviewing these complementary user organization controls.

Complementary User Organization Controls:

1. User organizations are responsible for informing Siemens of any regulatory issues that may affect the services provided by Siemens to the user organization.
2. User organizations are responsible for understanding and complying with their contractual obligations to Siemens.
3. User organizations are responsible for maintaining their own system(s) of record.
4. User organizations are responsible for notifying Siemens, in a timely manner, when changes are made to technical, billing, or administrative contact information.
5. User organizations are responsible for developing their own disaster recovery and business continuity plans that address their inability to access or utilize Siemens' services.
6. User organizations are responsible for defining the communications method utilized to connect to Siemens' systems (e.g., direct connections, over public networks, etc.).
7. User organizations are responsible for ensuring that user IDs and passwords are assigned only to authorized individuals and that the roles assigned to the user account are appropriate. Each user should have a unique ID to ensure adequate accountability.
8. User organizations are responsible for ensuring that users have appropriate access within the application.
9. User organizations are responsible for maintaining sufficient documentation to support existing user access capabilities.
10. User organizations are responsible for ensuring the confidentiality of any user IDs and passwords assigned to them for use with Siemens' systems.
11. User organizations are responsible for changing the default passwords associated with the standard IDs provided with the system.
12. User organizations are responsible for ensuring that Siemens is notified of any required user account maintenance in a timely manner.
13. User organizations are responsible for immediately notifying Siemens of any actual or suspected information security breaches, including compromised user accounts.
14. User organizations are responsible for determining whether Siemens' security infrastructure is appropriate for their needs and for notifying the service organization of any requested modifications.

16 15. User organizations are responsible for reviewing all client reports generated via the OAS reporting tools, or from other environments not included within the scope of this review, to ensure the completeness and accuracy of information processed. 16. User organizations are responsible for ensuring that access to the various OAS Builders is restricted to only appropriate personnel. 17. User organizations are responsible for establishing standards, procedures, and controls for using each of the OAS builders to help ensure that the builders are used in accordance with management s control objectives. 18. User organizations are responsible for regularly reviewing OAS logs to ensure that only authorized Siemens Health Services account representatives are using the SMSMAS ID within their system, that all use is appropriate and authorized, and that there are no unauthorized access attempts. 19. User organizations are responsible for ensuring that access is restricted to the VSAM transfer utility by removing the menu option from user profiles or by creating an access rule that only allows certain users to use the tool. 20. User organizations are responsible for producing and reviewing all automated balancing reports (ABS) and reconcile daily processing activities to source documentation and/or input control totals. 21. User organizations are responsible for producing and reviewing the transaction control and error (TCE) report to identify transaction errors and processing rejects on a daily basis. Appropriate procedures should be implemented to ensure the timely correction of these items. 22. User organizations are responsible for ensuring that their employees are adequately trained to use Siemens Health Services applications. 23. 
User organizations are responsible for understanding all application control features, system options, and reporting capabilities of the Siemens Health Services Patient Accounting, General Ledger, Accounts Payable, Human Resources (Payroll), and OAS applications and ensure that application parameters, log files, and reporting options are set in a manner that promotes adequate control and are set in accordance with management s control objectives. 24. User organizations are responsible for checking the customer memo Intranet site daily to receive customer memo information. 25. User organizations are responsible for reviewing the transmittal summary reports to ensure that the payroll totals were accurate and matched the payroll day end processing report totals. 26. User organizations are responsible for submitting accurate and complete payroll data. 27. User organizations are responsible for implementing appropriate controls to ensure that the W-2 master files are complete and accurate for tax reporting purposes. 28. User organizations are responsible for determining that parameters within the General Ledger application, which permit debits to equal (not equal) credits for all entries, have been properly set in accordance with management s objectives. 29. User organizations are responsible for ensuring that the General Ledger Master File and the various conversion tables for interfacing products are error free. This includes reviewing and disposing of information submitted from Accounts Payable, Human Resources (Payroll), or other applications to the General Ledger default account numbers to ensure that information is accurately recorded. It is the user organization s responsibility to properly address and dispose of all noted errors. 30. User organizations are responsible for ensuring that all appropriate General Ledger and Statistical account numbers have been included in the appropriate report lines. Siemens Medical Solutions USA, Inc. 
Proprietary and Confidential 14

17 31. User organizations are responsible for reviewing their GC or general queue daily for error, balancing and reconciliation reports. 32. User organizations are responsible for reviewing the Accounts Payable Register (AP-REG) for Accounts Payable Data Collection, Accounts Payable Online Invoice File Maintenance Report (APPOMAR), the Balance Report (APBAL) to reconcile the ending balances, and the Accounts Payable Update-Error List Report (APREGER) for transmissions errors. 33. User organizations are responsible for ensuring that AP related invoices are entered into the system at the individual invoice level rather than summary form to provide an appropriate level of accountability over invoice activity. 34. User organizations are responsible for ensuring that appropriate physical security controls, with respect to Accounts Payable and Human Resources (Payroll) check printing activities, are in place to promote an adequate physical security environment over check stock, signature plates, and check printing areas, and adequate segregation of duties over check printing activities. 35. User organizations are responsible for ensuring that the AP related option is activated to enable checking for duplicate voucher numbers. 36. User organizations are responsible for ensuring that the AP 1099 master files are complete and accurate for tax reporting purposes. 37. User organizations are responsible for ensuring that the electronic AP information forwarded by Siemens Health Services to the IRS or relevant third parties, such as financial institutions, is complete and accurate and reconciles to their 1099 records. Siemens Medical Solutions USA, Inc. Proprietary and Confidential 15

SECTION 3 TESTING MATRICES

MATRIX 1

Control Objective Specified: PHYSICAL SECURITY

Control activities provide reasonable assurance that business premises and information systems are protected from unauthorized access, damage and interference.

Control 1.1: Management maintains Information Service Center (ISC) physical security policies and procedures that define requirements for access, authentication and monitoring.
Tests: Inspected the ISC physical security policies to determine that ISC physical security policies and procedures defined requirements for access and authentication. Inspected the CCTV Monitoring Facilities Policies and Procedures to determine that policies and procedures defined requirements for monitoring.

Control 1.2: Security personnel monitor access to the ISC facility 24 hours per day.
Tests: Inspected the ISC surveillance monitoring procedures and security personnel work schedules to determine that security personnel monitored access to the ISC facility 24 hours per day.

Control 1.3: Surveillance cameras monitor and record activity at entrances and throughout the ISC.
Tests: Observed ISC surveillance cameras to determine that surveillance cameras monitored and recorded activity at entrances and throughout the ISC.

Control 1.4: ISC visitors are required to register with security personnel and provide valid government issued identification before gaining access to the facility.
Tests: Observed visitor procedures to determine that ISC visitors registered with security personnel and provided valid government issued identification before gaining access to the facility. Inspected the electronic ISC visitor log to determine that visitors registered with security personnel when accessing the facility during the review period.

Control 1.5: Visitors to the ISC are required to be escorted by an employee assigned to the ISC.
Tests: Observed visitor access procedures to determine that visitors to the ISC were escorted by an employee assigned to the ISC.

Control 1.6: The ability to perform tours of the ISC is restricted to the following personnel:
 - Senior director of information technology
 - Director of information technology
 - Operations analyst (5)
Tests: Inspected the authorized tour guide list to determine that the ability to perform tours of the ISC was restricted to the personnel listed above. Inspected tour logs for a nonstatistical sample of tours performed during the review period to determine that each tour sampled was performed by an authorized tour guide.

Control 1.7: Vendor access to the ISC is restricted to vendors listed on an authorized vendor list.
Tests: Inquired of the IT director regarding vendor access to determine that vendor access to the ISC was restricted to an authorized vendor list. Inspected a nonstatistical sample of vendors from the data center badge access list and compared them to the authorized vendor access list to determine that vendor badge access holders were listed on the authorized vendor list.

Control 1.8: Management maintains badge access policies and procedures that define requirements for badge access request, approval and assignment.
Tests: Inspected the badge access policies and procedures to determine that management maintained badge access policies and procedures that defined requirements for badge access request, approval and assignment.

Control 1.9: Management utilizes standardized request forms for the assignment of badge access privileges. Managers must approve ISC access level requests.
Tests: Inspected a nonstatistical sample of employees with ISC badge access and traced them to completed standardized request forms to determine that standardized request forms were utilized for the assignment of badge access privileges and were approved by management for each sampled employee with ISC badge access.

Control 1.10: Management utilizes a two factor electronic badge access system to control access to and within the ISC. Authentication requires a physical badge and a valid PIN code.
Tests: Observed the electronic access system to determine that a two factor electronic badge access system controlled access to and within the ISC and required a physical badge and a valid PIN code.

Control 1.11: Predefined physical security zones are utilized to define role based badge access privileges.
Tests: Inspected the badge access listing and the zone description to determine that predefined physical security zones were utilized to define role based badge access privileges.

Control 1.12: The senior director and the director of IT perform a monthly review of ISC badge access privileges.
Tests: Inspected badge access reviews for a nonstatistical sample of months during the review period to determine that the senior director and the director of IT performed a review of ISC badge access privileges for each month sampled.

Control 1.13: The badge access system logs access activity that is traceable to the individual cardholder and reports access exceptions including expired, deleted, suspended and invalid badge access attempts. Security personnel investigate suspicious access exceptions reported.
Tests: Inquired of the security specialist regarding badge access exception monitoring to determine that security personnel investigated suspicious access exceptions reported. Inspected an example badge access log to determine that the badge access system logged access activity that was traceable to the individual cardholder.

Control 1.14: ISC walls are continuous from floor to ceiling.
Tests: Observed the ISC to determine that the walls were continuous from floor to ceiling.

Control 1.15: There are no exterior windows in the ISC.
Tests: Observed the ISC to determine that there were no exterior windows in the ISC.
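Control 1.13 describes a badge access system that reports exceptions (expired, deleted, suspended and invalid attempts) traceable to the cardholder, with security personnel investigating the suspicious ones. The following is an added example, not part of the Siemens report or its badge system: it parses a constructed log in a hypothetical pipe-delimited format, builds the per-cardholder exception report, and flags holders that warrant investigation (repeated failures within a short window, or a badge the system does not recognise). The log format, threshold and window are assumptions.

```python
"""Added example (not from the Siemens report): badge access exception
reporting in the spirit of control 1.13, over a constructed sample log."""
from collections import defaultdict
from datetime import datetime

# Exception results named in control 1.13; any other result is an ordinary grant.
EXCEPTION_RESULTS = {"EXPIRED", "DELETED", "SUSPENDED", "INVALID"}

# Constructed sample log. Hypothetical format: timestamp|badge|cardholder|door|result
SAMPLE_LOG = """\
2008-09-12 08:01:10|B1001|alice.c|ISC-MAIN|GRANTED
2008-09-12 08:02:44|B1002|bob.d|ISC-MAIN|GRANTED
2008-09-12 08:05:03|B1003|carol.e|ISC-MAIN|EXPIRED
2008-09-12 08:05:21|B1003|carol.e|ISC-MAIN|EXPIRED
2008-09-12 08:05:40|B1003|carol.e|ISC-MAIN|EXPIRED
2008-09-12 09:15:00|B1004|dan.f|ISC-TAPE|SUSPENDED
2008-09-12 11:30:12|B9999|UNKNOWN|ISC-MAIN|INVALID
2008-09-12 12:00:05|B1001|alice.c|ISC-TAPE|GRANTED
2008-09-12 23:45:30|B1005|eve.g|ISC-MAIN|DELETED
"""


def parse_badge_log(text):
    """Parse pipe-delimited log lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, badge, holder, door, result = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "badge": badge,
            "holder": holder,
            "door": door,
            "result": result.upper(),
        })
    return events


def exception_report(events):
    """Return {cardholder: {exception_type: count}} for exception results only,
    so every reported exception stays traceable to an individual cardholder."""
    report = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["result"] in EXCEPTION_RESULTS:
            report[ev["holder"]][ev["result"]] += 1
    return {holder: dict(counts) for holder, counts in report.items()}


def suspicious_holders(events, threshold=3, window_seconds=300):
    """Cardholders to hand to security personnel for investigation: anyone with
    `threshold` or more exceptions inside a sliding window of `window_seconds`
    (repeated failed attempts), plus every attempt with an unrecognised badge.
    Returns a sorted list of cardholder names."""
    recent = defaultdict(list)   # holder -> timestamps of recent exceptions
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] not in EXCEPTION_RESULTS:
            continue
        if ev["result"] == "INVALID":
            flagged.add(ev["holder"])
            continue
        times = recent[ev["holder"]]
        times.append(ev["time"])
        # Drop attempts that fell out of the sliding window.
        while (times[-1] - times[0]).total_seconds() > window_seconds:
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(ev["holder"])
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_badge_log(SAMPLE_LOG)
    for holder, counts in sorted(exception_report(evs).items()):
        print(holder, counts)
    print("investigate:", suspicious_holders(evs))
```

The report keeps ordinary grants out of the output so the reviewer sees only what control 1.13 says the system should surface; the investigation list is deliberately narrower than the report, since a single expired-badge attempt is routine while a burst of them, or an unknown badge, is what the security specialist would want escalated.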

MATRIX 2

Control Objective Specified: ENVIRONMENTAL SECURITY

Control activities provide reasonable assurance that critical information technology infrastructure is protected from certain environmental threats.

Control 2.1: An engineer is on-call 24 hours per day to provide environmental system support.
Tests: Inquired of the assistant chief operating engineer regarding the engineer work schedules to determine that engineers were staffed or on-call 24 hours per day. Inspected the engineering personnel work schedules for a nonstatistical sample of months during the review period to determine that engineers were staffed or on-call 24 hours per day for each month sampled.

Fire Detection and Suppression

Control 2.2: The ISC is protected by fire detection and suppression controls that include the following:
 - A cross-zoned fire detection system
 - Automatic dry pipe sprinkler system
 - Dual-zone Halon system
Tests: Inquired of the IT director regarding the fire detection and suppression system to determine that the ISC was protected by the fire detection and suppression controls listed above. Observed the ISC to determine that the ISC was protected by a fire detection and suppression system.

Control 2.3: ISC operators monitor fire alarm systems 24 hours per day.
Tests: Inquired of the assistant chief operating engineer regarding the monitoring activities of the ISC operators to determine that ISC operators monitored fire alarm systems 24 hours per day. Inspected ISC operators' work schedules to determine that the ISC was staffed 24 hours per day.

Control 2.4: A third party vendor inspects the fire suppression and alarm systems on an annual basis.
Tests: Inspected the most recent inspection report to determine that fire suppression and alarm systems were inspected during the 12 months preceding the end of the review period.

Control 2.5: A third party vendor inspects the fire suppression and alarm systems on an annual basis.
Tests: Inspected the most recent inspection report to determine that fire suppression and alarm systems were inspected during the 12 months preceding the end of the review period.

Control 2.6: A third party vendor inspects the fire extinguishers on an annual basis.
Tests: Inspected fire extinguisher inspection tags to determine that a third party vendor inspected the fire extinguishers during the 12 months preceding the end of the review period.

Temperature and Humidity

Control 2.7: The data center is equipped with dedicated Heating, Ventilation, and Air-Conditioning (HVAC) units.
Tests: Observed the data center to determine that the data center was equipped with multiple HVAC units.

Control 2.8: The dedicated HVAC units are configured to notify data center personnel in the event that defined thresholds are exceeded.
Tests: Inquired of the assistant chief operating engineer regarding HVAC alert notification to determine that the HVAC unit alarm was configured to notify ISC personnel in the event that defined thresholds were exceeded. Inspected the HVAC unit alarm configuration to determine that the dedicated HVAC units were configured to notify data center personnel in the event that defined thresholds were exceeded.

Control 2.9: A third party vendor performs inspections and preventative maintenance of the HVAC units on a quarterly basis.
Tests: Inspected service reports for a nonstatistical sample of quarters during the review period to determine that a third party vendor performed inspections and preventative maintenance of the HVAC units for each quarter sampled.

Control 2.10: ISC operators perform preventative maintenance of the HVAC units on a bi-monthly basis.
Tests: Inspected maintenance reports for a nonstatistical sample of months during the review period to determine that preventative maintenance was performed on a bi-monthly basis for each month sampled.

Control 2.11: The ISC equipment is placed on a raised tile floor to facilitate cooling and protect production equipment from localized flooding.
Tests: Observed the ISC raised flooring to determine that the ISC equipment was placed on a raised tile floor.

Control 2.12: Water detection sensors are located beneath the raised flooring in the data center.
Tests: Observed the water detection sensors to determine that the data center was equipped with water detection sensors located beneath the raised flooring. Inspected the most recent annual water detection sensor test report to determine that the data center was equipped with water detection sensors.

Control 2.13: ISC operators perform maintenance of the water detection sensors on an annual basis.
Tests: Inspected the most recent annual water detection sensor test report to determine that maintenance of the water detection sensors was performed during the 12 months preceding the end of the review period.

Control 2.14: The ISC is connected to redundant uninterruptible power supply (UPS) systems to provide temporary electricity in the event of a power outage.
Tests: Inquired of the IT director regarding the UPS system to determine that redundant UPS systems were in place to provide power in the event of a primary unit's failure. Observed the UPS systems to determine that redundant UPS systems were in place.

Control 2.15: ISC operators perform inspections of the primary and secondary UPS systems on a daily basis.
Tests: Inspected UPS maintenance logs for a nonstatistical sample of days during the review period to determine that inspections of the primary and secondary UPS systems were performed for each day sampled.

Control 2.16: A third party vendor inspects the secondary UPS systems' batteries on a quarterly basis.
Tests: Inspected the UPS battery inspection report for a nonstatistical sample of quarters during the review period to determine that a third party vendor inspected the secondary UPS systems' batteries for each quarter sampled.

Control 2.17: An enterprise monitoring application is configured to monitor the UPS systems and alert ISC operators via audible alarms and text pages when the application detects a power failure.
Tests: Inquired of the assistant chief operating engineer regarding the enterprise monitoring application to determine that an enterprise monitoring application was configured to monitor the UPS systems and alert ISC operators via audible alarms and text pages when the application detected a power failure. Inspected captured screen images of the enterprise monitoring system to determine that an enterprise monitoring application was configured to monitor the UPS systems.

Control 2.18: The ISC is equipped with four diesel power generators to provide power in the event of an extended power outage.
Tests: Observed the four diesel power generators to determine that the ISC was equipped with four diesel power generators for use in the event of an extended power outage.

Control 2.19: A third party vendor inspects the diesel power generators' batteries on an annual basis.
Tests: Inspected the most recent inspection report to determine that a third party vendor inspected the diesel power generators during the 12 months preceding the end of the review period.

Control 2.20: ISC operators perform diesel power generator load testing on a weekly basis.
Tests: Inspected weekly generator load test checklists for a nonstatistical sample of weeks during the review period to determine that the diesel power generators were load tested for each week sampled.

Control 2.21: Data center personnel perform a daily walkthrough to monitor environmental equipment including, but not limited to, the following:
 - UPS systems
 - HVAC units
 - Chillers
 - Gas alarms
 - Halon units
Tests: Inspected daily walk-through reports for a nonstatistical sample of days during the review period to determine that a daily walk-through was performed to monitor the environmental equipment listed above.

MATRIX 3

Control Objective Specified: COMPUTER OPERATIONS

Control activities provide reasonable assurance of timely system backups of critical files, off-site backup storage, and regular off-site rotation of backup files.

Control 3.1: Data backup policies and procedures are maintained that address the following:
 - Manual and automated vaulting operations
 - Operational maintenance procedures
 - Off-site vaulting
 - Media handling, labeling and coding
 - Backup schedule and retention of files
Tests: Inspected policy documentation to determine that data backup policies and procedures addressed the items listed above.

Control 3.2: Information technology personnel rotate backup media off-site on a daily basis to a third party media vaulting company.
Tests: Inspected the backup media rotation forms for a nonstatistical sample of days during the review period to determine that backup media was rotated off-site for each day sampled. Inspected the third party storage agreement with the third party media vaulting company to determine that a third party media vaulting company was utilized for off-site storage of backup media.

Control 3.3: The ability to recall backup media from the third party media vaulting company is restricted to operations personnel (19).
Tests: Inspected the access listing to determine that the ability to recall backup media from the third party vaulting company was restricted to operations personnel (19).

Control 3.4: The automated backup system centrally maintains an inventory of backup media.
Tests: Inspected captured screen images of the backup media inventory and the restore process for a nonstatistical sample of application datasets to determine that the automated backup system centrally maintained an inventory of backup media for each dataset sampled.

Control 3.5: Each application utilizes an automated backup system to perform scheduled system backups of production datasets on a daily basis.
Tests: Inspected the automated backup system configuration and example backup job logs for a nonstatistical sample of production datasets and customer regions to determine that an automated backup system was utilized to perform scheduled system backups of each application's production datasets on a daily basis for each dataset sampled.

Control 3.6: The automated backup system performs full backups of source code on a weekly basis.
Tests: Inquired of storage management personnel regarding the backup of source code to determine that the automated backup system performed full backups of source code on a weekly basis. Inspected the source code backup process and example backup job logs for a nonstatistical sample of weeks during the review period to determine that the automated backup system performed full backups of source code for each week sampled.
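The tests for controls 3.5 and 3.6 sample backup job logs to confirm daily production-dataset backups and weekly source-code backups. As an added example, not from the Siemens report or its backup system, the following script performs that coverage check exhaustively over a review window rather than by sampling: it reads a constructed job log in a hypothetical date|job|dataset|status format, counts only successful runs, and lists the days (for daily datasets) or ISO weeks (for the weekly source library) with no successful backup. Dataset and job names are constructed.

```python
"""Added example (not from the Siemens report): backup coverage check for
daily production datasets (control 3.5) and weekly source code (control 3.6)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample job log. Hypothetical format: date|job|dataset|status
SAMPLE_JOB_LOG = """\
2008-09-01|BKUPPA|PA.PROD.MASTER|OK
2008-09-02|BKUPPA|PA.PROD.MASTER|OK
2008-09-03|BKUPPA|PA.PROD.MASTER|FAILED
2008-09-04|BKUPPA|PA.PROD.MASTER|OK
2008-09-05|BKUPPA|PA.PROD.MASTER|OK
2008-09-06|BKUPPA|PA.PROD.MASTER|OK
2008-09-07|BKUPPA|PA.PROD.MASTER|OK
2008-09-01|BKUPGL|GL.PROD.MASTER|OK
2008-09-02|BKUPGL|GL.PROD.MASTER|OK
2008-09-03|BKUPGL|GL.PROD.MASTER|OK
2008-09-04|BKUPGL|GL.PROD.MASTER|OK
2008-09-06|BKUPGL|GL.PROD.MASTER|OK
2008-09-07|BKUPGL|GL.PROD.MASTER|OK
2008-09-02|BKUPSRC|SOURCE.LIB|OK
2008-09-09|BKUPSRC|SOURCE.LIB|OK
2008-09-23|BKUPSRC|SOURCE.LIB|OK
"""


def parse_job_log(text):
    """Return {dataset: set of dates with a successful (status OK) backup}.
    A FAILED run does not count as coverage, which is the point of the check."""
    ok_days = defaultdict(set)
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        day, _job, dataset, status = parts
        if status.upper() == "OK":
            ok_days[dataset].add(date.fromisoformat(day))
    return ok_days


def _days(start, end):
    cur = date.fromisoformat(start)
    stop = date.fromisoformat(end)
    while cur <= stop:
        yield cur
        cur += timedelta(days=1)


def missing_daily(ok_days, dataset, start, end):
    """ISO dates in [start, end] on which `dataset` had no successful backup."""
    covered = ok_days.get(dataset, set())
    return [d.isoformat() for d in _days(start, end) if d not in covered]


def missing_weekly(ok_days, dataset, start, end):
    """ISO weeks ('YYYY-Www') in [start, end] with no successful backup of `dataset`."""
    covered = {d.isocalendar()[:2] for d in ok_days.get(dataset, set())}
    missing = []
    for d in _days(start, end):
        year, week = d.isocalendar()[:2]
        label = f"{year}-W{week:02d}"
        if (year, week) not in covered and label not in missing:
            missing.append(label)
    return missing


if __name__ == "__main__":
    ok = parse_job_log(SAMPLE_JOB_LOG)
    for ds in ("PA.PROD.MASTER", "GL.PROD.MASTER"):
        print(ds, "days without backup:", missing_daily(ok, ds, "2008-09-01", "2008-09-07"))
    print("SOURCE.LIB weeks without backup:",
          missing_weekly(ok, "SOURCE.LIB", "2008-09-01", "2008-09-28"))
```

A dataset that never appears in the log is reported as missing on every day of the window, so a backup job that was silently dropped from the schedule shows up as loudly as one that failed.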

MATRIX 4

Control Objective Specified: COMPUTER OPERATIONS

Control activities provide reasonable assurance that systems are maintained in a manner that helps ensure system availability.

Control 4.1: Documented computer operations policies and procedures are maintained that address the following:
 - Operations server rebooting
 - Incident response and resolution
 - Escalation procedures
 - Customer approval and satisfaction
 - Down system standards
 - Outage management
 - Production monitoring
Tests: Inspected policy documentation to determine that documented computer operations policies and procedures addressed operations server rebooting, incident response and resolution, escalation procedures, customer approval and satisfaction, down system standards, and outage management.

Control 4.2: The outage management team is on site 24 hours per day, 365 days per year, to respond to incidents and provide escalation support.
Tests: Inquired of the IT manager regarding the outage management team to determine that the outage management team was on site 24 hours per day, 365 days per year, to respond to incidents and provide escalation support. Inspected the outage management team schedule to determine that the outage management team was on site to respond to incidents and provide escalation support 24 hours per day, 365 days per year.

Control 4.3: Operations personnel maintain an outage history report for historical analysis and problem resolution.
Tests: Inspected the outage history report to determine that an outage history report was maintained.

Control 4.4: An enterprise monitoring application is utilized to monitor the performance and availability of production sites, servers and devices.
Tests: Observed the enterprise monitoring application to determine that the application was used to monitor the performance and availability of production sites, servers and devices.

Incident Tracking and Response

Control 4.5: An events tracking system (EVTS) is utilized to log, document and monitor production incidents, response and resolution.
Tests: Inspected captured screen images of an example EVTS tracking ticket to determine that an EVTS was utilized to log, document and monitor production incidents, response and resolution.

Control 4.6: The EVTS system generates open ticket reports for daily review by the Hosting and Support Services departments (EHS and CSC) and account managers.
Tests: Inquired of the technical operations and integration support director regarding the EVTS daily status report to determine that the EVTS generated open ticket reports for daily review by the EHS, CSC and account managers. Inspected an open ticket report to determine that the EVTS system generated daily open ticket reports.

Control 4.7: Technology services personnel hold weekly meetings to discuss system incidents and maintenance.
Tests: Inspected maintenance meeting minutes for a nonstatistical sample of weeks during the review period to determine that a meeting was held for each week sampled.

Patch Management

Control 4.8: Documented patch management policies are maintained that address the following:
 - Monitoring of releases
 - Evaluation of risk
 - Notification of patch updates
 - Testing
Tests: Inspected the documented patch management policy to determine that documented patch management procedures addressed the items listed above.

Job Scheduling

Control 4.9: A scheduling application is utilized to perform automated job scheduling.
Tests: Inspected job schedules and job logs to determine that a scheduling application performed automated job scheduling.

Control 4.10: The job scheduling application alerts operations personnel in the event of irregularities. Operations personnel create an EVTS ticket for irregularities that require second level support.
Tests: Inquired of an analyst regarding the job scheduling alerts to determine that the job scheduling application alerted operations personnel in the event of an irregularity and that operations personnel created an EVTS ticket for irregularities that required second level support. Inspected example job irregularity alerts and a nonstatistical sample of EVTS tickets to determine that the job scheduling application alerted operations personnel in the event of an irregularity and that operations personnel created an EVTS ticket for irregularities that required second level support.

Control 4.11: The job scheduling application logs processing irregularities.
Tests: Inspected a nonstatistical sample of scheduled job logs created during the review period to determine that the job scheduling application logged processing irregularities for each job log sampled.

Control 4.12: Enterprise hosting services (EHS) change management analysts review changes to processing on a daily basis and change the production schedule based on approval by management and instructions from the Application Area Team Leaders.
Tests: Inspected a nonstatistical sample of production job schedule changes that occurred during the review period to determine that EHS change management analysts reviewed changes to processing for each change sampled and changed the production schedule based on approval by management and instructions from the Application Area Team Leaders for each change sampled.

35 MATRIX 5 Objective Specified : INFORMATION SECURITY activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized or unintentional use, modification, addition or deletion. 5.1 Customers are configured with a unique hospital region code for each customer information control system (CICS) region. 5.2 Human resources (HR) personnel distribute a daily list of employee terminations and transfers. Information security personnel revoke or modify user access permissions upon notification from human resources personnel. Inspected the listing of CICS regions and hospital region codes to determine that customers were configured with a unique hospital region code for each CICS region. Inquired of the information security analyst regarding termination notifications to determine that human resources personnel distributed a daily list of employee terminations and transfers and that information security personnel modified user access permissions upon notification from human resources personnel. Inspected HR notifications for a nonstatistical sample of days to determine that human resources personnel distributed a daily list of employee terminations and transfers for each day sampled. Inspected Siemens access permissions and compared to the current employee list to determine that only current employees were granted access. Siemens Medical Solutions USA, Inc. Proprietary and Confidential 33

Mainframe Access Controls

5.3 Control activity: The mainframe environment requires users to authenticate via a user account and password. The mainframe is configured to enforce the following password controls:
    - Minimum password length
    - Password expiration set to 15 days
    - Invalid password account lockout threshold
    Test performed: Inspected the ACF2 user profile, configuration report and a captured screen image of the logon process to determine that the mainframe environment required users to authenticate via a user account and password and that the mainframe was configured to enforce the password controls listed above.

5.4 Control activity: ACF2 security settings require mainframe user passwords to conform to minimum history requirements that prevent the user from reusing a set number of previously used passwords.
    Test performed: Inspected captured screen images of a user changing the password to determine that ACF2 security settings required mainframe user passwords to conform to minimum history requirements that prevent the user from reusing a set number of previously used passwords.

5.5 Control activity: Managers must submit an electronic CICS access request form to the ACF2 administrator for new employees before those employees obtain access to production datasets.
    Tests performed:
    - Inquired of the information security analyst regarding mainframe request forms to determine that managers were required to submit an electronic CICS access request form to the ACF2 administrator for new employees before those employees obtained access to production datasets.
    - Inspected the CICS access request forms for Siemens INVISION financials application users hired during the review period to determine that managers submitted an electronic CICS access request form to the ACF2 administrator for each new employee before that employee obtained access to production datasets.

5.6 Control activity: Management utilizes the ACF2 security application to provide authentication and access control to mainframe resources.
    Test performed: Inspected the ACF2 configuration report to determine that the ACF2 security application provided authentication and access control to mainframe resources.

5.7 Control activity: The ability to administer the ACF2 security application is restricted to security analysts (5).
    Test performed: Inspected a listing of users with the security attribute to determine that the ability to administer the ACF2 security application was restricted to security analysts (5).

Mainframe Auditing and Logging Controls

5.8 Control activity: Information security personnel review daily security violation reports identifying the responsible logon and terminal name of the security violation.
    Tests performed:
    - Inquired of the information security analyst to determine that information security personnel reviewed daily security violation reports identifying the responsible logon and terminal name of the security violation.
    - Inspected dataset violation reports for a nonstatistical sample of days to determine that a security violation report was in place and identified the responsible logon and terminal name of security violations for each day sampled.
    Test exception: The test of the control activity, performed in August 2008, disclosed that evidence of analyst review for user account security violations was not available for one of ten security violation reports reviewed. Additional testing of the control activity, performed in October 2008, disclosed that security violation reports were not reviewed in September 2008.

Online Architecture Software (OAS) Controls

5.9 Control activity: OAS checks the user account and password against a list of authorized users set up and maintained by the customer. If the user account and password are not authorized, access is denied.
    Test performed: Inspected captured screen images of the logon process in the test environment for an authorized user, an unauthorized user, and an invalid password to determine that if the user account and password entered were not authorized, access was denied.

5.10 Control activity: OAS provides customer configurable password functionality to enforce the following user account and password controls:
    - Minimum password length
    - Password history requirements
    - Maximum invalid login attempts
    - Prevent passwords from being equal to user account names
    Tests performed:
    - Inquired of the IT senior manager regarding OAS password security to determine that OAS provided customer configurable password functionality to enforce the user account and password controls listed above.
    - Inspected captured screen images of demonstrated password restriction functions to determine that OAS provided customer configurable password functionality to enforce the password controls listed above.

5.11 Control activity: OAS restricts a user account from simultaneous signons within a single hospital customer code.
    Test performed: Inspected captured screen image examples of simultaneous signons to determine that OAS restricted a user account from simultaneous signons within a single hospital customer code.

5.12 Control activity: Invalid password attempts are logged and reported in online and batch security reports.
    Test performed: Inspected example online and batch security reports to determine that invalid password attempts were logged and reported in online and batch security reports.

5.13 Control activity: OAS provides customers the option to partially or completely restrict SMSMAS access.
    Tests performed:
    - Inquired of an IT senior manager regarding SMSMAS authority to determine that OAS provided customers the option to partially or completely restrict SMSMAS access.
    - Inspected captured screen images demonstrating the ability to completely or partially restrict SMSMAS access to determine that OAS provided customers the option to partially or completely restrict SMSMAS access.

5.14 Control activity: The application logs the use of the SMSMAS authority to the security log file.
    Test performed: Inspected example security log files to determine that the application logged the use of the SMSMAS authority to the security log file.

5.15 Control activity: Security Builder provides security reports that include, but are not limited to, the following:
    - User account
    - User name
    - Action performed
    - User privileges
    Test performed: Inspected example security reports to determine that Security Builder provided security reports that included the fields listed above.
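Controls 5.3 and 5.4 (ACF2) and 5.9 through 5.12 (OAS) describe one authentication mechanism seen from two products: a password checked against a stored credential, a length floor, an expiry interval, a reuse history, a ban on passwords equal to the logonid, a lockout after too many failures, a single session per account within a hospital code, and a security log of every denied attempt. The model below is an added example written for this page, not ACF2 or OAS code. The 15-day expiry is the figure stated in 5.3; the 8-character minimum, 5-password history depth, 3-attempt lockout, the log line layout and the sample logonids and hospital code are assumptions.

```python
"""Model of the logon and password controls in 5.3/5.4 and 5.9 to 5.12.

Added example, not ACF2 or OAS code. Thresholds other than the 15-day
expiry, the log format and the sample accounts are assumed.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta


class Policy:
    min_length = 8        # assumed; the matrix only says "minimum password length"
    expiry_days = 15      # stated in 5.3
    history_depth = 5     # assumed depth for the 5.4 / 5.10 history requirement
    max_failures = 3      # assumed invalid-password lockout threshold


def _hash(password, salt):
    # Iteration count kept low so the example runs quickly; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class AuthService:
    def __init__(self, policy=None, today=date(2008, 9, 30)):
        self.policy = policy or Policy()
        self.today = today
        self.accounts = {}   # (hospital_code, logonid) -> account record
        self.sessions = {}   # (hospital_code, logonid) -> terminal signed on (5.11)
        self.log = []        # security log of denied attempts (5.12), constructed layout

    def advance(self, days):
        self.today += timedelta(days=days)

    def create(self, hospital, logonid, password):
        key = (hospital, logonid)
        self.accounts[key] = {"history": [], "failures": 0,
                              "locked": False, "changed": self.today}
        status = self.change_password(hospital, logonid, password)
        if status != "OK":
            del self.accounts[key]
        return status

    def change_password(self, hospital, logonid, new):
        acct = self.accounts[(hospital, logonid)]
        p = self.policy
        if len(new) < p.min_length:
            return "TOO_SHORT"
        if new.lower() == logonid.lower():          # 5.10: not equal to the account name
            return "EQUALS_LOGONID"
        for salt, digest in acct["history"]:        # 5.4 / 5.10: history check
            if hmac.compare_digest(_hash(new, salt), digest):
                return "REUSED"
        salt = os.urandom(16)
        acct["history"] = ([(salt, _hash(new, salt))] + acct["history"])[:p.history_depth]
        acct["changed"] = self.today
        return "OK"

    def logon(self, hospital, logonid, password, terminal):
        key = (hospital, logonid)
        acct = self.accounts.get(key)
        if acct is None:                            # 5.9: not on the authorized list
            self._log(logonid, terminal, "UNKNOWN_ACCOUNT")
            return "DENIED"
        if acct["locked"]:
            self._log(logonid, terminal, "ACCOUNT_LOCKED")
            return "DENIED"
        salt, digest = acct["history"][0]           # current password is history[0]
        if not hmac.compare_digest(_hash(password, salt), digest):
            acct["failures"] += 1
            if acct["failures"] >= self.policy.max_failures:   # 5.3 lockout threshold
                acct["locked"] = True
            self._log(logonid, terminal, "INVALID_PASSWORD")
            return "DENIED"
        acct["failures"] = 0
        if (self.today - acct["changed"]).days >= self.policy.expiry_days:   # 5.3 expiry
            return "EXPIRED"
        if key in self.sessions:                    # 5.11: one signon per hospital code
            self._log(logonid, terminal, "ALREADY_SIGNED_ON")
            return "DENIED"
        self.sessions[key] = terminal
        return "OK"

    def logoff(self, hospital, logonid):
        self.sessions.pop((hospital, logonid), None)

    def _log(self, logonid, terminal, reason):
        # Same fields the 5.8 violation report names: date, logon, terminal, reason.
        self.log.append(f"{self.today.isoformat()} {logonid} {terminal} {reason}")
```

The lockout counter resets only on a successful logon, and expiry is evaluated after the password check, so an attacker cannot learn whether a logonid is expired without first knowing its password. Both choices are the ones a practitioner would expect a security product to make; the matrix does not say which order ACF2 or OAS uses.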

MATRIX 6
Control Objective Specified: APPLICATION CHANGE CONTROL control activities provide reasonable assurance that unauthorized changes are not made to production application systems.

6.1 Control activity: Change control policies and procedures are maintained in a quality management system (QMS) and address the request, approval and testing of normal and emergency changes and migration to the production environment.
    Test performed: Inspected the online QMS policy documentation to determine that change control policies and procedures were maintained in a QMS and that they addressed the request, approval and testing of normal and emergency changes and migration to the production environment.

Change Request Initiation and Assessment

6.2 Control activity: Management utilizes a software tracking system (STS) to control change requests, workflow, testing and approvals throughout the development lifecycle.
    Test performed: Inspected STS move requests for a nonstatistical sample of changes implemented during the review period to determine that the STS was utilized to control change requests, workflow, testing and approvals for each change sampled.

6.3 Control activity: The STS prevents incomplete change requests from further processing and performs edit checks including, but not limited to, the following:
    - Completeness of the description of the change
    - Proposed resolution
    - Verification procedures
    - Apply procedures
    Test performed: Inspected incomplete change request attempts to determine that the STS prevented incomplete change requests from further processing and performed the edit checks listed above.

6.4 Control activity: Software management and change management approve change requests for testing.
    Test performed: Inspected STS move requests for a nonstatistical sample of changes implemented during the review period to determine that software management and change management approved each change sampled.

Emergency Changes

6.5 Control activity: Emergency change requestors utilize standardized electronic request forms for emergency change requests.
    Test performed: Inspected request forms for a nonstatistical sample of emergency changes implemented during the review period to determine that standardized electronic request forms were utilized for each emergency change sampled.

6.6 Control activity: Change management requires that emergency requests include the following prior to approval:
    - Exception type
    - Environments affected
    - Apply procedures
    - Test results
    - Recovery procedures
    - Move request
    Test performed: Inspected request forms for a nonstatistical sample of emergency changes implemented during the review period to determine that each emergency request sampled included the items listed above.

6.7 Control activity: A change management database tracks the request, approval, workflow, testing and implementation of emergency changes.
    Test performed: Inspected the change management database for a nonstatistical sample of emergency changes implemented during the review period to determine that the change management database tracked the request, approval, workflow, testing and implementation of each emergency change sampled.

6.8 Control activity: Change management approves emergency change requests prior to implementation.
    Test performed: Inspected request forms for a nonstatistical sample of emergency changes implemented during the review period to determine that change management approved each emergency change sampled.

6.9 Control activity: Monthly implementation windows are maintained to perform changes, and an update schedule that defines timeline requirements is published annually.
    Test performed: Inspected the update schedule to determine that monthly implementation windows were maintained and an update schedule was published annually.

6.10 Control activity: Management maintains a test environment that is logically separate from the production environment.
    Tests performed:
    - Inquired of an operations analyst regarding application environments to determine that management maintained a test environment that was logically separate from the production environment.
    - Inspected application environments for a nonstatistical sample of hospitals to determine that management maintained a logically separate test environment for each hospital sampled.

6.11 Control activity: Software management performs installation and batch regression testing of changes prior to implementation.
    Test performed: Inspected STS move requests for a nonstatistical sample of changes implemented during the review period to determine that software management performed installation and batch regression testing for each change sampled.

6.12 Control activity: Management maintains documented policies and procedures that address documentation standards for development.
    Test performed: Inspected policy documentation to determine that documented policies and procedures addressed documentation standards for development.

6.13 Control activity: The ability to approve and promote changes to production is managed via a software management tool that is restricted to user accounts accessible by software management personnel (4).
    Tests performed:
    - Inspected user access permissions to determine that the ability to approve and promote changes to production was managed via a software management tool that was restricted to user accounts accessible by software management personnel (4).
    - Inspected STS move requests for a nonstatistical sample of changes implemented during the review period to determine that software management personnel approved and promoted each change sampled.

6.14 Control activity: Developers have logged access to production data sets to provide third level support. An EVTS ticket documents the authorized activities performed in production by the developers.
    Tests performed:
    - Inquired of the IT senior manager regarding developer access to production to determine that developers were granted logged access to production data sets to provide third level support and that an EVTS ticket documented the activities performed in production by the developers.

6.14 (Cont.)
    - Inspected a report of the developer logons to production CICS regions during the review period to determine that developer access to production libraries and data sets was logged.
    - Inspected a report of the developer logons to production CICS regions during the review period and traced it to a nonstatistical sample of EVTS tickets to determine that an EVTS ticket documented the authorized activities performed in production by the developers for each EVTS ticket sampled.
    Test exception: The test of the control activity disclosed that the activities performed by developers in production were not documented in an EVTS ticket for two of 38 EVTS tickets sampled.

MATRIX 7
Control Objective Specified: DATA COMMUNICATIONS control activities provide reasonable assurance that data maintains its integrity and security as it is transmitted between third parties and the service organization.

Firewall Systems

7.1 Control activity: A firewall system is in place to filter unauthorized inbound network traffic from the Internet.
    Test performed: Inspected the firewall ruleset to determine that a firewall system was in place to filter unauthorized inbound network traffic from the Internet.

7.2 Control activity: A high-availability firewall system is in place to provide failover firewall services in the event of a primary firewall failure.
    Tests performed:
    - Observed the network diagram to determine that a high-availability firewall system was in place.
    - Inspected an example firewall ruleset to determine that a failover firewall was in place in the event of a primary firewall failure.

7.3 Control activity: The firewall system is configured to allow only specific services to specific destinations.
    Test performed: Inspected the firewall ruleset to determine that the firewall system was configured to allow only specific services to specific destinations.

7.4 Control activity: Network Address Translation (NAT) services are enabled on perimeter firewall systems.
    Tests performed:
    - Inquired of the senior IT manager regarding NAT services to determine that NAT services were enabled on the perimeter firewall systems.
    - Inspected an example firewall ruleset to determine that NAT services were enabled on perimeter firewall systems.

7.5 Control activity: Management restricts firewall administrator access to user accounts accessible by network administrators (18).
    Test performed: Inquired of the network administrator regarding firewall administrator access privileges to determine that management restricted firewall administrator access to user accounts accessible by network administrators (18).

7.6 Control activity: Management requires firewall administrator account passwords to be changed every 90 days.
    Test performed: Inspected the password configuration to determine that firewall administrator account passwords were configured to require a change every 90 days.

7.7 Control activity: The firewall system is configured to log network activity including, but not limited to, the following:
    - Built connections
    - Failed connections
    - TCP/IP anomalies
    - TCP SYN floods
    - DoS attacks
    - Event time stamp
    - Affected objects
    - Action(s) taken
    - Critical errors
    Network analysts review the firewall logs on a daily basis.
    Tests performed:
    - Inquired of the senior IT manager regarding firewall log reviews to determine that the firewall system was configured to log network activity and that network analysts reviewed the firewall logs on a daily basis.

7.7 (Cont.)
    - Inspected the firewall logging configuration and an example firewall log to determine that the firewall system was configured to log network activity that included the items listed above.

7.8 Control activity: Firewall change requests are completed utilizing a ticketing system. Management restricts access to approve firewall change requests within the third party application to user accounts accessible by the following personnel:
    - Senior IT manager
    - Director of IT
    - Network analyst
    - Systems analyst (2)
    - Technical project manager
    - IT architect
    Tests performed:
    - Inquired of the senior IT manager regarding firewall change requests to determine that firewall change requests were completed utilizing a ticketing system and that management restricted access to approve firewall change requests in the ticketing system to user accounts accessible by the personnel listed above.

7.8 (Cont.)
    - Inspected the ticketing system access list and an example firewall change request to determine that firewall change requests were completed utilizing a ticketing system and that management restricted access to approve firewall change requests to user accounts accessible by the personnel listed above.

7.9 Control activity: Inbound Internet traffic terminates at a host in the demilitarized zone (DMZ), which is separate from the production network.
    Tests performed:
    - Observed the network diagram to determine that the DMZ was separate from the production network.
    - Inspected a nonstatistical sample of firewall rulesets to determine that inbound Internet traffic terminated at a host in the DMZ for each ruleset sampled.

7.10 Control activity: Management utilizes an intrusion detection system (IDS) to analyze network events and report possible or actual network security breaches.
    Test performed: Inspected the IDS configuration to determine that an IDS was in place to analyze network events and report possible or actual network security breaches.
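The ruleset inspections under 7.1, 7.3 and 7.9 reduce to three mechanical checks: every permit whose source is the Internet must land on a host inside the DMZ prefix, must name a specific service rather than "any", and the ruleset must end in an explicit deny-all. The reviewer below is an added example written for this page, not Siemens code or any vendor's export format; the vendor-neutral rule shape, the RFC 5737 DMZ prefix, the production prefix and the sample ruleset are constructed.

```python
"""Firewall ruleset review for controls 7.1, 7.3 and 7.9.

Added example, not Siemens code. The rule shape, the DMZ and production
prefixes and the sample ruleset are constructed.
"""
import ipaddress

DMZ = ipaddress.ip_network("192.0.2.0/24")          # constructed, RFC 5737 TEST-NET-1
PRODUCTION = ipaddress.ip_network("10.10.0.0/16")   # constructed internal range


def _net(spec):
    """'any' becomes None; otherwise a network (single hosts accepted as /32)."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _internal(net):
    return net is not None and (net.subnet_of(DMZ) or net.subnet_of(PRODUCTION))


def review(ruleset):
    """Return (rule id, finding) pairs for permits that breach the stated controls."""
    findings = []
    for rule in ruleset:
        if rule["action"] != "permit":
            continue
        src, dst = _net(rule["src"]), _net(rule["dst"])
        if not _internal(src):                        # 7.1 / 7.9: inbound from the Internet
            if dst is None or not dst.subnet_of(DMZ):
                findings.append((rule["id"], "INTERNET_TO_NON_DMZ"))
            if rule["service"] == "any":              # 7.3: specific services only
                findings.append((rule["id"], "INTERNET_ANY_SERVICE"))
        elif dst is None or dst.subnet_of(PRODUCTION):
            if rule["service"] == "any":              # DMZ-to-production pivots get the same scrutiny
                findings.append((rule["id"], "INTERNAL_ANY_SERVICE"))
    last = ruleset[-1] if ruleset else None
    if not (last and last["action"] == "deny"
            and last["src"] == last["dst"] == last["service"] == "any"):
        findings.append((None, "NO_FINAL_DENY"))
    return findings


# Constructed sample ruleset; rules 30 and 40 are the deliberate bad ones.
RULESET = [
    {"id": 10, "action": "permit", "src": "any", "dst": "192.0.2.10/32", "service": "tcp/443"},
    {"id": 20, "action": "permit", "src": "any", "dst": "192.0.2.20/32", "service": "tcp/25"},
    {"id": 30, "action": "permit", "src": "any", "dst": "10.10.5.5/32", "service": "tcp/3389"},
    {"id": 40, "action": "permit", "src": "any", "dst": "192.0.2.0/24", "service": "any"},
    {"id": 50, "action": "permit", "src": "192.0.2.10/32", "dst": "10.10.5.5/32", "service": "tcp/1433"},
    {"id": 60, "action": "deny", "src": "any", "dst": "any", "service": "any"},
]

if __name__ == "__main__":
    for rule_id, finding in review(RULESET):
        print(rule_id, finding)
```

Rule 30 is the case the 7.9 test is designed to catch: a permit from the Internet straight to a production host, which a diagram review alone would not reveal. Rule 50 is allowed because the DMZ host needs a specific service on one production host; that pivot is where an IDS (7.10) should be watching.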

7.11 Control activity: A Top Intruder List is automatically generated daily to identify unauthorized access attempts. Information Security and the NSC investigate the source IP addresses of unauthorized access attempts.
    Tests performed:
    - Inquired of the senior IT manager regarding the Top Intruder List to determine that Information Security and the NSC investigated the source IP addresses of unauthorized access attempts.
    - Inspected an example "denied by access list" report to determine that the list was automatically generated and included information to identify unauthorized access attempts.

7.12 Control activity: Network security personnel perform patch scans of the network servers on at least a bi-monthly basis.
    Test performed: Inspected patch scan reports for a nonstatistical sample of months during the review period to determine that network security personnel performed patch scans of the network servers for each month sampled.

Remote and Wireless Access

7.13 Control activity: Management maintains documented remote access policies.
    Test performed: Inspected the remote access policy and the backup Virtual Private Network (VPN) policy to determine that documented remote access policies were maintained.

7.14 Control activity: Remote users, including wireless connections, authenticate via VPN and RSA security technology to access the Citrix NT terminal server through the Internet.
    Test performed: Inspected the remote access policy and a captured screen image of a remote logon to determine that remote users authenticated via VPN and RSA security technology to access the Citrix NT terminal server through the Internet.
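The Top Intruder List in 7.11 is a daily aggregation of the "denied by access list" records that the 7.7 logging configuration produces: group the day's denies by source address, rank by count, and attach the distinct destination ports so an analyst can tell a port scan from a misconfigured partner. The script below is an added example written for this page, not the report's own tooling; the log line layout, the sample records (RFC 5737 addresses) and the three-port scan threshold are constructed.

```python
"""Daily Top Intruder List (control 7.11) from firewall deny records (7.7).

Added example, not Siemens code. The log layout, the sample lines and the
scan threshold are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed record layout: <timestamp> <built|deny> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>built|deny) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SCAN_PORTS = 3   # assumed: this many distinct denied ports from one source looks like a scan

# Constructed sample log covering two days plus one unparseable line.
SAMPLE_LOG = """\
2008-09-29T02:14:07Z deny tcp 198.51.100.7:51234 -> 192.0.2.10:22
2008-09-29T02:14:08Z deny tcp 198.51.100.7:51235 -> 192.0.2.10:23
2008-09-29T02:14:09Z deny tcp 198.51.100.7:51236 -> 192.0.2.10:3389
2008-09-29T02:14:10Z deny tcp 198.51.100.7:51237 -> 192.0.2.20:22
2008-09-29T08:00:01Z built tcp 203.0.113.9:40001 -> 192.0.2.10:443
2008-09-29T08:00:05Z deny tcp 203.0.113.9:40002 -> 192.0.2.10:8080
2008-09-29T09:30:00Z deny udp 203.0.113.44:1900 -> 192.0.2.20:161
2008-09-29T09:30:01Z deny udp 203.0.113.44:1900 -> 192.0.2.20:161
2008-09-30T00:00:03Z deny tcp 198.51.100.7:51300 -> 192.0.2.10:22
this line is not a firewall record
"""


def parse(lines):
    """Yield parsed records; lines that do not match the layout are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def top_intruders(text, day, limit=10):
    """Rank sources by denied attempts on one day (day is an ISO date prefix)."""
    counts = Counter()
    ports = defaultdict(set)
    for rec in parse(text.splitlines()):
        if rec["action"] != "deny" or not rec["ts"].startswith(day):
            continue
        counts[rec["src"]] += 1
        ports[rec["src"]].add(int(rec["dport"]))
    return [{"src": src, "denied": n,
             "distinct_ports": len(ports[src]), "ports": sorted(ports[src]),
             "scan_suspected": len(ports[src]) >= SCAN_PORTS}
            for src, n in counts.most_common(limit)]


if __name__ == "__main__":
    for row in top_intruders(SAMPLE_LOG, "2008-09-29"):
        print(row)
```

Built connections are deliberately excluded: a source that completes a permitted connection and is also denied elsewhere (203.0.113.9 above) is a candidate for investigation, but only its denies belong on the intruder list, and ranking on denies alone keeps the list from being dominated by busy legitimate peers.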

7.15 Control activity: The ability to modify the VPN system or configuration is restricted to network administrators (18).
    Test performed: Inspected the VPN administrator user listing to determine that the ability to modify the VPN system or configuration was restricted to network administrators (18).

7.16 Control activity: Wireless access points utilize Wired Equivalent Privacy (WEP) to access the network.
    Test performed: Inspected a captured screen image of the wireless access utility to determine that wireless access points utilized WEP to access the network.
    Note: WEP's RC4 key-recovery weaknesses were published in 2001 and IEEE 802.11i deprecated it in 2004, so this control evidences only that link encryption is switched on; the protection of wireless sessions rests on the VPN and RSA authentication described in 7.14.

Antivirus

7.17 Control activity: Antivirus software is configured to monitor traffic within the internal network, as well as communications with external networks, and to detect and prevent the transmission of data or files that contain virus signatures recognized by the antivirus software.
    Tests performed:
    - Inquired of the senior IT manager regarding antivirus software to determine that antivirus software was configured to monitor traffic within the internal network, as well as communications with external networks, and to detect and prevent the transmission of data or files that contain virus signatures recognized by the antivirus software.
    - Inspected the antivirus server configurations and a listing of registered servers to determine that production servers were configured with antivirus software.

7.18 Control activity: The antivirus software checks for updates to antivirus definitions every two hours.
    Test performed: Inspected the antivirus configuration to determine that the antivirus software checked for updates to antivirus definitions every two hours.

7.19 Control activity: The antivirus software is configured to scan incoming files and to perform a scheduled scan of servers and workstations on a weekly basis.
    Test performed: Inspected the antivirus software configuration to determine that the antivirus software was configured to scan incoming files and to perform a scheduled scan of servers and workstations on a weekly basis.

MATRIX 8
Control Objective Specified: PATIENT ACCOUNTING control activities provide reasonable assurance that transactions are authorized, complete, and accurate.

8.1 Control activity: User organizations are provided with documented policies and procedures to guide users through the patient accounting application.
    Test performed: Inspected the policies and procedures manual to determine that a documented policies and procedures manual was available to guide users through the patient accounting application.

8.2 Control activity: The application is configured with security groups to define and manage the access privileges of users.
    Tests performed:
    - Inspected the default security groups defined within the application to determine that the application was configured with security groups to define and manage the access privileges of users.
    - Inspected screen captures of an example user's access within the test environment to determine that security groups defined and managed the access privileges of users.

8.3 Control activity: The application logs the account name and the date/time stamp of the user that performed the online transaction to the tank reports.
    Test performed: Inspected example tank reports to determine that the application logged the account name and the date/time stamp of the user that performed the online transaction to the tank reports.

8.4 Control activity: The application is configured to perform on-screen edits of patient accounting transactions before the transaction is posted for nightly batch processing. The edits include, but are not limited to, the following:
    - Self-check digits
    - Service code validation
    - Required field completion
    - Service date validation
    Tests performed:
    - Inquired of the senior software engineer regarding patient accounting transactions to determine that the application was configured to perform on-screen edits of patient accounting transactions before the transaction was posted for nightly batch processing and that the edits included those listed above.
    - Inspected screen captures of example on-screen edits to determine that the application was configured to perform the edits listed above before the transaction was posted for nightly batch processing.

8.5 Control activity: Transactions are batched and processed through a series of edits based on client specific profiles and standardized data formats on a daily basis. The edits include, but are not limited to, the following:
    - Allowable late charge after registration date
    - Valid outpatient discharge date
    - Insurance plan validation
    If an edit fails, the transaction is listed on an error report.
    Tests performed:
    - Inspected screen captures of example edits to determine that transactions were batched and processed through a series of edits based on client specific profiles and standardized data formats, including the edits listed above.
    - Inspected screen captures of example edits and the corresponding daily reports to determine that transactions that failed an edit based on client specific profiles and standardized data formats were listed on an error report.
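Controls 8.4 and 8.5 together describe a two-stage edit pipeline: field-level checks at entry (check digit, service code, required fields, service date) and profile-driven checks at the nightly batch (late-charge window, insurance plan), with any failure diverting the transaction to an error report instead of posting. The code below is an added example written for this page, not INVISION code. The matrix does not say which check-digit scheme INVISION uses, so the Luhn mod-10 algorithm stands in for "self-check digits"; the late-charge window is read as days from registration to the posting date; the service code table, the client profile and the sample transactions are constructed.

```python
"""Patient accounting edit pipeline for controls 8.4 (on-screen) and 8.5 (batch).

Added example, not INVISION code. Mod-10 is an assumed check-digit scheme,
and the profile, service codes and transactions are constructed.
"""
from datetime import date

# Constructed client-specific profile and reference table.
PROFILE = {"late_charge_days": 30, "insurance_plans": {"BCBS01", "MCARE"}}
SERVICE_CODES = {"70450": "CT head", "80053": "Metabolic panel", "99213": "Office visit"}
REQUIRED = ("account", "service_code", "service_date", "registration_date",
            "insurance_plan", "amount")


def mod10_check(account):
    """Luhn mod-10 self-check digit (assumed scheme, not INVISION's actual one)."""
    digits = [int(c) for c in account if c.isdigit()]
    if len(digits) != len(account) or len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_transaction(txn, today, profile=PROFILE):
    """Return the list of failed edits; an empty list means the transaction posts."""
    missing = [f for f in REQUIRED if txn.get(f) in (None, "")]
    if missing:                 # 8.4: required field completion stops everything else
        return ["REQUIRED FIELD MISSING: " + ",".join(missing)]
    errors = []
    if not mod10_check(txn["account"]):                       # 8.4: self-check digit
        errors.append("ACCOUNT CHECK DIGIT INVALID")
    if txn["service_code"] not in SERVICE_CODES:              # 8.4: service code validation
        errors.append(f"INVALID SERVICE CODE {txn['service_code']}")
    sd, rd = txn["service_date"], txn["registration_date"]
    if sd > today:                                            # 8.4: service date validation
        errors.append("SERVICE DATE IN FUTURE")
    if sd < rd:
        errors.append("SERVICE DATE BEFORE REGISTRATION DATE")
    elif (today - rd).days > profile["late_charge_days"]:     # 8.5: allowable late charge
        errors.append("LATE CHARGE EXCEEDS ALLOWABLE DAYS AFTER REGISTRATION")
    if txn["insurance_plan"] not in profile["insurance_plans"]:   # 8.5: plan validation
        errors.append(f"INSURANCE PLAN {txn['insurance_plan']} NOT ON CLIENT PROFILE")
    if txn["amount"] <= 0:
        errors.append("AMOUNT MUST BE POSITIVE")
    return errors


def batch_edit(txns, today):
    """Split a nightly batch into posted transactions and the error report (8.5)."""
    posted, error_report = [], []
    for txn in txns:
        errors = edit_transaction(txn, today)
        if errors:
            error_report.append((txn["account"], errors))
        else:
            posted.append(txn)
    return posted, error_report


# Constructed sample batch for a 30 September 2008 posting run.
TODAY = date(2008, 9, 30)
BATCH = [
    {"account": "79927398713", "service_code": "99213", "service_date": date(2008, 9, 28),
     "registration_date": date(2008, 9, 28), "insurance_plan": "BCBS01", "amount": 120.0},
    {"account": "79927398710", "service_code": "99999", "service_date": date(2008, 9, 29),
     "registration_date": date(2008, 9, 29), "insurance_plan": "MCARE", "amount": 55.0},
    {"account": "1234567812345670", "service_code": "70450", "service_date": date(2008, 10, 5),
     "registration_date": date(2008, 8, 15), "insurance_plan": "XYZ", "amount": 900.0},
    {"account": "79927398713", "service_code": "80053", "service_date": date(2008, 9, 30),
     "registration_date": date(2008, 9, 30), "insurance_plan": "", "amount": 40.0},
]

if __name__ == "__main__":
    posted, report = batch_edit(BATCH, TODAY)
    print(f"{len(posted)} posted, {len(report)} on error report")
    for account, errors in report:
        print(account, errors)
```

The check digit is the one edit that guards against a keyed account number silently landing on another patient's account: a single mistyped digit or a transposition of adjacent digits always fails mod-10, which is why it runs on screen rather than waiting for the batch.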

MATRIX 9
Control Objective Specified: GENERAL LEDGER control activities provide reasonable assurance that transactions are authorized, complete, and accurate.

9.1 Control activity: User organizations are provided with documented policies and procedures to guide users through the general ledger application.
    Test performed: Inspected the policies and procedures manual to determine that a documented policies and procedures manual was available to guide users through the general ledger application.

9.2 Control activity: The application is configured with security groups to define and manage the access privileges of users.
    Tests performed:
    - Inspected the default security groups defined within the application to determine that the application was configured with security groups to define and manage the access privileges of users.
    - Inspected captured screen images of an example user's access within the test environment to determine that security groups defined and managed the access privileges of users.

9.3 Control activity: The application logs the user account and the date/time stamp of the online transaction to the daily journal report.
    Test performed: Inspected an example daily journal report to determine that the application logged the user account and the date/time stamp of the online transaction to the daily journal report.

9.4 Control activity: The application logs the user account and date/time stamp of the batch transaction within the tankfile prior to batch processing. If the daily batch processing produces a transaction error, the application logs the operator name and date on the transmission control error report.
    Test performed: Inspected captured screen images of the tankfile and an example transmission control error report to determine that the application logged the user account and date/time stamp of the batch transaction within the tankfile prior to batch processing and that, if the daily batch processing produced a transaction error, the application logged the operator name and date on the transmission control error report.

9.5 Control activity: The application is configured to perform on-screen edits of general ledger transactions before the transaction is posted for nightly batch processing or online processing. The edits include, but are not limited to, the following:
    - Journal entry date validation
    - Valid general ledger account
    - Dollar amount validation
    - Maximum dollar limit
    - Required field completion
    - Reserved source code
    Tests performed:
    - Inquired of the senior software engineer regarding general ledger transactions to determine that the application was configured to perform on-screen edits of general ledger transactions before the transaction was posted for nightly batch processing or online processing and that the edits included those listed above.
    - Inspected captured screen images of example on-screen edits to determine that the application was configured to perform on-screen edits of general ledger transactions before the transaction was posted for nightly batch processing or online processing and that the edits included those listed above.

58 MATRIX 9 Objective Specified : GENERAL LEDGER activities provide reasonable assurance that transactions are authorized, complete, and accurate. 9.6 Batch transactions are edited against client specific profiles during the nightly batch processing. The edits include, but are not limited to, the following: Valid general ledger account Existing general ledger account Delete general ledger account with activity Request year-to-date trail balance If the edit fails, the transaction is listed on an error report. 9.7 Online and batch transactions that post with no errors are written to the daily journal. Inspected captured screen images of example batch transactions to determine that batch transactions were edited against client specific profiles including the following: Valid general ledger account Addition of existing general ledger account Delete a general ledger account with activity Request year-to-date trail balance Inspected captured screen images of example batch transactions and batch processing reports to determine that batch transactions that failed the edits against client specific profiles during the nightly batch processing were listed on an error report. Inspected captured screen images of example online and batch posted transactions and the daily journal to determine that online and batch transactions that posted with no errors were written to the daily journal. Siemens Medical Solutions USA, Inc. Proprietary and Confidential 56

MATRIX 10
Control Objective Specified: ACCOUNTS PAYABLE control activities provide reasonable assurance that transactions are authorized, complete, and accurate.

10.1 Control Activity: User organizations are provided with documented policies and procedures to guide users through the accounts payable application.
Test Applied by the Service Auditor: Inspected the policies and procedures manual to determine that a documented manual was available to guide users through the accounts payable application.

10.2 Control Activity: The application is configured with security groups to define and manage the access privileges of users.
Test Applied by the Service Auditor: Inspected the default security groups defined within the application to determine that the application was configured with security groups to define and manage the access privileges of users.

10.3 Control Activity: The application logs the account name and the date/time stamp of users performing transactions. The reports that carry this information include, but are not limited to, the following:
- Accounts payable (AP) online invoice maintenance report
- AP batch vendor maintenance report
- Dayend Express Check Register
- Transmission control error report
Test Applied by the Service Auditor: Inspected captured screen images of example online transactions and matched them to example reports to determine that the application logged the account name and the date/time stamp of users performing transactions to the reports listed above.

10.4 Control Activity: The application is configured to perform on-screen edits of modifications to the accounts payable vendor file before the online transaction is posted. The edits include, but are not limited to, the following:
- Self-check digits
- Required field completion
- Duplicate vendor
Test Applied by the Service Auditor: Inquired of the senior software engineer regarding accounts payable transactions to determine that the application was configured to perform the on-screen edits listed above on modifications to the vendor file before the online transaction was posted. Inspected captured screen images of example online transactions to determine that the application performed each of the edits listed above.

10.5 Control Activity: The application is configured to perform on-screen edits of online accounts payable invoice transactions before the transaction is posted. The edits include, but are not limited to, the following:
- Vendor validation
- General ledger account validation
- Duplicate invoice
- Invoice payment greater than hospital profile
- Unapproved invoice
Test Applied by the Service Auditor: Inspected captured screen images of example online transactions to determine that the application was configured to perform the on-screen edits listed above.

10.6 Control Activity: Batch transactions are edited against client-specific profiles during the nightly batch processing. The edits include, but are not limited to, the following:
- Duplicate invoice
- Invoice without an approval code
- Vendor validation
- Vendor maintenance
If an edit fails, the transaction is listed on an error report.
Test Applied by the Service Auditor: Inspected captured screen images of example batch transactions to determine that batch transactions were edited against client-specific profiles, including the edits listed above. Inspected captured screen images of example batch transactions and batch processing reports to determine that batch transactions that failed the edits during the nightly batch processing were listed on an error report.

MATRIX 11
Control Objective Specified: HUMAN RESOURCES (PAYROLL) control activities provide reasonable assurance that transactions are authorized, complete, and accurate.

11.1 Control Activity: User organizations are provided with documented policies and procedures to guide users through the human resources payroll application.
Test Applied by the Service Auditor: Inspected the policies and procedures manual to determine that a documented manual was available to guide users through the human resources payroll application.

11.2 Control Activity: The application is configured with security groups to define and manage the access privileges of users.
Test Applied by the Service Auditor: Inspected the default security groups defined within the application to determine that the application was configured with security groups to define and manage the access privileges of users. Inspected captured screen images of an example user's access within the test environment to determine that the security groups defined and managed that user's access privileges.

11.3 Control Activity: The application logs the account name and the date/time stamp of the user performing an online transaction to the online employee maintenance audit report and the online payroll profile maintenance report. The transactions that are logged include, but are not limited to, the following:
- Employee data changes
- Hospital profile changes
Test Applied by the Service Auditor: Inspected captured screen images of an example online profile maintenance test transaction and example online employee maintenance reports to determine that the application logged the account name and the date/time stamp of the user performing the online transaction, and that the transactions logged included those listed above.

11.4 Control Activity: The application logs the account name and the date/time stamp of each batch transaction to the batch sequence report and the payroll employee master file maintenance report. The transactions that are logged include, but are not limited to, the following:
- Employee name and/or address changes
- Employee payroll data changes
- Employee tax data changes
Test Applied by the Service Auditor: Inspected an example detailed batch report to determine that the application logged the account name and the date/time stamp of the batch transaction, and that the transactions logged included those listed above.

11.5 Control Activity: The application is configured to perform on-screen edits of modifications to the human resources payroll files before the online transactions are posted. The edits include, but are not limited to, the following:
- Allowable value
- Field format validation
- Required fields
- Cost center validation
Test Applied by the Service Auditor: Inquired of the software product analyst regarding human resources payroll transactions to determine that the application was configured to perform the on-screen edits listed above on modifications to the payroll files before the online transactions were posted. Inspected captured screen images of example online transactions to determine that the application performed each of the edits listed above.

11.6 Control Activity: The application is configured to perform on-screen edits of batch human resources payroll transactions before the transactions are posted. The edits include, but are not limited to, the following:
- Employee number validation
- Field format validation
- Required field
- Payroll hours validation
Test Applied by the Service Auditor: Inspected captured screen images of example batch transactions to determine that the application was configured to perform the on-screen edits listed above before the transactions were posted.

11.7 Control Activity: Batch transactions are edited against client-specific profiles during the nightly batch processing. The edits include, but are not limited to, the following:
- Pay period validation
- Salary limit
- State tax code validation
- Cost center validation
If an edit fails, the transaction is listed on an error report.
Test Applied by the Service Auditor: Inspected captured screen images of example batch transactions to determine that batch transactions were edited against client-specific profiles during the nightly batch processing, including the edits listed above. Inspected captured screen images of example batch transactions and batch processing reports to determine that batch transactions that failed the edits were listed on an error report.
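The on-screen and nightly batch edits described for the general ledger (9.5 to 9.7), accounts payable (10.4 to 10.6) and payroll (11.5 to 11.7) controls share one pattern: field-level edits before posting, profile-driven edits at batch time, an error report for failures, and a daily journal stamped with user and time for clean postings. The following is an added illustration written for this page, not Siemens INVISION code; the profile values, field names, edit rules and sample transactions are all constructed and stand in for the application's own.

```python
"""Added example: edit checks in the style of the INVISION controls for the
general ledger (9.5-9.7), accounts payable (10.4-10.6) and payroll (11.5-11.7).
Not Siemens code; profile values, field names and transactions are constructed."""
from datetime import date, datetime, timezone
import re

# Constructed client-specific (hospital) profile that the edits run against.
CLIENT_PROFILE = {
    "chart_of_accounts": {"1000", "2000", "4100", "5200"},
    "max_dollar_limit": 250_000.00,
    "reserved_source_codes": {"SYS", "CLS"},  # only system-generated entries may use these
    "required_fields": ("account", "amount", "entry_date", "source", "user"),
    "open_period": (date(2008, 9, 1), date(2008, 9, 30)),
}

# Constructed batch: one clean transaction and five with deliberate defects.
SAMPLE_BATCH = [
    {"account": "4100", "amount": "1250.00", "entry_date": "2008-09-15", "source": "JE", "user": "jdoe"},
    {"account": "9999", "amount": "10.00", "entry_date": "2008-09-15", "source": "JE", "user": "jdoe"},
    {"account": "5200", "amount": "300000.00", "entry_date": "2008-09-15", "source": "JE", "user": "asmith"},
    {"account": "1000", "amount": "500.00", "entry_date": "2008-10-02", "source": "SYS", "user": "asmith"},
    {"account": "2000", "amount": "75.5", "entry_date": "2008-09-01", "source": "JE", "user": "jdoe"},
    {"account": "2000", "amount": "75.50", "entry_date": "2008-09-30", "source": "JE", "user": ""},
]

AMOUNT_RE = re.compile(r"-?\d+\.\d{2}")


def edit_transaction(txn, profile):
    """Run the edits on one transaction; return a list of error strings
    (empty means the transaction passes). Required-field completion runs
    first so the value edits never operate on missing data."""
    errors = [f"required field missing: {f}" for f in profile["required_fields"] if not txn.get(f)]
    if errors:
        return errors
    # Journal entry date validation: parseable and within the open period
    try:
        entered = date.fromisoformat(txn["entry_date"])
    except ValueError:
        errors.append("entry_date is not a valid date")
    else:
        lo, hi = profile["open_period"]
        if not lo <= entered <= hi:
            errors.append("entry_date outside open period")
    # Valid general ledger account
    if txn["account"] not in profile["chart_of_accounts"]:
        errors.append(f"invalid account {txn['account']}")
    # Dollar amount validation, then maximum dollar limit
    if not AMOUNT_RE.fullmatch(str(txn["amount"])):
        errors.append("amount must be a signed decimal with two places")
    elif abs(float(txn["amount"])) > profile["max_dollar_limit"]:
        errors.append("amount exceeds maximum dollar limit")
    # Reserved source code
    if txn["source"] in profile["reserved_source_codes"]:
        errors.append(f"source code {txn['source']} is reserved")
    return errors


def post_batch(batch, profile, operator, now=None):
    """Nightly batch posting: transactions that pass the edits are written to
    the daily journal with user and timestamp; failures go to the error report
    with operator name and date, as controls 9.4, 9.6 and 9.7 describe."""
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    journal, error_report = [], []
    for seq, txn in enumerate(batch, 1):
        errors = edit_transaction(txn, profile)
        if errors:
            error_report.append({"seq": seq, "operator": operator, "date": stamp[:10], "errors": errors})
        else:
            journal.append({"seq": seq, "user": txn["user"], "timestamp": stamp, **txn})
    return journal, error_report


def run_demo():
    """Post the constructed batch and return (daily journal, error report)."""
    return post_batch(SAMPLE_BATCH, CLIENT_PROFILE, operator="nightops")


if __name__ == "__main__":
    journal, errors = run_demo()
    print(f"{len(journal)} posted to daily journal, {len(errors)} on error report")
    for row in errors:
        print(row["seq"], "; ".join(row["errors"]))
```

The point a reviewer of these controls looks for is visible in the structure: the same edit function runs online and at batch time, every rejected transaction is accounted for on the error report with who ran the batch and when, and nothing reaches the journal without a user and timestamp attached.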

MATRIX 12
Control Objective Specified: HUMAN RESOURCES (PAYROLL) control activities provide reasonable assurance that federal, state and local tax tables are kept current and that updates are completely and accurately applied to the HR system in a timely manner.

12.1 Control Activity: The software engineer logs the tax changes received via e-mail from a third-party vendor to a spreadsheet to track tax changes.
Test Applied by the Service Auditor: Inquired of the software engineer regarding tax changes to determine that the software engineer logged the tax changes received from the third-party vendor to a spreadsheet. Inspected the regulatory spreadsheet and the notifications for a nonstatistical sample of tax changes during the review period to determine that the third party sent a notification for each change sampled.

12.2 Control Activity: The software engineer tests the tax changes in a test environment before the change is implemented in production.
Test Applied by the Service Auditor: Inquired of the software engineer regarding the tax change tests to determine that the software engineer tested the tax changes in a test environment before the change was implemented in production. Inspected evidence of testing for a nonstatistical sample of tax changes that occurred during the review period to determine that each change sampled was tested before it was implemented in production.

12.3 Control Activity: The software product analyst submits a customer memo to the Intranet notifying customers of the tax change.
Test Applied by the Service Auditor: Inquired of the software product analyst regarding the customer memos to determine that the software product analyst submitted a customer memo to the Intranet notifying customers of the tax change. Inspected the customer memo for a nonstatistical sample of tax changes during the review period to determine that a customer memo was submitted for each change sampled.

12.4 Control Activity: The software engineer completes a move request to notify change management to move the tax change to the production environment.
Test Applied by the Service Auditor: Inspected the move requests for a nonstatistical sample of tax changes during the review period to determine that a move request was completed for each change sampled.

MATRIX 13
Control Objective Specified: HUMAN RESOURCES (PAYROLL) control activities provide reasonable assurance that transmission of the HR electronic deposit files to the relevant financial institutions is complete, accurate, timely, and secure.

13.1 Control Activity: The Direct Line department contacts the financial institution via a secured line to provide the direct deposit payroll control totals to be matched against the transmitted file.
Test Applied by the Service Auditor: Inquired of the software product analyst and the direct line manager regarding the control totals to determine that the Direct Line department contacted the financial institution via a secured line to provide direct deposit payroll control totals to match the transmitted file. Inspected the ACH control total telephone instructions to determine that the financial institution was contacted via a secured automated telephone system to provide the direct deposit payroll control totals.

13.2 Control Activity: The direct deposit file is created automatically by scheduled jobs. The financial institution retrieves the direct deposit file from a secured mailbox after the control totals have been provided.
Test Applied by the Service Auditor: Inquired of the software product analyst regarding the direct deposit file transmissions to determine that the direct deposit file was created automatically by scheduled jobs and that the financial institution retrieved the file from a secured mailbox after the control totals were provided. Inspected the direct deposit transmission log file, the automated job schedule and a nonstatistical sample of hospital pay period profile tables to determine that the direct deposit file was created automatically by scheduled jobs according to the job schedule.

13.3 Control Activity: The payroll run and transmission date/time stamp are captured in a log file that is available for ad hoc review.
Test Applied by the Service Auditor: Inquired of the software product analyst regarding the direct deposit file transmissions to determine that the payroll run and transmission date/time stamp were captured in a log file available for ad hoc review. Inspected the direct deposit transmission log file and a nonstatistical sample of hospital pay period profile tables to determine that the direct deposit file was transmitted automatically to the financial institution after each payroll run sampled, and that the payroll run and transmission date/time stamp were captured in the log file.

13.4 Control Activity: The financial institution contacts authorized support personnel if the control totals phoned in do not match the transmitted file. Management restricts the authorized contact list to four software engineers.
Test Applied by the Service Auditor: Inquired of the software product analyst regarding the authorization list to determine that the financial institution contacted authorized support personnel when the control totals phoned in did not match the transmitted file, and that management restricted the authorized list to four software engineers. Inspected the ACH authorized list and the authorized list instructions to determine that authorized support personnel were listed for ACH support.
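Controls 13.1 and 13.4 rest on a single mechanism: control totals are phoned to the financial institution over a separate channel and the bank recomputes them from the file it actually receives, so an altered, truncated or padded file is caught before anything is paid. The following added example, not Siemens code, shows totals computed in the style of a NACHA batch control record (entry count, total credit amount and the entry hash over the routing numbers; this layout is an assumption, since the page does not describe the file format) and the match the receiving side performs. The records are constructed.

```python
"""Added example (not Siemens code): control totals for a direct deposit file
and the out-of-band match described in controls 13.1 and 13.4. Totals follow
the NACHA batch control record (an assumption; the page does not give the
file layout). All records are constructed."""
from decimal import Decimal

# Constructed entry detail records: (9-digit routing number, account, amount, employee id)
SAMPLE_FILE = [
    ("012345678", "123456789", Decimal("1820.55"), "E1001"),
    ("087654321", "987654321", Decimal("2410.00"), "E1002"),
    ("055500011", "555000111", Decimal("975.25"), "E1003"),
]


def control_totals(records):
    """Totals the sender computes from the file and phones in separately:
    entry count, total credit amount, and the entry hash (sum of the 8-digit
    routing transit numbers, rightmost ten digits, as NACHA defines it)."""
    return {
        "entry_count": len(records),
        "credit_total": sum((r[2] for r in records), Decimal("0")),
        "entry_hash": sum(int(r[0][:8]) for r in records) % 10_000_000_000,
    }


def compare_totals(file_totals, phoned_totals):
    """Receiving side: recompute totals from the file actually received and
    return the names of any that disagree with the phoned-in values. An
    empty list means the file matches; anything else is the trigger for the
    bank to call the authorized support personnel."""
    return [name for name, value in file_totals.items() if value != phoned_totals.get(name)]


def run_demo():
    """Return mismatch lists for a clean transmission, an altered amount,
    and an inserted extra entry."""
    phoned = control_totals(SAMPLE_FILE)  # what the Direct Line department phones in
    clean = compare_totals(control_totals(SAMPLE_FILE), phoned)

    altered = list(SAMPLE_FILE)  # one amount changed in transit (count and hash unchanged)
    altered[1] = ("087654321", "987654321", Decimal("24100.00"), "E1002")
    altered_result = compare_totals(control_totals(altered), phoned)

    extra = SAMPLE_FILE + [("099900001", "000000001", Decimal("1.00"), "E9999")]  # entry inserted
    extra_result = compare_totals(control_totals(extra), phoned)
    return clean, altered_result, extra_result


if __name__ == "__main__":
    for label, result in zip(("clean", "altered amount", "extra entry"), run_demo()):
        print(f"{label}: {'match' if not result else 'MISMATCH ' + ', '.join(result)}")
```

Note what each total catches: a changed amount shows up only in the credit total, while an inserted or dropped entry also moves the count and the routing-number hash. That is why all three are phoned in, and why the contact list for mismatches (13.4) is kept short and restricted.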

MATRIX 14
Control Objective Specified: HUMAN RESOURCES (PAYROLL) control activities provide reasonable assurance that annual W-2 and quarterly 941 processing is complete and accurate and occurs on a timely basis.

14.1 Control Activity: User organizations are provided with documented procedures to guide users through the federal W-2 electronic filing process.
Test Applied by the Service Auditor: Inspected the electronic filing procedures to determine that user organizations were provided with documented procedures to guide them through the federal W-2 electronic filing process.

14.2 Control Activity: The project management office creates the annual W-2 project schedule and tracks the progress of the project.
Test Applied by the Service Auditor: Inquired of the software product analyst regarding the annual W-2 project to determine that the project management office created the annual W-2 project schedule and tracked the progress of the project. Inspected the 2007 W-2 project schedule to determine that a project schedule was created during the 12 months preceding the end of the review period to track the project.

14.3 Control Activity: The software product analyst researches W-2 updates from the Internal Revenue Service and Social Security Administration websites.
Test Applied by the Service Auditor: Inquired of the software product analyst regarding the W-2 updates to determine that the software product analyst researched W-2 updates from the Internal Revenue Service and Social Security websites. Inspected the 2007 W-2 project schedule to determine that it included a task for the software product analyst to research W-2 updates from those websites during the 12 months preceding the end of the review period.

14.4 Control Activity: The development team tests the W-2 changes in a test environment according to a formal test procedure.
Test Applied by the Service Auditor: Inspected the 2007 W-2 test procedure to determine that the development team tested the W-2 changes in a test environment according to a formal test procedure during the 12 months preceding the end of the review period.

14.5 Control Activity: A testing summary and formal testing sign-off are obtained before the change is implemented in production.
Test Applied by the Service Auditor: Inspected the 2007 testing summary and formal testing sign-off to determine that both were obtained before changes were implemented in production during the 12 months preceding the end of the review period.

14.6 Control Activity: The software product analyst submits a customer memo to the Intranet notifying customers of the W-2 changes and the date the change will be moved to production.
Test Applied by the Service Auditor: Inspected the 2007 W-2 Customer Memo and a screen capture of the memo on the Intranet to determine that the software product analyst submitted the customer memo to the Intranet during the 12 months preceding the end of the review period.

14.7 Control Activity: An automated job creates the 941 quarterly file of wage and employee information and copies the information to the state-preferred media.
Test Applied by the Service Auditor: Inquired of the software product analyst and the direct line manager regarding the 941 quarterly jobs to determine that an automated job created the 941 quarterly file of wage and employee information, copied it to the state-preferred media, and that the Direct Line department sent the media to the state by the middle of the month after quarter end. Inspected the automated job log, the job configuration and example transmittal reports to determine that the automated job ran quarterly and that the transmittal report included a summary of the media information. Inspected example transmittal reports and matched them to the system file to determine that the state-preferred media was submitted when the state required the submittal.

SECTION 4 OTHER INFORMATION PROVIDED BY MANAGEMENT

REGULATORY AND COMPLIANCE

Every Siemens Health Services customer is responsible for ensuring its own compliance with applicable laws and regulatory requirements. Although Siemens Health Services is not responsible for ensuring its customers' compliance with regulatory requirements, Siemens Health Services is committed to providing products and services that help its customers satisfy specified regulatory requirements. Accordingly, as a routine part of the Siemens Health Services annual tactical planning activities, Product Planners identify potential regulatory requirements that may have implications for Siemens Health Services products and service offerings, the delivery of those offerings, or its business operations. The Product Planners then work with Product Developers to determine how Siemens Health Services will accommodate the requirements. The regulatory issues and their impact on the design and specification of products and services are often confirmed and validated with customer advisory panels. Product Developers then incorporate the resulting design considerations into their technical designs and resource estimates, along with other product enhancements and new product features and functions. During each tactical planning cycle, Siemens Health Services determines how its resources are to be allocated across the array of development tasks to be completed.

Siemens Health Services tracks relevant regulations and monitors statutory and regulatory developments that could have implications for it and for the products and services it provides to customers. Siemens Health Services actively participates in standards-setting organizations that have been assigned special duties as part of regulatory or statutory requirements. In addition, Siemens Health Services maintains individual and corporate memberships in relevant professional and trade associations and product-specific advisory boards to, among other things, access and exchange a wide range of information on regulations, including those at the state and local levels. Siemens Health Services' presence in Washington, D.C. allows it to monitor and seek clarification of potential new federal statutory and regulatory requirements as they are promulgated.

The Human Resources and Legal departments jointly maintain responsibility for monitoring regulatory activities that affect employee conduct and responsibilities. Internal communications are initiated to notify the appropriate Siemens Health Services employees of relevant regulatory considerations and to allow them to initiate further investigation or clarification.

Siemens Health Services uses customer advisory panels and user groups as a forum for informing and validating its understanding of applicable regulatory requirements and for allowing customers to voice concerns or suggestions for addressing important matters, including client concerns on regulatory issues. Siemens Health Services also works with professional and trade associations to validate its understanding and to learn of industry-wide approaches to addressing the applicable requirements. Regulatory impact information on products or services is confirmed and validated with customer advisory panels and relevant user group memberships. Once the need for a change is identified, whether due to a regulation, a technology change, an error correction, or a process enhancement, the established Change Management procedures are followed to implement the change.

STRATEGIC SUPPORT OF DISASTER RECOVERY

The Hosting Services provided from the Siemens Medical Solutions - Health Services Malvern-based Information Systems Center (ISC) are a strategic and integral part of the Siemens services portfolio. Siemens Health Services (SHS) recognizes that the protection of this asset and of the associated customer operations is a major responsibility of its employees and management, and is a valuable commodity to the business associates and customers that it serves. It is therefore SHS policy that a viable Disaster Recovery Program be maintained for all ISC customer-hosted applications, data and systems. To this end, SHS supports a Disaster Recovery Program that sustains the required availability of time-sensitive data processing functions through the development and implementation of technology resumption plans for use in the event of a catastrophic disruption of ISC-based customer-hosted data processing capabilities. The Disaster Recovery Program is based on accepted industry best practices and is consistent with the provisions and direction of the overall Siemens Medical Solutions strategic and tactical vision.

As an ongoing commitment to the availability of service to its customers, SHS has created and staffed a full Disaster Recovery Team and a Disaster Recovery Product Manager position to oversee the continued creation, implementation and maintenance of the disaster recovery standards and procedures that protect the information within its systems.

Current Status of SHS Disaster Recovery Readiness
Internal compliance audits have found that Siemens has adequate processes, procedures and plans in place to recover ISC processing in the event of a disaster. In addition, SHS continues to implement enhancements to its Disaster Recovery strategy, including solutions that will enable SHS to maintain compliance for its future production business processes and product offerings.

SHS has taken great strides in assuring that all critical customer and hosting computing, data, and network infrastructure will be recovered in an acceptable time frame in the event of a major disaster that renders the ISC data center inoperable. The goal is the recovery of all critical processes in an efficient and timely manner, in keeping with the expectations and requirements of the end user. The strategy for meeting this objective is to recover critical processing at a commercial third-party hot site, with all customer network traffic re-routed from the SHS data center to the hot site upon activation of the recovery plan. The third-party hot-site hardware and telecommunications configurations are reviewed continuously, and the hot site is exercised and tested a minimum of twice a year, with the results documented for internal compliance review. The following is an overview of the SHS risk mitigation and recovery provisions and practices designed to support the continuity of service to customers.

Alternate Recovery Site
Siemens maintains a commercial alternate recovery site subscription with a leading third-party provider of disaster recovery facilities and services. The subscription includes floor space and the hardware necessary to recover all of the retail hosted customers and technology systems within the ISC data center.

Disaster Recovery Team Staffing
Siemens has a full-time team of experienced analysts dedicated to disaster recovery planning. This group is responsible for maintaining the plan and procedures, conducting tests, and managing the ongoing disaster recovery program. Disaster Recovery staff members are encouraged to maintain industry certifications.

Customer Service Center Business Continuity
The Customer Service Center (CSC) staffs a team of experienced personnel dedicated full time to business recovery planning. This team is responsible for maintaining extensive Business Continuity plans and for conducting Business Continuity exercises throughout the year. An average of 10 exercises is conducted each year to validate and exercise the planning activities and capabilities.

Recovery Procedures and Testing
Siemens has developed and maintains extensive disaster recovery procedures, as well as automated recovery tools. Alternate recovery site testing using these procedures is conducted at least twice annually. Multiple localized tests in lab and round-table settings are also conducted throughout the year.

Recovery Network
The Retail Customer Health Information Network is considered to be the largest private healthcare information network in the world. SHS is a Cisco Partner and is recognized as having one of the largest Cisco Powered Networks in healthcare. Siemens has built a dedicated Remote Network Recovery Node within the hot site that mirrors the production Retail Customer Health Information Network. The Remote Network Recovery Node is designed to duplicate the functionality and configuration of the Siemens production network, so that customers need not intervene or reconfigure their networks when recovery is activated.

Telecommunications Service Priority (TSP) Level 3 Certification
Siemens is registered with the FCC at Level Three within the Telecommunications Service Priority (TSP) program, which gives national security and emergency preparedness users priority activation of telecommunications services that are vital to coordinating and responding to crises such as natural disasters (hurricanes, floods, earthquakes) and man-made disasters. During such events, telecommunications service vendors may be overwhelmed with requests for new telecommunications services and for restoration of existing services. With a Level Three TSP assignment, Siemens is assured of receiving the attention of the telecommunications vendors before any non-TSP service.

Off-Site Vaulting
Siemens stores multiple backup copies of systems and customer data on magnetic tape. One generation is kept in an environmentally conditioned off-site storage facility that is secured and guarded 24 hours a day. Trained and authorized Siemens personnel enter the vault daily to perform tape storage rotation as required.

Physical Security
Access to the ISC is strictly controlled. Electronic badge and biometric system controls limit access through the main entrance to authorized Siemens employees. Within the building, the system is programmed to permit only persons with the appropriate security clearance to enter critical areas. On-premise security guards monitor building access and facility events. CCTV is used throughout the interior and also monitors the main entrance, nearby parking areas, and other specific critical areas outside the ISC data center. For perimeter security, heavy-gauge iron fencing is installed and monitored to deter physical intrusion and prevent unauthorized access onto the data center grounds.

Fire Protection
The ISC is constructed of pre-cast and poured concrete, with firewalls separating the computer operations areas to contain and so minimize fire damage. The ISC fire protection system consists of modern equipment that is regularly reviewed and updated. It consists of smoke detectors (with remote annunciators and zone indicators), automatic sprinkler systems, and a redundant Halon fire suppression system in the computer and tape library areas; each of these areas has a separate supply of Halon. In the event of a loss of public water service, the ISC has a system of on-site water tanks and wells as a backup. Water detection devices and drains are installed under all raised floor areas.

Power Systems
The ISC has multiple levels of power backup designed to provide uninterrupted operation of the data center in the event of power loss. The main power is furnished by the local power company. Multiple feeds from different substations provide four to five times the power needed to run the entire ISC. Two levels of Uninterruptible Power Systems (UPS) are installed, providing a smooth transition to the automatic start-up and use of four large diesel generators in the event of an extended power company outage. These systems are regularly maintained and undergo periodic live testing.

Equipment Cooling / Air Conditioning
The ISC has multiple levels of protection against the loss of cooling systems. The primary backup system provides 400 tons of redundant cooling capacity. The secondary backup system consists of ice storage units, which provide continuous cooling capability during a power outage.

Computer Equipment
The ISC has internal redundant equipment that can maintain production operations in the event of a production hardware failure, including backup CPUs, DASD, tape, front-end processors, routers and printer capacity. In addition, the ISC has documented recovery procedures that enable personnel to switch rapidly to backup hardware and even to operate the data center completely remotely for limited periods in the event of an evacuation or environmental catastrophe.

Change Control
Siemens manages a strict change control process for its hardware and software environments. Responsibilities of personnel are clearly defined. The EHS Business Recovery Services Team, working in partnership with various SHS departments and support organizations, strives to maintain and continuously improve Siemens' business and disaster recovery capabilities.

MANAGEMENT'S RESPONSE TO TESTING EXCEPTIONS

Information Security, control 5.8

Control activity: Information security personnel review daily security violation reports, which identify the responsible logon and terminal name for each security violation.

Test applied by the service auditor: Inspected dataset violation reports for a nonstatistical sample of days to determine that a security violation report was in place and identified the responsible logon and terminal name of security violations for each day sampled.

Results of testing: The test of the control activity, performed in August 2008, disclosed that evidence of analyst review for user account security violations was not available for one of ten security violation reports reviewed. Additional testing of the control activity, performed in October 2008, disclosed that security violation reports were not reviewed in September 2008.

Management's response: The control was being administered by one person. When that person left, there was an uncovered gap. The control has since been changed so that the responsibility for administering the task is shared across more individuals. It has also been tightened with added oversight on the reviews. The risk of the violations not being reviewed over the course of a month has been mitigated. The control is being revamped to review trends once a week due to a lockout failsafe for multiple retries.

Application Change Control, control 6.14

Control activity: Developers have logged access to production data sets to provide third-level support. An events tracing system (EVTS) ticket documents the authorized activities performed in production by the developers.

Test applied by the service auditor: Inspected a report of developer logons to production CICS regions during the review period and traced a nonstatistical sample to EVTS tickets to determine that an EVTS ticket documented the authorized activities performed in production by the developers.

Results of testing: The test of the control activity disclosed that the activities performed by developers in production were not documented in an EVTS ticket for two of 38 EVTS tickets sampled.

Management's response: The two access issues had separate causes. One was a compliance issue that was addressed by re-educating an employee on the controls regarding employee access for third-level support. The other required a tightening of a control regarding third-level support access for proactive work.
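Both exceptions above come down to evidence reconciliation: control 5.8 needs proof that every day's violation report was reviewed and that the review does not rest on one person, and control 6.14 needs every developer logon to a production CICS region to trace to an authorizing EVTS ticket. The Python below is an added example, not code from the Siemens report or its systems, showing how a security operations team could automate those two checks over such evidence. The record layouts, the logon and region names, the EVTS ticket fields and all sample rows are constructed assumptions; the report does not describe the real formats.

```python
"""Added example (not from the Siemens report): evidence checks for controls
5.8 and 6.14 over constructed sample records. Record layouts are assumptions."""
from collections import Counter
from datetime import date, datetime, timedelta

# Control 5.8 evidence (constructed): one violation-report row per finding,
# carrying the responsible logon and terminal name the control requires.
VIOLATION_REPORTS = [
    (date(2008, 9, 1), "TSO123", "TERM01"),
    (date(2008, 9, 1), "CICS77", "TERM09"),
    (date(2008, 9, 2), "TSO123", "TERM01"),
    (date(2008, 9, 3), "BATCH5", "TERM22"),
    (date(2008, 9, 4), "TSO124", "TERM01"),
    (date(2008, 9, 5), "TSO123", "TERM03"),
]
# Analyst sign-offs (constructed): (day reviewed, analyst). A single analyst
# reviewed two days and then stopped, mirroring the September gap.
REVIEW_SIGNOFFS = [
    (date(2008, 9, 1), "analyst_a"),
    (date(2008, 9, 2), "analyst_a"),
]

# Control 6.14 evidence (constructed): developer logons to production CICS
# regions and the EVTS tickets that authorize third-level support work.
PROD_LOGONS = [
    ("dev_kim", "CICSPRD1", datetime(2008, 9, 10, 14, 5)),
    ("dev_kim", "CICSPRD1", datetime(2008, 9, 10, 16, 40)),
    ("dev_lee", "CICSPRD2", datetime(2008, 9, 12, 9, 15)),
    ("dev_lee", "CICSPRD1", datetime(2008, 9, 12, 9, 20)),   # region not on ticket
    ("dev_kim", "CICSPRD1", datetime(2008, 9, 18, 11, 0)),   # no ticket at all
]
EVTS_TICKETS = [  # (ticket, developer, region, window start, window end)
    ("EVTS-1001", "dev_kim", "CICSPRD1",
     datetime(2008, 9, 10, 13, 0), datetime(2008, 9, 10, 18, 0)),
    ("EVTS-1002", "dev_lee", "CICSPRD2",
     datetime(2008, 9, 12, 8, 0), datetime(2008, 9, 12, 12, 0)),
]


def review_gaps(reports, signoffs, max_gap_days=1):
    """Report days with no analyst sign-off, the longest run of consecutive
    unreviewed days, and whether that run breaches the daily-review expectation."""
    report_days = sorted({day for day, _, _ in reports})
    reviewed = {day for day, _ in signoffs}
    missing = [d for d in report_days if d not in reviewed]
    longest = run = 0
    prev = None
    for d in missing:
        # extend the run only when the previous unreviewed day is the day before
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        longest = max(longest, run)
        prev = d
    return missing, longest, longest > max_gap_days


def reviewer_concentration(signoffs):
    """Share of sign-offs performed by the busiest analyst. 1.0 means one person
    administers the control, the single point of failure management cites."""
    if not signoffs:
        return 0.0
    busiest = max(Counter(analyst for _, analyst in signoffs).values())
    return busiest / len(signoffs)


def unticketed_logons(logons, tickets):
    """Developer logons with no EVTS ticket for the same developer and region
    whose authorization window contains the logon time."""
    uncovered = []
    for dev, region, ts in logons:
        covered = any(
            t_dev == dev and t_region == region and start <= ts <= end
            for _, t_dev, t_region, start, end in tickets
        )
        if not covered:
            uncovered.append((dev, region, ts))
    return uncovered


if __name__ == "__main__":
    missing, longest, breach = review_gaps(VIOLATION_REPORTS, REVIEW_SIGNOFFS)
    print(f"5.8: unreviewed days {missing}, longest run {longest}, breach={breach}")
    print(f"5.8: reviewer concentration {reviewer_concentration(REVIEW_SIGNOFFS):.2f}")
    for dev, region, ts in unticketed_logons(PROD_LOGONS, EVTS_TICKETS):
        print(f"6.14: {dev} on {region} at {ts:%Y-%m-%d %H:%M} has no EVTS ticket")
```

On the constructed data the first check reports three consecutive unreviewed days with all sign-offs from one analyst, and the second check surfaces the two logons that no ticket window covers.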


More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

Internal Control Guidelines

Internal Control Guidelines Internal Control Guidelines The four basic functions of management are usually described as planning, organizing, directing, and controlling. Internal control is what we mean when we discuss the fourth

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions

More information