Net2EZ Managed Data Centers, Inc.
Net2EZ Managed Data Centers, Inc.

Independent Service Auditor's Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls

January 1, 2011 - December 31, 2011
TABLE OF CONTENTS

I. INDEPENDENT SERVICE AUDITOR'S REPORT
II. INFORMATION PROVIDED BY NET2EZ MANAGED DATA CENTERS, INC.
    DESCRIPTION OF RELEVANT CONTROLS PROVIDED BY NET2EZ
        Management Assertions Letter
        Company Overview
    RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT, MONITORING, AND INFORMATION AND COMMUNICATION
        Control Environment
        Risk Assessment
        Monitoring
        Information Systems
        Communication
        User Control Considerations
III. INFORMATION PROVIDED BY SAS 70 CPA
    CONTROL OBJECTIVES, RELATED CONTROLS, AND TESTS OF OPERATING EFFECTIVENESS
        Control Objective 1 Organization and Administration
        Control Objective 2 Human Resources Security
        Control Objective 3 Environment Security
        Control Objective 4 Physical Access
        Control Objective 5 Backup Operations
        Control Objective 6 Computer Operations
        Control Objective 7 Logical Access
        Control Objective 8 Infrastructure Change Management
        Control Objective 9 Support Operations
I. INDEPENDENT SERVICE AUDITOR'S REPORT
INDEPENDENT SERVICE AUDITOR'S REPORT

Pervez Delawalla
Chief Executive Officer
Net2EZ Managed Data Centers, Inc.
Avenue of the Stars, Suite 1011
Los Angeles, CA

We have examined the Net2EZ Managed Data Centers, Inc. (the Company or Net2EZ) description of its information technology and managed data center services throughout the period January 1, 2011 to December 31, 2011 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of the Company's controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

Beginning in Section II of the description, the Company has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. The Company is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period January 1, 2011 to December 31, 2011.

An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved.

An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described beginning in Section II. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

Net2EZ maintains data center facilities in the following locations: three in California (LAX1, LAX4, LAX6), three in Virginia (IAD1, IAD3, IAD4), and one in New Jersey (EWR1). We conducted onsite audit procedures and tests of controls at the following locations: LAX4 and EWR1. Testing of the other facilities was conducted by inspection of corroborating documentation and information obtained from management as well as through interviews with staff and management.

In our opinion, in all material respects, based on the criteria described in the Company's assertion in Section II,

a. the description fairly presents the Information Technology and managed data center services that were designed and implemented throughout the period January 1, 2011 to December 31, 2011.

b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period January 1, 2011 to December 31, 2011 and user entities applied the complementary user entity controls contemplated in the design of the Company's controls throughout the period January 1, 2011 to December 31, 2011.

c. the controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period January 1, 2011 to December 31, 2011.

The specific controls tested and the nature, timing, and results of those tests are listed in Section III.

This report, including the description of tests of controls and results thereof in Section III, is intended solely for the information and use of Net2EZ, user entities of the Net2EZ information technology and managed data center services during some or all of the period January 1, 2011 to December 31, 2011, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities' financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

SAS 70 CPA
SAS 70 CPA
2997-A Alt 19
Palm Harbor, FL
March 16,
II. INFORMATION PROVIDED BY NET2EZ MANAGED DATA CENTERS, INC.
DESCRIPTION OF RELEVANT CONTROLS PROVIDED BY NET2EZ

Management Assertions Letter

We have prepared the description of Net2EZ's information technology and managed data center services for user entities of these services during all or some of the period January 1, 2011 to December 31, 2011, and their user auditors who have sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities' financial statements. We confirm to the best of our knowledge and belief, that:

a. The description fairly presents the system made available to user entities of the system during some or all of the period January 1, 2011 to December 31, 2011 for providing its managed data center services. The criteria we used in making this assertion were that the description:

   i. Presents how the system made available to user entities of the system was designed and implemented to provide relevant services, including:
      1) the types of services provided.
      2) how the system captures and addresses significant events and conditions.
      3) the process used to prepare reports or other information provided to user entities of the system.
      4) specified control objectives and controls designed to achieve those objectives, including complementary user entity controls contemplated in the design of controls.
      5) other aspects of the control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to providing managed data center services to user entities of the system.

   ii. Does not omit or distort information relevant to the scope of the managed data center system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the managed data center system that each individual user entity of the system and its auditor may consider important in its own particular environment.

b. The description includes relevant details of changes to the service organization's system during the period covered by the description when the description covers a period of time.

c. The controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period January 1, 2011 to December 31, 2011 to achieve those control objectives. The criteria we used in making this assertion were that:

   i. the risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization,
   ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and
   iii. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

By: /S/ Pervez Delawalla
Pervez Delawalla
Chief Executive Officer
March 16,
Company Overview

Founded in 2001 to support the exponential growth of social networking, Net2EZ continues to power the growth of today's net-centric business with high power, high performance, and high value managed data centers. Leading social networks, enterprises, finance, content companies, and communications service providers rely on Net2EZ for uninterruptible operation to support their mission critical applications. With strategic footprint and access to key network interconnection points in North America, Net2EZ Managed Network Services provide site diversity and redundancy. Net2EZ data centers are expressly designed to meet or exceed the most stringent requirements of uninterruptible operation of the most demanding high power and high density systems. Since 2006, Net2EZ has achieved 100% availability through continued adherence to a principal philosophy to serve its customers with uncompromising quality with best in class data centers. The company is headquartered in Los Angeles, and is privately held with strong profitable financial performance.

Net2EZ Products and Services Overview

Colocation Solutions

Net2EZ offers its clients industry-leading service and support with real dependability, 24x7x365. Net2EZ's clients have the option of choosing their own preferred carrier or taking advantage of its redundant bandwidth, piped in from the industry's leaders. The Company's flexible bandwidth options are designed to deliver the bandwidth required at an affordable price.

Rack Space/Secured Shared Area

Net2EZ offers introductory rack space sizes anywhere between 1U-40U within a secured community cage.

Secured Cabinets (24w x 42d x 84h, or 24w x 36d x 84h)

Secure cabinets are available in full, half, or one-third sizes, and come with flexible power configurations and optional cross-connections (between cabinets). Individual cabinets feature a proprietary, impenetrable electronic locking system, as well as front, rear, or center rail mounts.

Custom Cage Space

Net2EZ offers high-grade woven mesh custom wire cages with full open racks mounted within. Customized cages are available by the square foot (based upon power density) and offer a variety of management options.

Network Services

Net2EZ offers managed network services to keep customer networks up and operational in accordance with guaranteed service levels 24x7x365. The Company's dedicated team of professionals provides around-the-clock monitoring and troubleshooting of network services and environmental control systems to ensure optimum efficiency. The Company directly peers with over 20 other networks.

Network Service Options

- Bandwidth Solutions
- Metro Ethernet
- MPLS Services
- Dark Fiber
- Remote Peering

Managed Professional Services

Net2EZ offers a wide range of managed professional services catered to organizations of all sizes and scopes. The Company brings greater than 15 years of experience in the fields of data center design and business continuity planning for the financial and telecom industries. Through the delivery of a full spectrum of services, the Company maintains the expertise to direct clients in the implementation of industry best practices. Service offerings include, but are not limited to, the following:

- IT security enterprise assessment
- Server architecture and implementation
- Business and technology profile compliance assessment
- Information availability assessment
- Technical security assessment
- Technology migration
- Business impact analysis
- HIPAA and SOX compliance assessment

Security Services

Net2EZ provides clients with a modular platform consistent with the next generation of security and VPN services. Several tailored packages have been developed to address unique customer needs via the following versions:

Enterprise Edition: Comprised of four location-specific sub-editions (i.e. Firewall Edition, IPS Edition, Anti-X Edition, and VPN Edition); each edition combines a focused set of services designed to meet the needs of specific environments within the enterprise network. These packages deliver superior protection by providing the right set of services for any given location. At the same time, Net2EZ enables standardization upon a single platform to reduce the overall operational cost of security, thereby increasing its affordability.

Business Edition: Net2EZ's Business Edition provides small and medium-sized companies with comprehensive gateway security and VPN connectivity. With its combined firewall and anti-x capabilities, Net2EZ is able to stop threats at the gateway before they enter the network and impact business operations. The same level of service is extended to remote access users, providing a VPN connection, which is well-protected against threats.

Disaster Recovery

At Net2EZ, information availability means far more than merely recovering the IT environment. Clients can get systems, business processes, and employees back in a position where they are able to restore business continuity. Net2EZ has designed a set of solutions to make that a reality. Net2EZ Disaster Recovery Services include:

- Backup and recovery
- Network services
- High information availability services
- Data storage and vaulting
- Testing
- Assessment and improvement of the recoverability of critical infrastructure and business processes.
RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT, MONITORING, AND INFORMATION AND COMMUNICATION

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The control environment has a pervasive influence on the way business activities are structured, objectives are established, and risks are assessed. It influences control activities, information and communication systems, and monitoring procedures. The control environment is influenced by an entity's history and managerial culture. Effectively controlled entities strive to have competent people, instill an enterprise-wide attitude of integrity and control consciousness, and set a positive corporate direction. These entities establish appropriate controls which foster shared values and teamwork in pursuit of the organization's objectives.

Control environment elements include the following, and the extent to which each element is addressed at Net2EZ is described below:

- Management Controls, Philosophy, and Operating Style
- Integrity and Ethical Values
- Organizational Structure
- Assignment of Authority and Responsibility
- Standard Operating Controls
- Audit
- Risk Management
- Monitoring

Management Controls, Philosophy, and Operating Style

Management is responsible for directing and controlling operations, establishing, communicating, and monitoring control policies and procedures, as well as setting the tone for the organization. Importance is placed on accuracy and integrity, maintaining written and updated procedures, security and privacy, and establishing and maintaining sound internal controls over all functional aspects of operations.

Management's philosophy and operating style affect the way the entity is managed, including the kinds of business risks accepted. Net2EZ places a great deal of importance on working to help ensure that the integrity of its systems is the primary focus and that controls are maximized to mitigate risk in the daily operations. Management and specific teams are structured to help ensure the highest level of integrity and efficiency in customer support, colocation services, and managed data center services.

Organizational values, ethics, and behavior standards are communicated through formal job descriptions and through regular team meetings and staff interactions. Personnel operate under Net2EZ policies and procedures, including confidentiality agreements and security policies. Periodic training is conducted to communicate regulations and the importance of privacy and security. Management is committed to being aware of regulatory and economic changes that affect lines of business and continually monitoring the customer base for trends, changes, and anomalies.

Competence should reflect the knowledge and skills needed to accomplish tasks that define an individual's job. Through consideration of an entity's objectives and the strategies and plans for achievement of those objectives, management must determine how well these tasks need to be accomplished. Management has identified the competence levels for particular jobs and translated those levels into requisite knowledge and skills.

Integrity and Ethical Values

Maintaining a climate which demands integrity and ethical values is critical to the establishment and maintenance of an effectively controlled organization. The effectiveness of internal controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Net2EZ has programs and policies designed to promote and ensure integrity and ethical values in their environment.

Net2EZ desires to maintain a safe, pleasant, and cooperative working environment and expects employees to have high standards of performance, integrity, productivity, and professionalism. Net2EZ has developed professional conduct policies, which set forth policies of particular importance to all employees, relating to ethics, values, and conduct. All employees are expected to know and adhere to these standards, as well as to generally accepted norms of conduct and courtesy at all times. While managers are responsible for understanding, communicating, and enforcing Company policies, this does not override or diminish an employee's individual responsibility to be aware of and adhere to these policies. Violations of these policies, or other forms of misconduct, may lead to disciplinary or corrective action up to and including dismissal.

Standards of Conduct

The Company has implemented standards of conduct to guide all employee and contractor behavior. Management monitors behavior closely, and exceptions to these standards lead to immediate corrective action, as defined by Human Resources (HR) policies and procedures. Additionally, all employees must sign confidentiality agreements prior to employment. Any employee found to have violated Net2EZ's ethics policy may be subject to disciplinary action, up to and including termination of employment.

Commitment to Competence

Net2EZ has formal job descriptions which define roles and responsibilities and the experience and background required to perform jobs in a professional and competent fashion. Net2EZ analyzes the knowledge and skills needed to perform job duties and responsibilities and hires for that skill set and job requirement. Management monitors employee and contractor performance and formally evaluates it on a periodic basis to determine that standards are met or exceeded.

Organization Structure

An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Significant aspects of establishing a relevant organizational structure include defining key areas of authority and responsibility, and establishing appropriate lines of reporting. Significant cross-training between management positions and between staff positions exists to help ensure smooth operations and maintenance of controls during staff or management absence.
Roles and Responsibilities

The following organization chart depicts the Net2EZ corporate structure. Led by Executive Management, Net2EZ is organized into the following departments: Administration, Network Engineering, Network Operations, Infrastructure Engineering, and National Accounts.

Assignment of Authority and Responsibility

The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable. This holds true for everyone who has ultimate responsibility for activities within an entity, including the internal control system. This includes assignment of authority and responsibility for operating activities, and establishment of reporting relationships and authorization protocols. Net2EZ management encourages individuals and teams to use initiative in addressing issues and resolving problems. Policies describing appropriate business practices, knowledge and experience of key personnel, and available resources are provided to employees in order to assist them in carrying out their duties.

Net2EZ is led by a team of senior executives that assign authority and responsibility to key management personnel with the skills and experience necessary to carry out their assignments. Such assignments commonly relate to achieving corporate objectives, oversight of operating functions, and any compliance with applicable regulatory requirements. Open dialogue and individual initiative are encouraged as a fundamental part of the Company's goal to deliver client service.

Executive Management

This department is responsible for developing and establishing organizational goals, strategic vision, organizational direction, client strategy, client acquisition, market positioning, and company growth.

Administration

This department is responsible for Net2EZ Accounting, Administration, Accounts Payable/Receivable, Payroll, Human Resources, and Corporate Benefits. Administration consists of a Controller, Bookkeeper, and an Executive Assistant reporting directly to the Director of Administration and Net2EZ President on the Executive Level.

Network Engineering

This department is responsible for all Net2EZ network infrastructure, hardware acquisition, and customer/internal connectivity. Network Engineering oversees all customer and internal network performance, security, incident mitigation, as well as assisting with post and pre-sales network engineering, planning, implementation, and management. Led by the Director of Network Engineering, the department oversees a bi-coastal team of junior and senior network engineers and reports directly to the Net2EZ CEO.
Network Operations

This department is responsible for all 24x7x365 network operations center (NOC) staff, policies, operating procedures, scheduling, hiring and terminations, department capital expenditure and operational expenditure budget, purchasing, and contract negotiations. Network Operations manages planning and implementation of all internal and customer-facing information technology (IT) systems, maintenance, reporting, managed service allocation/billing, inventory and Company IT initiatives. The department serves as a liaison between sales, customers, and functions as an escalation point for all IT related issues. Led by the Director of Network Operations, the department manages a bi-coastal team of 20 NOC technicians, two site managers, and reports directly to the Net2EZ CEO.

Infrastructure Engineering

This department is responsible for all Net2EZ data center critical infrastructure, capacity planning, and reporting customer contracted infrastructure implementation and scheduling. Infrastructure Engineering oversees customer installations and expansions, procurement and contract negotiations for all data center infrastructure and vendor management. Led by the Director of Infrastructure Engineering, the department manages a bi-coastal team of facility engineers and reports directly to the Net2EZ CEO.

National Accounts

This department is responsible for all sales activities, customer contract negotiations, business forecasting and trending, sales and marketing campaigns, revenue generation, and metric reporting. The National Accounts team consists of five account representatives reporting directly to the Net2EZ Vice President.

Standard Operating Controls

Net2EZ management sends guidance to employees regarding expected levels of integrity, ethical behavior, and competence. Such practices relate to hiring, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions.

Net2EZ has hiring practices that are designed to help ensure that new employees are qualified for their job responsibilities. Net2EZ invests significant resources in employee development by providing on-the-job training and other learning opportunities. New employees participate in an orientation program, which acquaints them with the Net2EZ organization, its affiliated companies, functions, values, products, and selected policies. Thereafter, development activities include providing more challenging assignments, training programs, and seminars. Additionally, employees are provided with measurable objectives and are subject to periodic performance reviews to help ensure competence. Managers give each of their employees at least one formal written performance appraisal per year.

Human Resource Practices

Net2EZ has hiring practices that are designed to help ensure that new employees are qualified for their job responsibilities. HR practices are designed to allow management to recruit, develop, and retain sufficiently competent personnel to achieve the Company's business and control objectives. All prospective employees complete a comprehensive and detailed employment application, and employment is contingent on rigorous interviewing (and testing if applicable), successful reference checks, and background checks. These screening procedures allow the Company to employ individuals that are a good fit for the position and the Company.

Audit

Net2EZ management performs periodic audits of procedures with a focus on security compliance and holds scheduled compliance meetings with staff to review current and new procedures.
15 Risk Assessment Net2EZ has a cross functional risk assessment process that utilizes management, as well as staff, to identify risks that could affect Net2EZ s ability to meet its contractual obligations. Risk assessment efforts include analyses of threats, probabilities of occurrence, potential business impacts, and associated mitigation plans. Risk mitigation strategies include prevention and elimination through the implementation of internal controls and transference through commercial general and umbrella policies. Team leaders are required to identify significant risks related to their areas of responsibility and implement measures to mitigate those risks. The management team meets regularly to identify any risks and develop corrective steps to minimize the impact of these risks. The Company employs numerous methods to assess and manage risk, including policies, procedures, team structure, recurring meetings, and automated error detection controls. Net2EZ strives to identify and prevent risks at an early stage through policy and procedure adherence, in addition to mitigating relevant risks as discovered through team structure, meetings, or notifications. Monitoring Net2EZ Executive Management meets on a regular basis to review the operational and financial performance of the Company. Reports are distributed detailing the information discussed. Management monitors internal controls as part of normal business operations. Net2EZ uses a series of management reports and processes to monitor the results of the various business processes. The management team regularly reviews the reports, and all exceptions to normal processing activities are logged, reported, and resolved. The Company uses software to track daily maintenance activities, facility and infrastructure changes, and customer requests, which are maintained in a system and tracked until completion. Management performs regular reviews of tasks assigned to their departments. 
Tasks that are not addressed in a timely manner are manually escalated and resolved. Information Systems Core Network Description Net2EZ s primary core network architecture is Ethernet over fiber providing a high-speed reliable link to the Internet. The fiber link is a secure, dedicated, always-on service intended for e-commerce applications, streaming multimedia, and other latency sensitive applications such as VoIP (Voice-over- IP). Redundant fiber connections provide bandwidth to Internet applications for Net2EZ s customers. Net2EZ uses high-end enterprise class routers for backbone routing. These routers receive full routing tables from all of Net2EZ s backbone providers. Net2EZ announces its routers to all of its backbone providers to ensure redundant communications paths are maintained to the providers. High Availability Internet (HAI) Net2EZ has a high availability network and Internet strategy. Firewalls are utilized for performance, availability, and scalability. Net2EZ operates a series of redundant components to ensure high availability and optimal responsiveness at all of its data center locations. Redundant hardware includes routers, switches, and servers. Single-mode, 48-strand fiber is utilized between the building s Point of Entry (POE) 15 Net2EZ Managed Data Centers, Inc.
and Main Data Feed (MDF) areas. Security appliances guard Internet connectivity with redundant access to network carriers. Security policies and procedures are maintained and applied to all servers and network devices. Net2EZ offers its customers an infrastructure that is fully redundant. Each router, firewall, content switch, and switch is duplicated, eliminating a single point of failure. The majority of the devices utilized at each facility core have been standardized, ensuring commonality and ease of support.

Infrastructure standards:

- Routers: A pair of routers run in tandem connected to the Ethernet feeds. Each router runs full BGP-4 routing tables with HSRP into the interior. If a link or router fails, the other router is capable of managing the full load.
- Load Balancers: A pair of load balancers in a master/slave configuration front-end the Web firewalls and manage load balancing of Web servers when required.
- Switches: Throughout the high availability infrastructure, there are redundant or tandem Layer 2 and Layer 3 switches. These switches interconnect in a fully-meshed configuration to provide alternate paths from the Internet through to the customer's cabinets.

Network Attributes

Non-blocking architecture

The optical fiber backbone operates on native Ethernet technology. Nonblocking architecture features include:

- 4.8 terabits per second network switching capacity.
- Double redundancy in switching locations and POP sites.
- Standards-based Ethernet backbone for wire-speed switching.

Wire-speed switching performance

Effectively means zero latency, or only a few milliseconds, to complete a ping. Wire-speed means that the Net2EZ network switching and electronics operate as fast as the glass cable that is used to interconnect network devices delivering port-to-port latency of 10 to 20 milliseconds. All access/backbone trunks are carried over high-quality, single-mode fiber.
Quality-of-service and bandwidth management are performed in-hardware, with no impact on network performance.

Transparent Layer 2 Functionality

The Net2EZ network has been engineered to provide transparent Layer 2 functionality providing for increased performance and security including:

- Standards-based VLAN technology as per 802.1q
- Point-to-point and multi-point-to-multi-point connectivity over any kind of interface
- Multiple VLANs can be provided over one physical port
- Completely transparent and interoperable with customers' standards-based network protocols, applications, and spanning tree configurations

Security

The Net2EZ network architecture has been designed to be secure for enabling mission-critical applications and data transfers through the utilization of tamper-resistant, fiber optic cable in the network core. Additionally, broadcast domains are restricted to individual VLANs and will not leak between them and provide 24x7x365 network surveillance.
Reliability

Net2EZ utilizes mesh network architecture. Should a fiber cut happen, service will not be interrupted. The self-healing attributes within the fiber infrastructure prevent service interruptions. The Net2EZ backbone is built around fiber ring topologies. The ring protocols in place allow for sub-second failover and recovery.

Physical Security

Overview

The data centers are located in non-descript hardened facilities. Strict access controls are in place at all facilities to prevent unauthorized access. Perimeter walls of all raised floor areas are constructed to true ceilings to prevent any attempts of elevated entry. Security controls are reviewed periodically by facility service providers.

Access Control Systems

Data center access is controlled by access control systems that utilize a combination of proximity cards and biometric scans. Biometric security enforced through a fingerprint scan offers one of the most accurate, noninvasive security measures to ensure only authorized individuals enter facilities. Additionally, mantraps are utilized at the facilities to further control access to data center areas.

Video Surveillance

All access entries to data centers are monitored and recorded via high resolution cameras and digital video management systems. Security cameras incorporate low-light technology to allow clear visibility at night. Images are stored for a minimum of 60 days. Remote viewing has been configured at many locations, and tests of the ACS and camera systems are performed periodically whereby remote technicians are granted access to certain spaces by another technician in another facility. The test procedures are designed to ensure adequate cross training, system proficiency, and enforce standards across the facilities.

Data Center Visitors

Colocation customers, contractors, and visitors must contact the Net2EZ NOC prior to arrival.
Site managers receive confirmation from local security personnel when visitors arrive and positive identification is verified. Visitors are escorted for the duration of their visit. Security personnel will validate each customer representative against a list of approved personnel in order to provide customer access to colocation areas. The customer representative must show proper company and/or government-issued photo identification. Customer will not be granted access without proper identification and without being named on the approved personnel list.

Locked Cabinets

Customers either have a combination or key for their cage or cabinet. The NOC retains, for emergency purposes, extra keys to all colocation areas. These extra keys are kept in a separate secured area, which is only accessible by approved Company personnel. Cabinets are checked as part of the periodic rounds performed by Company personnel and discrepancies reported.
Security Monitoring

All data center facilities are monitored 24x7x365 by Net2EZ personnel and third party security services. Physical access alarms are reported to security personnel who, in turn, report to Net2EZ's management as required. Additionally, rounds are performed at each facility by Net2EZ personnel of all managed areas. All door entry attempts are logged by the access control systems.

Environmental Security

Data Center Power

Data center utility power is filtered through N+1 UPS systems to provide a steady stream of conditioned power to cabinets and to prevent power fluctuations. Each facility is equipped with backup diesel generators. UPS systems have been engineered to provide sufficient run time to allow for the generators to start, synchronize with the circuits, and begin providing power. Each generator contains adequate fuel capacity for extended outages and can be refueled for indefinite utilization if needed. Cabinets have been configured with power bars consisting of redundant components. Readings are taken as part of the facility rounds. Remote Power Panels (RPPs) are used to manage the power feed from UPS systems to the cabinets. Tests and inspections of UPS and generator systems are performed by third party technicians to ensure proper operation.

Data Center Cooling

Data center environments are conditioned through the use of N+1 Computer Room Air Conditioner (CRAC) units to provide an optimal operating environment for computing systems. The CRAC units are rotated according to a schedule to ensure evenly distributed system usage times. Hot/Cold aisle configurations are used to ensure an ample supply of cool air to the front of systems with hot air exhausted to the opposing aisle and returned through the ceiling plenum for recirculation. Facilities are equipped with a closed loop glycol or water chiller system with redundant pumps or utility water supplies. Redundant components are rotated according to maintenance schedules.
All components of the cooling systems are inspected and readings recorded as part of the facility rounds.

Data Center Fire Detection and Suppression

Data center facilities are equipped with sensors to detect the presence of smoke and flame. Sensors are located in the ceiling and under raised floors in plenum spaces. All sensors are incorporated into the facility monitoring systems and are monitored continuously by facility maintenance departments. Data center facilities are equipped with pre-action, dry-pipe, water-based sprinkler systems. Sensors are used to trigger the charging of the water lines to the sprinkler heads. The sprinkler heads then discharge individually when temperature thresholds at the head are reached, thereby minimizing the impact to unaffected areas. The sprinkler systems are engineered as a last line of defense should alternate methods such as handheld extinguishers not sufficiently extinguish the fire. Regular inspections of all fire equipment are performed by Net2EZ personnel and licensed external third parties.
Fire detection and suppression features include:

- Smoke sensors
- Heat sensors
- Remote 24x7x365 monitoring
- Handheld fire extinguishers
- Fixed sprinkler system

Facility Monitoring

For the purposes of facility building, management utilizes notification panels and monitoring systems for centralized monitoring and alerting. The panel is connected to sensors in the various data center systems and monitored remotely by building management. When a system begins functioning outside of normal parameters, an audible and visual alarm is triggered at the panel. This alert is displayed to building management personnel who provide an appropriate response. The system has been configured for positive contact, meaning it continues to alarm until the alert is acknowledged. Data center technicians are tasked with performing a visual inspection of the panel as part of shift walkthrough procedures. Systems monitored by the notification panel include:

- Security sensors including door, motion, and glass break
- Fire sensors below floors and in the ceiling
- Fixed fire suppression systems
- Backup power systems (generator and UPS operation)
- Temperature sensors
- Moisture sensors

Testing and Maintenance

Colocation facilities chosen by Net2EZ have dedicated maintenance personnel who regularly test, inspect, and maintain or coordinate the maintenance of all environmental systems required for data center operations 24x7x365.

Information Security

At Net2EZ, security is critical to the physical network, facilities, computer operating systems, and application programs. Each area offers its own set of security issues and risks. An Information Security program is necessary to serve statutory goals pertaining to government organizations, healthcare organizations, financial organizations, and facilities.
These goals include:

- Ensure continuity of operations
- Protect the safety and integrity of confidential information
- Prevent unauthorized access to confidential information
- Ensure proper use of communications areas
- Assign responsibility for efficient and economical management of confidential records
- Protect company data

Net2EZ implements a comprehensive security program that offers a high level of protection commensurate with the value of the assets. The information security program provides reasonable protection against unauthorized access, disclosure, modification, or destruction, as well as to assure the availability, integrity,
usability, authenticity, and confidentiality of information. This applies to all systems that manage or store data.

Computer Operations

Systems Monitoring

Net2EZ regularly monitors the network for capacity, performance, and hardware failure. Overall database health and capacity planning are monitored daily to ensure the system will meet the needs of Net2EZ and its clients. IT monitors security access violations, including server logs and reports. Monitoring policies and procedures are utilized for addressing issues relating to outages of critical services or other issues needing immediate action. These procedures vary based on the defined severity level of the problem. Net2EZ administrators use several monitoring tools to identify and provide alerts to the following conditions:

- A system has exceeded a predefined performance or load threshold.
- A system has suffered an error condition.
- A system has detected a hardware element that is expected to fail in the near future.
- A system is no longer in communication with the monitoring infrastructure.
- A system has entered a condition previously specified by Net2EZ administrators as operating outside of a threshold.

Issue Tracking and Reporting

Net2EZ uses its proprietary EZNoc software for tracking support issues and maintaining historical records. Net2EZ has configured the application with multiple queues for each specialized group. Customers can submit work orders via a Web portal and receive a response from the support group for follow up. Customers can also directly or call in during regular business hours. The incoming ticket queue is monitored by data center technicians on a rotating basis 24x7x365. Tickets are triaged by the on-call staff member and troubleshooting steps taken. The ticket follows an escalation path to senior staff and managers should the first level not find a resolution. Each facility maintains onsite technicians to provide immediate hands-on support for critical issues.
Patch Deployment

Net2EZ takes a proactive approach to patch management of network communication equipment and support systems. Net2EZ engineers regularly monitor various Web sites, message boards, and mailing lists where advanced notification of bug and related patches is often disclosed prior to public announcement by the vendor. This allows Net2EZ to plan well ahead for upcoming patches. Net2EZ engineers subscribe to vendor-specific distributions designed to alert them to new patches becoming available. Net2EZ engineers consider each patch carefully and independently to determine if it is necessary to deploy it within the production environment. In many cases, the vulnerability being addressed by the patch has been mitigated through any number of other countermeasures already in place such as firewalls, the intrusion prevention system, or an aspect of their hardening process. In these cases, patches may be deferred until they
are included in a future version. If Net2EZ engineers decide that the patch is necessary and should be deployed, the patch is tested. Once the patch has been thoroughly tested, it is approved for deployment.

Logical Access

Access to resources and data is granted to individuals based on their job responsibilities. New user accounts are established only upon receipt of properly authorized requests. The Director of Network Operations is the security administrator and is responsible for ensuring adherence to the security policy which addresses logical access control procedures. Unique user IDs and passwords are assigned to each individual user. Password rules are established according to the Net2EZ security policy which requires a minimum of alphanumeric characters with password complexity requirements. Passwords are systematically required to be changed periodically. The system administrator sets the user's initial password. The user is required to change the password at first logon. Individual access capabilities are removed immediately by IT upon the notification of termination of employment, change of responsibilities, or termination of a contract with a client that uses the system. User accounts and access rights are managed on the Domain Controllers employing the Internet-standard Kerberos network authentication protocol to authenticate both the client and the network, and to protect against the possibility of unauthorized users impersonating a server to enter the network. Database software maintains their respective client databases. The databases are only accessible through the software application and are protected from unauthorized access. No direct network access is granted to this software or the servers that it runs on to anyone other than those granted by management.
Incident Control Plans

Net2EZ has a formal Incident Control Plan (ICP) and Standard Operating Procedures (SOP) customized for each location as well as Companywide response procedures whereby responsibilities regarding notifications and actions to be taken are clearly defined. Red, Yellow, and Green alert levels have been identified to prioritize certain conditions, outages, or threats as well as define the response procedures for each condition. Security incidents are handled by various members of IT management and IT engineers. Managers of the respective department are responsible for keeping management apprised of an incident's status through resolution. The ICPs and SOPs provide guidance and documentation on computer security incident response handling and communication efforts. The plan is activated whenever a computer security incident occurs, and guides the responses to all incidents whose severity is such that they could affect a company's ability to do business or undermine its reputation. The inevitability that attempts (possibly successful) will be made to compromise system and network security dictates these plans and procedures are in place.

Infrastructure Change Management

Net2EZ has a formal change management policy and guideline in place to ensure only authorized updates and changes are implemented in the production environment. Controls are in place to properly authorize, test, and implement the change. Net2EZ has developed a change ticket process whereby no changes to the infrastructure or production systems can take place without the proper approval and scheduling. Change tickets dealing with operational changes typically originate from internal staff and frontline support staff.
Once logged in the issue tracking system, change tickets are routed to the appropriate technical group for assessment and approval. Once approved, the work is put on the calendar to be carried out by a qualified technician.

Data Backup and Restore

Backup

The Company has developed a multi-layered strategy for protecting critical corporate data files and systems to meet business requirements. This strategy includes using full, incremental, and snapshot job types. Jobs are stored to either tape media or hard disk media for archiving. The backup practices include computers within Net2EZ, which are expected to have their data backed up. These systems are typically servers but are not necessarily limited to servers. Servers backed up include the file servers, application servers, database servers, mail servers, and security support servers.

Restore

Restores are frequently performed to test the effectiveness of backup data sets. The tests are performed as part of an operational need or to a secure test environment for development activities.

Communication

Net2EZ uses a variety of methods for communication to ensure that significant events and issues are conveyed in a timely manner and that staff understand their role and responsibility over service and controls. These methods include the following: new hire training, ongoing training, policy and process updates, departmental meetings, use of and paging to communicate time sensitive information, instant messaging, and the documentation and storage of historical data in internal repositories for business and support activities. The Company maintains systems that manage the flow of information and facilitate communication with its customers.

Information Flow from Senior Management to Operations Staff

Employee manuals are provided upon hire, which communicate all relevant policies and procedures concerning employee conduct.
Security of the physical premises and logical security of systems are reinforced by training and through awareness programs. The communication system between senior management and operations staff includes the use of the office system, written memos when appropriate, and weekly meetings. Periodic department meetings between each manager and their staff are held to discuss new Company policies and procedures and other business issues. Staff and training meetings are utilized to inform staff of new policy and technology updates. Communication is encouraged at all levels to promote the operating efficiency of Net2EZ.

Control Objectives and Related Controls

Net2EZ's control objectives and related control activities are included in Section III of this report to eliminate the redundancy that would result from listing them here in Section II and repeating them in Section III. Although the control objectives and related control activities are included in Section III, they are, nevertheless, an integral part of Net2EZ's description of controls.

User Control Considerations

The Company's applications are designed with the assumption that certain controls would be implemented by user organizations. In certain situations, the application of specific controls at the user organization is necessary to achieve control objectives included in this report.
This section describes additional controls that should be in operation at user organizations to complement the controls at the company. User auditors should consider whether or not the following controls have been placed in operation at the user organizations:

- Controls are in place for user organizations to ensure compliance with contractual requirements.
- Controls are in place to ensure that user organizations adopt strong operating system and application password management procedures, including using passwords that cannot be easily compromised and are required to change on a regular basis.
- Controls are in place to provide reasonable assurance of the compatibility of software not provided by Net2EZ.
- Controls are in place to provide reasonable assurance that the customer has procedures in place for developing, maintaining, and testing their own business continuity plans or contracting with Net2EZ for this service.
- Controls are in place to provide reasonable assurance that Net2EZ is notified in advance of any equipment or other shipments they will be sending or receiving.
- Controls are in place to provide reasonable assurance of the transmission and receipt of information not provided by Net2EZ.
- Controls are in place to provide reasonable assurance that, in conjunction with advice from Net2EZ personnel, the customer communicates their Internet protocol (IP) connectivity needs permitting Net2EZ personnel to design managed firewall solutions when elected. Customers are responsible for communicating changes in these needs in a timely manner to permit timely changes in firewall configurations.
- Controls are in place to provide reasonable assurance that data is backed up, or that Net2EZ has been contracted to perform these services.
- Controls are in place to approve the telecommunications infrastructure between itself and Net2EZ.
- Controls are in place to control the detection and proliferation of malware, viruses, and malicious traffic or contracting with Net2EZ to perform these services.

The list of user organization control considerations presented above and those presented with certain specified control objectives do not represent a comprehensive set of all the controls that should be employed by user organizations. Other controls may be required at user organizations. Providing managed data center services for customers by Net2EZ covers only a portion of the overall internal control structure of each customer. The Net2EZ products and services were not designed to be the only control component in the internal control environment. Additional control procedures must be implemented at the customer level. It is not feasible for all of the control objectives relating to the processing of transactions to be completely achieved by Net2EZ. Therefore, each customer's system of internal controls must be evaluated in conjunction with the internal control structure described in this report.
III. INFORMATION PROVIDED BY SAS 70 CPA
CONTROL OBJECTIVES, RELATED CONTROLS, AND TESTS OF OPERATING EFFECTIVENESS

Control Objective 1 Organization and Administration

CO1 Controls provide reasonable assurance that management provides oversight, segregation of duties, and guides consistent implementation of security practices.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
| --- | --- | --- |
| C1.1 The organization has a corporate information security policy that describes the security posture and practices of Net2EZ. | Inspected the corporate security policy and conducted corroborative inquiry of management to determine that the Company had a corporate information security policy that described the security posture and practices during the audit period under review. | |
| C1.2 An organizational chart is in place to communicate key areas of authority, responsibility, appropriate lines of reporting to personnel, and is updated on a periodic basis. | Inspected the organizational chart and conducted corroborative inquiry of management to determine that documentation was in place to communicate key areas of authority, responsibility, and appropriate lines of reporting to personnel and that it was updated on a periodic basis. | |
| C1.3 The Company is segregated into separate and distinct functional areas for the purposes of the management of customer information, the processing of the information, and to ensure adequate separation of duties. | Inspected the organizational chart and conducted corroborative inquiry of management to determine that the Company was segregated into separate, logical, and distinct functional areas and that a reasonable separation of duties existed. | |
| C1.4 The Company has an employee handbook that describes management's philosophy, operating style, and provides HR policy guidance to employees. | Inspected the employee handbook and conducted corroborative inquiry of management to determine that the Company had an employee handbook that described management's philosophy, operating style, and provided HR policy guidance to employees. | |
| C1.5 The organization has documented standards of conduct that guide employees on the organization's ethical principles and conduct. | Inspected the standards of conduct and conducted corroborative inquiry of management to determine that documentation was in place to guide employees on the organization's ethical principles and conduct. | |
| C1.6 Corporate policies are reviewed yearly, updated when required, and approved by management to remain current. | Inspected in-scope policies and conducted corroborative inquiry of management to determine that corporate policies were reviewed, updated as needed, and approved by management annually. | |
| C1.7 The organization has documented job descriptions that describe the roles and responsibilities of the position. | Inspected a selection of job descriptions and conducted corroborative inquiry of management to determine they were in place and described the roles and responsibilities of the position. | |
| C1.8 Management meetings are held on a regular basis to discuss operational issues. | Inspected calendar schedules and conducted corroborative inquiry of management to determine that management meetings were held on a regular basis to discuss operational issues. | |
| C1.9 The Company maintains insurance policies to mitigate losses and transfer risks: Commercial General Liability; Physical Property; Non-Owned Auto; Umbrella Liability; Errors & Omissions | Inspected insurance policy declaration pages and internal insurance spreadsheets, and conducted corroborative inquiry of management to determine that management maintained the following insurance policies to mitigate losses and transfer risks: Commercial General Liability; Physical Property; Non-Owned Auto; Umbrella Liability; Errors & Omissions | |
Control Objective 2 Human Resources Security

CO2 Controls are in place to ensure that employees, contractors, and third party users understand their responsibilities, are suitable for the roles they are considered for, and exit the organization or change employment in an orderly manner.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
| --- | --- | --- |
| C2.1 New hire checklists are used to ensure new staff receive the appropriate level of access to information systems and facilities. | Inspected a sample of new hire checklists and conducted corroborative inquiry of management to determine that during the period under review, checklists were utilized to ensure the appropriate access levels to systems and facilities were assigned. | |
| C2.2 Management ensures employees are subjected to a background check during the hiring process. | Inspected a sample of background check invoices and conducted corroborative inquiry of management to determine that each employee was subjected to a background check prior to employment. | |
| C2.3 Employees must sign a confidentiality agreement as acknowledgement not to disclose proprietary or confidential information, including client information, to unauthorized parties. | Inspected a sample of confidentiality agreements and conducted corroborative inquiry of management to determine that employees were required to sign an agreement not to disclose proprietary or confidential information, including client information, to unauthorized parties. | |
| C2.4 There is a formal disciplinary process for employees who are suspected of rule infractions or violations of company policies. | Inspected the disciplinary procedures as contained in the Employee Handbook and conducted corroborative inquiry of management to determine that formal disciplinary procedures were in place and communicated to staff. | |
| C2.5 Management utilizes and retains termination checklists as a confirmation of revocation of system and facility access privileges as a component of the employee termination process. | Inspected a sample of termination checklists and conducted corroborative inquiry of management to determine that management utilized and retained termination checklists as a confirmation of revocation of system and facility access privileges when terminated. | |
30 Control Objective 3 Environment Security CO3 Controls provide reasonable assurance that information technology infrastructure in the data centers are secured from certain environmental threats. Controls Specified by Net2EZ Testing Performed by SAS 70 CPA Results of Tests C3.1 The data centers are equipped with raised flooring. Observed the configuration of the raised floor throughout the data centers and conducted corroborative inquiry of management to determine that during the period under review raised flooring was in place. C3.2 The raised flooring in the data centers is grounded to reduce the occurrence of electrostatic buildup. Observed the grounding devices of the raised floor and conducted corroborative inquiry of management to determine a grounding system was in place. C3.3 Continuous monitoring devices are used at all data center locations that alert building management to the presence of water, UPS low voltage conditions, high air temperature, and high or low humidity. Observed the facility monitoring centers and conducted corroborative inquiry of management to determine that environmental systems were monitored on a continuous basis. C3.4 The data centers are equipped with a fixed fire suppression system. Observed the configuration of the fire suppression system and conducted corroborative inquiry of management to determine that a fixed suppression system was in place. C3.5 The data centers are equipped with sensors to detect the presence of smoke and fire. Observed the configuration of the fire detection system and conducted corroborative inquiry of management to determine that a fire detection system was in place. 30 Net2EZ Managed Data Centers, Inc.
Control Objective 3 Environment Security (Continued)

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C3.6 Periodic inspections of fire detection and suppression systems are performed and documented. | Inspected recent service tags and conducted corroborative inquiry of management to determine that periodic inspections of fire detection and suppression systems were conducted and documented. | |
| C3.7 The data centers are equipped with redundant HVAC systems used to control temperature and humidity. | Observed the HVAC configurations and conducted corroborative inquiry of management to determine that the data centers were equipped with redundant HVAC systems to maintain consistent temperature and humidity. | |
| C3.8 The data centers are configured with hot and cold aisles to maximize cooler airflow to the front of the systems. | Observed the hot and cold aisle configuration used in the data centers and conducted corroborative inquiry of management to determine that cooler air was routed to the front of the systems. | |
| C3.9 Uninterruptible Power Supply (UPS) and generator systems are utilized to provide alternate power in the event of a momentary and extended interruption in commercial power. | Observed the UPS and generator systems and conducted corroborative inquiry of management to determine that they were in place to provide alternate power in the event of a momentary and extended interruption in commercial power. | |
| C3.10 Data centers are configured with the ability to provide redundant power circuits to cabinets. | Observed the configuration of power distribution systems and conducted corroborative inquiry of management to determine that the data centers were configured with the ability to provide redundant power circuits to cabinets. | |

Control Objective 4 Physical Access

CO4: Controls provide reasonable assurance that physical access to the data center facilities is monitored and limited to authorized personnel.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C4.1 Onsite security personnel are utilized to monitor building entrances and security systems 24x7x365 at the facilities. | Observed security personnel and conducted corroborative inquiry of management to determine that during the period under review data centers had onsite security 24x7x365. | |
| C4.2 Access is restricted and requires two-factor authentication; entry includes a proximity card system or fingerprint scan. (Two-factor authentication is not required at IAD3.) | Observed data centers access procedures and conducted corroborative inquiry of management to determine that two-factor authentication was required utilizing a proximity card or fingerprint scan. | |
| C4.3 Visitors are required to check in, sign a visitor log, display a visitor badge, and be escorted for the duration of their visit. Positive government identification is verified at the time of each visit. | Observed the visitor procedures and conducted corroborative inquiry of management to determine that, after providing a government issued ID, visitors were checked in, signed a visitor log, displayed a photo visitor badge, and were accompanied by an employee during their visit. | |
| C4.4 Mantraps are utilized at data center facilities to provide controlled entry. (LAX1 and IAD3 are not configured with mantraps.) | Observed the data center locations and conducted corroborative inquiry of management to determine that mantraps were in use to control entry into data center areas. | |
| C4.5 All data center facilities are manned 24x7x365 by Net2EZ data center technicians. | Observed data center technicians and conducted corroborative inquiry of management to determine that each facility was staffed 24x7x365. | |

Control Objective 4 Physical Access (Continued)

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C4.6 Loading docks at each of the data center facilities are secured at all times. | Observed data center loading docks and conducted corroborative inquiry of management to determine that loading docks were secured at all times. | |
| C4.7 Surveillance cameras record activities at the facility entrances and other areas within the facilities. | Observed the surveillance cameras and security monitors and conducted corroborative inquiry of management to determine that surveillance cameras recorded activities at the facility entrances and other areas within the facility. | |
| C4.8 Facility management maintains access control systems in secure locations with restricted access. | Observed data center facilities and conducted corroborative inquiry of management to determine that access control systems were maintained in controlled areas. | |
| C4.9 The badge access systems have been configured with restricted zones for critical areas that require an elevated level of access. | Observed a test of access controls with Net2EZ personnel attempting to access non-company spaces and conducted corroborative inquiry of management to determine security zones were in place. | |
| C4.10 Customer equipment is stored in individually locked cabinets and cages to prevent unauthorized access. | Observed data center locations and conducted corroborative inquiry of management to determine that locked cabinets and cages were utilized for storing customer equipment. | |

Control Objective 4 Physical Access (Continued)

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C4.11 Spare keys to cabinets and cages are kept in a secure location with restricted access. | Observed the storage locations at the data centers and conducted corroborative inquiry of management to determine that spare keys were kept in a secure location. | |

Control Objective 5 Backup Operations

CO5: Controls provide reasonable assurance that timely system backups of corporate data, including daily backups of critical files, and tape handling for customers occur timely, accurately, and securely.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C5.1 Automated backup systems are utilized to perform the scheduled system backups. | Observed the automated backup system and conducted corroborative inquiry of management to determine that during the period under review, a system was utilized to perform scheduled backups. | |
| C5.2 Restores from backup media are performed as a component of normal business operations to verify that system components can be recovered from backup media. | Inspected restore job results and conducted corroborative inquiry of management to determine that restores from backup media were performed as a component of normal business operations to verify that system components could be recovered from backup media. | |
| C5.3 TACACS+ and DNS configurations are replicated offsite daily. | Inspected the replication configuration and conducted corroborative inquiry of management to determine daily offsite replication occurred for TACACS+ and DNS servers. | |
| C5.4 Router configurations are analyzed for changes every four hours with alerts sent to engineers when a change is detected. | Inspected configuration comparisons and observed a walkthrough of the utility used to perform the four-hour comparisons, inspected a sample of alerts, and conducted corroborative inquiry of management to determine the systems were in place and performing analysis and alerting when a change was detected. | |

Control Objective 6 Computer Operations

CO6: Controls provide reasonable assurance that systems are maintained and monitored in a manner that helps ensure system availability.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C6.1 A monitoring application is utilized to monitor network devices and network traffic flow 24x7x365. | Inspected the configuration and observed a walkthrough of the monitoring systems and conducted corroborative inquiry of management to determine that during the period under review, applications were utilized to monitor network devices and network traffic flow. | |
| C6.2 A monitoring application sends alert notifications to engineers when predefined thresholds are exceeded on monitored network devices. | Inspected alerts from the monitoring systems and conducted corroborative inquiry of management to determine that the applications sent alert notifications to engineers when predefined thresholds were exceeded on monitored network devices. | |
| C6.3 Management reviews status reports from the enterprise monitoring applications, which include the following events: Network performance; Bandwidth utilization; Web site availability. | Inspected a sample of reports from the monitoring system and conducted corroborative inquiry of management to determine that status reports were available and included the following events: Network performance; Bandwidth utilization; Web site availability. | |
| C6.4 The organization has Incident Control Plans in place to provide policy and procedure guidance for responding to and reporting security breaches. | Inspected the Incident Control Plans and conducted corroborative inquiry of management to determine that documentation was in place for responding to and reporting security breaches. | |

Control Objective 6 Computer Operations (Continued)

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C6.5 The network communications infrastructure is configured with redundant components and diverse path switching. A mesh topology is utilized for all critical components of the communications infrastructure to prevent single points of failure. | Observed the components of the network communications infrastructure, configuration, and conducted corroborative inquiry of management to determine that redundant components and diverse path switching were utilized. | |
| C6.6 DNS data is replicated every two hours to ensure all components of the DNS infrastructure are up to date. | Observed the configuration of the DNS replication topology and conducted corroborative inquiry of management to determine that DNS data was replicated every two hours. | |

Control Objective 7 Logical Access

CO7: Controls provide reasonable assurance that network logical security settings prevent unauthorized access to the network, limit access to network resources based on business need, and provide management with an audit trail of certain events that occur within the network.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C7.1 Administrative access rights to network components are restricted to authorized personnel. | Inspected the TACACS+ configuration and conducted corroborative inquiry of management to determine that during the period under review administrator rights to network components were restricted to certain authorized personnel. | |
| C7.2 Domain passwords must conform to minimum requirements as designed by management and established by the network operating system. | Inspected the network operating system configuration and conducted corroborative inquiry of management to determine that network passwords conformed to the requirements as designed by management and established by the network operating system. | |
| C7.3 Network security event logging is configured on the TACACS+ system to log security events on network components. | Inspected the TACACS+ audit settings, a sample of reports, and conducted corroborative inquiry of management to determine that settings were configured to log security events on network components. | |
| C7.4 Administrative access rights to Company domains are restricted to only authorized personnel. | Inspected the members in the domain administrators group and conducted corroborative inquiry of IT management to determine that network domain administrator rights were restricted to certain authorized personnel. | |
| C7.5 Security groups are configured and enforced by the network operating system and servers to ensure access is restricted to sensitive data stored on the network. | Inspected the configuration of the network operating system and conducted corroborative inquiry of IT management to determine that security groups were in use to ensure that access was restricted to sensitive data stored on the network. | |

Control Objective 7 Logical Access (Continued)

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C7.6 Monitoring audits of all user account rights assignments are performed periodically to ensure staff have the correct level of access to target systems for their job responsibilities. | Inspected user rights audit results and conducted corroborative inquiry of IT management to determine that monitoring audits of all user account rights assignments were performed periodically to ensure staff had the correct level of access to target systems for their job responsibilities. | |
| C7.7 Production application access is controlled through the use of unique user IDs and passwords. Administrative access is restricted to only authorized personnel. | Inspected the user account management configuration for the production applications used for processing target data and conducted corroborative inquiry of IT management to determine that user account management practices were in place to restrict access to the applications. | |
| C7.8 Termination procedures are in place for the removal of access to all systems upon notification of the termination. | Inspected user accounts for employees reported as terminated by management and conducted corroborative inquiry of IT management to determine that the associated network and application accounts had been disabled or removed. | |
| C7.9 Administrative access to customer systems and equipment requires the generation of an EZ NOC ticket. | Inspected a sample of access request tickets and conducted corroborative inquiry of management to determine that administrative and equipment access was logged. | |

Control Objective 8 Infrastructure Change Management

CO8: Controls provide reasonable assurance that new infrastructure and changes to existing infrastructure are authorized, tested, approved, properly implemented, and documented.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C8.1 The company has a documented change management process to manage changes across relevant functions and manage the integration of processes, procedures and technologies. | Inspected the change management documentation and conducted corroborative inquiry of management to determine that during the period under review, processes were documented and described the processes to manage changes across relevant functions and manage the integration of processes, procedures, and technologies. | |
| C8.2 Changes to the network are logged in a work order system. | Inspected a sample of change requests completed during the reviewed period and conducted corroborative inquiry of management to determine that changes were logged in a ticketing system. | |
| C8.3 Critical changes are reviewed by engineers for feasibility and subsequently approved by management prior to provisioning the change. | Inspected a sample of change request notes and conducted corroborative inquiry of management to determine that changes were properly reviewed and approved prior to implementation. | |
| C8.4 Changes are tested as required prior to being released into the production environment. | Inspected a sample of change request notes and conducted corroborative inquiry of management to determine that changes were successfully tested before release into the production environment. | |

Control Objective 8 Infrastructure Change Management (Continued)

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C8.5 Hardware and software maintenance for networking equipment is scheduled and managed according to the change management process. Downtime and maintenance windows are communicated to customers. | Inspected policy documentation, a sample of scheduled maintenance notifications, and conducted corroborative inquiry of management to determine that hardware and software maintenance for networking equipment was scheduled and managed according to the change management process and that clients were notified. | |

Control Objective 9 Support Operations

CO9: Controls provide reasonable assurance that customer support requests received are properly investigated and completed in a timely manner.

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C9.1 Management has documented support operations procedures to outline how customer reported issues are addressed and resolved. | Inspected the support procedures documentation and conducted corroborative inquiry of management to determine that management had documented support operations procedures to outline how customer reported issues were addressed and resolved during the audit period under review. | |
| C9.2 Customer-reported problems are entered into a trouble ticket system. Tickets are opened, investigated, escalated as needed, and resolved. | Inspected a sample of trouble tickets and conducted corroborative inquiry of management to determine that the tickets were opened, investigated, escalated as needed, and resolved. | |
| C9.3 Dedicated support staff are utilized to monitor incoming requests and manage the support request through completion. | Inspected staff schedules and conducted corroborative inquiry of management to determine that dedicated support staff were utilized to monitor incoming requests and manage the support request through completion. | |
| C9.4 Escalation procedures are in place to assign tickets to technical personnel that require an elevated level of support. | Inspected documented escalation procedures and conducted corroborative inquiry of management to determine that escalation procedures were in place when issues required an elevated level of support. | |

Control Objective 9 Support Operations (Continued)

| Controls Specified by Net2EZ | Testing Performed by SAS 70 CPA | Results of Tests |
|---|---|---|
| C9.5 SLAs and statements of work are used to ensure timely resolution of issues within existing guidelines and that business requirements specified by the client are met. | Inspected SLAs and statements of work and conducted corroborative inquiry of management to determine that SLAs and statements of work were used to ensure timely resolution of issues within existing guidelines and that business requirements specified by the client were met. | |
CoreSite A Carlyle Company. 70 Innerbelt Colocation Services
CoreSite A Carlyle Company 70 Innerbelt Colocation Services Independent Service Auditor s Report on s Placed in Operation and Tests of Operating Effectiveness For the Period of October 1, 2009, to March
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
Retention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
Tom J. Hull & Company Type 1 SSAE 16 2014
Tom J. Hull & Company Type 1 SSAE 16 2014 REPORT ON MANAGEMENT S DESCRIPTION OF TOM J. HULL & COMPANY S SYSTEM AND THE SUITABILITY OF THE DESIGN OF CONTROLS Pursuant to Statement on Standards for Attestation
SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013
SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013 TABLE OF CONTENTS SECTION I: INDEPENDENT PRACTITIONERS TRUST SERVICES
SITECATALYST SECURITY
SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
State of Texas. TEX-AN Next Generation. NNI Plan
State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...
UCS Level 2 Report Issued to
UCS Level 2 Report Issued to MSPAlliance Unified Certification Standard (UCS) Report Copyright 2014 www.mspalliance.com/ucs [email protected] Welcome to the UCS report which stands for Unified Certification
Security Whitepaper: ivvy Products
Security Whitepaper: ivvy Products Security Whitepaper ivvy Products Table of Contents Introduction Overview Security Policies Internal Protocol and Employee Education Physical and Environmental Security
Hosted Testing and Grading
Hosted Testing and Grading Technical White Paper July 2014 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or
Autodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability
15301 Dallas Parkway, Suite 960, Addison, TX 75001 MAIN 214 545 3965 FAX 214 545 3966 www.bkmsh.com Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant
FormFire Application and IT Security. White Paper
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
SRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM
Las Vegas Datacenter Overview Product Overview and Data Sheet Product Data Sheet Maintaining a Software as a Service (SaaS) environment with market leading availability and security is something that Active
Data Center Infrastructure & Managed Services Outline
Data Center Infrastructure & Managed Services Outline The 360 Technology Center Solutions Data Center is located in Lombard, IL, USA. We are 20 minutes outside of downtown Chicago. The 360TCS staff consists
Level I - Public. Technical Portfolio. Revised: July 2015
Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center
Colocation. Scalable Solutions for a Shared IT Infrastructure. Enterprise. Colocation
Scalable Solutions for a Shared IT Infrastructure Global and domestic competition, rising real estate and power costs, and shrinking IT budgets are causing today s businesses to seek alternatives to building
Information Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012
System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA 92123
Data Center Overview Document
Overview NetSource is a Chicago area (Naperville) hosting company that owns and operates its own world class datacenter. The initial datacenter buildout was put into operation in 2007 and expanded in 2013.
SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015
SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015 BROADRIVER INC. Table of Contents SECTION 1: INDEPENDENT SERVICE
StratusLIVE for Fundraisers Cloud Operations
6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace
Keyfort Cloud Services (KCS)
Keyfort Cloud Services (KCS) Data Location, Security & Privacy 1. Executive Summary The purposes of this document is to provide a common understanding of the data location, security, privacy, resiliency
KeyLock Solutions Security and Privacy Protection Practices
KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout
Colocation. Scalable Solutions for Shared IT Infrastructure. Enterprise. Colocation
Scalable Solutions for Shared IT Infrastructure Global competition, rising real estate and power costs, and shrinking IT budgets are causing today s businesses to seek alternatives to building their own
Contents Error! Bookmark not defined. Error! Bookmark not defined. Error! Bookmark not defined.
We Do It Better. Contents Introduction...3 Service and Support...3 Data Center Details...4 Security...4 Location...4 Power...4 Humidification...5 AC...5 Cooling...6 Datacenter Features...6 SAS 70...6 PCI
SOC 2 Report Seattle, WA (SEF)
SOC 2 Report Seattle, WA (SEF) October 1, 2013 January 31, 2014 Independent Service Auditor s Report INTERNAP NETWORK SERVICES CORPORATION Company-Controlled Data Center Services Type 2 Report on Controls
7QUESTIONSYOUNEEDTOASKBEFORE CHOOSINGACOLOCATIONFACILITY FORYOURBUSINESS
7QUESTIONSYOUNEEDTOASKBEFORE CHOOSINGACOLOCATIONFACILITY FORYOURBUSINESS ExecutiveBrief P a g e 1 Executive Brief 7 Questions You Need to Ask Before Choosing a Colocation Facility for Your Business Choosing
Network & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
Security Policy JUNE 1, 2012. SalesNOW. Security Policy v.1.4 2012-06-01. v.1.4 2012-06-01 1
JUNE 1, 2012 SalesNOW Security Policy v.1.4 2012-06-01 v.1.4 2012-06-01 1 Overview Interchange Solutions Inc. (Interchange) is the proud maker of SalesNOW. Interchange understands that your trust in us
TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1
TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 Table of Contents 1. Operational Security 2. Physical Security 3. Network
Stone Vault, LLC SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES
SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES Stone Vault, LLC JANUARY 31, 2013 STONE VAULT, LLC Table of Contents SECTION 1:
vcloud SERVICE Virtual Tech in partnership with Equinix - vcloud Service
vcloud SERVICES vcloud SERVICE Virtual Tech offers competitive pricing on vcloud hosted services at our world class Tier 4 data centre facility fully equipped with redundant power, cooling, internet connectivity
Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability
Service Organization Controls 2 Report Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability For the Period from November 1, 2012 to October 31,
Data Center Colocation - SLA
1 General Overview This is a Service Level Agreement ( SLA ) between and Data Center Colocation to document: The technology services Data Center Colocation provides to the customer The targets for response
How To Create An Intelligent Infrastructure Solution
SYSTIMAX Solutions Intelligent Infrastructure & Security Using an Internet Protocol Architecture for Security Applications White Paper July 2009 www.commscope.com Contents I. Intelligent Building Infrastructure
Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology
6G Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology TABLE OF CONTENTS Page Report on Internal Controls Related to Information Technology Network and Network Security 1
Powering the Cloud Desktop: OS33 Data Centers
OS33 Data Centers [email protected] (866) 796-0310 www.os33.com It is hard to overstate the importance of security and uptime, which is why we obsess over making sure that your corporate information assets
Supplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
Recommended IP Telephony Architecture
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 [email protected] This Page Intentionally Left Blank ii Warnings
NY-1 DATACENTER AT A GLANCE. NY-1 is a Tier III-rated, SAS SSAE16 and HIPAA-certified data center
NY-1 1.866.WEBAIR.1 WWW.NY1.WEBAIR.COM NY-1 LONG ISLAND'S MOST SECURE, FULLY-REDUNDANT DATA CENTER ENTERPRISE COLOCATION, PRIVATE AND HYBRID CLOUD SOLUTIONS, AND MANAGED SERVICES. DATACENTER Enjoy the
INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT LIQUID WEB, INC.
INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT LIQUID WEB, INC. Web Hosting Services Trust Services Report on Management's Assertion (SOC 3) As Of June 30, 2014 LIQUID WEB, INC. Trust Services Report
Itron Cloud Services Offering
Itron Cloud Services Offering WHITE PAPER TABLE OF CONTENTS Introduction... 3 Types of Services... 3 Software as a Service (SaaS)...3 Managed Services...3 On-site Managed Services...3 Benefits... 3 Infrastructure...
VOLICO. Colocation Hosting. Enterprise Hosting Solutions. 888 865 4261 [email protected] www.volico.com
888 865 4261 [email protected] www.volico.com Performance, reliability, and the peace of mind your business deserves Colocation Overview A Reliable and Secure Home Your Data Can Trust! Discover how Volico
DISASTER RECOVERY. Omniture Disaster Plan. June 2, 2008 Version 2.0
DISASTER RECOVERY Omniture Disaster Plan June 2, 2008 Version 2.0 CHAPTER 1 1 Disaster Recovery Plan Overview In the event that one of our data collection environments are unavailable due to an event,
Report on FTHC, LLC d/b/a Miami Data Vault's Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness
Report on FTHC, LLC d/b/a Miami Data Vault's Description of its Data Center System and on the Suitability of the Design and Operating (SOC 1) For the period August 1, 2014 through July 31, 2015 In Accordance
Empowering the Enterprise Through Unified Communications & Managed Services Solutions
Continuant Managed Services Empowering the Enterprise Through Unified Communications & Managed Services Solutions Making the transition from a legacy system to a Unified Communications environment can
DATA CENTRE DATA CENTRE MAY 2015
DATA CENTRE DATA CENTRE MAY 2015 CONCERTHOUSE MUSIC Concerthouse Music Data Centre services are located in the Equinix Internet Business Exchange (IBX ) Centre at Mascot. This IBX offers the highest level
Understanding Sage CRM Cloud
Understanding Sage CRM Cloud Data centre and platform security whitepaper Document version 2016 Table of Contents 1.0 Introduction 3 2.0 Sage CRM Cloud Data centre Infrastructure 4 2.1 Site location 4
Service Organization Control 1 Type II Report
Service Organization Control 1 Type II Report Description of ViaWest, Inc.'s Colocation System For the Period October 1, 2012 through September 30, 2013 With Independent Service Auditor's Assurance Report
Data Center Presentation
Data Center Presentation The NetSource Datacenter. Agenda General Layout of Data Center Policies and Procedures Designed to Latest Standards High Performance High Reliability High Security Design Details
Perceptive Software Platform Services
Perceptive Software Platform Services CLOUD SOLUTIONS process and content management Perceptive Software Platform Services Perceptive Software process and content management systems have been deployed
Frankfurt Data Centre Overview
Technical Services Briefing Document Frankfurt Data Centre Overview Version 2.1 Contents Introduction... 3 TelecityGroup Data Centre in Frankfurt... 4 Data Centre Characteristics... 4 Technologies in Use
colocation vs. managed servers - the difference
colocation vs. managed servers - the difference Do you have the highest levels of security, redundancy, reliability, infrastructure and technical expertise necessary to operate your Internet operations?
Music Recording Studio Security Program Security Assessment Version 1.1
Music Recording Studio Security Program Security Assessment Version 1.1 DOCUMENTATION, RISK MANAGEMENT AND COMPLIANCE PERSONNEL AND RESOURCES ASSET MANAGEMENT PHYSICAL SECURITY IT SECURITY TRAINING AND
South Asia s First Uptime Institute Certified TIER-IV IDC in Mumbai delivering 99.999% guaranteed uptime
South Asia s First Uptime Institute Certified TIER-IV IDC in Mumbai delivering 99.999% guaranteed uptime GPX India Pvt Ltd The Leader In Carrier Neutral TIER IV IDC s In Emerging Markets Incorporated in
GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS
GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS A White Paper by i2c, Inc. 1300 Island Drive Suite 105 Redwood City, CA 94065 USA +1 650-593-5400 [email protected] www.i2cinc.com Table of
CONTENTS. Security Policy
CONTENTS PHYSICAL SECURITY (UK) PHYSICAL SECURITY (CHICAGO) PHYSICAL SECURITY (PHOENIX) PHYSICAL SECURITY (SINGAPORE) SYSTEM SECURITY INFRASTRUCTURE Vendor software updates Security first policy CUSTOMER
HIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization's senior management respond to CMS or OIG inquiries about health information
White paper. SAS Solutions OnDemand Hosting Overview
White paper SAS Solutions OnDemand Hosting Overview Contents Overview...1 Cary 1 Facility Specifications...2 Cary 2 Facility Specifications (SAS New Cloud Computing Center)...3 Charlotte 1 Facility Specifications...4
SIX IMPORTANT CONSIDERATIONS WHEN CHOOSING A COLOCATION PROVIDER
WHITE PAPER SIX IMPORTANT CONSIDERATIONS WHEN CHOOSING A COLOCATION PROVIDER David Meredith SVP and Global GM, CenturyLink Technology Solutions SIX IMPORTANT CONSIDERATIONS WHEN CHOOSING A COLOCATION PROVIDER
VMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
Colocation Hosting Primer Making the Business and IT Case for Colocation
Where every interaction matters. Colocation Hosting Primer Making the Business and IT Case for Colocation White Paper February 2012 By: Peer 1 Hosting Product Team www.peer1.com Contents Overview 3 Why
GiftWrap 4.0 Security FAQ
GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels
Private Clouds & Hosted IT Solutions
Private Clouds & Hosted IT Solutions Your Infrastructure, our datacenters With the help of its World-class partners, PBC can safely host any of your Mission-critical application on powerful, secure, Dedicated
APPENDIX 8 TO SCHEDULE 3.3
EXHIBIT Q to Amendment No. 60 - APPENDIX 8 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDIX 8 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT EXHIBIT Q to Amendment No.
SECTION I: REPORT OF INDEPENDENT SERVICE AUDITORS... 3 SECTION II: MANAGEMENT OF INTERNAP NETWORK SERVICES CORPORATION'S ASSERTION 5
SOC 2 - Availability Report on Internap Network Services Corporation's Description of its SEF Company-Controlled Data Center System and Suitability of Design and Operating of Controls Throughout the Period
MEDIAROOM. Products Hosting Infrastructure Documentation. Introduction. Hosting Facility Overview
MEDIAROOM Products Hosting Infrastructure Documentation Introduction The purpose of this document is to provide an overview of the hosting infrastructure used for our line of hosted Web products and provide
II. Supports the department in implementing the strategy established by management.
Position Description: Network Security Engineer Department: Information Technology Division: Information Technology FLSA: Exempt Location: Griffiss Revised: January 2016 Overview: The Network Security
Data Centre Barrie, Ontario
COGECO DATA SERVICES DATA CENTRE Data Centre Barrie, Ontario Cogeco Data Services offers flexible, secure, connected and fully managed ICT solutions at its Flagship Data Centre in Barrie, Ontario Data
data center - why choose a data center facility
data center - why choose a data center facility Do you have the highest levels of security, redundancy, reliability, infrastructure and technical expertise necessary to operate your Internet operations?
CHOOSING A RACKSPACE HOSTING PLATFORM
CHOOSING A RACKSPACE HOSTING PLATFORM Rackspace has years of experience in hosting and has learnt that the unique needs of our customers businesses often determines the level of accountability and project
A Systems Approach to HVAC Contractor Security
LLNL-JRNL-653695 A Systems Approach to HVAC Contractor Security K. M. Masica April 24, 2014 A Systems Approach to HVAC Contractor Security Disclaimer This document was prepared as an account of work sponsored
IT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
Going Critical. How to Design Advanced Security Networks for the Nation's Infrastructure. www.GarrettCom.com
Going Critical How to Design Advanced Security Networks for the Nation's Infrastructure Going Critical: Networks for Physical Security Increasing concerns and market growth Asset protection Public safety
Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
Birst Security and Reliability
Birst Security and Reliability Birst is Dedicated to Safeguarding Your Information 2 Birst is Dedicated to Safeguarding Your Information To protect the privacy of its customers and the safety of their
Focus on your business and leave the disaster recovery planning to us. Data and server restoration from Green Cloud Technologies.
Focus on your business and leave the disaster recovery planning to us. Data and server restoration from Green Cloud Technologies. A reason to expect the unexpected. A recent Gartner Group study reported
System Security Plan University of Texas Health Science Center School of Public Health
System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales
SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,
UNIFIED MEETING 5 SECURITY WHITEPAPER [email protected] INTERCALL.COM 800.820.5855 1
UNIFIED MEETING 5 SECURITY WHITEPAPER [email protected] INTERCALL.COM 800.820.5855 1 As organizations unlock the true potential of meeting over the web as an alternative to costly and time-consuming travel,
Payment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
Information Technology Solutions
Managed Services Information Technology Solutions A TBG Security Professional Services Offering LET TBG MANAGE YOUR INFRASTRUCTURE WITH CONFIDENCE: TBG'S INTEGRATED IT AUTOMATION FRAMEWORK PROVIDES: Computer
Exhibit to Data Center Services Service Component Provider Master Services Agreement
Exhibit to Data Center Services Service Component Provider Master Services Agreement DIR Contract No. DIR-DCS-SCP-MSA-002 Between The State of Texas, acting by and through the Texas Department of Information
AL RAFEE ENTERPRISES Solutions & Expertise.
AL RAFEE ENTERPRISES Solutions & Expertise. Virtualization Al Rafee has strategically made substantial investment in building up a large end to end portfolio of Virtualization across the entire IT infrastructure
