System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

Transcription

1 System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012 Moss Adams LLP 9665 Granite Ridge Drive, Suite 600 San Diego, CA (858)

2 Report on Controls at a Service Organization Relevant to Security and Availability (SOC 2) November 1, 2011 through April 30, 2012 TABLE OF CONTENTS I. Independent Practioner s Trust Services Report 1 II. Management of American Internet Services Assertion Regarding Its Data Center System Based on the AICPA/CICA Trust Services Criteria for Security and Availability 3 III. Description of American Internet Services Data Center System For the Period November 1, 2011, to April 30, A. System Overview 4 1. Background 4 2. Infrastructure 4 3. Software 5 4. People 5 5. Procedures 7 6. Data 7 B. Complementary User Entity Controls 8 MOSS ADAMS LLP

3 I. INDEPENDENT PRACTIONER S TRUST SERVICES REPORT American Internet Services, LLC 9305 Lightwave Avenue San Diego, California To the Management of American Internet Services, LLC: We have examined management s assertion that during the period November 1, 2011 through April 30, 2012, American Internet Services maintained effective controls over its Data Center System to provide reasonable assurance that: the system was protected against unauthorized access (both physical and logical); and the system was available for operation and use, as committed or agreed; based on the AICPA and CICA trust services security and availability criteria. American Internet Services management is responsible for this assertion. Our responsibility is to express an opinion based on our examination. Management s description of the aspects of the Data Center System covered by its assertion is attached. We did not examine this description, and accordingly, we do not express an opinion on it. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of American Internet Services relevant controls over the security and availability of the Data Center System; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of the nature and inherent limitations of controls, American Internet Services ability to meet the aforementioned criteria may be affected. For example, controls may not prevent or detect and correct error or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. MOSS ADAMS LLP 1

4 Independent Service Auditor s Report In our opinion, management s assertion referred to above is fairly stated, in all material respects, based on the AICPA and CICA trust services security and availability criteria. The SOC 3 SysTrust for Service Organizations Seal on American Internet Services web site constitutes a symbolic representation of the contents of this report and is not intended, nor should it be constructed, to update this report or provide additional assurance. San Diego, California June 25, 2012 MOSS ADAMS LLP 2

5 II. MANAGEMENT OF AMERICAN INTERNET SERVICES ASSERTION REGARDING ITS DATA CENTER SYSTEM BASED ON THE AICPA/CICA TRUST SERVICES CRITERIA FOR SECURITY AND AVAILABILITY During the period November 1, 2011 through April 30, 2012, American Internet Services, in all material respects, maintained effective controls over security and availability of its Data Center System to provide reasonable assurance that: the system was protected against unauthorized access (both physical and logical); and the system was available for operation and use, as committed or agreed; based on the AICPA and CICA trust services security and availability criteria. Out attached System Description of the Data Center System summarizes those aspects of the system covered by our assertion. Tim Caulfied Chief Executive Officer American Internet Services, LLC Frank Gaff Director Service Delivery and Client Services American Internet Services, LLC June 25, 2012 MOSS ADAMS LLP 3

6 III. DESCRIPTION OF AMERICAN INTERNET SERVICES DATA CENTER SYSTEM FOR THE PERIOD NOVEMBER 1, 2011, TO APRIL 30, 2012 A. SYSTEM OVERVIEW 1. Background American Internet Services (AIS) has been working to provide business to business high end Internet services such as collocation, transit/transport connectivity and hosting solutions for over 15 years. AIS provides a complete offering of Internet data center collocation and connectivity solutions for small, medium and large business clients from its five data center facilities in San Diego (Lightwave, Scranton, Fiber Alley), Los Angeles (One Wilshire), and Phoenix, Arizona (Van Buren). This includes design, engineering, implementation, and technical support services. 2. Infrastructure AIS provides collocation services to user entities through several different data center facilities. The in scope locations are listed below: Lightwave Data Center (LWDC) (San Diego, California) San Diego Tech Center (SDTC) (San Diego, California) Fiber Alley Data Centers #1/#2/#3 (FADC) (San Diego, California) One Wilshire Point of Presence (OWPOP) (Los Angeles, California) Van Buren Data Center (VBDC) (Phoenix, Arizona) The Los Angeles facility does not contain any user entity systems or devices. The Los Angeles facility serves as a location to provide backup communication equipment. AIS has an internal operational software system known as The Automated System (TAS) which employees access through their desktop on company supplied computers or through a Citrix Access Gateway. Data communications between the different facilities offices are encrypted with virtual private networking (VPN) technology. The Data Center System is comprised of the following five components: Infrastructure (facilities, equipment, and networks) Software (systems, applications, and utilities) People (developers, operators, user, and managers) Procedures (automated and manual) Data (transaction streams, files, databases and tables) The following sections of this description define each of the five components comprising the Data Center System. MOSS ADAMS LLP 4

7 Description of American Internet Services System For the Period November 1, 2011, to April 30, 2012 System Overview 3. Software AIS uses TAS as a multi level, highly scalable Customer Relationship Management (CRM) system which is a resource tool for both internal AIS systems and for clients, and handles a wide variety of issues, including monitoring activities, billing, and facilitating both internal and external trouble tickets. TAS also serves as the online portal for clients to access their information. TAS is a proprietary built system, with all functional change management activities being handled and facilitated by dedicated AIS engineers. All changes to the TAS system require documentation within the system itself for ensuring acceptable change management policies and procedures are being followed. 4. People AIS has a staff of approximately 70 employees organized in the following functional areas: Senior Leadership Team o Chief Executive Officer o Chief Financial Officer o Vice President of Sales o Director of Service Delivery and Client Services o Vice President of Data Center Engineering and Operations o Vice President of Network and Managed Services Critical Infrastructure Responsible for ensuring reliability, availability, sustainability and productivity for the AIS data centers; concurrently responsible for ensuring sustainable supporting environments. Specific data center operations and engineering responsibilities include the following: physical security, fire suppression system operational readiness, collocation production including space, power distribution, connectivity cabling, environmental support systems and production environmental standards maintenance, enterprise infrastructure systems operational readiness, and contingency response planning and implementation. Network and Managed Services (NMS) Responsible for growth and operation of AIS network and software systems, including routers, switches, optical networking/transport, network security, public facing applications, and internal IT. Responsible for network and systems DR/BC planning, emergency response, and sparing inventory. Sales Responsible for identifying the needs and requirements of new and existing customers of targeted companies in the San Diego and Phoenix areas. The sales department works closely with the marketing, finance and provisioning teams to ensure the company's products or services are marketed and sold to target consumers. For example, it is important for AIS that they focus on healthcare, life sciences and high technology companies in order to achieve their desired growth and revenue projections. MOSS ADAMS LLP 5

8 Description of American Internet Services System For the Period November 1, 2011, to April 30, 2012 System Overview Service Delivery Responsible for ensuring the implementation of customer solutions/systems/services/orders are carried out in a timely manner. Client Services Responsible for providing onsite customer support for the LWDC, FADC and SDTC data centers on a 24x7x365 basis. The VBDC facility has weekday onsite customer support from 6 a.m. to 6 p.m. and after hours and weekend support on an as needed basis with onsite support available within 15 minutes. The Client Services team provides essential security monitoring as well as overseeing physical access controls to ensure that only authorized individuals have access to the various physical data center facilities in accordance with AIS and customer access procedures. Client Services personnel, located in the Operations and Control Center (OCC) in each of the AIS data centers, perform a wide variety of additional customer support functions and services consisting of, but not limited to: o Remote hands providing server reboots or direct problem troubleshooting with customers over the phone. o Providing racking and stacking of customer equipment. o Performing customer tape rotations and offsite tape storage coordination. o Maintaining inventory control of customer equipment. o Ticket tracking of customer requests and troubleshooting activities. o Monitoring customer bandwidth and connectivity. o Responding to customer e mail, phone and/or portal inquiries. In addition, the Client Services team monitors critical network and infrastructure equipment and services provided by each of the data centers. Accounting, Finance and Human Resources Responsible for a large array of issues, including payment of organizational fixed and variable costs, building cash flow projection models, budgeting and regulatory compliance, collecting payments from clients and maintaining all other financial management activities. Risk assessment concerning cash flows and the ability to meet mandatory expenses is constantly monitored and evaluated. Issues such as lines of credit, cash reserves, and other financial issues are studied by senior management on a regular basis. MOSS ADAMS LLP 6

9 Description of American Internet Services System For the Period November 1, 2011, to April 30, 2012 System Overview 5. Procedures The following Key Indicator Reports are reviewed on a regular basis: 1. Financials 2. Bank Statements 3. AP/AR Reports 4. Sales Reports 5. Client Attrition Reports 6. Microsoft Dynamics Sales Reporting System 7. Quarterly Forecasting Reports 8. Bank Compliance Reporting 9. Federal, State and Local Tax Reporting 10. Annual Financial Statement Auditing Process Additionally, the Human Resources Department is responsible for supporting employees, including training, compensation, promotion, performance appraisal and review, and the overall work environment at AIS. The collocation services provided by AIS include: Power, cooling, and fire suppression equipment to help mitigate risks that might be caused by environmental threats. Online portal access for managing important account information. Redundant network connections to multiple data center facilities to mitigate risks that might result from network downtime. Authorization, changes to, and termination of information system physical access. Monitoring security controls. These services are supported by AIS s Client Services Team 24 hours a day, 7 days a week, and 365 days a year. The key support services include: Help desk for system users Infrastructure support Datacenter operations and performance monitoring Physical security administration and auditing Incident management Change management Maintenance and support of the security system and necessary back ups and offline storage 6. Data AIS does not have access to any user entity data. AIS solely provides collocation services such as physical security controls to ensure that unauthorized personnel cannot access user entity devices that are stored within the AIS data center facilities. MOSS ADAMS LLP 7

10 Description of American Internet Services System For the Period November 1, 2011, to April 30, 2012 B. COMPLEMENTARY USER ENTITY CONTROLS AIS Data Center System at all five data centers was designed with the assumption that additional controls would be implemented by the user entities. These controls should be in operation at user entities to complement AIS s controls. The complementary user entity controls presented below should not be regarded as a comprehensive list of all controls which should be employed by user entities: Implementation of sound and consistent internal controls regarding general IT system access, and system usage appropriateness for all internal user entity components associated with AIS. Timely removal of user accounts for any users who have been terminated and were previously involved in any material functions or activities associated with AIS data center products and services. Transactions for user entities relating to AIS data center products and services are appropriately authorized, and transactions are secure, timely, and complete. For user entities sending data to AIS, data must be protected by appropriate methods for ensuring confidentiality, privacy, integrity, availability, and nonrepudiation. User entities should implement controls requiring additional approval procedures for critical transactions relating to AIS data center products and services. User entities should report to AIS in a timely manner any material changes to their overall control environment that may adversely affect services being performed by AIS. User entities are responsible for notifying AIS in a timely manner of any changes to personnel directly involved with services performed by AIS. These personnel may be involved in financial, technical, or ancillary administrative functions directly associated with services provided by AIS. User entities are responsible for adhering to the terms and conditions stated within their contracts with AIS. User entities are responsible for developing and, if necessary, implementing a business continuity and disaster recovery plan that will aid in the continuation of services provided by AIS. MOSS ADAMS LLP 8

11