Report of Independent Auditors



Similar documents
Tel: Fax: ey.com. Report of Independent Auditors

Report of Independent Accountants. To the Management of Verizon Communications Inc. Verizon Business IP Application Hosting:

State of Texas. TEX-AN Next Generation. NNI Plan

Service Organization Control 3 Report

CISCO IOS NETWORK SECURITY (IINS)

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability

CRITICAL INFRASTRUCTURE: Strategies for Effective NOC Management for Business Success

Tk20 Network Infrastructure

SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013

Service Description DDoS Mitigation Service

CTS2134 Introduction to Networking. Module Network Security

Autodesk PLM 360 Security Whitepaper

Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability

Name. Description. Rationale

SolarWinds Certified Professional. Exam Preparation Guide

Basics of Internet Security

Seven Pillars of Carrier Grade Security in the AT&T Global IP/MPLS Network

Managed Internet Service

Cisco Change Management: Best Practices White Paper

Troubleshooting and Maintaining Cisco IP Networks Volume 1

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

StratusLIVE for Fundraisers Cloud Operations

DDoS Overview and Incident Response Guide. July 2014

Network monitoring systems & tools

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

MEDIAROOM. Products Hosting Infrastructure Documentation. Introduction. Hosting Facility Overview

SERVICE LEVEL AGREEMENT

Service Organization Control 1 Type II Report

mbits Network Operations Centrec

Introduction to Network Monitoring and Management

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

UCS Level 2 Report Issued to

BridgeConnex Statement of Work Managed Network Services (MNS) & Network Monitoring Services (NMS)

March

Network Security Policy: Best Practices White Paper

INDEPENDENT PRACTITIONER S TRUST SERVICES REPORT LIQUID WEB, INC.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

How To Understand and Configure Your Network for IntraVUE

Ensuring IP Telephony Performance Through Remote Monitoring

Smart Business Architecture for Midsize Networks Network Management Deployment Guide

SITECATALYST SECURITY

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

Ayla Networks, Inc. SOC 3 SysTrust 2015

Network Security Guidelines. e-governance

Network Performance Monitoring at Minimal Capex

Vistara Lifecycle Management

NETWORK TO NETWORK INTERFACE PLAN

Lab Configure IOS Firewall IDS

PCISS-1. Job Description: Key Responsibilities: I. Perform troubleshooting& support:

Secure Software Programming and Vulnerability Analysis

Strategies to Protect Against Distributed Denial of Service (DD

Secospace elog. Secospace elog

Troubleshooting Network Performance with Alpine

Application Notes for Configuring Dorado Software Redcell Enterprise Bundle using SNMP with Avaya Communication Manager - Issue 1.

Cisco Certified Security Professional (CCSP)

CAREN NOC MONITORING AND SECURITY

WHITE PAPER September CA Nimsoft For Network Monitoring

Campus LAN at NKN Member Institutions

Network Management Deployment Guide

Course Contents CCNP (CISco certified network professional)

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Recommended IP Telephony Architecture

Network Management & Monitoring Overview

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

FormFire Application and IT Security. White Paper

Report of Independent Auditor

Cornerstones of Security

ACL Compliance Director FAQ

White Paper. The Ten Features Your Web Application Monitoring Software Must Have. Executive Summary

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Welcome to SoftLayer. Welcome. How to Get Started. Portal Overview. Support Guidelines. Technical Resources. First 48 Hours

How To Set Up Foglight Nms For A Proof Of Concept

Security Toolsets for ISP Defense

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Global IP Network Overview

Lumos Parallel Network Operations Centers: Protected Network Monitoring

OMNITURE MONITORING. Ensuring the Security and Availability of Customer Data. June 16, 2008 Version 2.0

Network Monitoring and Management Introduction to Networking Monitoring and Management

Security Policy JUNE 1, SalesNOW. Security Policy v v

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Integrating with IBM Tivoli TSOM

IP SLAs Overview. Finding Feature Information. Information About IP SLAs. IP SLAs Technology Overview

Network Router Monitoring & Management Services

Spyders Managed Security Services

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Network provider filter lab

Transcription:

Ernst & Young LLP Suite 3300 370 17th Street Denver, Colorado 80202-5663 Tel: +1 720 931 4000 Fax: +1 720 931 4444 www.ey.com Report of Independent Auditors To the Management of NTT America, Inc.: We have examined management s assertion that NTT America, Inc. (NTTA), during the period October 1, 2009 through September 30, 2010, maintained effective controls to provide reasonable assurance that the, a tier 1 IP backbone (the Network) was available for operation and use, as committed and agreed based on the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) Trust Services Availability Criteria, which are available at www.webtrust.org. This assertion is the responsibility of NTTA management. Our responsibility is to express an opinion based on our examination. Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included (1) obtaining an understanding of NTTA s relevant availability controls, (2) testing and evaluating the operating effectiveness of those controls, and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of the inherent limitations of controls, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or deterioration in the degree of effectiveness of the controls. In our opinion, NTTA management s assertion referred to above is fairly stated, in all material respects, based on the AICPA/CICA Trust Services Availability Criteria. The SysTrust Seal on NTTA s website constitutes a symbolic representation of the contents of this report, and is not intended, nor should it be construed, to update this report or provide any additional assurance. ey December 17, 2010 1 A member firm of Ernst & Young Global Limited

Description of Company Overview NTT America is the U.S. subsidiary of NTT Communications Corporation (NTT Communications), the global hosting, data, and IP services arm of the Fortune Global 500 telecom leader: Nippon Telegraph & Telephone Corporation (NTT). NTT America provides world-class Enterprise Solutions, network, and IP networking for global enterprises and service providers. Managed Web Hosting Services are offered through NTT America s Enterprise Solutions business unit, which provides secure facilities to host a variety of web-enabled solutions in an environment engineered for reliable operations and dedicated high-speed internet connections. NTT Com s global Tier 1 IP backbone, the (the Network), provides the backbone connecting each NTT Communications Group Data Center. The Network was designed and built by NTT Com engineers using the latest technologies to provide fast, efficient, and accurate data transport. It is designed with numerous direct paths, routing options, and private peering points. The Network features OC12, OC48, GE, 10GE, and primarily OC192, circuits, along with Cisco and Juniper Networks routers. The Network carries only data; there are no voice ride-alongs to inhibit data traffic. Regular upgrades are performed to help ensure top network performance. The Network features diverse fiber paths between most major network points, both domestically and internationally. From the beginning, redundancy has been the main focal point in building connections. Connections are diversified by multiple carriers at many of the major points in the Network and are not reliant on one vendor. These geographic and carrier redundancies help ensure that data will keep moving, even if a link fails. The has multiple, highly secure, carrier-class Points of Presence (POP). As a global tier 1 Internet Service Provider (ISP), NTT Communications maintains private peering relationships with other U.S. and global tier 1 ISPs. These private peering relationships provide multiple routing paths for continuous, uninterrupted transport of customer data as shown on the next page. 3

4

SYSTEM AVAILABILITY Policies Formal processes related to system availability are fundamental to NTTA s internal control structure. Each department or group critical to the availability of the Network has created policies to help govern and instruct personnel in the performance of their duties. Policies are created by the applicable business or operations team, and are approved by management, which includes the director or vice president overseeing those departments. Policies cover access to Data Centers, POP servers, Network Operations Center (NOC), diagnostic measurement servers, and network and data center routers. Policies and escalation procedures are also in place for monitoring of environmental equipment and network components related to network availability. Communications NTTA has established several means of communication with both customers and their employees. Availability information and service level agreements (SLA) are posted on the NTTA website. The SLAs establish performance objectives in the following four areas: Availability, Latency, Packet Loss, and Jitter. Measurements for the SLAs are reported on the http://www.nttamerica.com/support/sla/ website, along with a mechanism to apply for a credit. The Certified Engineering Center (CEC) provides 24/7/365 assistance to customers through Monitoring, Technical Support, Customer Service, System Administration, and Network Administration functions. The CEC is staffed 24/7/365 with professionally trained and certified Windows, Exchange, Solaris, Linux, and Network administrators. In addition to contacting the CEC, customers can also report problems and check on system status through their PowerPortal. An intranet site is used to post NTTA s policies and is accessible to all employees. Weekly and monthly meetings are held by management and their department members to help ensure policies are being followed and issues are addressed and escalated. These periodic meetings are held with the Data Centers, NOC, and with the IP Engineering groups. 5

People The is maintained by the following groups: The IP Operations group oversees the Global NOC and the Security Abuse Team (SAT). The NOC is responsible for monitoring the global backbone network, as well as the U.S. regional networks, 24 hours a day. They are also responsible for maintenance of the network, and for the tracking and escalation of outages. SAT is responsible for handling various security, abuse, and compliance issues, such as monitoring network traffic for possible attacks and taking action against identified attackers. The IP Engineering and the NTTA Network Engineers are responsible for the configuration, security, and maintenance of the Network and IP Backbone routers. The Network Engineering group is responsible for the configuration, security, and maintenance of the routers within the Data Centers. The Vice President of Engineering and Operations oversees the Data Center operations. Within the Data Center, the Director of Technical Operations and staff are responsible for the maintenance and security of the Data Center and environmental equipment, day to day operations, including the provisioning of new customer orders. The CEC provides monitoring of customer servers and the Network, resolves customer issues through their technical support team, and also provides system and network administration. Procedures Availability of NTTA s systems is critical to its customers. The Data Centers are equipped with environmental systems including cooling systems, UPS (uninterruptible power supply) devices, fire suppression and/or detection systems, backup generators, and electrical distribution systems, to help ensure customer systems remain available in the event of an emergency or power loss. NTTA contracts with external service firms to perform regular preventative and corrective maintenance of environmental infrastructure equipment to help identify equipment in need of maintenance or replacement prior to an actual failure. System availability is measured and monitored using several different tools: Netcool is a tool that monitors various systems, including network devices. Netcool is used by NTTA to monitor and alert the Certified Engineering Team and the NOC of any potential events. Netcool incorporates probes that scan network devices periodically to detect early warning signs of system problems. When a probe identifies a problem (e.g., a router is not responsive), it creates an event in the Netcool Object Server. The Netcool client software in turn displays a visual event, color-coded based on criticality. After each event is verified, the Certified Engineering Team opens a problem ticket which is 6

automatically populated with the details of the event from Netcool. The Certified Engineers and Network Engineers continually monitor Netcool for reported events and respond accordingly. DataTrax monitors Data Center environmental systems in order to identify any systems operating outside of a preset tolerance window. If any abnormalities are detected, DataTrax alerts NTT America personnel to the problem via automated emails and text pages. DataTrax monitors environmental systems including cooling systems, UPS devices, fire suppression and/or detection systems, backup generators, and electrical distribution systems. Measurements for SLA statistics are recorded by Indicative agents at 28 of NTT s major POP locations. Indicative is a licensed software tool, developed by Agilent Technologies, which runs on the Diagnostic Measurement Server (DMS) to monitor network performance. The DMS compiles the measurement information obtained from these 28 agent locations. Each of these 28 locations has an integrated system of agents, switches, and routers that are connected directly to the layer 2 backbone switches in the POP. The architecture is fully redundant so that a failure in any given DMS, agent, switch, or router will not cause loss of data or availability. Netflow data is used by the SAT in determining traffic anomalies, signifying Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks. IP Backbone Network The core architecture of the IP backbone network includes Cisco and Juniper routers and Cisco switches. Redundancy has been built into the architecture to help eliminate a single point of failure with these devices. NTTA has programmed a series of tool servers, which act as the primary interface between the IP Engineers and the IP backbone and ensures all routers have the same configuration file. Separate configuration servers exist for the IP Engineering group and for the customer engineers to promote proper segregation of duties and to restrict access. Access to these IP backbone devices is restricted to authorized personnel in the IP Engineering group and the NTTA Network Engineers. The Director of IP Engineering approves any changes in access for new and existing users. Formal change control, configuration standards, and administration procedures are followed to ensure router and switch devices are configured in a consistent manner in order to provide optimal service and security. Approved users must authenticate to the routers and switches through an access control server (TACACS+). The TACACS+ server requires all users to have a unique user name and password. The TACACS+ server logs all user activity, including failed login attempts. The log file is reviewed periodically by management for unusual activity. Other users (e.g., Network 7

Engineers) must authenticate to a separate configuration server in order to access the IP backbone. If the TACACS+ server is down or fails, each device has a backup account which all of the authorized IP Engineering and NTTA Network Engineers can access. The backup account has an encrypted password that uses a high-level encryption algorithm for added protection. The router and switch configurations have activated the enable secret service to require an additional password for administrative-level (i.e., root) access. These passwords also use a sophisticated encryption algorithm. Each device uses access control lists (ACLs) to filter source and destination data traffic. One access control list allows only specific IP addresses to authenticate to the router using secure shell (SSH) or Telnet. Another ACL restricts simple network management protocol (SNMP) to specific servers (read only) and also prevents port scanning using SNMP services. The ACLs are activated through the router and switch configuration files. Changes to router and switch configurations follow standard Methods and Procedures and are tracked and logged by a third-party software package called RANCID. RANCID runs hourly via an automated cron job. When a configuration change is detected, RANCID automatically sends an email notification to a predefined list of administrators including the Director of IP Engineering. The email provides a detailed description of the device and the changes that were made. Global Solutions Network The Network Engineering group maintains the routers within the Data Centers. The core architecture at the Data Centers includes Cisco routers, which connect to the Network. Access to the network devices is restricted to authorized personnel in the Network Engineering group through a TACACS+ server where each authorized user must have a unique ID and password. The manager of Network Engineering approves any changes in access for new and existing users. Administration and maintenance of network devices were tracked through the ticketing system and must be approved by the Network Engineering manager. Maintenance is conducted at off-peak hours. Configuration standards are stored on a separate configuration server and changes to baseline configurations are tracked using a version control system. ACLs are utilized at several levels to restrict network traffic. All hosts are automatically denied access to the Network devices unless they are defined to an ACL. SSH and Telnet access is only allowed from known NTT Com and NTT America IP addresses. 8

Monitoring Tools Network events are identified through the use of Netcool and other monitoring tools or through communications with customers. These events are tracked using ticket management software that helps to ensure timely resolution of each ticket. NTTA personnel are responsible for managing the event resolution process to its conclusion. Netcool, working in conjunction with other utilities, is a tool used by NTTA to monitor various systems and alert the CEC of any potential events or issues with the IP backbone, internal networks, and customer networks. Netcool incorporates probes that scan network devices periodically to look for warning signs of possible problems. When a probe identifies a problem, it reports the event to the Netcool Object Server. The Netcool client software, in turn, displays the event, color-coded based on criticality, to the individuals monitoring the system. Indicative, running on the DMS, monitors the polling agents. It sends e-mail notifications to Internet Security Systems (ISS) and SNMP traps to the NOC. It is reviewed by NOC personnel to make sure measurements are taken by the agents. The DMS compiles the measurement information obtained from 28 different agents running on the POPs. Nightly SLA reports are sent out to the NOC and representatives from each department within the Global IP Network (GIN). The report notes anomalies detected by the SLA agents. Issues are documented in a ticketing system and escalated as needed. Various tools and scripts are used to help detect when changes have been made to IP Backbone and Data Center routers. The changes and the results of the changes are reviewed by the Network Engineering Manager or IP Engineering for appropriateness. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information