Service Organization Control 3 Report
Description of Cbeyond Cloud Services IT Outsourcing Services relevant to Security and Availability
For the period January 1, 2011 through August 31, 2011
with the Independent Service Auditor's Report including Tests Performed and Results Thereof
Cbeyond Cloud Services (formerly MaximumASP) IT Outsourcing Services

TABLE OF CONTENTS
Report of Cbeyond Cloud Services IT Outsourcing Services System based on the AICPA/CICA Trust Services Principles and Criteria for Security and Availability
Report of Independent Accountants
Cbeyond Cloud Services IT Outsourcing Services relevant to Security and Availability for the period January 1, 2011 through August 31, 2011
Report of Cbeyond Cloud Services controls over the IT Outsourcing Services System based on the AICPA/CICA Trust Services Principles and Criteria for Security and Availability

Cbeyond Cloud Services, an operating division of Cbeyond Communications, LLC, maintained effective controls over the security and availability of the IT Outsourcing Services system ("System") to provide reasonable assurance that:

  o The System was protected against unauthorized access (both physical and logical); and
  o The System was available for operation and use as committed or agreed

during the period January 1, 2011 through August 31, 2011, based on the AICPA/CICA Trust Services Security and Availability criteria.

Our Description of the System summarizes those aspects of the System covered by our assertion.

Cbeyond Cloud Services, March 27, 2012
Report of Independent Accountants

Ernst & Young LLP
Suite 1000
55 Ivan Allen Jr. Boulevard
Atlanta, GA 30308
Tel: +1 404 874 8300
Fax: +1 404 817 5589
www.ey.com

To the Board of Directors of Cbeyond, Inc.

We have examined management's assertion that Cbeyond Cloud Services, an operating division of Cbeyond Communications LLC, during the period January 1, 2011 through August 31, 2011, maintained effective controls to provide reasonable assurance that:

  o Cbeyond Cloud Services IT Outsourcing System was protected against unauthorized access (both physical and logical); and
  o Cbeyond Cloud Services IT Outsourcing System was available for operation and use as committed or agreed

based on the AICPA/CICA Trust Services Security and Availability criteria (applicable trust services criteria).

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included: (1) obtaining an understanding of Cbeyond Cloud Services' relevant security and availability controls; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls or deterioration in the degree of effectiveness of the controls.

In our opinion, Cbeyond Cloud Services' management assertion referred to above is fairly stated, in all material respects, based on the AICPA/CICA Trust Services Security and Availability criteria.

The SOC 3 SysTrust for Service Organization Seal on Cloud Services web site constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance.

March 27, 2012
Atlanta, GA

A member firm of Ernst & Young Global Limited
Cbeyond Cloud Services IT Outsourcing Services relevant to Security and Availability for the period January 1, 2011 through August 31, 2011
Cbeyond Cloud Services Overview

Cbeyond Cloud Services, an operating division of Cbeyond Communications LLC, ("Cloud Services" or the "company") provides cloud computing, managed hosting and colocation services to organizations worldwide. These services are primarily provided from the data center facility in Louisville, Kentucky with secondary services provided from the data center facility located in Chicago, Illinois.

Types of services provided

Cbeyond Cloud Services provides the following services within the scope of this report; however, customers can choose which of these services to purchase or to inactivate portion(s) of a service. Therefore, users of this report are recommended to confirm via the control panel, an internally developed system that provides for order entry, service provisioning and billing of Cloud Services solutions, or with their Cbeyond account executive which services are included within their contract.

Managed Dedicated Hosting
  o Dedicated Hosting and Private Cloud
  o Database administration
  o OS Patch Management
  o Managed Backups
  o Managed Intrusion Protection System (IPS)
  o Managed Load Balancing
  o Managed Firewalling & Virtual Private Network (VPN)
  o Database-as-a-Service

Virtual Hosting
  o Cloud Computing (Sites and/or Servers)
  o Database administration
  o OS Patch Management
  o Managed Backups
  o Managed Intrusion Protection System (IPS)
  o Managed Load Balancing
  o Managed Virtual Firewalling
  o Database-as-a-Service

Colocation services
Components of the system providing the defined services

Infrastructure

Services are provided to users using IT equipment located primarily in the Louisville data center facility with failover services provided from the secondary data center facility in Chicago. These services are provided using a range of platforms, including Dell servers, Compellent Storage Area Networks (SANs) and Juniper Networking Equipment.

Software

Cbeyond Cloud Services provides IT outsourcing services using the above hardware, which then supports a range of operating system and database software. These provide common or dedicated platforms that are maintained by Cbeyond Cloud Services. In addition, for certain customers that have contracted with Cbeyond Cloud Services to perform these services, Cbeyond Cloud Services will also provide server backups, managed dedicated firewalling and managed load-balancing.

People

Services are provided by the Cbeyond Cloud Services Network Operations, Security, Support, Sales, Billing, Retention, Product Development, Information Technology (IT), Facilities and Executive Management teams located in Louisville, Kentucky, Chicago, Illinois and Atlanta, Georgia. All teams are recruited and managed using Cbeyond's policies and procedures.

Procedures

All teams are expected to adhere to the Cbeyond Cloud Services policies that define how services should be delivered. These policies are located on the company's intranet and can be accessed by any Cbeyond Cloud Services team member.

Data

Customer data is held in accordance with the relevant data protection and other regulations, with any specific requirements being set out in the customer contract. This data is held in a range of database technologies.
Services covered by this report

The scope of this report includes the network, servers and core systems significant to the services provided to customers with primary servers hosted in the Louisville data center facility and failover servers hosted in the Chicago data center facility, where support is provided by Cbeyond Cloud Services teams based in these locations and also in Cbeyond's corporate facility in Atlanta. The services provided are those identified above. This includes servers in their originally deployed state utilizing Cbeyond Cloud Services standard images and any additional specifications requested by the customer.
Administrator level access held by customers to their respective environment(s) is done via email to the primary address associated with the customer account. It is a uniquely generated password that follows the Cloud Services standard for secure passwords (at least 8 characters, lower and uppercase letters, one number and one symbol). This must also be paired with the customer's account information to be used. In addition, although recommended, it is at the customer's discretion that the uniquely generated initial password associated with the customer's user id is changed upon initial login.

Since Dedicated and Virtual customers have administrator level access to most configurations and have the ability to perform logical security administration functions for their respective environments, any customer initiated changes or modifications to servers, services (including anti-virus definitions) or logical access entitlements are excluded from the scope of this report.

Hypervisors are not used on dedicated servers unless enabled. Cloud Services requires that a customer be behind a dedicated firewall and on a customized network in order to implement a hypervisor. It is the customer's responsibility to maintain hypervisors where installed and this process is excluded from the scope of this report.

Since customers are assigned keys to the server racks in which their servers reside, any server maintenance activities initiated and performed by customers are excluded from the scope of this report.