SOC 3 for Security and Availability




SOC 3 for Security and Availability
Independent Practitioner's Trust Services Report
For the Period October 1, 2014 through September 30, 2015

Independent SOC 3 Report for the Security and Availability Trust Principles for Everbridge, Inc.

EVERBRIDGE, INC.
INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT
SOC 3

Table of Contents

SECTION ONE: INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT
SECTION TWO: EVERBRIDGE, INC.'S ASSERTION REGARDING ITS EVERBRIDGE SUITE SYSTEM
SECTION THREE: DESCRIPTION OF EVERBRIDGE, INC.'S EVERBRIDGE SUITE SYSTEM
  1 OVERVIEW OF THE EVERBRIDGE OPERATIONS
  2 OVERVIEW OF THE SYSTEM AND APPLICATIONS

SECTION ONE: INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT

To the Management of Everbridge, Inc.:

Scope

We have examined management's assertion that during the period October 1, 2014 through September 30, 2015, Everbridge, Inc. (the "Company") maintained effective controls over its Everbridge Suite System, based on the American Institute of Certified Public Accountants ("AICPA") and CPA Canada trust services security and availability criteria, to provide reasonable assurance that:

- the system was protected against unauthorized access (both physical and logical); and
- the system was available for operation and use, as committed or agreed.

The Company is responsible for this assertion. Our responsibility is to express an opinion based on our examination. The Company's management description of the aspects of the Everbridge Suite System covered by its assertion is outlined within the report.

Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included (1) obtaining an understanding of the Company's relevant controls over security and availability of the Everbridge Suite System; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary during our examination. We believe that our examination provides a reasonable basis for our opinion.

Because of the nature and inherent limitations of controls, the Company's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, errors or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, the Company's assertion referred to above is fairly stated, in all material respects, based on the AICPA and CPA Canada trust services security and availability criteria.

Everbridge's use of the SysTrust for Service Organizations Seal constitutes a symbolic representation of the contents of this report and is not intended, nor should it be construed, to update this report or provide any additional assurance.

SSAE 16 Professionals, LLP
December 1, 2015
Orange, California

SECTION TWO: EVERBRIDGE, INC.'S ASSERTION REGARDING ITS EVERBRIDGE SUITE SYSTEM

December 1, 2015

During the period October 1, 2014 through September 30, 2015, the Company, in all material respects, maintained effective controls over the Everbridge Suite System, as defined by the System Description attached within the report, to provide reasonable assurance that:

- the system was protected against unauthorized access (both physical and logical); and
- the system was available for operation and use, as committed or agreed.

Further, the Company confirms that, to the best of our knowledge and belief, the controls related to the trust services criteria were suitably designed and operating effectively during the period October 1, 2014 through September 30, 2015, to achieve those control objectives.

The criteria we used in making this assertion were that:

- The risks that threaten the achievement of the controls related to the trust services criteria have been identified by the Company; and
- The controls related to the trust services criteria would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the trust services criteria from being achieved.

Everbridge, Inc.

SECTION THREE: DESCRIPTION OF EVERBRIDGE, INC.'S EVERBRIDGE SUITE SYSTEM

1 Overview of the Everbridge Operations

Everbridge is a global provider of SaaS-based unified critical communications solutions. During mission-critical business events or man-made or natural disasters, the Everbridge platform enables customers to quickly and reliably deliver the right message and reach the right people, on the right device, in the right location, at the right time. Utilizing sophisticated communications technologies, Everbridge has the ability to deliver and verify messages in near real-time to more than 100 different communication devices, in over 200 countries and territories, in multiple languages, all simultaneously. Everbridge is based in Boston and Los Angeles, with additional offices in San Francisco, Beijing and London.

2 Overview of the System and Applications

System Overview

Since inception, the Everbridge SaaS-based unified critical communications system (the platform) was architected on a single code base to deliver multi-tenant capability and the speed, scale and resilience necessary to communicate globally when a serious event occurs. The Everbridge platform is designed to address both the emergency and operational components of a critical communications program. The Everbridge platform is capable of providing two-way communications and verified delivery in accordance with our customers' escalation policies. The platform has multi-modal communications reach, including redundant global SMS and voice delivery capabilities, and is designed to comply with local, technical and regulatory requirements.

The System is comprised of the following components:

- Infrastructure: The physical and virtual components of a Hybrid Cloud (facilities, servers, storage, and networks);
- Software: The programs and operating software of a system (systems, applications, and utilities);
- People: The personnel involved in the operation and use of a system (developers, operators, users, and managers);
- Procedures: The automated and manual procedures involved in the operation of a system; and
- Data: The information used and supported by a system (transaction streams, files, databases, and tables).

Infrastructure

To provide highly scalable and global solutions, Everbridge employs redundant, geographically diverse production implementations and has built its platform infrastructure in multiple SOC 2-compliant data center facilities in North America and Europe. Within each data center, Everbridge utilizes a hybrid-cloud architecture that allows us to enable on-demand capacity and performance. Everbridge's hybrid-cloud architecture enables its customers to select the location in which to store their contact data, allowing for compliance with local and international data privacy laws. The architecture also enables our platform to dynamically determine the best location from which to deliver critical communications on behalf of our customers, and solves many international communications delivery challenges by utilizing in-country or in-region telephony, messaging and data communication providers. The Everbridge infrastructure is continuously maintained and monitored by dedicated engineers based in redundant network operations centers in the Los Angeles and Boston areas.

Software & Applications

Everbridge's unified critical communications platform delivers reliable, enterprise-ready applications that provide organizations with the ability to deliver contextual communications. Our applications include:

- Mass Notification: a secure, scalable and reliable Mass Notification application is Everbridge's most established application and enables enterprises and governmental entities to send contextually aware notifications to individuals or groups to keep them informed before, during and after critical events. This application provides analytics, map-based targeting, flexible group management, distributed contact data, language localization, multiple options for contact data management and a globally-optimized approach to voice and SMS routing.
- Incident Communications: an incident management application enables organizations to automate workflows and make their communications contextually relevant, using drag-and-drop business rules to determine who should be contacted, how they should be contacted and what information is required. This application also supports cross-account collaboration and situational intelligence sharing during crises for corporations and communities.
- IT Alerting: an IT alerting application enables IT professionals to alert and communicate with key members of their teams during an IT incident or outage, including during a cyber security breach. The application integrates with IT service management platforms and uses automatic escalation of alerts, on-call scheduling and mobile alerting to automate manual tasks and keep IT teams collaborating during an incident. This application also provides shift calendars with integrated on-call notifications to help users better manage employee resources and get the right message to the right person, at the right time, through automated staffing.
- Secure Mobile Communications (HipaaBridge and SecureBridge): secure mobile messaging applications meet the compliance and security requirements of organizations that need to provide an alternative way for their employees to communicate and share non-public information. HipaaBridge, which is designed for medical professionals, facilitates HIPAA-compliant communications that eliminate the need for pagers and other single-use devices. HipaaBridge also facilitates telemedicine by allowing medical professionals to hold video conferences with patients and other medical professionals, as well as share medical imaging, lab results and other critical information. SecureBridge enables financial services organizations' employees and customers to securely communicate via text, voice, and video, while remaining Financial Industry Regulatory Authority (FINRA) compliant.
- Internet of Things: an IoT Communications application enables customers to extend traditional machine-to-machine communication to people when required. Through the Everbridge secure communications channels, the Everbridge critical communications engines can integrate directly with medical devices, workplace security controls, public infrastructure and other systems to either activate the device, confirm activation, or mobilize people for interaction and response.
- Community Engagement: a community engagement application integrates emergency management and community outreach by providing local governments with a unified solution to connect residents to their public safety department, public information resources, and neighbors via social media and mobile applications. This creates a stronger and more engaged community, improving the communication reach for emergency personnel, while providing residents with real-time emergency and community information, and allows residents to anonymously opt in and provide tips.

People

Everbridge's operational functions are organized into the following departments:

- The SaaS Operations team includes system administrators, database administrators, application and technical analysts, release management, governance and security, and the service desk, which collectively are responsible for maintaining the availability, confidentiality, and integrity of all information systems.
- The Network Operations Center (NOC) team includes systems engineers who monitor the Everbridge solutions for faults and performance on a 24x7x365 basis from redundant NOCs located in Boston and Los Angeles.
- The Customer Technical Support team interfaces directly with customers during the onboarding and training process and addresses any and all issues quickly and with confidence to provide outstanding customer service.
- Software Development creates quality solutions that meet business needs, maintains existing software components, supports IT operations, and commits to continuous improvement.
- Quality Assurance utilizes several methodologies of testing to ensure the highest quality product is being delivered.
- The Product Management team is responsible for determining the strategy for the Product Portfolio based on the Everbridge organization's business goals, as well as collecting and prioritizing system enhancements and discovered defects and defining requirements for approved projects.

Procedures

Everbridge's operational service procedures are based on the Information Technology Infrastructure Library (ITIL). These ITIL-based procedures for service management are divided into procedures for the management of problems, incidents, service levels, availability, capacity, suppliers, change/configuration, assets, and deployment.

Everbridge's security and data privacy and protection procedures are based on the Federal Information Security Management Act (FISMA) risk management framework defined by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. To meet the rigorous standards of our enterprise and government customers, an independent and accredited third-party security assessment firm annually verifies our compliance with the security and data protection requirements detailed in NIST SP 800-53. Through this process, we map our compliance with other security and data privacy frameworks, including ISO 27001 and HIPAA. In addition, we operate in accordance with the TRUSTe Data Privacy Seal and the EU/US Safe Harbor Framework for personal data.

The Everbridge unified critical communications platform received designation under the Support Antiterrorism by Fostering Effective Technology Act of 2002 (SAFETY ACT) and certification by DHS that places us on the approved product list for homeland security and provides Everbridge with the highest level of liability protection available under the SAFETY ACT. Everbridge also procedurally complies with the standards of the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR).

For more information on Everbridge Security and Data Protection programs, visit http://www.everbridge.com/aboutus/privacy-security-compliance/

Data

Everbridge customers can use the Everbridge platform to send notifications to recipients, where the content of the notification or message is completely determined by the customer. For message recipients, the Everbridge system stores and processes the contact data for each recipient. The recipient contact data may be classified as Personally Identifiable Information (PII). This information may include: first name, last name, address, phone numbers (home, work, mobile, etc.), email addresses, fax and pager numbers, as well as contact attributes associated with communication preferences, language spoken, technical certifications, on-call status, etc.