Service Organization Controls 2 Report

Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability

For the Period from November 1, 2012 to October 31, 2013

With Independent Service Auditor's Report including Tests Performed and Results Thereof
Verizon Communications Inc.
Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability for the Period from November 1, 2012 to October 31, 2013

Table of Contents

Verizon Communications Inc.'s Management Assertion ... 1
Independent Service Auditor's Report ... 4
Description of the Administration of Verizon Terremark Colocation Services for the Period from November 1, 2012 to October 31, 2013 ... 8
Company Overview ... 8
Boundaries of the System ... 8
Components of the System ... 10
Description of the Control Environment, Control Activities, Information Communication, Monitoring and Risk Assessment Processes ... 12
Control Environment ... 12
Management Controls ... 12
Monitoring ... 14
Risk Assessment ... 14
Information and Communication ... 14
Criteria and Controls ... 14
Physical Security ... 15
Environmental Safeguards ... 17
Network Availability ... 18
Business Continuity and Disaster Recovery ... 19
Certain User Entity Obligations (CUO) ... 19
Description of Criteria, Controls, Tests, ... 20
Tests Performed of Entity-Level Controls ... 20
Criteria and Controls ... 20
Security and Availability Policies ... 21
Security and Availability Communications ... 23
Security and Availability Procedures ... 28
Security and Availability Monitoring ... 46
Other Information Provided by Verizon Communications, Inc. ... 49
APPENDIX A Required Policy Components ... 49
Verizon Communications Inc.'s Management Assertion

February 21, 2014

We have prepared the accompanying Description of the Administration of Verizon Terremark Colocation Services for the period from November 1, 2012 to October 31, 2013 (Description) of Verizon Communications Inc. (Service Organization) based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service organization's system set forth in paragraph 1.34 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (the description criteria). The Description is intended to provide users with information about the Administration of Verizon Terremark Colocation Services (System), particularly system controls, intended to meet the criteria for the security and availability principle(s) set forth in the AICPA's TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable Trust Services criteria).

Verizon Terremark Colocation Services data centers included in the Description are in the following geographic locations:
Amsterdam, The Netherlands
Bogota, Colombia
Culpeper, VA
Istanbul, Turkey
Miami, FL
Richardson, TX
Santa Clara, CA
Sao Paulo, Brazil

The management of Verizon Communications Inc. confirms, to the best of its knowledge and belief, that:

a. the Description fairly presents the System throughout the period from November 1, 2012 to October 31, 2013, based on the following description criteria:

i. the Description contains the following information:
(1) The types of services provided.
(2) The components of the System used to provide the services, which are the following:
Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks).
Software. The programs and operating software of a system (systems, applications, and utilities).
People. The personnel involved in the operation and use of a system (developers, operators, users, and managers).
Procedures. The automated and manual procedures involved in the operation of a system.
Data. The information used and supported by a system (transaction streams, files, databases, and tables).
(3) The boundaries or aspects of the System covered by the Description.
(4) How the System captures and addresses significant events and conditions.
(5) The process used to prepare and deliver reports and other information to user entities or other parties.
(6) If information is provided to, or received from, other parties, how such information is provided or received; the role of the other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.
(7) For each principle being reported on, the applicable Trust Services criteria and the related controls designed to meet those criteria, including, as applicable, certain user entity obligations contemplated in the design of the Service Organization's System.
(8) Any applicable Trust Services criteria that are not addressed by a control at the Service Organization and the reasons therefore.
(9) Other aspects of the Service Organization's control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable Trust Services criteria.
(10) Relevant details of changes to the Service Organization's System during the period covered by the Description.

ii. the Description does not omit or distort information relevant to the Service Organization's System, while acknowledging that the Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the System that each individual user may consider important to his or her own particular needs.

b. the controls stated in the Description, together with the user entity obligations described in the Description if operating effectively, were suitably designed throughout the specified period to meet the applicable Trust Services criteria.

c. Verizon Communications Inc.'s controls stated in the Description operated effectively throughout the specified period to meet the applicable Trust Services criteria.

Verizon Communications Inc.
One Verizon Way
Basking Ridge, NJ 07920
Ernst & Young LLP
One Commerce Square
Suite 700
2005 Market Street
Philadelphia, PA 19103
Tel: +1 215 448 5000
Fax: +1 215 448 5500
ey.com

Independent Service Auditor's Report

Board of Directors
Verizon Communications Inc.

Scope

We have examined Verizon Communications Inc.'s accompanying Description of the Administration of Verizon Terremark Colocation Services for the period from November 1, 2012 to October 31, 2013 (Description) of its Administration of Verizon Terremark Colocation Services System for data center colocation hosting throughout the period November 1, 2012 to October 31, 2013, based on the criteria set forth in paragraph 1.34 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (the description criteria) and the suitability of the design and operating effectiveness of controls described therein to meet the criteria for the security and availability principle(s) set forth in the AICPA's TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable Trust Services criteria) throughout the period from November 1, 2012 to October 31, 2013.

The Description indicates that certain applicable Trust Services criteria specified in the Description can be met only if certain user entity obligations contemplated in the design of Verizon Communications Inc.'s controls are suitably designed and operating effectively, along with related controls at the Service Organization. We have not evaluated the suitability of the design or operating effectiveness of such user entity obligations.

Verizon Terremark Colocation Services data centers included in the Description are in the following geographic locations:
Amsterdam, The Netherlands
Bogota, Colombia
Culpeper, VA
Istanbul, Turkey
Miami, FL
Richardson, TX
Santa Clara, CA
Sao Paulo, Brazil

The information in the accompanying Other Information Provided by Verizon Communications Inc. is presented by the Company to provide additional information and is not part of Verizon's Description. Such information has not been subjected to the procedures applied in our examination of the Description.

Verizon Communications Inc.'s responsibilities

Verizon Communications Inc. has provided the accompanying assertion titled Verizon Communications Inc.'s Management Assertion (Assertion) about the fairness of the presentation of the Description based on the description criteria and the suitability of the design and operating effectiveness of the controls described therein to meet the applicable Trust Services criteria. Verizon Communications Inc. is responsible for (1) preparing the Description and Assertion; (2) the completeness, accuracy, and method of presentation of the Description and Assertion; (3) providing the services covered by the Description; (4) specifying the controls that meet the applicable Trust Services criteria and stating them in the Description; and (5) designing, implementing, and documenting the controls to meet the applicable Trust Services criteria.

Service auditor's responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the Description based on the description criteria and on the suitability of the design and operating effectiveness of the controls described therein to meet the applicable Trust Services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the Description is fairly presented based on the description criteria, and (2) the controls described therein are suitably designed and operating effectively to meet the applicable Trust Services criteria throughout the period from November 1, 2012 to October 31, 2013.

An examination of a description of a service organization's system and the suitability of the design and operating effectiveness of the service organization's controls involves performing procedures to obtain evidence about the fairness of the presentation of the Description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable Trust Services criteria. Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or operating effectively. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable Trust Services criteria were met. Our examination also included evaluating the overall presentation of the Description. We believe that the evidence we have obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent limitations

The Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to its own particular needs. Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable Trust Services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description, or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable Trust Services criteria, is subject to the risk that the system may change or that controls at a service organization may become ineffective or fail.

Opinion

In our opinion, in all material respects, based on the description criteria and the applicable Trust Services criteria:

a. the Description fairly presents the Administration of Verizon Terremark Colocation Services System that was designed and implemented throughout the period from November 1, 2012 to October 31, 2013.

b. the controls stated in the Description were suitably designed to provide reasonable assurance that the applicable Trust Services criteria would be met if the controls operated effectively throughout the period from November 1, 2012 to October 31, 2013 and if user entities applied the user entity obligations contemplated in the design of Verizon Communications Inc.'s controls throughout the period from November 1, 2012 to October 31, 2013.

c. the controls tested, which, together with the user entity obligations referred to in the scope paragraph of this report if operating effectively, were those necessary to provide reasonable assurance that the applicable Trust Services criteria were met, operated effectively throughout the period from November 1, 2012 to October 31, 2013.

Description of tests of controls

The specific controls tested and the nature, timing, and results of those tests are listed in the accompanying Description of Control Objectives, Controls, Tests, (Description of Tests and Results).

Restricted use

This report, including the description of tests of controls and results thereof in the Description of Tests and Results, is intended solely for the information and use of Verizon Communications Inc., user entities of Verizon Communications Inc.'s System, and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:
The nature of the service provided by the Service Organization
How the Service Organization's System interacts with user entities or other parties
Internal control and its limitations
Certain user entity obligations and how they interact with related controls at the Service Organization to meet the applicable Trust Services criteria
The applicable Trust Services criteria
The risks that may threaten the achievement of the applicable Trust Services criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

February 21, 2014
Philadelphia, Pennsylvania
Description of the Administration of Verizon Terremark Colocation Services for the Period from November 1, 2012 to October 31, 2013

Company Overview

Verizon Terremark (the Company) is one of three operating units of Verizon Communications Inc. (NYSE: VZ). The Company delivers advanced IP, data, voice and wireless solutions to a majority of the Fortune 500 businesses and government agencies in more than 200 state-of-the-art data centers in 23 countries across five continents. Verizon Terremark's global IP footprint serves 4,000+ networks in 142 countries and territories, including non-Verizon Terremark connections from more than 60 network providers globally. Verizon Terremark provides information technology deployments with advanced infrastructure and managed service offerings that deliver the scale, security, and reliability necessary to meet the requirements of enterprises and governments around the world.

Boundaries of the System

Verizon Terremark's core business function is to provide strategically positioned data centers around the world within which customers/potential customers can host their computing, storage, telecommunications and application server hardware. Verizon Terremark Colocation Services include providing the hardware, software, network technology, physical security, and environmental safeguards necessary to offer customers a comprehensive colocation hosting solution. Verizon Terremark facilities offer choices and redundancies in communication infrastructure. Verizon Terremark data centers are connected to multiple domestic fiber backbones, undersea cables and over 160 carriers, providing customers access to virtually any location in the world. Colocation customers have the ability to contract services directly with carriers in the Verizon Terremark facilities for the connectivity and redundancy they require.

Depending on customer requirements, racks, cabinets, or customized caged floor spaces are available across a global footprint of hardened and secure facilities. Verizon Terremark configures the customer site either in a locked server cabinet/rack or in a cage consisting of multiple server racks/cabinets, based on each individual customer's specifications. Verizon Terremark is responsible for setting up each individual customer's environment, including the customer cabinets and cages, providing network connectivity and power for the environment, administering physical access to the environment and managing the environmental safeguard systems. Once the customer environment has been set up, Verizon Terremark turns over the environment to the customer, who is then responsible for building/staging the remainder of its own infrastructure and establishing physical access control lists. Verizon Terremark does not control customer-specific hardware, operating systems, databases, applications, or any other content loaded on the customer hardware. Verizon Terremark does not administer or access customer systems at the operating system, database, or application levels.

Data Centers

The hardened facilities sit on top of Tier 1 networks. The data centers provide the physical security for sensitive business applications and n+2 redundant power and cooling backed by service level agreements (SLAs). Verizon Terremark provides ongoing monitoring and on-site technical support. The specific Verizon Terremark Colocation Services included within the scope are in the following geographic locations:
Amsterdam, The Netherlands
Bogota, Colombia
Culpeper, VA
Istanbul, Turkey
Miami, FL
Richardson, TX
Santa Clara, CA
Sao Paulo, Brazil

Network

Verizon Terremark provides customers network connectivity, with plug-and-play access to leading global carriers, delivering a competitive marketplace of connectivity that allows customers to strategically select the connectivity service best suited to their business. Verizon Terremark's peering fabric brings together providers from around the world to a common location for handing off traffic and making connections. Verizon Terremark provides zero mile connectivity to the world.

Service Delivery Platform (SDP) Service Management

Verizon Terremark's next generation SDP Service Management system is driven by a focus on computing, network design, operations and management. This advanced technology represents the optimization of the surrounding technical operations and business processes to create the architectural logic of an entire managed environment. It integrates the capability for Verizon Terremark to manage its services for customers through the following modules: Order Broker, Entity Manager, Alert Management, Implementation, Configuration Management Database (CMDB), Change Management, Ticketing, and Verizon Terremark View Point.

Managed Router Service (MRS)

Verizon Terremark offers a Managed Routing Service (MRS) that leverages the global network connectivity provided by the telecommunications companies located within Verizon Terremark's carrier-neutral facilities. Verizon Terremark's Managed Router Service (MRS) provides optimal access to the Internet without the purchase and management of individually owned Internet routers. Using Verizon Terremark's Managed Route Control Platform (MRCP), the MRS solution helps ensure the best possible path to the Internet in real time. Verizon Terremark intelligently routes Internet traffic across multiple networks, reducing latency and providing redundancy in the event of a problem.

Hybrid Capabilities

Verizon Terremark has the ability to provide hybrid solutions that combine traditional colocation with cloud computing environments and managed hosting. Existing physical devices and private networks can also be integrated into cloud environments as needed. Verizon Terremark's hybrid capabilities provide customers with access to various levels of support depending on their requirements.

RemoteHands SmartHands Service

Verizon Terremark's RemoteHands SmartHands services assist customers that need remote access to equipment for performing simple troubleshooting or maintenance tasks. Verizon Terremark's staff can perform basic tasks that may require the use of tools or equipment. Verizon Terremark RemoteHands SmartHands services are available on demand or by subscription in four-hour blocks per month.

Network and Connectivity Services

Verizon Terremark's Managed Network and Connectivity services range from basic layer one services, such as physical interconnection, to more complex layer three monitoring of networks and alerts. Carrier-neutral design provides zero mile access to robust connectivity and at the same time delivers cost savings and flexibility, and can scale to match customer growth while still delivering the performance customers demand.

Cross-connect Services

Cross-connectivity is provided to customers in a streamlined manner through the adoption of a centralized hub named a Meet Point Room, to which all inbound and outbound interconnections are routed to service the colocation customers. Cross-connects can be delivered by means of copper (POTS), coaxial, unshielded twisted pair (UTP) and fiber.

Exchange Services Peering

Verizon Terremark's state-of-the-art Exchange Platform is at the core of Verizon Terremark's network and offers a total switching capacity of over 1.0 Tbps. In addition to providing flexible and reliable Ethernet virtual local area network (VLAN) and Optical/Digital connections for the exchange of Internet traffic, Verizon Terremark's Exchange Platform is used for the provisioning of next generation network-based services. Verizon Terremark's Exchange Platform employs an industry-leading and state-of-the-art Ethernet technology. The Exchange Platform is the vehicle used to reach many businesses and consumers served by the companies connected to Verizon Terremark, enabling Internet Protocol (IP)-based products and services to easily reach virtually anywhere in the world.

Components of the System

Verizon's System includes infrastructure, software, people, procedures and data:

Infrastructure: the physical and hardware components of the System, including facilities, equipment, and networks. Verizon Terremark infrastructure includes the Verizon Terremark Colocation Services network backbone. Verizon Terremark does not control customer-specific hardware, operating systems, databases, applications, or any other content loaded on the customer hardware. Verizon Terremark configures the customer site either in a locked server cabinet/rack or in a cage consisting of multiple server racks/cabinets, based on each individual customer's specifications. Verizon Terremark is responsible for setting up each individual customer's environment, including the customer cabinets and cages, providing network connectivity and power for the environment, and managing the environmental safeguard systems. Once the customer environment has been set up, Verizon Terremark turns over the environment to the customer, who is then responsible for building/staging its own infrastructure.

Software: the programs and operating software of the System, including systems, applications, and utilities. Verizon Terremark does not administer or access customer systems at the operating system, database, or application levels. As part of the Verizon Terremark service, when a customer is not able to be on-site at the Verizon Terremark data center, Verizon Terremark provides hands-on technical support should the customer require technical assistance such as a system reboot or a hardware replacement.

People: the personnel involved in the operation and use of the System, including developers, operators, users, and managers. The Company's organizational structure provides the overall framework for planning, directing, and controlling operations. Personnel and business functions are separated into departments according to job responsibilities. The structure provides defined responsibilities and lines of authority for reporting and communication. The assignment of roles and responsibilities within the various departments provides effective segregation of duties. All team members are recruited and managed using Verizon's global policies and procedures described in the Description of the Control Environment, Control Activities, Information Communication, Monitoring and Risk Assessment Processes section.

The following teams are involved in the services provided by the Verizon Terremark Colocation Services solution:
NOC administration: responsible for functions such as management of network infrastructure, including switches, firewalls, load balancers, routers and virtual private network platforms.
Facilities administration: responsible for maintenance functions for systems such as electrical power, air conditioning and humidity, UPS, electric generators, fire suppression, smoke detection, and real-time monitoring with alarms and alerts.
Service Center: responsible for functions such as dedicated customer support, troubleshooting, issue and problem management, and escalation and resolution procedures.

Procedures: the automated and manual procedures involved in the operation of the System. The Company's employees adhere to Verizon's global policies that define how services should be delivered. The policies are located on Verizon's intranet and can be accessed by the Company's employees.
Description of the Administration of Verizon Terremark Colocation Services for the Period from November 1, 2012 to October 31, 2013 Data the information used and supported by the System. Verizon does not manage or input data into customer systems and is not responsible for the accuracy or completeness of customer data. Customer data necessary to provide the services within the boundaries of the System is managed in accordance with the relevant data protection and other regulations, with any specific requirements specified in the customer contracts. Description of the Control Environment, Control Activities, Information Communication, Monitoring and Risk Assessment Processes Control Environment The control environment reflects the overall attitude and awareness of management and personnel concerning the importance of controls and the emphasis given to controls in the Company s policies, procedures, and actions. The organizational structure, separation of job responsibilities by departments and business function, and documentation of policies and procedures, are the methods used to define and implement operational controls. The following is a description of the five components of internal control as they pertain to Verizon Terremark. Management Controls Verizon management is responsible for directing and controlling operations and for establishing, communicating, and monitoring control policies and procedures. Management focuses on maintaining sound internal controls and the integrity and ethical values of all Company personnel. Organizational values and behavioral standards are communicated to all personnel through policy statements and guidelines during new hire orientation and are also available for review on the Company intranet. Verizon Board of Directors, assisted by its committees, directs the affairs of the Company. Twelve directors hold office until the next annual meeting of stockholders and until a successor is duly elected and qualified. 
The election of directors requires the affirmative vote of a majority of the votes represented and entitled to vote at the annual meeting. Verizon Corporate Governance and Policy Committee provides oversight and guidance to the membership, structure, policies and processes of the Board of Directors and its committees to facilitate the effective exercise of the Board's role in the governance of the Corporation. In addition, the Committee reviews the Company's governance and policy processes. In carrying out its activities, the Committee is supported by the Corporate Secretary as the Company's chief governance officer. Verizon Human Resources Committee (HRC) oversees management in the development and implementation of human resource practices and policies. One of the programs the HRC has developed is succession planning, which enhances the Company s strategic objectives and promotes equal opportunity and diversity. Additionally, the HRC reviews management compensation and benefit plans to make sure they are competitive so as to attract, motivate, and retain highly qualified employees. Verizon Audit Committee is appointed by the Board of Directors to oversee (1) management in the performance of its responsibility for the integrity of the Company's accounting and financial 1304-1059738 12
Description of the Administration of Verizon Terremark Colocation Services for the Period from November 1, 2012 to October 31, 2013 reporting, and its systems of internal controls, (2) the performance and qualifications of the independent auditor (including the independent auditor's independence), (3) the performance of the Company's internal audit function, and (4) the Company's compliance with legal and regulatory requirements. The Internal Controls Organization, in conjunction with Verizon Internal Audit, assesses the effectiveness of the internal control structure and procedures for financial reporting on an annual basis. The Internal Controls Organization works with key business units and process owners throughout the entire Company to ensure management establishes and maintains an adequate internal control structure and procedure for collecting, processing, and disclosing financial information. Verizon has implemented policies and procedures to address critical financial and operational processes including human resources, information systems, and operations. Personnel Policies and Procedures The competence of employees is a key element of the control environment. Verizon is committed to the development of its employees. This commitment to competence is expressed in the Company s personnel policies and related human resources programs. Specific indicators of the commitment to personnel development include recruiting and hiring policies, investment in training and development, and performance monitoring. Verizon s commitment to competence begins with recruiting, which is the joint responsibility of the Human Resources Department and business unit managers. Hiring decisions are based on various factors, including educational background, prior relevant experience, past accomplishments, and evidence of integrity and ethical behavior. The Company s commitment to the development of its staff includes an active performance monitoring process. 
The process is co-managed by each employee and his or her manager. The process entails the development of specific, quantifiable objectives for the coming period, periodic discussions of progress in meeting those objectives, and an annual formal review of the employee s overall performance in the current position as well as career development discussions to help prepare the individual for advancement. Integrity and high ethical standards are qualities essential to the business of the Company and are viewed as fundamental standards of behavior for all employees. At Verizon, the standards of integrity and ethics are demonstrated daily by the personal conduct of management and various controls, including guidelines for handling confidential information and policies stipulating that employees comply with all laws, regulations, and corporate policies as a condition of continuing employment. In addition, the Company has a code of conduct and requires all employees to formally acknowledge their commitment to performing in a professional and ethical manner. Further, each employee is expected to report any violation or exception to these policies that are suspected by another employee of Verizon or an outsider. Recognizing the sensitive nature of these situations, employees have several options for bringing these situations to management s attention. The Company has also instituted an open-door policy to facilitate open and frequent communication with executive management. 1304-1059738 13
Monitoring

Management has implemented a division of roles and responsibilities, which limits the ability of a single individual to subvert critical processes. This segregation of duties increases control over processes that may impact customer systems. There are procedures in place to help ensure that personnel perform only those duties related to their positions. Management has defined and implemented relevant procedures to control the activities of consultants and other contract personnel in order to protect the organization's assets. Contractors and consultants are issued access badges based upon responsibility and job scope. These badges include an expiration date which is based upon their contract. Management verifies personnel references for new hires before they are hired, transferred, or promoted, with additional screening checks depending on the sensitivity of the position.

Risk Assessment

Verizon employs both formal and informal risk assessment procedures. A formal risk assessment is conducted annually by the Company's executive management and is reviewed by the Verizon Audit Committee. The process includes identifying, prioritizing, and ranking risks at both the entity and activity level. Criteria used to rank risks include, but are not limited to, financial activities, technological complexity and dependencies, and process impact on the Company's reputation. Other assessments that are performed consider economic and industry factors affecting the Company, business planning, and discussions with market analysts by each business unit.

Information and Communication

Management is committed to maintaining effective communication with all personnel and customers.
To help align Verizon strategies and goals with operating performance as it relates to customers, management across all departments participates in weekly meetings in order to discuss the status of service delivery or other matters of interest and concern. Issues or suggestions identified by personnel are readily brought to the attention of management to be addressed and resolved. On a monthly basis, operating performance reports are provided to management to summarize the performance statistics of the various products, including, but not limited to, utilization and problem reporting. Daily alerts are provided to product support personnel regarding problems. Senior management is presented with a summary of operations and future business plans on a quarterly basis.

Criteria and Controls

The Trust Services Criteria and the controls that meet the criteria are listed in the accompanying Description of Criteria, Controls, Tests, and Results of Tests. The management of Verizon has specified its controls that meet the criteria for Security and Availability. The controls are described using the following categories:
Policies: Verizon has defined and documented its policies relevant to the Security and Availability principles.
Communications: Verizon has communicated its defined policies to responsible parties and authorized users of the system.
Procedures: Verizon placed in operation procedures to achieve its objectives in accordance with its defined policies.
Monitoring: Verizon monitors the System and takes action to maintain compliance with its defined policies.

Physical Security

Overview

Verizon Terremark's physical security standards for data center facilities feature a centrally located guard post / command center that is staffed by security personnel at all times. Security personnel provide overall building security, monitor security cameras, guard building entrance and exit access points, and control access to the entire facility for employees, contractors, customers and visitors. The data centers in North America, Europe and Latin America are also continuously monitored by Verizon Security's central monitoring facilities in those regions. These facilities provide a backup response capability.

Policies and Procedures

Verizon Terremark security policies are documented and available to all employees on an internal web site. Employees receive security awareness training for both physical and information security as part of the onboarding process. This training is reinforced by security awareness articles and bulletins on current issues. Additionally, employees are required to participate in annual security awareness training.

Secure Area Access Control

Areas designated to be secure areas continuously remain secure and are only accessed by authorized company personnel and/or visitors for approved purposes. Access is assigned based upon an individual's specific job assignment(s) and responsibilities.
A centralized security badge access system provides controlled access to each facility. Administrative access privileges to the badge access systems are restricted to user accounts accessible by authorized personnel. Predefined physical security zones are utilized to define role-based access privileges to and throughout the data center facilities. The badge access system logs both successful and unsuccessful access attempts for ad hoc review. Access attempts are traceable to specific employee accounts.

Verizon Terremark personnel must wear an authorized employee access badge while conducting business at a data center facility. Contractors, vendors, and visitors must obtain an access badge to gain entry into a data center facility. The on-duty security personnel are responsible for granting access to vendors, visitors and Verizon Terremark customers requiring access to their equipment. The security personnel are also responsible for security monitoring and reporting procedures, responding to building alarms and monitoring video surveillance cameras. Security incidents are recorded in security patrol logs and investigated.

Employee Access

Requests for new employee access are submitted by Human Resources and include the name of the new employee, department, site, supervisor and the access areas to be assigned. Requests for access are approved by the employee's supervisor. Requests for changes in access for employees are submitted by a department supervisor and approved by the area authorizer. Employee terminations are submitted by Human Resources. Physical security personnel revoke access privileges assigned to terminated employees as a component of the employee termination process. Physical access rights are reviewed periodically by management to help ensure that access privileges are assigned to appropriate employees.

Customer and Visitor Access

Customers' physical hardware is maintained in locked server racks/cabinets and cages within the data centers. Badge access cards and physical keys to the server racks/cabinets and cages located within the data centers are secured. Customer access to Verizon Terremark facilities is strictly enforced. Customers whose accounts are in good standing may visit their equipment at any time. Customers are required to comply with Verizon Terremark physical access procedures while on premises at the data center facility. To obtain access to the customer cages and/or racks/cabinets, a pre-approved customer contact must request from the appropriate business or technical representative, in advance of the visit, that a particular customer employee or vendor be granted access. Upon arrival at the data center, visitors requiring access must present government-issued photo identification to Verizon Terremark security personnel to obtain a visitor badge.
Security personnel document the visitor's name, firm represented and the name of the employee authorizing physical access within the visitor access log. Visitor badges do not have physical access capabilities and are identifiably different from employee badges. Visitors are required to surrender their visitor badges upon departure from the data center facilities. Based on individual customer requirements, vendors representing customers may be required to provide evidence that they work for the specified vendor before they can obtain access, in addition to providing the government-issued photo identification. The vendor name must also appear on the approved access list. Vendors are required to be escorted and accompanied by an authorized Verizon Terremark employee when in sensitive areas. If an individual is not authorized for entry, he/she is prohibited from access into the data center.

Video surveillance cameras are installed at each data center facility. The video surveillance cameras are positioned to monitor for intrusion activities or possible vulnerabilities and are recorded on an ongoing basis. Cameras capture data centers, passageways, entrances, exits, and external surroundings. The digital video recorders are configured to retain the digital recordings for a minimum of 90 days for investigations.
Environmental Safeguards

Overview

To minimize the likelihood of system outages and the effects of disasters on systems and operations, Verizon Terremark has implemented redundant environmental safeguards and backup power systems. The Manager of Data Center Operations and the Facilities Manager at each data center oversee the data center environmental safeguards and backup power management systems. The following section describes the environmental safeguards in place at each data center. Although minor differences exist between each of the data centers, the listed safeguards apply to the data centers in the scope of this report.

Each data center is equipped to maintain continuous operation and protect against environmental extremes. The environment, including temperature and humidity, in each facility is controlled using air-conditioning systems that are regularly maintained. Additional cooling to the data center floor area is provided by multiple computer room air conditioning (CRAC) units. Each unit is attached to several leak detection sensors which are continuously monitored. The CRAC units are supported by multiple redundant water chiller systems. The temperature and humidity are monitored using a centralized monitoring system.

Power

Each Verizon Terremark data center utilizes separate and secure power management and power backup systems. The data centers utilize power from multiple commercial feeds from the local substations. In the event of a brief commercial power failure, the power is backed up by multiple redundant uninterruptible power supply (UPS) systems or continuous power systems (CPS). In the event of a power disruption, each facility's system is able to sustain power to critical areas including infrastructure and customer equipment until the diesel generators are activated.
The redundant diesel generators provide additional power protection should a power disruption last more than a few minutes. The diesel generators can supply the power necessary for site management and can be refueled to power the facility. Generators and UPS systems are maintained and tested in accordance with a maintenance schedule. The electrical system, utility power, and distribution systems are monitored using a centralized monitoring system. The monitoring system generates alarms and alert notifications for possible failure or overloading of the electrical systems.

Fire Detection and Suppression

The environment is protected by a fire detection system with smoke detectors under the raised floor and on the ceiling or above the suspended ceiling, where applicable. The system is equipped with a local display panel and, in some facilities, the alarm signals are automatically transmitted to the local fire authority. In addition, alarm status signals will also be transmitted to the multi-zone pre-action dry pipe fire suppression system. The system has two levels of alarms before water can be released: an individual sprinkler head must fuse and either a smoke or heat detector must activate. Water will then begin to flow at the location of the activated sprinkler head only. This configuration provides protection against accidental discharge of water by requiring two separate conditions to occur before releasing water. In the event of a system malfunction or unnecessary water discharge, the water supply to the sprinkler system can be shut down manually to prevent unnecessary water damage to the equipment located on the data center floor. The data centers are also equipped with Power Off valves at the main data center exit. These Power Off valves can be used to quickly shut down the system in the event of an emergency to prevent unnecessary damage to the equipment. As an additional backup, hand-held fire extinguishers are in place for manual fire suppression.

Monitoring and Inspections

Each of the environmental safeguard and power management systems is monitored on a daily basis and inspected on a regular basis according to a predefined maintenance schedule. Verizon Terremark has developed standardized inspection procedures and schedules for the various systems. An enterprise monitoring system is in place to monitor certain environmental conditions throughout the data centers. The system is configured to alert facilities personnel via e-mail when predefined thresholds are exceeded on monitored systems.

Network Availability

Overview

In order to help ensure that network devices and related services are available for operation and that network problems are identified, investigated, and resolved, Verizon Terremark uses a combination of monitoring tools, procedures and support protocols. Network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities that include the following:

Network communications monitoring and troubleshooting
Malicious Internet activity procedures
NOC functions
Handling failure alerts
Handling site down alerts
Handling warning alerts

Network Operations Centers

Verizon Terremark's Network Operations Centers (NOCs) serve as the central command points for service delivery and oversee day-to-day operations within each data center. Verizon Terremark's NOCs are staffed with support personnel on an ongoing basis.
The continuous staffing schedule is instrumental in supporting customers on a global scale. NOC personnel oversee the enterprise monitoring applications that are in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.

Service Centers

Verizon Terremark's Service Centers (SCs) are the on-site resource centers for Verizon Terremark customers. The SC handles service inquiries and provides support for customers at each of the data center facilities.

Network Device Configuration
Network infrastructure devices are configured with access control lists to allow sessions from only specific hosts within the internal network, and unused ports are disabled to prevent unauthorized access. Management restricts the ability to remotely administer network devices to user accounts accessible by appropriate support personnel. Infrastructure modifications are documented and maintained in the change management system. When an infrastructure configuration change or modification occurs, the details of the change are automatically e-mailed to network operations personnel from the network automation system.

Verizon's security program includes security vulnerability testing on the network backbone and the corporate business systems. Tests that help to ensure the overall security and availability of the network and systems and alignment with the Company policies are performed on a periodic basis. Where technically applicable, Verizon uses a real-time antivirus solution to protect its servers against viruses, worms, Trojan horses and other forms of malicious code that may cause damage.

Business Continuity and Disaster Recovery

Business Continuity is a business-sponsored initiative within Verizon. The Business Continuity Plan is designed to provide immediate response and subsequent recovery from an unplanned business interruption such as a loss of critical business functions, a loss of building access, a physical facility catastrophe, or loss of personnel. The Business Continuity and Emergency Management (BCEM) group coordinates the Business Continuity initiative and sets guidelines for plan development. The recovery plans are reviewed by the BCEM and are exercised by Verizon Terremark executive teams.
A centralized group referred to as the Incident Management Team oversees the response and recovery activities as well as supports the recovery of affected business units. The Incident Management Team provides overall coordination of response and recovery support activities. Once an incident occurs, the Incident Management Team evaluates which response and recovery actions should be invoked based on the priority of the incident. Designated personnel provide centralized support to affected departments in acquiring necessary recovery resources.

Certain User Entity Obligations (CUO)

In designing its system, Verizon has contemplated that certain user entity obligations would be implemented by user organizations to meet certain criteria applicable to security and availability. The user entity obligations are listed in the Description of Criteria, Controls, Tests, and Results of Tests. The list of the user entity obligations presented in the Description of Criteria, Controls, Tests, and Results of Tests is not and should not be considered a comprehensive list of internal controls that should be implemented by the customers of Verizon. Other internal controls may be required at user organizations
Description of Criteria, Controls, Tests, and Results of Tests

Tests Performed of Entity-Level Controls

In planning the nature, timing, and extent of our testing of the controls specified by Verizon Terremark, we considered the aspects of Verizon Terremark's control environment, control activities, risk assessment processes, information and communication and monitoring procedures and performed such procedures as we considered necessary in the circumstances.

Inspected the company's organizational structure, including segregation of functional responsibilities, policy statements, operating manuals, and personnel policies.
Inquired of management, operations, administrative, and other personnel responsible for developing, ensuring adherence to, and applying internal controls.
Observed personnel in the performance of their assigned duties.
Inspected results of the monthly operating performance meetings for a sample of months.
Inspected results of the annual employee performance monitoring process for a sample of employees.
Inspected operations, human resources and information systems policies and procedures.
Inquired of management as to the procedures for formal and informal risk assessments.
Inspected results of the annual formal risk assessment.
Inspected evidence of employee training for a sample of employees.

Criteria and Controls

On the pages that follow, the applicable Trust Services criteria and the controls to meet the criteria have been specified by and are the responsibility of Verizon Terremark. The tests performed by EY (Ernst & Young) and the results of tests are the responsibility of the service auditor.
Security and Availability Policies

S1.00 Policies: The entity defines and documents its policies for the security of its system.
A1.00 Policies: The entity defines and documents its policies for the availability of its system.

Criterion 1 (S1.01 / A1.01)
Security criterion: The entity's security policies are established and periodically reviewed and approved by a designated individual or group.
Availability criterion: The entity's system availability and related security policies are established and periodically reviewed and approved by a designated individual or group.

Criterion 2 (S1.02 / A1.02)
Security criterion: The entity's security policies include, but may not be limited to, the following matters. See Required Policy Components in Appendix A.
Availability criterion: The entity's system availability and related security policies include, but may not be limited to, the following matters. See Required Policy Components in Appendix A.

Controls specified for Criteria 1 and 2: Verizon Terremark has established security and availability policies and practices to help ensure that Verizon Terremark assets are safeguarded and access to Verizon Terremark systems, networks, resources, and data is secured. Policies are reviewed and changes are approved by the Quality Management team before they can be enforced. The policies and procedures include security awareness, security hardening guides, configuration management and patch updates, security best practices, compliance monitoring and incident response guides, physical and environmental requirements, provisioning and authentication of users, data classification, and security risk assessment.
Tests performed: Obtained and inspected the security and availability policies and practices, noting that they included the relevant components and were reviewed and approved by the Quality Management team.
Results: No deviations noted.
Criterion 3 (S1.03 / A1.03)
Security criterion: Responsibility and accountability for developing and maintaining the entity's system security policies, and changes and updates to those policies, are assigned.
Availability criterion: Responsibility and accountability for developing and maintaining the entity's system availability and related security policies, and changes and updates to those policies, are assigned.
Control: Policies are reviewed and changes are approved by the Quality Management team before they can be enforced.
Tests performed: Obtained and inspected the security and availability policies and practices, noting that they included the relevant components and were reviewed and approved by the Quality Management team.
Results: No deviations noted.
Security and Availability Communications

S2.00 Communications: The entity communicates its defined system security policies to responsible parties and authorized users.
A2.00 Communications: The entity communicates its defined system availability policies to responsible parties and authorized users.

Criterion 4 (S2.01 / A2.01)
Security criterion: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.
Availability criterion: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.
Controls: Customer obligations are presented to customers in combination with the Terms and Conditions as part of the customer contract. Customer obligations are reinforced through the Client Portal and are also posted at each data center. Verizon Terremark provides customers with various operational reports through a web-based customer portal.
Tests performed: Inspected the system description, information about Verizon's services, customer obligations and customer reporting functionality on the web-based customer portal. Noted that customer obligations were included in the customer contract and posted at the entrance of the data centers.
Results: No deviations noted.
Criterion 5 (S2.02 / A2.02)
Security criterion: The security obligations of users and the entity's security commitments to users are communicated to authorized users.
Availability criterion: The availability and related security obligations of users and the entity's availability and related security commitments to users are communicated to authorized users.
Controls: Verizon Terremark maintains policies on the corporate intranet site. New employees are required to familiarize themselves with the policies and sign an acknowledgement of their understanding and willingness to comply with these policies. Verizon Terremark sends out a security update/awareness notification every quarter to employees for their review. Verizon has a New Employee Orientation Program which includes a section on security awareness. To complement this program, security awareness posters are deployed in strategic locations throughout the facilities and rotated in location and content. Customer obligations are presented to customers in combination with the Terms and Conditions as part of the customer contract. Customer obligations are reinforced through the Client Portal and are also posted at each data center.
Tests performed: Through inquiry of management and staff, noted that the policies, procedures and reference manuals were provided to employees during the New Employee Orientation Program and were available to staff through the corporate intranet, and that changes were communicated. Inspected evidence of the quarterly security update/awareness notification for a sample of quarters. Noted the presence of security awareness posters throughout the facilities. Inspected the system description, information about Verizon's services, customer obligations and customer reporting functionality on the Client Portal. Noted that customer obligations were included in the customer contract and posted at the entrance of the data centers.
Results: No deviations noted.
Criterion 6 (S2.03 / A2.03)
Security criterion: Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Availability criterion: Responsibility and accountability for the entity's system availability and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Control: Policies are reviewed and changes are approved by the Quality Management team before they can be enforced.
Tests performed: Obtained and inspected the security and availability policies and practices, noting that they included the relevant components and were reviewed and approved by the Quality Management team.
Results: No deviations noted.
Criterion 7 (S2.04 / A2.04)
Security criterion: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.
Availability criterion: The process for informing the entity about system availability issues and breaches of system security and for submitting complaints is communicated to authorized users.
Controls: Management across all departments participates in weekly meetings in order to discuss the status of service delivery or other matters of interest and concern. On a monthly basis, operating performance reports are provided to management to summarize the performance statistics of the various products, including, but not limited to, utilization and problem reporting. Daily alerts are provided to product support personnel regarding problems. Senior management is presented with a summary of operations and future business plans on a quarterly basis.
Documented network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities that include, but are not limited to, the following:
Network communications monitoring and troubleshooting
Malicious Internet activity procedures
NOC functions
Handling failure alerts
Handling site down alerts
Handling warning alerts
An enterprise monitoring application is in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
Tests performed: Through inquiry of management and inspection of evidence, noted that weekly operations meetings were held, monthly operating performance reports were compiled and provided to management, and daily alerts were provided to product support personnel. Through inspection of policies and procedures and inquiry of management, determined that the network monitoring policies and procedures were in place and provided guidance in the prioritization and handling of monitoring alerts and required activities.
Results: No deviations noted.
Criterion 8 (S2.05 / A2.05)
Security criterion: Changes that may affect system security are communicated to management and users who will be affected.
Availability criterion: Changes that may affect system availability and system security are communicated to management and users who will be affected.
Controls: Infrastructure modifications are documented and maintained in a change management system. Management restricts the ability to remotely administer network devices to user accounts accessible by appropriate support personnel.
Tests performed: Inspected a sample of infrastructure modifications, noting that the modifications were documented in the change management system. Inspected the list of individuals with access to remotely administer network devices, noting that access was restricted to user accounts accessible by appropriate support personnel.
Results: No deviations noted.
Security and Availability Procedures

S3.00 Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.
A3.00 Procedures: The entity placed in operation procedures to achieve its documented system availability objectives in accordance with its defined policies.

Criterion 9 (S3.01 / A3.01)
Security criterion: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.
Availability criterion: Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.
Controls: Verizon's security program includes security vulnerability testing on the network backbone and the corporate business systems. Tests that help to ensure the overall security and availability of the network and systems and alignment with the Company policies are performed on a periodic basis.
Documented network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities that include, but are not limited to, the following:
Network communications monitoring and troubleshooting
Malicious Internet activity procedures
NOC functions
Handling failure alerts
Handling site down alerts
Handling warning alerts
An enterprise monitoring application is in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
NOC personnel are available to oversee the enterprise monitoring applications at all times.
(CUO) Customer organizations are responsible for identifying personnel responsible for problem resolution and instructing personnel on the escalation procedures provided by Verizon Terremark.
(CUO) Customer organizations are responsible for notifying Verizon Terremark of changes to their escalation procedures.
(CUO) Customer organizations are responsible for providing up-to-date escalation contact information to Verizon Terremark.
Tests performed: Through inquiry of management and inspection of evidence, noted that a security vulnerability test is performed on a periodic basis. Additionally, noted that the network is monitored on a real-time basis for malicious events and that events are tracked to resolution. Through inspection of policies and procedures and inquiry of management, determined that the network monitoring policies and procedures were in place and provided guidance in the prioritization and handling of monitoring alerts and required activities. Through observation, noted that an enterprise monitoring application was in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure. Inspected the NOC personnel schedule for a sample of weeks, noting that NOC personnel were available to oversee the enterprise monitoring applications at all times.
Results: No deviations noted.

Criterion 10 (S3.02 / A3.05)
Security criterion: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Distribution of output restricted to authorized users.
f. Restriction of access to offline storage, backup data, systems, and media.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Availability criterion: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
Controls: Network infrastructure devices have unused ports disabled to prevent unauthorized access. Network infrastructure devices are configured with access control lists to allow sessions from only specific hosts within the network. Management restricts the ability to remotely administer network devices to user accounts accessible by appropriate support personnel.
Tests performed: Inspected configurations for a sample of network infrastructure devices, noting that unused ports were disabled. Inspected configurations for a sample of network infrastructure devices, noting that access control lists were configured to allow sessions from only specific hosts within the network. Inspected the list of individuals with access to remotely administer network devices, noting that access was restricted to user accounts accessible by appropriate support personnel.
Results: No deviations noted.
Description of, Controls, Tests, # Description e. Restriction of access to offline storage, backup data, systems and media. f. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls). 11 Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers. Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers. S3.03 A3.06 Documented security policies and procedures are in place and communicated to guide personnel in granting, controlling, and monitoring physical access to the data center facilities. Security personnel document the visitor s name, firm represented and the name of the employee authorizing physical access within the visitor access log. Visitors are required to present governmentissued photo-identification in order to obtain a visitor badge. Visitors are required to wear a visitor badge and are escorted and accompanied by authorized personnel throughout sensitive areas. Visitors are required to surrender their visitor badges upon departure from the data center facilities. Through inspection of the security policies and procedures and inquiry of management, determined that the security policies and procedures were in place and communicated to guide personnel in granting, controlling and monitoring physical access to the data center facilities. Through inquiry and inspection of the visitor access logs for a sample of dates at the inscope facilities, determined that security personnel documented the visitor s name, firm represented and the name of the employee authorizing physical access. 
Through inquiry and observation of the visitor badge process at the in-scope facilities, determined that visitors are required to present government-issued photo identification in order to obtain a visitor badge. Through inquiry and observation of the visitor badge process at the in-scope facilities, determined that visitors are required to wear a 31 1304-1059738
Description of, Controls, Tests, # Description Visitor badges are identifiably different from employee badges and do not have physical access capabilities. visitor badge and are escorted and accompanied by authorized personnel throughout sensitive areas. Third-party contractors are required to be escorted and accompanied by an authorized Verizon Terremark employee throughout sensitive areas. Badge access systems have been installed that limit access to sensitive areas. The badge access system logs both successful and unsuccessful access attempts. Access attempts are traceable to specific employee accounts. Predefined physical security zones are utilized to establish role-based access privileges to and throughout the data center facilities. Written documentation and supervisor approval are obtained to add employee physical access privileges. Through inquiry and observation of the visitor badge process at the in-scope facilities, determined that visitors are required to surrender their visitor badges upon departure from the data center facilities. Through inquiry and observation at the in-scope facilities, noted that visitor badges are identifiably different from employee badges. Attempted to access a sample of doors to sensitive areas with a visitor badge at the inscope facilities and noted that access was denied. Inspected access logs noting that attempts were logged. Through inquiry and observation at the in-scope facilities, determined that third-party contractors are required to be escorted and accompanied by an authorized Verizon Terremark employee throughout sensitive areas. Physical security personnel revoke access privileges assigned to terminated employees as part of the employee termination process. Physical access rights are reviewed periodically by management to help ensure that access privileges are assigned to appropriate employees. 
Through inquiry and observation at the in-scope facilities, determined that badge access systems were installed that limited access to sensitive areas. Through inquiry and inspection of access logs at the in-scope facilities, determined that both successful and unsuccessful access attempts were logged in the badge access system and 32 1304-1059738
Description of, Controls, Tests, # Description Administrative access privileges to the badge access system are restricted to user accounts accessible by appropriate personnel. Digital surveillance video cameras are installed to monitor activity to and throughout the data center facilities. Digital surveillance video camera recordings are archived for a minimum of 90 days. The data center facilities are continuously monitored. the attempts were traceable to specific employee accounts. Inspected the physical security zone configurations within the physical access control system for the in-scope facilities and noted that predefined physical security zones were utilized to establish role-based access privileges to and throughout the data center facilities. For a sample of new employees, inspected the physical access reports and written documentation and supervisor approval of physical access privileges. On-site security guards continuously monitor access to the data center facilities and manage visitor access. Customers physical hardware is maintained in locked server racks and cages within the data centers. Badge access cards and physical keys to the server racks and cages located within the data centers are secured. Security incidents are recorded in security patrol logs and investigated. For a sample of terminated employees, inspected the access removal requests and the current physical access lists noting that access was removed. Inspected a sample of periodic physical access rights reviews noting that reviews were performed timely and items identified during the review were resolved. Inspected the list of individuals with administrative access privileges to the badge access system and through inquiry of management and review of the user s job responsibilities, determined that access was restricted to user accounts accessible by appropriate personnel. Through inquiry and observation for the in-scope facilities, determined that digital surveillance 33 1304-1059738
Description of, Controls, Tests, # Description video cameras are installed to monitor activity to and throughout the data center facilities. Through inquiry and inspection for the in-scope facilities, determined that digital surveillance video camera recordings are archived for a minimum of 90 days. Through inquiry and inspection for the in-scope facilities, determined that the data center facilities are continuously monitored. Through inquiry and observation for the in-scope facilities, determined that on-site security guards continuously monitor access to the data center facilities and manage visitor access. Through inquiry and inspection for the in-scope facilities, determined that customers physical hardware is maintained in locked server racks and cages within the data centers. Through inquiry and observation for the in-scope facilities, determined that the badge access cards and physical keys to the server racks and cages located within the data centers are secured. For a sample of dates, inspected the security patrol logs noting that security incidents were recorded and investigated. Deviations noted: For the period of February through August 2013, a periodic review of access was not performed 34 1304-1059738
Description of, Controls, Tests, # Description for the Amsterdam data center. Management s response: Once the deviation was identified that affected only the Q2 2013 quarterly access review, management reinforced the periodic review process with staff. 12 Procedures exist to protect against unauthorized access to system resources. Procedures exist to protect against unauthorized access to system resources. S3.04 A3.07 Customers physical hardware is maintained in locked server racks and cages within the data centers. Badge access cards and physical keys to the server racks and cages located within the data centers are secured. Security incidents are recorded in security patrol logs and investigated. Through inquiry and inspection for the in-scope facilities, determined that customers physical hardware is maintained in locked server racks and cages within the data centers. Through inquiry and observation for the in-scope facilities, determined that the badge access cards and physical keys to the server racks and cages located within the data centers are secured. The data center facilities are continuously monitored. On-site security guards continuously monitor access to the data center facilities and manage visitor access. Network infrastructure devices have unused ports disabled to prevent unauthorized access. Network infrastructure devices are configured with access control lists to allow sessions from only specific hosts within the network. For a sample of dates, inspected the security patrol logs noting that security incidents were recorded and investigated. Through inquiry and inspection for the in-scope facilities, determined that the data center facilities are continuously monitored. Through inquiry and observation for the in-scope facilities, determined that on-site security guards continuously monitor access to the data center facilities and manage visitor access. 
Inspected configurations for a sample of network infrastructure devices noting that unused ports were disabled. 35 1304-1059738
Description of, Controls, Tests, # Description Inspected configurations for a sample of network infrastructure devices noting that access control lists were configured to allow sessions from only specific hosts within the network. No deviations noted. 13 Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software. S3.05 A3.08 Where technically applicable, Verizon uses a real-time antivirus solution to protect its servers against viruses, worms, Trojan horses and other forms of malicious code that may cause damage. Observed evidence of the antivirus solution installed on production servers to protect the servers against viruses, worms, Trojan horses and other forms of malicious code that may cause damage. Procedures exist to protect against infection by computer viruses, malicious codes, and unauthorized software. No deviations noted. 36 1304-1059738
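The two device-level controls that recur under criteria 10 and 12 (unused ports disabled; access control lists allowing management sessions from specific hosts only) were tested by inspecting a sample of device configurations. The script below is an added example of performing that inspection mechanically over a set of configuration files; it is not code from the report or from Verizon. It parses Cisco IOS-style configurations (the device names and configurations are constructed samples), flags interfaces that carry no configuration yet are not shut down, and flags VTY lines whose access-class ACL permits anything broader than a single host. The notion of "unused" is an assumption of the example: a port with nothing but a description.

```python
"""Config audit for two network-device controls: unused interfaces shut down,
and remote management (VTY) sessions restricted by an access-class ACL that
permits only specific hosts. Device names and configs are constructed samples
in Cisco IOS style, not configurations from the report."""
import re

SAMPLE_CONFIGS = {
    # Compliant device: spare port shut down, VTY restricted to two jump hosts.
    "edge-rtr-01": """\
hostname edge-rtr-01
!
ip access-list standard MGMT-HOSTS
 permit 10.20.0.11
 permit 10.20.0.12
 deny any
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1
 description spare
 shutdown
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
""",
    # Non-compliant device: unconfigured port left up, VTY ACL permits any source.
    "dist-sw-07": """\
hostname dist-sw-07
!
ip access-list standard MGMT-ANY
 permit any
!
interface GigabitEthernet1/1
 description customer cage 12
 switchport access vlan 120
!
interface GigabitEthernet1/2
!
line vty 0 4
 access-class MGMT-ANY in
 transport input ssh
""",
}

# A standard-ACL permit naming exactly one host: "permit A.B.C.D",
# "permit host A.B.C.D" or "permit A.B.C.D 0.0.0.0".
SPECIFIC_HOST = re.compile(r"^permit (?:host )?\d+\.\d+\.\d+\.\d+(?: 0\.0\.0\.0)?$")


def parse_blocks(config_text):
    """Split a config into (header, [child lines]); indented lines belong to
    the preceding top-level line, and '!' comment lines are dropped."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def parse_acls(blocks):
    """Collect named ACL entries and single-line numbered ACL entries."""
    acls = {}
    for header, children in blocks:
        named = re.match(r"^ip access-list (?:standard|extended) (\S+)$", header)
        numbered = re.match(r"^access-list (\d+) (.+)$", header)
        if named:
            acls[named.group(1)] = list(children)
        elif numbered:
            acls.setdefault(numbered.group(1), []).append(numbered.group(2))
    return acls


def audit_config(device, config_text):
    """Return a list of findings; an empty list means both controls hold."""
    findings = []
    blocks = parse_blocks(config_text)
    acls = parse_acls(blocks)
    for header, children in blocks:
        if header.startswith("interface "):
            # Assumption: an interface with nothing but a description is unused,
            # and the control requires such ports to be administratively down.
            config = [c for c in children
                      if not c.startswith("description") and c not in ("shutdown", "no shutdown")]
            if not config and "shutdown" not in children:
                findings.append(f"{device}: {header} appears unused but is not shut down")
        elif header.startswith("line vty"):
            access_class = [c for c in children if c.startswith("access-class ")]
            if not access_class:
                findings.append(f"{device}: {header} has no access-class restricting management sessions")
                continue
            acl_name = access_class[0].split()[1]
            if acl_name not in acls:
                findings.append(f"{device}: {header} references undefined ACL {acl_name}")
                continue
            for entry in acls[acl_name]:
                if entry.startswith("permit") and not SPECIFIC_HOST.match(entry):
                    findings.append(f"{device}: {header} ACL {acl_name} permits a non-specific source: '{entry}'")
    return findings


def audit_all(configs):
    return {device: audit_config(device, text) for device, text in configs.items()}


if __name__ == "__main__":
    for device, findings in audit_all(SAMPLE_CONFIGS).items():
        print(device, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

Running it reports nothing for edge-rtr-01 and two findings for dist-sw-07: the unconfigured GigabitEthernet1/2 left up, and the MGMT-ANY access class that permits any source. A sample-based inspection of the kind described in the tests column can only cover a sample; a check like this can be run against every device's configuration on each change.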
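Several of the physical access controls under criteria 11 are statements about records that can be checked against each other: successful badge events are traceable to an account, terminated employees have access revoked, visitor badges carry no physical access capability, and access rights are reviewed periodically (the one deviation in this section is a missing quarterly review). The script below is an added example of those reconciliations, not code from the report or from Verizon; the badge-system export format, badge IDs, accounts, dates and review records are all constructed samples, and the quarters expected in the review period are a parameter of the check.

```python
"""Reconciliation checks for badge-access controls: every granted event is
traceable to a known account, no access is granted to a terminated employee
after the termination date, visitor badges are never granted entry to a
sensitive area, and a periodic access review exists for every facility and
quarter. All identifiers, dates and log lines are constructed samples."""
import re
from datetime import date, datetime

# badge id -> (account it was issued to, badge type)
BADGES = {
    "E1001": ("emp-1001", "employee"),
    "E1042": ("emp-1042", "employee"),
    "V0377": ("visitor-log-377", "visitor"),
}
TERMINATIONS = {"emp-1042": date(2013, 5, 14)}   # account -> termination date
SENSITIVE_ZONES = {"DATA_HALL_A", "MMR"}

# Constructed badge-system export, one event per line (hypothetical format).
BADGE_LOG = """\
2013-05-16T09:12:03 AMS door=DATA_HALL_A badge=E1001 result=granted
2013-05-16T09:14:10 AMS door=DATA_HALL_A badge=E1042 result=granted
2013-05-16T10:02:55 AMS door=DATA_HALL_A badge=V0377 result=denied
2013-05-16T10:03:20 AMS door=LOBBY badge=V0377 result=granted
2013-05-16T11:40:00 AMS door=MMR badge=C4410 result=denied
2013-05-16T12:00:00 AMS door=MMR badge=C4410 result=granted
2013-05-17T08:30:00 AMS door=MMR badge=V0377 result=granted
"""

# Constructed quarterly review records per facility.
REVIEWS = {"AMS": ["2013Q1", "2013Q3"], "MIA": ["2013Q1", "2013Q2", "2013Q3"]}

EVENT_RE = re.compile(r"^(\S+) (\S+) door=(\S+) badge=(\S+) result=(granted|denied)$")


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # a real audit would also count unparseable lines
        ts, site, door, badge, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "site": site,
                       "door": door, "badge": badge, "result": result})
    return events


def audit_events(events, badges, terminations, sensitive_zones):
    """Return findings for granted events. Denied attempts are expected to be
    logged (the control says they are) and are not findings in themselves."""
    findings = []
    for e in events:
        if e["result"] != "granted":
            continue
        where = f"{e['ts']:%Y-%m-%d %H:%M} {e['site']} {e['door']}"
        issued_to = badges.get(e["badge"])
        if issued_to is None:
            findings.append(f"{where}: access granted to badge {e['badge']} not traceable to an account")
            continue
        account, kind = issued_to
        terminated = terminations.get(account)
        if terminated is not None and e["ts"].date() > terminated:
            findings.append(f"{where}: access granted to {account}, terminated {terminated}")
        if kind == "visitor" and e["door"] in sensitive_zones:
            findings.append(f"{where}: visitor badge {e['badge']} granted entry to a sensitive area")
    return findings


def missing_reviews(reviews_by_site, expected_quarters):
    """Facilities with no recorded review for one or more expected quarters."""
    gaps = {}
    for site, done in reviews_by_site.items():
        missing = [q for q in expected_quarters if q not in done]
        if missing:
            gaps[site] = missing
    return gaps


if __name__ == "__main__":
    for finding in audit_events(parse_events(BADGE_LOG), BADGES, TERMINATIONS, SENSITIVE_ZONES):
        print(finding)
    print(missing_reviews(REVIEWS, ["2013Q1", "2013Q2", "2013Q3"]))
```

On the sample data the event check yields three findings (a granted event for an unregistered badge, a granted event for an employee two days after termination, and a visitor badge admitted to the MMR), and the review check reports AMS as missing 2013Q2, the shape of the deviation recorded above. The termination comparison uses a strict "after the termination date" test; whether access on the termination day itself is acceptable is a policy decision, not something the report states.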
Criteria 14 (S3.06 / A3.09)

Security criteria: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.
Availability criteria: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Controls: Verizon Terremark does not administer or access customer devices.

Tests: Verizon Terremark does not administer or access customer devices.
Criteria 15 (S3.07 / A3.10)

Security criteria: Procedures exist to identify, report, and act upon system security breaches and other incidents.
Availability criteria: Procedures exist to identify, report, and act upon system availability issues and related security breaches and other incidents.

Controls:
- Security incidents are recorded in security patrol logs and investigated.
- Documented network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities, which include, but are not limited to, the following:
  - Network communications monitoring and troubleshooting
  - Malicious Internet activity procedures
  - NOC functions
  - Handling failure alerts
  - Handling site down alerts
  - Handling warning alerts
- An enterprise monitoring application is in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
- NOC personnel are available to oversee the enterprise monitoring applications at all times.

Tests:
- For a sample of dates, inspected the security patrol logs, noting that security incidents were recorded and investigated.
- Through inspection of policies and procedures and inquiry of management, determined that the network monitoring policies and procedures were in place and provided guidance in the prioritization and handling of monitoring alerts and required activities.
- Through observation, noted that an enterprise monitoring application was in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
- Inspected the NOC personnel schedule for a sample of weeks, noting that NOC personnel were available to oversee the enterprise monitoring applications at all times.

Results: No deviations noted.
Criteria 16 (S3.08 / A3.11)

Security criteria: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.
Availability criteria: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Controls: Verizon Terremark does not administer or access customer devices.

Tests: Verizon Terremark does not administer or access customer devices.
Criteria 17 (S3.09 / A3.12)

Security criteria: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.
Availability criteria: Procedures exist to provide that issues of noncompliance with system availability and related security policies are promptly addressed and that corrective measures are taken on a timely basis.

Controls:
- Security incidents are recorded in security patrol logs and investigated.
- Documented network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities, which include, but are not limited to, the following:
  - Network communications monitoring and troubleshooting
  - Malicious Internet activity procedures
  - NOC functions
  - Handling failure alerts
  - Handling site down alerts
  - Handling warning alerts
- An enterprise monitoring application is in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
- NOC personnel are available to oversee the enterprise monitoring applications at all times.

Tests:
- For a sample of dates, inspected the security patrol logs, noting that security incidents were recorded and investigated.
- Through inspection of policies and procedures and inquiry of management, determined that the network monitoring policies and procedures were in place and provided guidance in the prioritization and handling of monitoring alerts and required activities.
- Through observation, noted that an enterprise monitoring application was in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
- Inspected the NOC personnel schedule for a sample of weeks, noting that NOC personnel were available to oversee the enterprise monitoring applications at all times.

Results: No deviations noted.
Criteria 18 (S3.10 / A3.13)

Security criteria: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.
Availability criteria: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability and related security policies.

Controls: Infrastructure modifications are documented and maintained in a change management system.

Tests: Inspected a sample of infrastructure modifications, noting that the modifications were documented in the change management system.

Results: No deviations noted.

Criteria 19 (S3.11 / A3.14)

Security criteria: Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.
Availability criteria: Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting availability and security have the qualifications and resources to fulfill their responsibilities.

Controls: Responsibility for security and system availability is appropriately assigned and employees are trained.

Tests: Through inspection of job descriptions and through inquiry and observation, determined that responsibility for security was assigned and employees were trained to perform their duties.

Results: No deviations noted.

Criteria 20 (S3.12 / A3.15)

Security criteria: Procedures exist to maintain system components, including configurations consistent with the defined system security policies.
Availability criteria: Procedures exist to maintain system components, including configurations consistent with the defined system availability and related security policies.

Controls: Infrastructure modifications are documented and maintained in a change management system.

Tests: Inspected a sample of infrastructure modifications, noting that the modifications were documented in the change management system.

Results: No deviations noted.

Criteria 21 (S3.13 / A3.16)

Security criteria: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Availability criteria: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Controls: Infrastructure modifications are documented and maintained in a change management system.

Tests: Inspected a sample of infrastructure modifications, noting that the modifications were documented in the change management system.

Results: No deviations noted.

Criteria 22 (S3.14 / A3.17)

Security criteria: Procedures exist to provide that emergency changes are documented and authorized timely.
Availability criteria: Procedures exist to provide that emergency changes are documented and authorized (including after-the-fact approval).

Controls: Infrastructure modifications are documented and maintained in a change management system.

Tests: Inspected a sample of infrastructure modifications, noting that the modifications were documented in the change management system.

Results: No deviations noted.
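Criteria 18 and 20 through 22 all rest on one control, that infrastructure modifications are recorded in a change management system, and the test was to confirm that a sample of modifications had a record. The opposite direction, starting from the devices and asking whether every observed configuration change has a record, is what a practitioner usually wants, and criteria 22 adds the after-the-fact approval allowed for emergency changes. The script below is an added example of that reconciliation; it is not code from the report or from Verizon. The syslog lines follow the Cisco IOS %SYS-5-CONFIG_I message format, but the device names, users, times, ticket IDs and ticket fields (window, approval time, emergency flag) are constructed and hypothetical, and the 24-hour limit on after-the-fact approval is an assumed policy value.

```python
"""Reconcile device configuration-change events with change records: every
event must fall inside a change window for that device, standard changes must
be approved before execution, and emergency changes may be approved after the
fact but within a bounded time. All identifiers, times and tickets below are
constructed samples; the ticket schema is hypothetical."""
import re
from datetime import datetime, timedelta

# Constructed syslog lines in the form produced by IOS "service timestamps log datetime year".
SYSLOG = """\
Jun 12 2013 02:10:44 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.20.0.11)
Jun 13 2013 14:22:03 dist-sw-07 %SYS-5-CONFIG_I: Configured from console by asmith on vty1 (10.20.0.12)
Jun 14 2013 23:58:10 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.20.0.11)
Jun 20 2013 03:05:31 dist-sw-07 %SYS-5-CONFIG_I: Configured from console by asmith on vty0 (10.20.0.12)
"""

# Constructed change records: implementation window, when approval was
# recorded (None if never), and whether the change was an emergency change.
CHANGES = [
    {"id": "CHG-1001", "device": "edge-rtr-01", "emergency": False,
     "start": datetime(2013, 6, 12, 2, 0), "end": datetime(2013, 6, 12, 4, 0),
     "approved_at": datetime(2013, 6, 11, 16, 0)},
    {"id": "CHG-1005", "device": "edge-rtr-01", "emergency": True,
     "start": datetime(2013, 6, 14, 23, 30), "end": datetime(2013, 6, 15, 1, 0),
     "approved_at": datetime(2013, 6, 15, 9, 0)},
    {"id": "CHG-1007", "device": "dist-sw-07", "emergency": True,
     "start": datetime(2013, 6, 20, 3, 0), "end": datetime(2013, 6, 20, 4, 0),
     "approved_at": None},
]

CONFIG_EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<device>\S+) "
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+)")


def parse_config_events(log_text):
    """Extract (timestamp, device, user) from configuration-change messages."""
    events = []
    for line in log_text.splitlines():
        m = CONFIG_EVENT.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                           "device": m["device"], "user": m["user"]})
    return events


def reconcile(events, changes, emergency_approval_limit=timedelta(hours=24)):
    """Return findings for events with no covering change record, standard
    changes executed before approval, and emergency changes never approved or
    approved later than the assumed limit after execution."""
    findings = []
    for e in events:
        when = f"{e['ts']:%Y-%m-%d %H:%M} {e['device']}"
        covering = [c for c in changes
                    if c["device"] == e["device"] and c["start"] <= e["ts"] <= c["end"]]
        if not covering:
            findings.append(f"{when}: configuration changed by {e['user']} with no change record")
            continue
        for c in covering:
            if c["approved_at"] is None:
                findings.append(f"{when}: {c['id']} executed without a recorded approval")
            elif not c["emergency"] and c["approved_at"] > e["ts"]:
                findings.append(f"{when}: standard change {c['id']} executed before approval")
            elif c["emergency"] and c["approved_at"] > e["ts"] + emergency_approval_limit:
                findings.append(f"{when}: emergency change {c['id']} approved later than "
                                f"{emergency_approval_limit} after execution")
    return findings


if __name__ == "__main__":
    for finding in reconcile(parse_config_events(SYSLOG), CHANGES):
        print(finding)
```

On the sample data the first event is covered by a pre-approved standard change and the third by an emergency change approved the next morning, so neither is reported; the second event has no record at all and the fourth is covered only by an emergency ticket that was never approved, and both are reported. Windows are compared in the device's own clock, so an NTP-synchronised timestamp source matters as much as the records themselves.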
Criteria 23 (A3.02)

Availability criteria: Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

Controls:
- The data centers are protected by fire detection and suppression systems that include the following: fire alarms, smoke and heat detectors, a fire suppression system, and hand-held fire extinguishers.
- An inspection of the fire detection and suppression systems is performed on a periodic basis.
- The data centers are equipped with multiple CRAC (computer room air conditioning) units.
- An inspection of the CRAC units is performed on a periodic basis.
- The CRAC units are supported by multiple redundant water chiller systems.
- An inspection of the water chiller systems is performed on a periodic basis.
- The data center infrastructure is connected to multiple redundant UPS systems to provide temporary backup power in the event of a primary power failure.
- An inspection of the UPS systems is performed on a periodic basis.
- The data centers are equipped with multiple dedicated power generators to provide electricity to the data centers in the event of a power outage.
- An inspection of the power generators is performed on a periodic basis.
- The data centers are equipped with raised flooring.
- The data centers are equipped with a leak detection system to detect water damage in the event of a flood or water leakage.

Tests:
- Through inspection of the in-scope facilities, determined that the data centers are protected by fire detection and suppression systems that include fire alarms, smoke and heat detectors, fire suppression systems and hand-held fire extinguishers.
- Through inspection of the in-scope facilities, determined that an inspection of the fire detection and suppression systems is performed on a periodic basis.
- Through inspection of the in-scope facilities, determined that the data centers are equipped with multiple CRAC units.
- Through inspection of evidence, determined that an inspection of the CRAC units is performed on a periodic basis at the in-scope facilities.
- Through inspection of the in-scope facilities, determined that the CRAC units are supported by multiple redundant water chiller systems.
- Through inspection of evidence, determined that an inspection of the water chiller systems is performed on a periodic basis at the in-scope facilities.
- Through inspection of the in-scope facilities, determined that the data center infrastructure is connected to multiple redundant UPS systems to provide temporary backup power in the event of a primary power failure.
- Through inspection of evidence, determined that an inspection of the UPS systems is performed on a periodic basis at the in-scope facilities.
- Through inspection of the in-scope facilities, determined that the data centers are equipped with multiple dedicated power generators to provide electricity to the data centers in the event of a power outage.
- Through inspection of evidence, determined that an inspection of the power generators is performed on a periodic basis at the in-scope facilities.
- Through inspection of the in-scope facilities, determined that the data centers are equipped with raised flooring.
- Through inspection of the in-scope facilities, determined that the data centers are equipped with a leak detection system to detect water damage in the event of a flood or water leakage.

Results: No deviations noted.
Criteria 24 (A3.03)

Availability criteria: Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity's defined system availability and related security policies.

Controls:
- Verizon Terremark does not administer or access customer devices.
- The Business Continuity and Emergency Management (BCEM) group coordinates the Business Continuity initiative and sets guidelines for plan development. The recovery plans are reviewed by the BCEM and are exercised by Verizon Terremark executive teams.

Tests:
- Verizon Terremark does not administer or access customer devices.
- Through inquiry of management and inspection of the Business Continuity Plan, noted that the Plan was documented and reviewed by the BCEM.

Results: No deviations noted.

Criteria 25 (A3.04)

Availability criteria: Procedures exist to provide for the integrity of backup data and systems maintained to support the entity's defined system availability and related security policies.

Controls: Verizon Terremark does not administer or access customer devices.

Tests: Verizon Terremark does not administer or access customer devices.
Security and Availability Monitoring

S4.00 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.
A4.00 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system availability policies.

Criteria 26 (S4.01 / A4.01)

Security criteria: The entity's system security is periodically reviewed and compared with the defined system security policies.
Availability criteria: The entity's system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.

Controls:
- Management across all departments participates in weekly meetings in order to discuss the status of service delivery or other matters of interest and concern.
- On a monthly basis, operating performance reports are provided to management to summarize the performance statistics of the various products, including, but not limited to, utilization and problem reporting.
- Daily, alerts are provided to product support personnel regarding problems.
- Senior management is presented with a summary of operations and future business plans on a quarterly basis.

Tests:
- Through inquiry of management and inspection of evidence, noted that weekly operations meetings were held, monthly operating performance reports were compiled and provided to management, and daily alerts were provided to product support personnel.

Results: No deviations noted.
Criteria 27 (S4.02 / A4.02)

Security criteria: There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its defined system security policies.
Availability criteria: There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its defined system availability and related security policies.

Controls:
- Management across all departments participates in weekly meetings in order to discuss the status of service delivery or other matters of interest and concern.
- On a monthly basis, operating performance reports are provided to management to summarize the performance statistics of the various products, including, but not limited to, utilization and problem reporting.
- Daily, alerts are provided to product support personnel regarding problems.
- Senior management is presented with a summary of operations and future business plans on a quarterly basis.
- A formal risk assessment is conducted annually by the Company's executive management and is reviewed by the Verizon Audit Committee.

Tests:
- Through inquiry of management and inspection of evidence, noted that weekly operations meetings were held, monthly operating performance reports were compiled and provided to management, and daily alerts were provided to product support personnel.
- Inspected evidence of the annual risk assessment and noted that risks were identified, prioritized and ranked, and that the assessment was reviewed by the Verizon Audit Committee.

Results: No deviations noted.
Criteria 28 (S4.03 / A4.03)

Security criteria: Environmental, regulatory, and technological changes are monitored and their effect on system security is assessed on a timely basis, and policies are updated for that assessment.
Availability criteria: Environmental, regulatory, and technological changes are monitored, and their effect on system availability and security is assessed on a timely basis; policies are updated for that assessment.

Controls: Verizon has implemented measures and procedures in order to identify potential threats of disruption to systems operation that would impair system security and availability, prevent and mitigate threats when commercially practicable, and assess the risks associated with the identified threats.

Tests: Through inquiry of management, noted that Verizon has implemented measures and procedures in order to identify potential threats of disruption to systems operation that would impair system security and availability, prevent and mitigate threats when commercially practicable, and assess the risks associated with the identified threats.

Results: No deviations noted.
Other Information Provided by Verizon Communications, Inc.

APPENDIX A Required Policy Components

Security Components

Number   Security Component Description
S1.2.a   Identifying and documenting the security requirements of authorized users.
S1.2.b   Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements.
S1.2.c   Assessing risks on a periodic basis.
S1.2.d   Preventing unauthorized access.
S1.2.e   Adding new users, modifying the access levels of existing users, and removing users who no longer need access.
S1.2.f   Assigning responsibility and accountability for system security.
S1.2.g   Assigning responsibility and accountability for system changes and maintenance.
S1.2.h   Testing, evaluating, and authorizing system components before implementation.
S1.2.i   Addressing how complaints and requests relating to security issues are resolved.
S1.2.j   Identifying and mitigating security breaches and other incidents.
S1.2.k   Providing for training and other resources to support its system security policies.
S1.2.l   Providing for the handling of exceptions and situations not specifically addressed in its system security policies.
S1.2.m   Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements and other contractual requirements.
S1.2.n   Providing for sharing information with third parties.

Availability Components

Number   Availability Component Description
A1.2.a   Identifying and documenting the system availability and related security requirements of authorized users.
A1.2.b   Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements.
A1.2.c   Assessing risks on a periodic basis.
A1.2.d   Preventing unauthorized access.
A1.2.e   Adding new users, modifying the access levels of existing users, and removing users who no longer need access.
A1.2.f   Assigning responsibility and accountability for system availability and related security.
A1.2.g   Assigning responsibility and accountability for system changes and maintenance.
A1.2.h   Testing, evaluating, and authorizing system components before implementation.
A1.2.i   Addressing how complaints and requests relating to system availability and related security issues are resolved.
A1.2.j   Identifying and mitigating system availability and related security breaches and other incidents.
A1.2.k   Providing for training and other resources to support its system availability and related security policies.
A1.2.l   Providing for the handling of exceptions and situations not specifically addressed in its system availability and related security policies.
A1.2.m   Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements and other contractual requirements.
A1.2.n   Recovering and continuing service in accordance with documented customer commitments or other agreements.
A1.2.o   Monitoring system capacity to achieve customer commitments or other agreements regarding availability.