Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability



Similar documents
FormFire Application and IT Security. White Paper

Service Organization Controls 3 Report

IBX Business Network Platform Information Security Controls Document Classification [Public]

Service Organization Controls 3 Report

Addressing Cloud Computing Security Considerations

Report of Independent Auditors

White Paper: Librestream Security Overview

Tel: Fax: ey.com. Report of Independent Auditors

Keyfort Cloud Services (KCS)

UCS Level 2 Report Issued to

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Autodesk PLM 360 Security Whitepaper

SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability

SOC 2 Report Seattle, WA (SEF)

Security from a customer s perspective. Halogen s approach to security

Oracle Cloud Enterprise Hosting and Delivery Policies Effective Date: June 1, 2015 Version 1.5

VMware vcloud Air HIPAA Matrix

QAD CLOUD EDI PROGRAM DOCUMENT

INDEPENDENT PRACTITIONER S TRUST SERVICES REPORT LIQUID WEB, INC.

IT - General Controls Questionnaire

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Security and Managed Services

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Report of Independent Accountants. To the Management of Verizon Communications Inc. Verizon Business IP Application Hosting:

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Injazat s Managed Services Portfolio

Supplier Security Assessment Questionnaire

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 13 Business Continuity

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

StratusLIVE for Fundraisers Cloud Operations

DISASTER RECOVERY WITH AWS

White Paper How Noah Mobile uses Microsoft Azure Core Services

Designtech Cloud-SaaS Hosting and Delivery Policy, Version 1.0, Designtech Cloud-SaaS Hosting and Delivery Policy

the limits of your infrastructure. How to get the most out of virtualization

Privacy + Security + Integrity

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Ayla Networks, Inc. SOC 3 SysTrust 2015

SECTION I: REPORT OF INDEPENDENT SERVICE AUDITORS... 3 SECTION II: MANAGEMENT OF INTERNAP NETWORK SERVICES CORPORATION'S ASSERTION 5

Projectplace: A Secure Project Collaboration Solution

Exhibit to Data Center Services Service Component Provider Master Services Agreement

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

SNAP WEBHOST SECURITY POLICY

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Security Controls for the Autodesk 360 Managed Services

Stone Vault, LLC SOC 1 (SSAE NO. 16) TYPE 1 REPORT ON CONTROLS PLACED IN OPERATION FOR TAX RETURN AND FINANCIAL STATEMENT PORTAL SERVICES

SRA International Managed Information Systems Internal Audit Report

Security Policy JUNE 1, SalesNOW. Security Policy v v

KeyLock Solutions Security and Privacy Protection Practices

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Security Whitepaper: ivvy Products

SITECATALYST SECURITY

Qualification Guideline

Microsoft s Compliance Framework for Online Services

Is Your IT Environment Secure? November 18, Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting

Supplier Information Security Addendum for GE Restricted Data

Retention & Destruction

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM

SOC 3 for Security and Availability

Service Organization Control (SOC) 3 Report

Information for Management of a Service Organization

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

7QUESTIONSYOUNEEDTOASKBEFORE CHOOSINGACOLOCATIONFACILITY FORYOURBUSINESS

5054A: Designing a High Availability Messaging Solution Using Microsoft Exchange Server 2007

Comodo Certificate Manager. Centrally Managing Enterprise Security, Trust & Compliance

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

EOH Cloud Services - EOH Cloud Backup - Server

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Cybersecurity and internal audit. August 15, 2014

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Birst Security and Reliability

VA Office of Inspector General

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

SAS 70 Type II Audits

<cloud> Secure Hosting Services

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Xerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk

At a Glance. Key Benefits. Data sheet. A la carte User Module. Administration. Integrations. Enterprise SaaS

Does it state the management commitment and set out the organizational approach to managing information security?

CoreSite A Carlyle Company. 70 Innerbelt Colocation Services

VMware vcloud Air Security TECHNICAL WHITE PAPER

Vistara Lifecycle Management

Transcription:

Service Organization Controls 3 Report Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability for the period May 1, 2015 through October 31, 2015

Ernst & Young LLP Suite 1800 950 Main Avenue Cleveland, OH 44113-7214 Tel: +1 216 861 5000 Fax: +1 216 583 2013 ey.com Report of Independent Accountants To The Board of Directors Hyland Software, Inc. We have examined management s assertion that Hyland Software, Inc. (Hyland), during the period May 1, 2015 through October 31, 2015, maintained effective controls to provide reasonable assurance that: the OnBase Online Cloud Platform was protected against unauthorized access, use, or modification the OnBase Online Cloud Platform was available for operation and use, as committed or agreed based on the criteria for security and availability in the American Institute of Certified Public Accountants TSP Section 100, Trust Services Principles and Criteria, for Security, Availability, Processing Integrity, Confidentiality, and Privacy. This assertion is the responsibility of Hyland s management. Our responsibility is to express an opinion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of Hyland s relevant security and availability controls, (2) testing and evaluating the operating effectiveness of the controls and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls or a deterioration in the degree of effectiveness of the controls. In our opinion, Hyland s management s assertion referred to above is fairly stated, in all material respects, based on the aforementioned criteria for security and availability. December 21, 2015 1 A member firm of Ernst & Young Global Limited

Management Assertion Regarding the Effectiveness of Its Controls Over the OnBase Online Cloud Platform Based on the Trust Services Principles and Criteria for Security and Availability December 21, 2015 Hyland Software, Inc. s (Hyland s) OnBase Online Cloud Platform helps organizations streamline their document and content management processes and share information among employees, partners, and customers. Hyland uses carved-out subservice organizations, AT&T and BlueBridge Networks, to provide internet connectivity and environmental controls to support the OnBase Online Cloud Platform. Hyland asserts that it has maintained effective controls over the Security and Availability of its OnBase Online Cloud Platform to provide reasonable assurance that: the OnBase Online Cloud Platform was protected against unauthorized access, use, or modification the OnBase Online Cloud Platform was available for operation and use, as committed or agreed during the period May 1, 2015 through October 31, 2015, based on the criteria for the security and availability principles set forth in the AICPA s TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy), if the aforementioned subservice organizations maintained effective controls throughout the period May 1, 2015 to October 31, 2015. Our attached System Description of the OnBase Online Cloud Platform identified the aspects of the OnBase Online Cloud Platform covered by our assertion and describes the controls expected to be implemented at the subservice organizations. Global Cloud Services Management Hyland Software, Inc. 28500 Clemens Road T: 440.788.5000 www.onbase.com Westlake, Ohio 44145 2

Hyland s OnBase Online Cloud Platform Background Established in 1991, Hyland Software, Inc. (Hyland) is the developer of OnBase, an Enterprise Content Management (ECM) solution designed to help organizations streamline their document and content management processes and share information among employees, partners, and customers. Hyland is based in Westlake, Ohio. The OnBase ECM software electronically captures and manages everything from paper reports to web content. It is used by customers in industries ranging from financial services and government to manufacturing and health care. In addition to its core solutions, Hyland also offers specific add-on modules for functions such as business process automation, digital imaging and capturing and records management. Customers utilize these OnBase solutions to fulfill a variety of business needs, including information consumption, streamlining business needs with a high degree of reliability and integrity. Hyland leverages the OnBase Online Cloud Platform (Platform) to deliver hosted OnBase ECM solutions. These hosted OnBase solutions reside on servers that are owned and managed by Hyland. The Platform is co-located within N+1 redundant data centers that are owned and operated by third-party Internet Service Providers (ISPs), AT&T and BlueBridge. These ISPs provide internet connectivity, physical security components, power, and environmental systems and services to the Platform. Customers securely access their hosted OnBase solution from the Internet using encrypted network protocols including secure sockets layer (SSL), transport layer security (TLS), and/or secure file transfer (SFTP). Services covered by this report The Platform is comprised of components such as network devices, servers and software that are physically installed and operating within its defined system which is limited to components such as network drives, servers, and software that are physically installed and operating within Hyland s internet-enabled network infrastructure, and its process boundaries, which are limited to those that are executed by a Hyland employee, an authorized third-party, or processes that are executed within their established system boundaries. For the purposes of this report, the Platform s system boundary does not include the internet connectivity, power, physical security components of the data centers, and environmental systems and services provided by third-party Internet Service Providers (ISPs) that own and operate the data centers in which the Platform is co-located. These components of the Platform are addressed within Service Organization Controls reports published by these data center providers, which are available to Hyland s customers upon request. Additionally, any instances of an OnBase hosted solution that is used for non-production workloads are also explicitly identified as being outside of the Platform s system boundaries. This includes systems that are used exclusively for pilot, demo, testing, or development purposes. 3

Components of the Platform Providing the Defined Services Infrastructure Hosting services are provided to customers through an internet-enabled network infrastructure that is owned and operated by Hyland. The system components associated with this network infrastructure are physically located within data centers that are owned and operated by third-party Internet Service Providers (ISP). These ISPs provide internet connectivity, physical security components, power and environmental systems and services to the Platform. Hyland installs servers within each data center on an as-needed basis. Hyland owns and operates these servers. This includes, but is not limited to, web, application, file and database servers. A variety of peripheral devices are also used. This may include, but is not limited to, network appliances, disk drives, and keyboard video monitor switches which are also owned and operated by Hyland. People Hyland s OnBase Online Cloud Platforms organization structure provides a framework for planning, executing, and controlling business operations. Executive and senior leadership play important roles in establishing the Company s tone and core values. The organizational structure assigns roles and responsibilities to provide for adequate staffing, security, efficiency of operations, and segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. The administration and other hosting services of the Platform environment is provided by Hyland employees. Employees are screened and qualified before a job position is offered. Hyland maintains written job descriptions/plans specifying the responsibilities and corresponding academic and professional requirements for key job positions to determine that current and prospective employees have the qualifications and skill level necessary to perform the job successfully. All employees are informed of their security-related responsibilities before access to the Platform is provisioned. Policy and security-related training is provided on an annual basis. Procedures All Hyland employees are expected to adhere to company-wide, departmental, and position-specific procedures that define how hosting services should be delivered. These procedures are documented within Hyland s Employee Process Manual, and are provided upon hiring and then can be accessed by appropriate personnel. Data Data, as defined herein, constitutes the following: Files owned by a customer that are stored within the OnBase software s disk groups. Disk groups are configured to write electronic documents to a primary network attached storage device or file server. Files owned by a customer that have been transferred to the Platform s SFTP (Secure File Transfer Protocol) systems. Meta-data owned by a customer that is stored within the OnBase software s database. The database is configured to store data files and transaction log files to redundant array of inexpensive disks (RAID). Platform customers retain control and ownership of their own data. Customers are responsible for the development, content, operation, maintenance, and use of their content. The Platform is designed to prevent customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software. The Director of Global Cloud Services (GCS) maintains documented policies for the Platform. Policies are reviewed and, if necessary, updated annually. All policies are maintained within Hyland s Employee Process Manual and are accessible by appropriate personnel. Availability and Incident Handling The Platform is architected in a manner to maintain availability of its services through defined programs, processes, and procedures. Hyland employees monitor the network using both automated and traditional means. Predefined events (e.g., ping failures, full drive, missing application heartbeats) generate alerts that are delivered to Hyland personnel on a 24/7 basis. 4

Users are instructed to contact the Hyland Technical Support Team and report any suspected availability incidents. The Hyland Technical Support Team will interview the user and gather information to assess the event as to whether it is a malfunction or a possible service failure. If it is determined that the event represents a potential service failure, Hyland employees follow documented escalation procedures. All availability incidents are investigated promptly and thoroughly by individuals who are qualified to perform this task. All availability incidents are documented and reviewed within de-escalation procedures conducted by the Global Cloud Services Management Team. Once normal business operations have been restored after a service failure, Hyland will deliver a summary report to the applicable impacted customers. Information contained within this report will include, but is not limited to, when the incident occurred, when normal business operations were restored, the root cause of the incident, the technical effect of the incident, an accounting of actions taken to restore service, and a description of any outstanding remediation plans that have been approved by the GCS Management Team. The Platform is architected in a manner to maintain availability of its services through defined programs, processes, and procedures. The disaster recovery plan encompasses the processes and procedures by which Hyland identifies, responds to, and recovers from a major event or incident within the environment. This program builds upon the traditional approach of addressing contingency management, incorporating elements of business continuity and disaster recovery plans while expanding to consider critical elements of proactive risk mitigation strategies. Contingency plans and incident response procedures are maintained to reflect emerging continuity risks and lessons learned. Plans are tested and updated through the course of business and the disaster recovery plan is annually reviewed and approved by senior leadership. Hyland has identified critical system components required to maintain the availability of the system and recover services in the event of an outage. These components are replicated across multiple co-location data centers; backups are maintained and monitored to ensure successful replication. Service usage is continuously monitored, protecting infrastructure needs and supporting availability commitments and requirements. Additionally, GCS maintains a capacity planning model to assess infrastructure usage and demands. Subservice Organizations OnBase Online owns and operates an internet-enabled network infrastructure. The platform components associated with this network infrastructure are physically located within data centers that are owned and operated by Internet Service Providers (ISPs). These ISPs provide internet connectivity, physical security components, power, and environmental systems and services. GCS installs servers within the co-location data centers on an as-needed basis to this internet-enabled network infrastructure. GCS owns and operates these servers. This includes, but is not limited to, web, application, file, and database servers. A variety of peripheral devices are also used. The accompanying Hyland Software, Inc. s Management Assertion includes only the controls of Hyland. It excludes the controls of the data centers in which Hyland co-locates their network infrastructure, specifically controls around the network connectivity, power, physical security and environmental services provided by the third-party ISP. The achievement of Management s Assertion on the applicable trust services criteria and related controls of Hyland is dependent on the following controls being in place at the third-party ISP. 5

Subservice Organization Controls Expected To Meet Applicable Related Trust Services Principles and Criteria for Security and Availability Subservice organizations are responsible for implementing environmental controls to promote continuity of operations, including, but not limited to, cooling systems, fire detection and suppression systems, uninterruptible power supply (UPS) and emergency power supply (EPS). Subservice organizations are responsible for implementing controls to periodically test the environmental controls. Subservice organizations are responsible for implementing controls to restrict access to only authorized users, as defined by the preauthorized access listings provided by the Cloud Services Management Team. Subservice organizations are responsible for implementing controls to maintain logs of access card usage. Subservice organizations are responsible for implementing controls to define procedures for the escalation of physical security breaches. Subservice organizations are responsible for implementing controls to restrict access to only authorized users, as defined by the preauthorized access listings provided by the Cloud Services Management Team. Subservice organizations are responsible for implementing controls to maintain logs of access card usage. Subservice organizations are responsible for implementing controls to identify potential threats of disruption to systems operation and assess the risk associated with the identified threats. Subservice organizations are responsible for implementing controls to identify potential threats of disruption to system availability as related to the physical environment, including such threats as power failure, fire, flood, and excessive heat and humidity. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information