Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability

Similar documents
SOC 2 Report Seattle, WA (SEF)

SYSTRUST CERTIFICATION REPORT FOR COLLOCATION AND DATA CENTER HOSTING SERVICES FOR THE PERIOD FROM JANUARY 1, 2013 TO DECEMBER 31, 2013

SECTION I: REPORT OF INDEPENDENT SERVICE AUDITORS... 3 SECTION II: MANAGEMENT OF INTERNAP NETWORK SERVICES CORPORATION'S ASSERTION 5

Retention & Destruction

UCS Level 2 Report Issued to

SRA International Managed Information Systems Internal Audit Report

Service Organization Controls 3 Report. Report on Hyland Software, Inc. s OnBase Online Cloud Platform, relevant to Security and Availability

System Description of the Date Center System Relevant to Security and Availability (SOC 3) November 1, 2011 through April 30, 2012

CoreSite A Carlyle Company. 70 Innerbelt Colocation Services

Information for Management of a Service Organization

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Report of Independent Auditors

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability

Ayla Networks, Inc. SOC 3 SysTrust 2015

Understanding Sage CRM Cloud

Report of Independent Accountants. To the Management of Verizon Communications Inc. Verizon Business IP Application Hosting:

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

Autodesk PLM 360 Security Whitepaper

SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES BROADRIVER INC. AUGUST 1, 2014 TO JULY 31, 2015

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Service Organization Control 1 Type II Report

Tel: Fax: ey.com. Report of Independent Auditors

Exhibit to Data Center Services Service Component Provider Master Services Agreement

Austin Independent School District Police Department Policy and Procedure Manual

Remote Guarding. The traditional guarding functions that you depend on can now be performed remotely.

DISASTER RECOVERY. Omniture Disaster Plan. June 2, 2008 Version 2.0

SOC 3 for Security and Availability

vcloud SERVICE Virtual Tech in partnership with Equinix - vcloud Service

Powering the Cloud Desktop: OS33 Data Centers

INDEPENDENT PRACTITIONER S TRUST SERVICES REPORT LIQUID WEB, INC.

SITECATALYST SECURITY

IT - General Controls Questionnaire

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Customs-Trade Partnership Against Terrorism (C-TPAT) Security Guidelines for Suppliers/Shippers

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Hosted Testing and Grading

System Security Plan University of Texas Health Science Center School of Public Health

Tom J. Hull & Company Type 1 SSAE

Auditing in an Automated Environment: Appendix C: Computer Operations

Data Center Overview Document

FormFire Application and IT Security. White Paper

ABBVIE C-TPAT SUPPLY CHAIN SECURITY QUESTIONNAIRE

MARULENG LOCAL MUNICIPALITY

Information Technology Internal Audit Report

Report on FTHC, LLC d/b/a Miami Data Vault s Description of its Data Center System and on the Suitability of the Design and Operating Effectiveness

StratusLIVE for Fundraisers Cloud Operations

REVIEWED ICT DATA CENTRE PHYSICAL ACCESS AND ENVIROMENTAL CONTROL POLICY

Data Center Build vs. Buy

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Service Organization Control Reports

Major Risks and Recommended Solutions

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

Service Organization Control 3 Report

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

Supply Chain Security Audit Tool - Warehousing/Distribution

Independent Accountants Report

Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

CVS HEALTH CORPORATION A Delaware corporation (the Company ) Audit Committee Charter Amended as of September 24, 2014

DETAIL AUDIT PROGRAM Information Systems General Controls Review

Return the attached PPG Supply Chain Security Acknowledgement by , fax, or mail within two weeks from receipt.

Title: Design of a Shared Tier III+ Data Center: A Case Study with Design Alternatives and Selection Criteria

White paper. SAS Solutions OnDemand Hosting Overview

Itron Cloud Services Offering

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

IBX Business Network Platform Information Security Controls Document Classification [Public]

HealthcareBookings.com Security Set Up

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

CDW Advanced Image Deployment Service Customer Guide

Data Management Policies. Sage ERP Online

SECURITY FAQs Vunetrix Network Monitor Hosted Service. ver Revision: 1.2 Updated: April P a g e

welcome to Telect s Minimum Security Criteria for Customs-Trade Partnership Against Terrorism (C-TPAT) Foreign Manufacturers Training Presentation

Security Systems Surveillance Policy

Network Router Monitoring & Management Services

SOFTLAYER TECHNOLOGIES, INC.

OCDC. OMNIconnect Data Centre.

Rotherham CCG Network Security Policy V2.0

I. EXECUTIVE SUMMARY. Date: June 30, Sabina Sitaru, Chief Innovation Officer, Metro Hartford Innovation Services

ClickTale Security Standards and Practices: Delivering Peace of Mind in Digital Optimization

Appendix D to DIR Contract No. DIR-SDD SYNNEX Corporation STATEMENT OF WORK / SUPPLEMENTAL AGREEMENT for <DIR CUSTOMER> END USER SERVICES

Transcription:

15301 Dallas Parkway, Suite 960, Addison, TX 75001 MAIN 214 545 3965 FAX 214 545 3966 www.bkmsh.com Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability For the Period:

Table of Contents Section 1 - Independent Service Auditors Report... 4 Section 2 - Opus Fortunantus Three, LLC's Assertion Regarding the Effectiveness of Its Controls Over the Data Center Colocation System Based on the Trust Services Principoles and Criteria for Secuirty and Availability... Section 3 - System Description of the Opus-3 Data Center Colocation System...

Section I Independent Auditor s Report

Independent Service Auditors Report To Opus Fortunatus Three, LLC ( OPUS-3 ) Accountants + Consultants 15301 Dallas Parkway Suite 960 Addison, Texas 75001 MAIN 214 545 3965 FAX 214 545 3966 www.bkmsh.com We have examined management s assertion that Opus Fortunatus Three, LLC s ( Opus-3 or the Company ), during the period from June 1, 2014 to May 31, 2015, maintained effective controls based on the AICPA Trust Services Security and Availability Criteria to provide reasonable assurance that: The Opus-3 Data Center Colocation System was protected against unauthorized access (both physical and logical); and The Opus-3 Data Center Colocation System was available for operation and use, as committed and agreed based on the criteria for the security and availability principles set forth in the AICPA s TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (Trust Services Security Criteria). This assertion is the responsibility of Opus-3 s management. Our responsibility is to express an opinion of such assertion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included: (1) obtaining an understanding of Opus-3 s relevant security and availability controls; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of inherent limitations in controls, error or fraud may occur and go undetected. Furthermore, the projection of any conclusions contained within this report to future periods is subject to the risk that the validity of such conclusions may be weakened as a result of changes made in, or a failure to make needed changes to, the system or controls utilized, as well as deterioration in the degree of effectiveness of such controls. In our opinion, Opus-3 s management assertion referred to above is fairly stated, in all material respects, based on the AICPA Trust Services Security and Availability Criteria. BKM Sowan Horan, LLP Addison, Texas November 12, 2015

Section II Management s Assertion and Data Center Colocation System Description Provided by Opus Fortunatus Three, LLC

Opus Fortunatus Three, LLC s Assertion Regarding the Effectiveness of Its Controls Over the Data Center Colocation System Based on the Trust Services Principles and Criteria for Security and Availability Opus-3 maintained effective controls over the security and availability of its Data Center Colocation System to provide reasonable assurance that, for the period from June 1, 2014 to May 31, 2015, and based on the AICPA Trust Services Criteria for Security and Availability located at www.aicpa.org: The Opus-3 Data Center Colocation System was protected against unauthorized access (both physical and logical); and The Opus-3 Data Center Colocation System was available for operation and use, as committed and agreed. Our attached System Description summarizes those aspects of this System covered by our assertion. /s/ George Lollis, President/CEO Opus Fortunatus Three, LLC November 12, 2015-4 -

Section 3: Description of Opus-3 s Data Center Colocation System For the Period June 1, 2014 to May 31, 2015 Background Opus-3 offers a data center colocation solution that allows companies to house their voice, computing, and networking equipment within a highly connected, redundant, and secure facility. Located in Dallas, Texas and established in 2011 Opus-3 has become one of the most trusted and stable facilities at which to colocate. Data center colocation services enable both small and medium-sized companies to leverage a large company infrastructure, be cost-effective, and build their information technology services on a solid foundation of power and connectivity. Colocation Services are also ideal for creating a centralized computing location for companies with distributed physical locations. The Opus-3 Data Center Colocation Services System is comprised of the following five components: Infrastructure (facilities, equipment, and networks); Software (systems, application, and utilities); People (developers, operators, and users); Procedures (automated and manual); and Data (transaction streams, files, databases, and tables). The remainder of this Section defines each of the five components listed above. Infrastructure The key infrastructure supporting Opus-3 s Data Center Colocation System consists of routers and switches for the distribution of network connectivity. Multiple fiber connections are in place to provide carrier neutral services and cross connect capabilities via the meet me room. Multiple carrier points of presence and redundant high availability Cisco 7609 core routers provide redundancy within the delivery of their data services. The data center s power supplies are supported by generators and Uninterruptible Power Supply ( UPS ) systems. Multiple Computer Room Air Conditioning ( CRAC ) units are in place to cool the data centers. The personnel that support the data center are on-site at the facilities weekdays from 7am to 6pm. Opus-3 relies on formal internal control policies and procedures to manage this infrastructure, and data center access is restricted to only authorized personnel by employing on-site security, video surveillance, key cards, biometric readers, and password security. - 5 -

Software The following provides a summary of the systems used in the delivery of data center colocation services: SolarWinds Monitoring System is used to monitor issues related to network utilization, physical access, and key infrastructure devices and services; Room Alert is used to monitor alerts related to temperature concerns; Ubersmith is used as the service desk management and customer relationship management system; C-Cure Access Control system is used to manage key card access throughout the facilities; and Hand reader devices are used to manage biometric access. People Personnel involved in the operation and use of the system include: Executive Management: Responsible for providing execution of business objectives and strategic direction. The Chief Financial Officer manages all financial aspects of the Company and the Chief Operating Officer manages operational and engineering activities throughout the Company. Both CFO and COO report to the Company s board of directors. Facilities Management: Provides complete administration of the OPUS-3 data center. The facility s policies are closely aligned with the Information Technology Infrastructure Library (ITIL) guidelines for incident management, change management, and Service Desk. Individual Facility Managers report directly to the Chief Operating Officer. Finance and Administration: Coordinates all aspects of OPUS-3 s Services operations, including service billing. Human Resources: Conducts background, credit, and security checks on OPUS-3 personnel prior to employment. Human Resources provides a mandatory orientation program to all employees. The confidentiality of customer and facility information is stressed during the new- employee orientation program and is also addressed in the employee handbook issued to each employee. New employees are given the necessary job training to meet the expectations of their positions including security, confidentiality and compliance requirements. Sales and Marketing: Provides analysis for new business prospects and new service offerings. Supports Company market position and brand/image management through a variety of marketing tactics. Develops and manages customer relationships. - 6 -

Procedures Executive and operations management personnel maintain documented automated and manual standard operating procedures involved in the operation of Opus-3 s Data Center Colocation system that include: Company Handbook; Network Operations Center ( NOC ) operations policy; Service level agreement; Acceptable use policy; Privacy policy; Rules and regulations; Cable management procedure; New client/equipment installations; Door and alarm procedures; Customer removal procedures; Generator load test procedures; and Shipment arrival and storage procedure. Control activities have been placed into operation to help ensure that the actions are carried out properly and efficiently. Control procedures serve as mechanisms for managing the achievement of control activities, and are a part of the process by which Opus-3 strives to achieve its business objectives. Opus-3 has applied a risk management approach to the organization in order to select and develop control procedures. After relevant risks have been identified and evaluated, controls are established, implemented, monitored, reviewed, and improved when necessary to meet the applicable trust services criteria and the overall objective of the organization. Access to the data centers is restricted through the use of key card and hand scan readers. Opus-3 data centers are monitored by a digital surveillance system and displayed within the NOC; the cameras which comprise the digital surveillance system are positioned to record activities at facility entrances and throughout each room. Visitors are required to show proper identification and to sign a visitors log, and are escorted by a NOC engineer while on the premises. Digital surveillance footage of at least 30 days is available for ad hoc review. Customer access to the Opus-3 facilities is permitted 24x7 and 365 days a year. Customer access is provided through a formal authorization process, requiring the approval of the primary customer contact and Management. The Opus-3 data center is equipped with a FM-200 smoke/fire detection and suppression system. The environmental protection consists of smoke detectors, fire alarms, and fire extinguishers. A third party vendor performs annual preventative maintenance inspections to - 7 -

ensure that the fire detection and suppression systems are in proper working order. Opus-3 environmental conditions and systems are monitored continuously using its enterprise monitoring systems. Computer operations are the primary responsibility of the Director of Operations. The Opus-3 data center is staffed on-site weekdays from 8am to 6pm with on-call after-hours staff available in case of emergency. Incidents are formally logged, tracked, and resolved using Opus-3 s online ticketing system. Customer complaints and other issues are promptly handled via the online ticketing system and personal contact by management staff. Major customer-facing issues are reported to the CEO for discussion and further approval of responsive action. New clients are required to provide Opus-3 with the names and contact information of those authorized to gain access to such client s equipment. Opus-3 requires each client to submit a service ticket or e-mail from an authorized account prior to changes being made to their approved contact listing. Changes to a client s list of those authorized to gain access to such client s equipment requires submission of a written notification to the Opus-3 operations center. Upon receipt of such written notification, Opus-3 personnel verify the validity of the request by checking the client credentials against pre-approved client contact tables prior to making modifications to records. Data Neither the Opus-3 Data Center Colocation System, nor its employees, has control or logical access to customer-specific hardware, operating systems, databases, applications, or any other data loaded on the customer s hardware. System Boundaries System boundaries, pertaining to collection, use, retention, disclosure, and disposal or anonymization or personalization of data, are governed by contract provisions for particular service engagements. - 8 -

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information