SOC 3 for Security and Availability




SOC 3 for Security and Availability
Independent Practitioner's Trust Services Report
For the Period October 1, 2013 through September 30, 2014
Independent SOC 3 Report for the Security and Availability Trust Principles for Everbridge, Inc.

EVERBRIDGE, INC. INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT SOC 3

Table of Contents

SECTION ONE: INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT
SECTION TWO: EVERBRIDGE, INC.'S ASSERTION REGARDING ITS MASS NOTIFICATION SYSTEM
SECTION THREE: DESCRIPTION OF EVERBRIDGE, INC.'S MASS NOTIFICATION SYSTEM
    1 OVERVIEW OF THE EVERBRIDGE OPERATIONS
    2 OVERVIEW OF THE SYSTEM AND APPLICATIONS

SECTION ONE: INDEPENDENT PRACTITIONER'S TRUST SERVICES REPORT

To the Management of Everbridge, Inc.:

Scope

We have examined management's assertion that during the period October 1, 2013 through September 30, 2014, Everbridge, Inc. (the "Company") maintained effective controls over its Mass Notification system, based on the American Institute of Certified Public Accountants ("AICPA") and Canadian Institute of Chartered Accountants ("CICA") trust services security and availability criteria to provide reasonable assurance that:

- the system was protected against unauthorized access (both physical and logical); and
- the system was available for operation and use, as committed or agreed.

The Company is responsible for this assertion. Our responsibility is to express an opinion based on our examination. The Company management's description of the aspects of the Mass Notification system covered by its assertion is outlined within the report.

Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included (1) obtaining an understanding of the Company's relevant controls over security and availability of the Mass Notification system; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary during our examination. We believe that our examination provides a reasonable basis for our opinion.

Because of the nature and inherent limitations of controls, the Company's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct, errors or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, the Company's assertion referred to above is fairly stated, in all material respects, based on the AICPA and CICA trust services security and availability criteria.

Everbridge's use of the SysTrust for Service Organizations Seal constitutes a symbolic representation of the contents of this report and is not intended, nor should it be construed, to update this report or provide any additional assurance.

SSAE 16 Professionals, LLP
December 15, 2014
Orange, California

SECTION TWO: EVERBRIDGE, INC.'S ASSERTION REGARDING ITS MASS NOTIFICATION SYSTEM

December 15, 2014

During the period October 1, 2013 through September 30, 2014, the Company, in all material respects, maintained effective controls over the Mass Notification system, as defined by the System Description attached within the report, to provide reasonable assurance that:

- the system was protected against unauthorized access (both physical and logical); and
- the system was available for operation and use, as committed or agreed.

Further, the Company confirms, to the best of our knowledge and belief, that the controls related to the trust services criteria were suitably designed and operating effectively during the period October 1, 2013 through September 30, 2014, to achieve those control objectives. The criteria we used in making this assertion were that:

- the risks that threaten the achievement of the controls related to the trust services criteria have been identified by the Company; and
- the controls related to the trust services criteria would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the trust services criteria from being achieved.

Everbridge, Inc.

SECTION THREE: DESCRIPTION OF EVERBRIDGE, INC.'S MASS NOTIFICATION SYSTEM

1 Overview of the Everbridge Operations

Everbridge Inc., founded in 2002 and based in Glendale, CA, is the world's recognized leader in unified critical communications. It merges technology with industry expertise to help millions of people communicate in a crisis, manage operational incidents and connect on a daily basis. The company's notification platform and incident lifecycle communications model makes communicating to many as simple and effective as communicating to one.

2 Overview of the System and Applications

System Overview

The System is comprised of the following components:

- Infrastructure: the physical and virtual components of a Hybrid Cloud (facilities, servers, storage, and networks);
- Software: the programs and operating software of a system (systems, applications, and utilities);
- People: the personnel involved in the operation and use of a system (developers, operators, users, and managers);
- Procedures: the automated and manual procedures involved in the operation of a system; and
- Data: the information used and supported by a system (transaction streams, files, databases, and tables).

Infrastructure

Everbridge employs multiple data centers for all its test and production systems in an active-active configuration. Data is continuously replicated between the various sites, and each site can provide the full range of Everbridge services. If service is disrupted at any site, all traffic is dynamically rerouted to another site so that Everbridge's systems remain constantly available. Every system in the infrastructure is individually fault-tolerant, with redundant power, network, and disk wherever possible. The Everbridge application suites and all their components are hosted in highly secured CenturyLink (formerly Qwest) CyberCenters, located in Burbank, CA and Denver, CO. Everbridge also utilizes cloud infrastructure providers such as Amazon Web Services (AWS), Elastic Hosts, and Interoute.

Software

Everbridge's application suites are Java J2EE solutions built on application server and database platforms, utilizing a hybrid cloud infrastructure for global deployment. Core components are built on a virtual server farm with SSD storage. Everbridge's application suites feature robust analytics, GIS capabilities, and flexible contact management. In addition, customers with global contacts can leverage a single access point to notify contacts and manage contact data across multiple distributed data stores, a unique "globally local" approach. The RESTful Web services design of Everbridge's application incorporates a simple, scalable, efficient, secure, reliable, and extensible architecture. Everbridge's SaaS-based application suites are built on a multi-component, multi-tier architecture, which means that multiple like components reside on each tier, facilitating load balancing and the modification or replacement of components at any tier without affecting the other tiers or service availability. Everbridge's secure infrastructure is built from Cisco Systems hardware and software-defined networking (SDN), with F5 traffic managers for local and global load balancing.

People

Everbridge employs over 200 employees and is organized into the following areas:

- The SaaS Operations team includes system administrators, database administrators, application and technical analysts, release management, governance and security, and the service desk, which collectively are responsible for maintaining the availability, confidentiality, and integrity of all information systems.
- The Client Services department interfaces directly with clients during the onboarding and training process and addresses any and all issues quickly and with confidence to provide outstanding customer service.
- System Development creates quality solutions that meet the business needs, maintains existing software components, supports IT operations, and commits to continuous improvement.
- Quality Assurance utilizes several methodologies of testing to ensure the highest quality product is being delivered.
- The Product team is responsible for determining the strategy for the Product Portfolio based on the Everbridge organization's business goals, as well as collecting and prioritizing system enhancements and discovered defects and defining requirements for approved projects.

Procedures

There are several procedures that add to the strength and reliability of the Everbridge system. The procedures include:

- A 24/7 service desk that actively monitors the system, and a system administration team that is also available 24 hours a day for escalation of any issues that may arise.
- Robust Incident, Problem, Change and Release Management.
- A risk management process which includes annual independent audits and penetration tests as mandated by the Federal Information Security Management Act of 2002 (FISMA).
- Annual employee security training and awareness programs.
- Documented and tested contingency plans.
- A systems development lifecycle (SDLC).
- Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR).

Data

The Everbridge system stores and processes data that is classified as Personally Identifiable Information (PII). This information may include: name, address, phone numbers (home, work, cell, etc.), email address, instant messaging handle or address, fax and pager. Data can be input manually or by utilizing a bulk secure upload feature that expedites the data population process. Both of these functions can be done by the clients to add, delete, or modify existing information. Various reports, such as usage and current member lists, can also be processed through the application interface.