Sample - Corporate Report

[CLIENT]
DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM
SERVICE ORGANIZATION CONTROLS (“SOC”) REPORT – SOC 2
RELEVANT TO SECURITY, AVAILABILITY, PROCESSING INTEGRITY, AND CONFIDENTIALITY
FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
Table of Contents

Section                                                                                     Page
1  Independent Service Auditors’ Report ....................................................... 2
2  Management of [CLIENT]’s Assertion Regarding Its Document Management, Data Capture,
   and Print Output Services System for the Period January 1, 2012 to September 30, 2012 ..... 6
3  Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services
   System for the Period January 1, 2012 to September 30, 2012 ............................. 10
     Background and Overview of Services ..................................................... 10
     Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and
     Information and Communication
       Control Environment ................................................................... 11
       Risk Assessment ....................................................................... 11
       Monitoring ............................................................................ 11
       Information and Communication ......................................................... 11
     Document Management, Data Capture, and Print Output Services System Components
       Infrastructure ........................................................................ 12
       Software .............................................................................. 12
       People ................................................................................ 13
       Procedures ............................................................................ 14
       Data .................................................................................. 19
     Subservice Organizations ................................................................ 20
     Applicable Criteria and Related Controls ................................................ 20
     User-Entity Control Considerations ...................................................... 21
4  Independent Service Auditors’ Description of Tests of Controls and Results ............... 23
SECTION 1
INDEPENDENT SERVICE AUDITORS’ REPORT
Independent Service Auditors’ Report

To [CLIENT]

Scope

We have examined the attached description titled “Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the description”) included in Section 3 of this report and the suitability of the design and operating effectiveness of controls to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”), throughout the period January 1, 2012 to September 30, 2012. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of [CLIENT]’s (“[CLIENT]”) controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

[CLIENT] uses service organizations (subservice organizations) to provide data capture and data entry services for certain clients who elect such processing services. The description indicates that certain applicable trust service criteria can only be met if controls at the subservice organizations are suitably designed and operating effectively. The description presents [CLIENT]’s Document Management, Data Capture, and Print Output Services System; its controls relevant to the applicable trust service criteria; and the types of controls that the service organization expects to be implemented, suitably designed, and operating effectively at the subservice organizations to meet certain applicable trust service criteria. The description does not include any of the controls implemented at the subservice organizations. Our examination did not extend to the services provided by the subservice organizations.

Service Organization’s Responsibilities

[CLIENT] has provided the attached assertion titled “Management of Diversified Information Technology Inc.’s Assertion Regarding its Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012,” included in Section 2 of this report, which is based on the criteria identified in management’s assertion. [CLIENT] is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of both the description and assertion; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria.

Page | 1
Service Auditors’ Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in [CLIENT]’s assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period January 1, 2012 to September 30, 2012.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, based on the description criteria identified in [CLIENT]’s assertion and the applicable trust services criteria, in all material respects:

a. The description fairly presents the system that was designed and implemented throughout the period January 1, 2012 to September 30, 2012.

b. The controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period January 1, 2012 to September 30, 2012, and user entities applied the complementary user-entity controls contemplated in the design of [CLIENT]’s controls throughout the period January 1, 2012 to September 30, 2012, and the subservice organizations applied, throughout the period January 1, 2012 to September 30, 2012, the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system.

c. The controls tested, which together with the complementary user-entity controls referred to in the scope paragraph of this report, and together with the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system and, if operating effectively, were those necessary to provide reasonable assurance that the applicable trust services criteria were met, operated effectively throughout the period January 1, 2012 to September 30, 2012.

Description of Tests of Controls

The specific controls we tested and the nature, timing, and results of our tests are presented in Section 4 of this report titled “Independent Service Auditors’ Description of Tests of Controls and Results”.

Intended Use

This report and the description of tests of controls and results thereof are intended solely for the information and use of [CLIENT]; user entities of [CLIENT]’s Document Management, Data Capture, and Print Output Services System during some or all of the period January 1, 2012 to September 30, 2012; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

• The nature of the service provided by the service organization
• How the service organization’s system interacts with user entities, subservice organizations, and other parties
• Internal control and its limitations
• Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria
• The applicable trust services criteria
• The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

<insert firm signature>
October XX, 2012
Philadelphia, Pennsylvania
SECTION 2
MANAGEMENT OF DIVERSIFIED INFORMATION TECHNOLOGY, INC’S ASSERTION REGARDING ITS DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
October xx, 2012

We have prepared the attached description titled “Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the description”), included in Section 3 of this report, based on the criteria identified below under the heading “Description Criteria”. The description is intended to provide users with information about our Document Management, Data Capture, and Print Output Services System, particularly system controls intended to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”). We confirm, to the best of our knowledge and belief, that:

• The description fairly presents the Document Management, Data Capture, and Print Output Services System throughout the period January 1, 2012 to September 30, 2012, based on the description criteria identified below under the heading “Description Criteria”.
• The controls stated in the description were suitably designed throughout the period from January 1, 2012 to September 30, 2012 to meet the applicable trust services criteria.
• The controls were operating effectively throughout the period January 1, 2012 to September 30, 2012 to meet the related criteria as described in Section 4 of this report.

Description Criteria

In preparing our description and making our assertion regarding the fairness of the presentation of the description, we used the criteria below, which are the criteria for a description of a service organization’s system included in paragraph 1.33 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

a. The description contains the following information:

i. The types of services provided.

ii. The components of the system used to provide the services, which are the following:
• Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks).
• Software. The programs and operating software of a system (systems, applications, and utilities).
• People. The personnel involved in the operation and use of a system (developers, operators, users, and managers).
• Procedures. The automated and manual procedures involved in the operation of a system.
• Data. The information used and supported by a system (transaction streams, files, databases, and tables).

iii. The boundaries or aspects of the system covered by the description.

iv. How the system captures and addresses significant events and conditions.

v. The process used to prepare and deliver reports and other information to user entities and other parties.

vi. If information is provided to, or received from, subservice organizations or other parties, how such information is provided or received; the role of the subservice organization and other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.

vii. For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the Document Management, Data Capture, and Print Output Services System.

viii. For the subservice organizations presented using the carve-out method, the nature of the services provided by the subservice organizations; each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization; and the type of controls expected to be implemented at the carved-out subservice organizations to meet those criteria.

ix. Any applicable trust services criteria that are not addressed by a control at [CLIENT] or a subservice organization and the reasons therefor.

x. Other aspects of [CLIENT]’s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria.

xi. Relevant details of changes to [CLIENT]’s Document Management, Data Capture, and Print Output Services System during the period January 1, 2012 to September 30, 2012.

b. The description does not omit or distort information relevant to [CLIENT]’s Document Management, Data Capture, and Print Output Services System. The description was prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the Document Management, Data Capture, and Print Output Services System that each individual user may consider important to his or her own particular needs.

Scott A. Byers
President & Chief Executive Officer
[CLIENT]
October XX, 2012

Michael Malkemes
Director, Compliance & Risk Management
[CLIENT]
October XX, 2012
SECTION 3
DESCRIPTION OF [CLIENT]’S DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
Background and Overview of Services

Headquartered in Scranton, PA, [CLIENT] has successfully served its clients since 1982 through business process outsourcing and information management solutions. With over 650 customers, [CLIENT] has firmly established itself as an industry leader. [CLIENT] serves the Fortune 500 in healthcare, insurance and finance as well as government agencies.

[CLIENT]’s clients include seven of the top twelve United States financial services firms, three of the top ten United States life insurance companies, four of the top ten electronic health record providers serving over 170 hospitals and 10,000 physicians, and key federal agencies including the Department of Homeland Security – United States Customs, the International Trade Commission and the United States Environmental Protection Agency.

[CLIENT]’s end-to-end document management system is a combination of systems that work together to provide secure, confidential processing and retention of documents and the critical data they contain. The components of the system include:

• Communication/Distributed Output System – This system entails receiving client data and merging this data into print templates to produce correspondence, statements and printed material. Once documents are produced they are sent via mail or electronic delivery.
• Image Conversion and Data Capture System – This system is a document conversion system that begins at receipt of documents in hard copy or electronic form. Documents enter into a stream at the wireless mailroom and are then converted to image on high speed scanners; data is captured either through automatic recognition software or human data entry; image and data are spot reviewed for quality and then exported to NetView or client specific systems.
• Document Management and Preservation System – This system tracks location and movement of hard copy records stored in multiple secure facilities throughout the US.

The overarching framework of the system is overseen and managed by a security team consisting of the Director of Compliance and Risk Management and the Director of IT Infrastructure. The Data Center and Facility Monitoring System are based at the company headquarters in Scranton, PA.

[CLIENT] has designed the systems with boundaries ensuring data security, confidentiality, processing integrity, and availability. The system is comprised of the following five components:

• Infrastructure (facilities, equipment, and networks)
• Software (systems, applications, and utilities)
• People (developers, operators, users, and managers)
• Procedures (automated and manual)
• Data (transaction streams, files, databases, and tables)

The following sections of this description define each of these five components comprising [CLIENT]’s system and other relevant aspects of [CLIENT]’s control environment, risk assessment processes, monitoring processes, and information and communication.
Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and Communication

Control Environment

[CLIENT]’s control environment reflects the overall attitude, awareness, and actions of management and others concerning the importance of controls and their emphasis within the organization and the execution of [CLIENT]’s mission. [CLIENT] provides corporate compliance and ethics training to all employees as well as physical and logical security training. At various corporate functions, executive management communicates [CLIENT]’s top 5 priorities, including compliance. Periodically, the Corporate Compliance Manager provides awareness communications covering compliance, ethics, and security information.

Risk Assessment

[CLIENT] has a risk assessment process to identify and manage risks that could affect its ability to provide secure, reliable transaction processing for user entities. This process requires management to conduct an internal security audit twice per year to identify vulnerabilities and threats. Remediation steps are put in place as a result of these audits if necessary. Items that are considered during risk assessment audits include:

• Changes in operating systems
• New information systems
• New security threats
• Operational location moves
• New technology
• Personnel changes

Monitoring

[CLIENT]’s management and supervisory personnel monitor the quality of internal control performance as a routine part of their activities. Oversight of job completion is the responsibility of supervisors and is monitored by batch monitoring and job ticket documentation. Quality assurance procedures are in place for each client and monitored based on predetermined thresholds to ensure reconciliation and processing integrity.

Information and Communication

[CLIENT] gathers information on the processing of work using reporting tools. Reports are customized for each client to track documents from entry into the system to the final reconciliation of completion. Clients are provided access to the reporting system through client specific access.

Clients are assigned a client solution executive, responsible for account relationship management activities, setting strategy for account support, and developing new solutions to promote client growth as well as profitability, and a client relationship executive, with the responsibility to interact with key client contacts and manage day-to-day operations. [CLIENT] client relationship executives act as the voice of the clients within [CLIENT] and provide a key function in managing customer expectations and established Service Level Agreement metrics. To review activities, a formal report and presentation is made to [CLIENT]’s Client Service and Operations group summarizing the previous month’s activity.
Document Management, Data Capture, and Print Output Services System Components

Infrastructure

Distributed, world-wide operations are maintained and managed to provide confidentiality, security, availability, processing integrity and safeguard against compromise or breach. The following facilities are included in the scope of the Document Management, Data Capture, and Print Output Services System.

Metro Area | Facility Function
Raleigh, North Carolina – Millville, New Jersey | Communication/Distributed Output
Scranton, Pennsylvania (Headquarters) | Document Management/Preservation, Document Processing, and Data Center
Binghamton, New York | Disaster Recovery
Moosic, Pennsylvania | Document Management/Preservation and Document Processing
Delano, Pennsylvania – Gordonsville, Virginia – Exeter, Pennsylvania – Houston, Texas – Louisville, Kentucky – Los Angeles, California – Columbia, South Carolina – Hartford, Connecticut – Minneapolis, Minnesota | Document Management/Preservation

The systems are designed similarly regardless of location to provide for consistent organizational policies and procedures.

Software

[CLIENT] utilizes a mix of commercial off-the-shelf products and internally developed programs for day-to-day processing of client information. The list noted below includes the systems, applications and utilities used to produce scanned images, index data and printed invoices and statements.
Technology | Function
IBML Image Trac3 | IBML is a companywide, high speed/high volume scanner platform.
Docnetics | IBML document typing and recognition software.
EMC | Captiva and AnyDoc | Data capture forms and processing workflow platform.
Virtual Mailroom | Automates the tracking of all inbound mail from receipt through scanning through export.
E-Fax | Receives faxes digitally and processes them directly into the data capture and imaging platform.
E-Sort | Data capture application program.
NetView & NetVault© | Web based application used for exception processing.
WebCIRM | Web based computer integrated records management and imaging system utilizing bar code technology and radio frequency scanners.
Emtex VIP | Centralized queue and Print File Output Management System.
Objectif Lune Planet Press | Variable data print composition software.
BARR Channel Server | Print Stream blocking tool.
Production Insight | Output management tracking & reporting tool.
Kodak EX300 MICR Printers | Check production printers.
OCE 6250 Printers | High speed black/white production printers.
Ricoh 720 Color | High speed color printer.
Canon IR-150 | Monochrome and MICR printer.
Pitney Bowes FPS auto-inserter | High speed document to envelope inserter.
Bell & Howell 4000 auto-inserter | High speed document to envelope inserter.
People

[CLIENT] has a staff of approximately 600 employees across 25 U.S. locations. Scranton, Pennsylvania is [CLIENT]’s headquarters and the Scranton Facility is the main location for outsourced document processing and workflow solutions. Morrisville, North Carolina is the main processing facility for output of printed materials.

The organization is overseen by an Executive Team consisting of the following positions and their support staff:

• President/Chief Executive Officer – responsible for strategy, business development and overall leadership. The executive team members report to the President.
• Chief Financial Officer/Vice President Support Services – responsible for the financial services team, human resources, compliance, risk management, facilities and IT Infrastructure.
  - IT Infrastructure Team, responsible for network design, log monitoring, assessment and vulnerability testing.
  - Human Resources Team, responsible for the processes of hiring, termination, training and compliance with organizational policies.
  - Financial Services Team, responsible for billing, procurement and payroll.
  - Compliance & Risk Management Team, responsible for facility oversight and support, security, corporate compliance, and risk management.
• Chief Relationship Officer/VP Solutions – responsible for solutions, client relationship and customer service.
  - Solutions Executive Team, responsible to oversee sales and governance for each service line. It is broken down into teams supporting the Communication/Distributed Output System, Image Conversion and Data Capture System and Document Management and Preservation System.
  - Client Service and Interaction Team, responsible for day-to-day client interaction and support on the Communication/Distributed Output System, Image Conversion and Data Capture System and fulfillment of the Document Management and Preservation System.
• Chief Operations Officer/VP Global Operations – responsible for processing, fulfillment, operational functions, project management and IT Development.
  - Communication/Distributed Output Team, responsible for fulfilling client contracted actions including printing, fulfillment and output mail.
  - Image Conversion and Data Capture System Team, responsible for the processing of documents from mailroom or electronic receipt, conversion to image, capture of data and delivery to client.
• Chief Implementation Officer/VP Integrated Systems – responsible for processing, fulfillment, operational functions, project management and IT Development.
  - Quality and Excellence, responsible for development and monitoring of ISO and production procedures and quality.
  - Project Delivery & Management, responsible for the management and delivery of new projects and implementation of production.
  - IT Systems Development, responsible for design, development and maintenance of processing systems.

Procedures

[CLIENT] provides document management for the entire document lifecycle from print to image and data capture to processing, preservation, and storage. [CLIENT] specializes in large, complex, and dynamic projects and operations. [CLIENT] provides redundancy and business continuity of operations with 25 facilities located throughout the U.S. Quality control procedures are tracked and reported at the document level. The hardware and software include IBML production scanners with Captiva AnyDoc advanced capture platforms.

Security, Access and Monitoring Procedures include:

• Visitor and Building Security
• Access Authorization Control
• Confidentiality
• Security Clearance for new hires
• System Monitoring
• Information Security Monitoring
• Incident Response
• Data Classification
• Availability

[CLIENT] protects client information starting with personnel policies, which are documented in [CLIENT]’s Employee Handbook and in the Human Resource Hiring policies. Written job descriptions have been developed and are revised as necessary. Employees undergo comprehensive background/security checks and drug screening prior to employment and are required to sign confidentiality agreements upon hire, which state that no confidential information can be communicated outside of the organization. Mandatory training is completed annually to ensure understanding of and compliance with policies on confidentiality, ethics, and privacy.

[CLIENT]’s Access Control Policy guides access approval, provisioning, removal and monitoring. Access to building areas, system network and information is granted based on job classifications and responsibilities. Management is responsible for authorizing access. The Director of Risk Management and Compliance monitors and reviews access granted when changes are made to positions.
  • Solarwinds Orion System Monitoring software is used to monitor system availability and performanceand provides current and historical tracking reports of performance factors including processorutilization, memory utilization, network usage, errors and disk utilization. The system monitors Ciscoswitches, routers, firewalls, and Windows based servers. This information is used to provideinformation to user entities, proactively identify concerns and plan for future system requirements.Information security monitoring is the responsibility of the Infrastructure team who review daily logsto ensure a security breach is not missed.[CLIENT] designed its Incident Response Policy and Procedure to establish a planned course of actionin case of security incidents. The procedure is a stepped process that includes initial assessment toassign a severity level, incident notification, incident containment and response, recovery, andreview. Additional testing is completed twice per year to simulate a potential incident and the actiontaken.Communication/Distributed Output System Procedures include:[CLIENT]’s Communication/Distributed Output capabilities include a secure digital print and mailfacility capable of producing over 1.4 billion printed images and 220 million mail pieces per year.[CLIENT] offers a suite of document composition and electronic delivery solutions to satisfy userentity needs for multi channel communications. Examples of the output capabilities include:  Invoices  Statements  Insurance membership materials (Identification cards, member guide booklets, rate change notices, and other policy reference materials)  Payments: check and vouchers  Educational materialsApplicable Facility: Raleigh, North Carolina and Millville, New JerseyImage Conversion and Data Capture System Procedures include:[CLIENT]’s Image Conversion and Data Capture capabilities include a systematic and analytical wayto track mail from initial receipt to image export. 
From the initial time of receipt, [CLIENT] uses virtual mailroom technology to track the different types of mail received from various Post Office Boxes. Mail is opened, sorted, scanned, indexed and integrated into each client’s workflow system in a seamless manner, keeping process streams separate and retaining receipt and functional information throughout the entire process. [CLIENT] utilizes a combination of internal audits and client audits to measure performance against agreed-upon Service Level Agreements (SLAs). Examples of the conversion and data capture capabilities include:

- Virtual mailroom
- Conversion by scan to image
- Data capture: key from image and verify
- Live document handling and return, including checks, death certificates, CDs, etc.
- Quality audit

Applicable Facilities: Scranton, Pennsylvania and Montage, Pennsylvania

Document Management and Preservation System Procedures include:

[CLIENT] provides a total records management solution that includes the WebCIRM records management tracking and management system and secure storage facilities. The Document Management and Preservation System tracks location and movement of hard copy records stored in multiple secure facilities throughout the US. Examples of record retention capabilities include:

- WebCIRM
- Record storage

Applicable Facilities: Scranton, Pennsylvania; Montage, Pennsylvania; Exeter, Pennsylvania; Delano, Pennsylvania; Los Angeles, California; Louisville, Kentucky; Gordonsville, Virginia; Houston, Texas

Systems Development and Maintenance

The two key applications supporting the imaging operations are InputAccel and Captiva FormWare. Both software packages are developed and supported by EMC, a third-party vendor. [CLIENT] programming changes are limited to application settings and customized modules that hook into the application interfaces. If modifications to core source code are needed, [CLIENT] requests modifications from the vendor, who includes them in future product releases.

Data transfer applications that provide the interface between imaging applications and file transfer software packages are developed internally.

Program Modification Controls

The following description of program modification controls applies to changes to existing systems and programs:

Requests for Modifications

Requests for enhancements can originate from either external clients or from internal operations departments. Enhancements or modifications requested by external customers are communicated to [CLIENT] personnel, who document the client requests.
Changes originating from the internal departments stem from issues identified during day-to-day processing, errors, or a need for additional systems controls to minimize the probability of errors and increase the accuracy of data capture. For all change requests, the internal [CLIENT] employee submits a request via the Web-based Elementool. Any modifications to the issue are maintained in an issue history.
The Elementool issue record contains the following information:

- Title
- Type (change request, project, request for proposal, status rollup)
- Requestor
- Requirements
- Weekly report/comments
- System impacts
- Priority
- Customer
- Customer type
- Division/location
- Status manager
- Lead developer
- Status

In addition to the fields listed above, if the request originates from a customer, a Customer Change Request Form or statement of work can be attached to the issue. Members of IT senior management review the requests and work with application development teams to determine the technical scope and details for the changes.

Authorization of Changes

Approval of application system change requests is required from [CLIENT] operations management. If the change request originated from a customer, the customer must also approve the change before development can begin.

For customer-originating requests, the Customer Change Request Form, signed by [CLIENT] management, is sent to the customer for final approval and sign-off. The final form contains the following information:

- Initiator of the change
- Overview and benefit
- Technical change to be made
- Technical implications
- Operational implications
- Test information relative to the change
- Implementation information relative to the change
- Back-out plans
- Target date
When required approvals and sign-offs are obtained, IT senior management assigns resources to work on the development of changes.

Program Testing

Application system changes are tested by both the IT and client operations groups. The following major phases are typical for application change releases:

- IT testing
- Operations testing
- Identified issues resolution
- Approval and sign-off

Though releases differ in scope, complexity and extent of testing, the following sections are the most commonly executed steps.

IT Testing

Unit testing and debugging is conducted by the IT Development Team. The release is deployed into the test environment after unit testing has been performed locally by the IT Development Team. Formal test plans are executed by an Operational Excellence analyst with the assistance of the IT Development Team in order to cover areas of potential impact. The Operational Excellence department notifies client operations management that the new release has been installed in the test environment and is available for testing.

Operations Testing

Scan operators scan a limited number of test batches into the test environment as determined by operations management and the Operational Excellence department. When the batches reach the completion stages, the production test operators start processing the batches. The Operational Excellence analyst executes the test plans and checks for errors and issues that may arise during testing. If error messages are noted or system results or behavior are deemed to be out of the ordinary, issues are reported to the Operational Excellence department. Noted issues are recorded in the appropriate test results documentation along with applicable error messages, batch names and error screen printouts. Some of the releases require integrated testing with the clients.
For these types of releases, account management or product management coordinates testing with the corresponding clients and collects feedback covering the observed outcomes, issues, or failures.

Approval and Sign-Off

The operations and Operational Excellence department managers review the issues observed during each test run and determine if the tests can be considered successful. If the test is considered successful, the team’s management signs off that the release can proceed to the next stage. Results of tests of changes affecting or originated by the clients are reviewed and approved by the affected clients. Approvals are sent via e-mail. If a release is approved for rollout to the production environment, the IT project manager e-mails the release group that the release installation can be executed.
Control Over Production Programs

Depending on the type and complexity of a change, rollout schedules, coordination and cross-department notifications, preparation efforts and potential issues are discussed during ad-hoc pre-production release management meetings.

Rollout of changes to the production environment is the responsibility of the NetAdmin group. The only exceptions are changes to the InputAccel parameter files, which require a developer to insert parameter changes directly into the parameter file. Developers must request this access from the director of IT support prior to performing this update. Developers have no access to other production systems or files.

Production release issues and items are discussed during ad-hoc post-production implementation management meetings. In some instances, clients are also present via teleconference to provide their feedback on the results of the upgrades.

Monthly file reviews are performed on the InputAccel parameter files to verify that they have the same process install date documented in the latest approval granted by IT management. In addition, the file shares containing the application updates are reviewed for synchronization on a monthly basis by NetAdmin. If a discrepancy is encountered, the issue is reported in the form of a five-point analysis. This report also lists the corrective action taken along with the business impact.

Source and Object Code

The development teams use the CVS version control system to provide secured access to the source code, maintain different versions and history of programs, and facilitate controlled changes and access to the source code. Access permissions are integrated with Microsoft Active Directory.

Documentation

Imaging applications documentation is written, updated and distributed by the [CLIENT] client operations staff and personnel responsible for training of operations staff.
Standard documentation related to the operating systems and infrastructure is provided by the corresponding operating system and hardware vendors. Such technical documentation is available only to authorized IT personnel.

Data

[CLIENT]’s records and information management services encompass the following types of data in each of [CLIENT]’s core service offerings:

- Print and Output System: Client data in the form of data files is output via print templates to produce correspondence, statements, and other printed material.
- Image Conversion and Data Capture System: Client data in hard copy or electronic form is captured either through automatic recognition software or human data entry.
- Document Management and Preservation System: This system tracks location and movement of hard copy records stored in one of [CLIENT]’s secure facilities throughout the US.
Subservice Organizations

[CLIENT] utilizes several subservice organizations to perform services for its clients. Presented below is a description of the services provided by the subservice organizations, the criteria relevant to the services performed by the subservice organizations and the types of controls expected at the subservice organizations.

Document Capture and Data Entry Services

[CLIENT] clients with specialized and global processing requirements may request that [CLIENT] utilize one of three subservice organizations with unique capabilities that complement [CLIENT]’s services. These subservice organizations perform capture of data from files imaged by [CLIENT], and return to [CLIENT] the captured data in machine-readable format. The criteria that relate to controls at these subservice organizations include all criteria related to the Trust Services Principles of Security, Confidentiality, Processing Integrity, and Availability for those clients which elect for [CLIENT] to use these subservice organizations while processing is performed by them. The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at [CLIENT], include:

- The system is protected against unauthorized access (both physical and logical).
- The system is available for operation and use as committed or agreed.
- System processing is complete, accurate, timely, and authorized.
- Information designated as confidential is protected as committed or agreed.
- Policies and procedures exist related to security, availability, processing integrity, and confidentiality and are implemented and followed.
- Communication and monitoring controls are implemented related to security, availability, processing integrity, and confidentiality.

Applicable Criteria and Related Controls

The security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4 of this report, “Independent Service Auditors’ Description of Tests of Controls and Results”. Although the security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4, they are an integral part of [CLIENT]’s description of its Document Management, Data Capture, and Print Output Services System and are incorporated herein.
User-Entity Control Considerations

Services provided by [CLIENT] to user entities and the controls of [CLIENT] cover only a portion of the overall controls of each user entity. [CLIENT]’s controls were designed with the assumption that certain controls would be implemented by user entities. In certain situations, the application of specific controls at user entities is necessary to achieve the applicable trust principles criteria. It is not feasible for the applicable trust services criteria relating to the services outlined in this report to be achieved solely by [CLIENT]. This section highlights those internal control responsibilities that [CLIENT] believes should be present for each user entity and has considered in developing the controls described in the report. This list does not purport to be, and should not be considered, a complete listing of the controls relevant at user entities. Other controls may be required at user entities.

- Information provided to [CLIENT] from user entities should be in accordance with provisions in the agreement for services between [CLIENT] and user entities.
- User entities are responsible for encrypting and protecting transmissions.
- User entities are responsible for maintaining and communicating to [CLIENT] a current list of employees who have authority to access systems and determine action (i.e., destruction).
- The security administrators at user entities are responsible for ongoing maintenance and monitoring of their employees’ system access to [CLIENT]’s infrastructure.
- User entities are responsible for reporting to [CLIENT] any known or suspected issues with security, processing integrity, confidentiality, and availability.
- User entities are responsible for monitoring any processing reports provided or made available by [CLIENT].
- User entities are responsible for participating in disaster recovery tests to determine whether [CLIENT]’s disaster recovery procedures meet their disaster recovery needs.
SECTION 4: INDEPENDENT SERVICE AUDITORS’ DESCRIPTION OF TESTS OF CONTROLS AND TEST RESULTS
Introduction

The purpose of this report is to provide management of [CLIENT], user entities, and other specified parties with information about controls at [CLIENT] that are intended to mitigate risks related to security, availability, processing integrity, and confidentiality. The security, availability, processing integrity, and confidentiality principles are outlined in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Description of Types of Testing Performed

The types of tests performed to assess the effectiveness of controls included the following:

- Inquiry: Discussed the controls with operations, administrative personnel, and/or management who are responsible for developing, adhering to, and applying the controls to determine their understanding and compliance.
- Inspection: Inspected documents and reports indicating performance of the controls.
- Observation: Observed the application of specific controls.
- Reperformance: Re-performed application of the controls.
Security Criteria

1.0 Policies: The entity defines and documents its policies for the security of its system.

Criteria 1.1: The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

Control: A written security policy has been approved by Executive Leadership.
Test of Controls: Inquired with the Manager, Corporate Compliance and Security and inspected the Data Security Handbook and Risk Assessment Policy to determine if security policies were established, periodically reviewed and approved by Executive Leadership.
Test Results: No deviations noted.

Criteria 1.2: The entity’s security policies include, but may not be limited to, the following matters:
a. Identifying and documenting the security requirements of authorized users
b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements
c. Assessing risks on a periodic basis
d. Preventing unauthorized access
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access
f. Assigning responsibility and accountability for system security
g. Assigning responsibility and accountability for system changes and maintenance
h. Testing, evaluating, and authorizing system components before implementation
i. Addressing how complaints and requests relating to security issues are resolved
j. Identifying and mitigating security breaches and other incidents
k. Providing for training and other resources to support its system security policies
l. Providing for the handling of exceptions and situations not specifically addressed in its system security policies
m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contractual requirements
n. Providing for sharing information with third parties

Control: A written Data Security Handbook identifies and documents the noted requirements “a” through “n”.
Test of Controls: Inspected the Data Security Handbook and risk assessment policy to determine if the noted elements “a” through “n” were included.
Test Results: No deviations noted.
Criteria 1.3: Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned.

Control: Management has assigned responsibility and accountability for the maintenance and enforcement of [CLIENT]’s security and availability policy to the Director of Compliance and Risk Management as well as the Director of IT Infrastructure.
Test of Controls: Inspected job descriptions for the Director of IT Infrastructure and the Director of Compliance and Risk Management to determine if accountability for developing and maintaining [CLIENT]’s system security policies, and changes and updates to those policies, was assigned.
Test Results: No deviations noted.

Control: The Executive Team approves updates to policies.
Test of Controls: Inspected meeting minutes to determine if responsibility for maintaining policies and changes or updates to security policies was assigned to the Executive Team.
Test Results: No deviations noted.

2.0 Communications: The entity communicates its defined system security policies to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Control: [CLIENT] prepares an objective description of the system and its boundaries and communicates it to user entities.
Test of Controls: Inspected the system description to determine if the system and its boundaries were communicated to authorized users.
Test Results: No deviations noted.

Criteria 2.2: The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

Control: Security obligations are customized to each client and are part of their contract.
Test of Controls: Selected a sample of clients and inspected Service Level Agreements to confirm security obligations were communicated.
Test Results: No deviations noted.

Control: Internal employees are held to HIPAA guidelines and Confidentiality policies. These policies are reviewed upon hire and employees are required to sign documents acknowledging their understanding of these obligations. The policies are also reviewed annually by all personnel.
Test of Controls: Inspected acknowledgement forms to determine if the forms identify the security responsibilities of employees. Selected a sample of new hires and inspected their acknowledgement forms to determine if [CLIENT] received the signed acknowledgement.
Test Results: No deviations noted.
Criteria 2.2 (continued)

Control: The Data Security Handbook and the Employee Handbook with Confidentiality and HIPAA policy are published on the company intranet.
Test of Controls: Observed the company intranet to determine if the Data Security Handbook and Employee Handbook were published. Inspected the Data Security Handbook and HIPAA policy to determine if security obligations of users and the entity’s security commitments to users were communicated.
Test Results: No deviations noted.
Criteria 2.3: Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Control: The Director of Compliance and Risk Management and the Director of IT Infrastructure have custody of and are responsible for the day-to-day maintenance of [CLIENT]’s technical security policies and recommend confidentiality, availability and processing integrity changes. Written job descriptions have been defined and are communicated to the Director of IT Infrastructure and the Director of Compliance and Risk Management.
Test of Controls: Inquired of the Director of Compliance and Risk Management and inspected job descriptions for the Director of Compliance and Risk Management and the Director of IT Infrastructure to determine if responsibilities for system security, confidentiality, availability and processing integrity policies were formally assigned.
Test Results: No deviations noted.

Control: Written process and procedure manuals for all defined security processes are provided to all IT personnel, management and client-facing personnel and are included in new hire and annual training and sign-off procedures.
Test of Controls: Inspected the Data Security Handbook to determine if defined security processes were provided to all IT personnel, management, and client-facing personnel.
Test Results: No deviations noted.

Control: If any policy changes are made, they are communicated by internal company-wide email by the Vice President of Finance or the President.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security and determined that no policy changes were performed during the period of January 1, 2012 to September 30, 2012. The operating effectiveness of this control activity could not be tested as there was no related activity during the period January 1, 2012 to September 30, 2012.
Test Results: No deviations noted.
Criteria 2.4: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

Control: IT incidents (security, availability, confidentiality, or processing integrity), including potential breaches, are reported to the IT Help Desk for action as defined in the Data Security Handbook.
Test of Controls: Inspected the Data Security Handbook incident response procedures, documented escalation process, and 5 Point Process to determine if incidents and system/operational issues were communicated based upon criteria specified in the escalation document.
Test Results: No deviations noted.

Control: An 800 number and email address are provided on our website to contact our Customer Service area for any questions or issues. Clients who store data on our systems are assigned a Solutions Executive and Client Advocate who serve as their direct resolution experts.
Test of Controls: Selected a sample of clients and inspected supporting documentation to determine if a process existed for authorized users to inform [CLIENT] of breaches and submit complaints.
Test Results: No deviations noted.

Criteria 2.5: Changes that may affect system security are communicated to management and users who will be affected.

Control: Planned changes to system components and the scheduling of those changes are reviewed as part of monthly IT/Operations meetings.
Test of Controls: For a sample of months, inspected meeting agendas and/or minutes from the monthly IT/Operations meetings to determine that changes that may affect system security, availability, processing integrity, or confidentiality were communicated to management or users who will be affected. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no changes occurred during the period which required communication. Inspected a sample of changes to determine that none required communication.
Test Results: No deviations noted.
3.0 Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Control: Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco switch/router configurations, antivirus software, software patches, any changes to local system accounts and generic domain accounts, domain and account groups (monthly), and backup procedures. A report is composed that compiles the results of the previous steps and assigns a grade based on predefined parameters. A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised. Risks that rate high are given priority during the mitigation phase.
Test of Controls: Inspected the Risk Assessment Policy to determine if procedures exist to identify potential threats of disruption and assess risks associated with the threats. Inspected the internal vulnerability assessment results to determine the following: 1) bi-annual internal security audits were performed to identify potential threats; 2) a risk assessment was performed to identify potential threats and assess risks.
Test Results: No deviations noted.
Criteria 3.2: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Distribution of output restricted to authorized users.
f. Restriction of access to offline storage, backup data, systems, and media.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Control (a): Logical access to nonpublic information resources is protected through the use of security software and operating system security. Access is defined by job description and manager authorization. Access to resources is granted to an authenticated user based on the user’s identity. Proper authorization must be completed for any access to be granted.
Test of Controls (a): Inspected the Data Security Handbook, Windows security access reports, IBML user access list, EMC Captiva user access list, Anydoc access list and Emtex VIP access list (Raleigh) to determine 1) if logical access to nonpublic information was required to be protected through security software or operating system security; 2) if authentication with a valid user ID was needed to access resources. Inquired of the Director of IT Infrastructure and inspected privileged user access listings to determine if access was assigned and defined based on job descriptions. Inquired of the Director of IT Infrastructure and inspected the Data Security Handbook to determine if users were required to authenticate with a unique ID and password when accessing systems. Selected a sample of new hires and inspected new user access request forms to determine if manager authorization was obtained prior to granting system access. Inspected a sample of IBML, Anydoc, EMC, Thunderhead portal and Emtex VIP application users to determine if access was commensurate with their job description. Also inspected all members of the IT Personnel user access group to determine if access was commensurate with their job description.
Test Results: No deviations noted.
Criteria 3.2 (continued)

Control (b): Users must establish their identity to [CLIENT]’s network and application systems when accessing nonpublic resources through the use of a valid user ID that is authenticated by an associated password. Unique user IDs are assigned to individual users. Use of group or shared IDs is not permitted. Passwords must contain at least eight characters and at least three character types, and are not able to repeat within 24 months. Security configuration parameters force passwords to be changed every 30 days. Login sessions are terminated after 3 unsuccessful login attempts.
Test of Controls (b): Inspected the Data Security Handbook to determine if users must be authenticated prior to gaining access to system resources, unique user IDs were assigned, use of group or shared IDs was not permitted, passwords must be changed, must be a minimum of eight characters with complexity in the character set, and login sessions must be terminated after three failed attempts. Inspected password configuration settings to determine if the noted settings were enforced. Observed a user login to the network to determine if the users were prompted for a unique username and password. Inspected the IBML Windows Group, Windows domain admin list and Emtex VIP (Raleigh) to determine if unique user IDs were assigned and the use of group or shared IDs was not permitted. See tests of controls included under Security 3.2(a).
Test Results: No deviations noted.
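The parameters in Control (b) above (eight-character minimum, three character types, no reuse within 24 months, 30-day rotation, lockout after three failed attempts) are the kind of settings an auditor inspects in "password configuration settings". The following is an added example written for this page, not [CLIENT]'s software or any vendor's API: it encodes those parameters as a checkable policy so a reader can see which input each rule rejects. The account model, the per-account salt, the PBKDF2 hashing and the in-memory password history are constructed for the demonstration; a production environment would rely on the directory service's own policy and history enforcement.

```python
"""Password and lockout policy check mirroring the parameters in Criteria 3.2(b).

Added, illustrative example written for this page; not [CLIENT]'s software.
The Account model, per-account salt and in-memory history are constructed
for the demonstration only.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters as stated in the report's control description for 3.2(b).
MIN_LENGTH = 8
MIN_CHARACTER_TYPES = 3
MAX_AGE_DAYS = 30
HISTORY_DAYS = 24 * 30       # "not able to repeat within 24 months" (approximated in days)
MAX_FAILED_ATTEMPTS = 3

_CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)


def character_types(password: str) -> int:
    """Number of distinct character classes (lower, upper, digit, symbol) present."""
    return sum(any(ch in cls for ch in password) for cls in _CHARACTER_CLASSES)


def complexity_errors(password: str) -> list[str]:
    """Policy violations for a candidate password; an empty list means acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if character_types(password) < MIN_CHARACTER_TYPES:
        errors.append(f"fewer than {MIN_CHARACTER_TYPES} character types")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # One salt per account, so history entries for that account are comparable.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    """A user account with password history and failed-attempt lockout (constructed model)."""
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[tuple[datetime, bytes]] = field(default_factory=list)  # (set_at, digest)
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, password: str, now: datetime) -> list[str]:
        """Apply complexity and 24-month reuse rules; record the password if it passes."""
        errors = complexity_errors(password)
        digest = _digest(password, self.salt)
        cutoff = now - timedelta(days=HISTORY_DAYS)
        if any(hmac.compare_digest(d, digest)
               for set_at, d in self.history if set_at >= cutoff):
            errors.append("reused within the last 24 months")
        if errors:
            return errors
        self.history.append((now, digest))
        return []

    def password_expired(self, now: datetime) -> bool:
        """True when the current password is older than the 30-day maximum age."""
        if not self.history:
            return True
        return now - self.history[-1][0] > timedelta(days=MAX_AGE_DAYS)

    def authenticate(self, password: str) -> bool:
        """Verify the password; lock the account at the third consecutive failure."""
        if self.locked or not self.history:
            return False
        if hmac.compare_digest(_digest(password, self.salt), self.history[-1][1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


def run_demo() -> dict:
    """Walk one constructed account through each rule; returns the observations."""
    acct = Account("jdoe")                     # constructed sample account
    t0 = datetime(2012, 1, 1)
    out = {}
    out["weak_rejected"] = acct.set_password("password", t0) != []
    out["initial_set"] = acct.set_password("Tr0ub4dor", t0) == []
    out["login_ok"] = acct.authenticate("Tr0ub4dor")
    out["fresh_not_expired"] = not acct.password_expired(t0 + timedelta(days=10))
    out["expired_at_31_days"] = acct.password_expired(t0 + timedelta(days=31))
    out["reuse_rejected"] = acct.set_password("Tr0ub4dor", t0 + timedelta(days=31)) != []
    out["rotation_ok"] = acct.set_password("N3wSecret!", t0 + timedelta(days=31)) == []
    out["old_allowed_after_window"] = acct.set_password("Tr0ub4dor", t0 + timedelta(days=800)) == []
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.authenticate("wrong-guess")
    out["locked_after_three_failures"] = acct.locked
    out["locked_rejects_correct_password"] = not acct.authenticate("Tr0ub4dor")
    return out


if __name__ == "__main__":
    for rule, observed in run_demo().items():
        print(f"{rule}: {observed}")
```

The reuse check compares digests rather than plaintext, which is why the example keeps one salt per account: with a fresh salt for every entry, each historical digest would have to be recomputed on every change. The lockout counter resets on a successful login and the lock is sticky, matching the "terminated after 3 unsuccessful login attempts" wording; an administrative unlock step is outside what the control describes and is left out.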
Criteria 3.2 (continued)

Control (c): Customers must be approved and granted access to [CLIENT]’s Web site (WebCIRM), under a secure session, requiring user ID and password. Privileges are limited to specific system functionality. The Director of Business Process Operations authorizes access privilege change requests for employees and the Vice President of Operations does so for vendors. Access is limited to specific functionality. The ability to create or modify users and user access privileges (other than the limited-functionality “customer accounts”) is limited to the security administration team.
Test of Controls (c): Inspected the Network Solutions Certificate Authority certificate issued to WebCIRM to determine if encryption through SSL was enforced. Inspected the Data Security Handbook to determine if Director-level approval was required for changes to access privileges for employees and vendors. Inspected a list of employees with administrative access privileges on Windows systems, network devices and database servers to determine if access was limited to IT personnel based on job function.
Test Results: See test results included in Security Criteria 3.2(a).
Controls: d. Changes to customer accounts may be performed by the Director of Client Interaction with authorization documented on user access request forms. Changes are reflected immediately. Unused WebCIRM customer accounts (no activity for six months) are reviewed by the Director of Client Interaction and if necessary purged from the system. Changes to other accounts and profiles are made by the security administration team through a request on a Network Access Form and require the written approval of the Director of Business Process or other higher level Management.
Test of Controls: d. Selected a sample of users and inspected the related user access request forms to determine if changes to customer accounts were authorized. Inspected the CIRM User ID Recertification to determine if unused WebCIRM customer accounts were reviewed by the Director of Client Interaction. Selected a sample of new hires and inspected Network Access Forms to determine if user account additions were approved.
Test Results: No deviations noted.

Controls: e. Access to computer processing output is provided to authorized individuals based on their job description and classification of the information. Processing output is stored in an area that reflects the classification of the information. Processing output is distributed in accordance with the security policy based on classification of the information.
Test of Controls: e. Inspected badge access listings to determine if access was restricted based on job responsibilities. Inspected the Data Security handbook to determine if policies exist for the distribution of processing output based on information classification.
Test Results: No deviations noted.
Page | 30
Controls: f. Access to offline storage, backup data, systems, and media is limited to computer operations staff through the use of restricted physical and logical access.
Test of Controls: f. Inspected the Data Security handbook to determine if access to sensitive data was secured through logical and physical security measures. Inspected the computer room badge access listing to determine if access was restricted based on job responsibilities. Inspected the list of users with system administrator capabilities on the Windows systems and badge access system to determine if access was restricted based on job responsibilities.
Test Results: No deviations noted.

Controls: g. Hardware and operating system configuration tables are restricted to appropriate personnel through physical access controls, native operating system security, and add-on security software. Application software configuration tables are restricted to authorized users and monitored by the Director of Network. Utility programs that can read, add, change, or delete data or programs are restricted to authorized technical services staff. Usage is logged and monitored by the Director of Network. A spare listing of all master passwords is stored in an encrypted file.
Test of Controls: g. Inspected the list of users with administrative access rights on Windows systems, VPN and databases to determine if access was limited based on job need. Inspected the Windows event log settings and Cisco access control server (ACS) settings to determine if system configuration activity was logged. Inspected the Daily Security Log to determine if system configuration usage logs were monitored by members of the network infrastructure group. Inquired of the Director of IT Infrastructure and observed the master password file to determine if master passwords were stored in an encrypted file.
Test Results: No deviations noted.
Page | 31
Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Controls: Physical access to the computer rooms, which house [CLIENT]’s IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance. Requests for physical access privileges to [CLIENT]’s computer facilities require the approval of the Director of Compliance and Risk Management. Documented procedures exist for the identification and escalation of potential physical security breaches. Offsite backups are stored at a physical Disaster Recovery/Business Continuity site. This facility requires physical access cards and is restricted to the exact parameters as the main site.
Test of Controls: Inspected the computer room badge access listing, operations access listing and Kirkwood facility access listing to determine if access was restricted based on job responsibilities. Performed a tour of the data center to determine if video surveillance was in place. Inspected physical access procedures to determine if requests to access [CLIENT]’s facilities require approval of the Director of Compliance and Risk Management. Inspected the data security handbook and inspected the documented incident response procedures to determine if identification and escalation of potential physical security breaches were addressed.
Test Results: No deviations noted.

Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.
Page | 32

Controls: Protective system processes are in place to prevent and monitor unauthorized access to system resources and unauthorized access attempts.
Test of Controls: Inspected security logs to determine if failed login attempts and system lockouts are recorded. Inspected network diagram, Cisco device list, and security logs to confirm that system firewalls are in use and firewall event logs are reviewed daily. Inspected master server list and inquired of IT management that the master server list is maintained and updated by the IT department for any system changes. Inspected and inquired about the use of IDS Snort software. Inspected the external vulnerability assessment results to verify security reviews are being performed by external parties.
Test Results: No deviations noted.

Controls: See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.
Page | 33
Criteria 3.5: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Controls: Antivirus software is in place that prevents computer viruses, malicious code and unauthorized software, including virus scans of incoming e-mail messages. Virus signatures are reviewed and updated daily.
Test of Controls: Inquired of the Director of IT Infrastructure and observed antivirus configuration settings to determine if antivirus software was installed and virus definitions were updated daily.
Test Results: No deviations noted.

Criteria 3.6: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Controls: [CLIENT] uses encryption technology, VPN software, and other secure communication systems (consistent with its periodic IT risk assessment) for the transmission of private or confidential information over public networks, including user IDs and passwords.
Test of Controls: Inspected SSL protocol permissions, SSL certificates, and VPN protocol encryption to determine if encryption technology was in use.
Test Results: No deviations noted.

Criteria 3.7: Procedures exist to identify, report, and act upon system security breaches and other incidents.

Controls: A Security Incident Response Plan (5-Point Process) is instituted for identification and resolution of potential security breaches to the information security team.
Test of Controls: Inspected the Data Security Handbook and Security Log Sign-off Sheet to determine if a) the security incident response plan was defined and documented, b) the network staff was responsible for reviewing security logs on a daily basis. Inspected the 5-Point Analysis Procedures document to determine if a defined escalation process was established and appropriate resolution requires approval by management.
Test Results: No deviations noted.

Controls: When an incident is detected or reported, a defined Security Incident Response Plan (5-Point Process) identifies severity and action to be taken. Corrective actions are implemented in accordance with defined policies and procedures.
Test of Controls: Inspected a sample of completed 5-Point Analysis documentation to determine if the 5-Point Analysis procedures were followed.
Test Results: No deviations noted.
Page | 34
Criteria 3.8: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Controls: Data Classifications are used to determine access permissions as well as audit levels. The principle of least privilege is utilized to assign permissions at all levels. Permissions are assigned on Windows groups which map to a specific job function. Propriety of data is considered during new implementations, upgrades and change order actions.
Test of Controls: Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.
Test Results: No deviations noted.

Criteria 3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Controls: All incidents are tracked by management until resolved through the 5-Point incident response process.
Test of Controls: See test of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Controls: Supervisors review and approve the incident response process to help make certain procedures are followed.
Test of Controls: See test of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Criteria 3.10: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

Controls: [CLIENT] has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology.
Test of Controls: Inquired of the Director of IT Development, and inspected the IT Change Control Procedures and Standard Build Documentation to determine if: a) a formal methodology exists that governs the change management and SDLC processes and b) the network administration team was responsible for approving architecture and design specifications for new systems. Inspected the Data Security Handbook to determine if system changes that cannot meet defined data security standards require approval by senior IT management.
Test Results: No deviations noted.
Page | 35
Controls: The Network administration team reviews and approves the architecture and design specifications for new systems development and acquisition to help ensure consistency with [CLIENT]’s security objectives, policies, and standards.
Test of Controls: Requested a sample of new systems development and acquisition projects to determine if the Network administration team reviewed and approved the architecture and design specifications. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no new systems development and acquisition projects occurred during the period. Inspected a sample of changes to determine that none were related to new systems development and acquisition.
Test Results: No deviations noted.

Criteria 3.11: Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

Criteria 3.12: Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

Controls: The IT department maintains an up-to-date listing of all software and the respective level, version, and patches that have been applied.
Test of Controls: Inspected the software list to determine if an up-to-date list was maintained by IT.
Test Results: No deviations noted.

Controls: Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.
Test of Controls: Inquired of the Director of IT Development and inspected IT Change Control Procedures and Standard Build Documentation to determine if a formal methodology exists that governs the change management and SDLC processes. Inspected a sample of changes to determine if requests for change were standardized and subject to documented change management procedures.
Test Results: No deviations noted.
Page | 36
Controls: System configurations are tested annually and evaluated against [CLIENT]’s security policies and current service-level agreements. An exception report is prepared and remediation plans are developed and tracked.
Test of Controls: Inspected the external Vulnerability Assessment results to determine if an assessment was performed. Inspected the internal Vulnerability Assessment results to determine if: 1) system configurations were tested, 2) system configurations were evaluated against [CLIENT]’s security policies, 3) an exception report was prepared, and 4) remediation plans were developed/tracked.
Test Results: No deviations noted.

Criteria 3.13: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Controls: Changes to system infrastructure and software are developed and tested in a separate development or test environment before implementation into production.
Test of Controls: For a sample of environments, observed test systems to determine if a separate environment was in place for the development and testing of software changes prior to promotion of changes into production.
Test Results: No deviations noted.

Controls: As part of the change control policies and procedures, there is a “promotion” process (for example, from “analysis” to “development” to “testing” to “production”). Promotion to production requires testing and approval from both clients (if a client requests the change) and [CLIENT] supervisors.
Test of Controls: Selected a sample of changes to determine if testing and approval was obtained prior to promotion to production.
Test Results: No deviations noted.

Controls: When changes are made to key systems components, “back out” plan procedures are in place for use in the event of major interruption(s).
Test of Controls: Inquired of the Director of IT Infrastructure and observed the network backup file folder to determine if backup versions of code were maintained for changes to key systems.
Test Results: No deviations noted.
Page | 37
Criteria 3.14: Procedures exist to provide that emergency changes are documented and authorized timely.

Controls: Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.
Test of Controls: See test of controls included in Security Criteria 3.12.
Test Results: See test results included in Security Criteria 3.12.

Controls: Changes are prioritized based on the date assigned in the client requested completion date field. Change requestors are kept informed about the status of their requests. Emergency changes that require deviations from standard procedures are documented and authorized by the Director of IT.
Test of Controls: Inspected a sample of changes to determine if: 1) changes were prioritized based on the date assigned by the client, 2) status was documented, 3) emergency changes were documented and authorized by the Director of IT.
Test Results: No deviations noted.
Page | 38
4.0 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.

Criteria 4.1: The entity's system security is periodically reviewed and compared with the defined system security policies.

Controls: The information security team monitors the system and assesses the system vulnerabilities using proprietary and publicly available tools. Potential risks are evaluated and compared to service-level agreements and other obligations of the entity. Remediation plans are proposed and implementations are monitored.
Test of Controls: Inspected the Risk Assessment Follow-up Policy and internal vulnerability assessment results to determine if: a) the system was monitored by the internal information security team and b) results of the security reviews were reported to management. Inquired of the Director of IT Infrastructure to determine if remediation plans were implemented.
Test Results: No deviations noted.

Controls: [CLIENT] contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.
Test of Controls: Inspected the Information Security Assessment Executive Summary to determine if a third party was contracted to perform security assessments.
Test Results: No deviations noted.

Controls: Logs are analyzed daily to minimize repetition of issues and maintain [CLIENT]’s ability to achieve its system security objectives.
Test of Controls: Inspected the Security Log to determine if Windows Security Logs, Firewall Logs, Cisco ACS Logs, and IDS Logs were monitored daily.
Test Results: No deviations noted.

Criteria 4.2: There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its defined system security policies.

Controls: Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco switch and router configurations, antivirus software, software patches, changes to local system accounts, generic domain accounts, domain and account groups (monthly), backup procedures, rogue wireless access points and vulnerability scan results. A report is composed and compiles the results of the previous steps and assigns a grade based on predefined parameters.
Test of Controls: Selected a sample of internal security audits to determine if the audits were completed in accordance with defined procedures.
Test Results: No deviations noted.

Controls: Risk assessment is performed based on vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability and the estimated value of the asset that would be compromised.
Test of Controls: See test of controls included in Security Criteria 3.1.
Test Results: See test results included in Security Criteria 3.1.
Page | 39
Criteria 4.3: Environmental, regulatory, and technological changes are monitored and their effect on system security is assessed on a timely basis and policies are updated for that assessment.

Controls: Director, Compliance & Risk Management and Director of IT Infrastructure are required to keep current with regulatory, environmental and technology changes by subscription to newsletters in security and safety. Additionally, Directors in IT and Facilities maintain relevant professional certifications.
Test of Controls: Inspected job descriptions for the Director of Compliance & Risk Management and Director of IT Infrastructure to determine if security and safety responsibilities were defined. Observed that the Director of IT Infrastructure maintains the SANS Institute Global Information Assurance Certification and SANS subscriptions and the Director of Compliance & Risk Management maintains an Associate in Risk Management certificate and reviews disaster recovery and risk related publications.
Test Results: No deviations noted.

Controls: A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised.
Test of Controls: See test of controls included in Security Criteria 3.1.
Test Results: See test results included in Security Criteria 3.1.
Page | 40
Availability Criteria

1.0 Policies: The entity defines and documents its policies for the availability of its system.

Criteria 1.1: The entity's system availability and related security policies are established and periodically reviewed and approved by a designated individual or group.

Controls: A written availability policy has been approved by Executive Management and is implemented throughout the company.
Test of Controls: Inquired of Manager, Corporate Compliance and Security and inspected the Availability Policy to determine if policies were written and approved by Executive Management.
Test Results: No deviations noted.

Criteria 1.2: The entity's system availability and related security policies include, but may not be limited to, the following matters:
a. Identifying and documenting the system availability and related security requirements of authorized users.
b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements.
c. Assessing risks on a periodic basis.
d. Preventing unauthorized access.
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access.
f. Assigning responsibility and accountability for system availability and related security.
g. Assigning responsibility and accountability for system changes and maintenance.
h. Testing, evaluating, and authorizing system components before implementation.
i. Addressing how complaints and requests relating to system availability and related security issues are resolved.
j. Identifying and mitigating system availability and related security breaches and other incidents.
k. Providing for training and other resources to support its system availability and related security policies.
l. Providing for the handling of exceptions and situations not specifically addressed in its system availability and related security policies.
m. Providing for the identification of and consistency with, applicable laws and regulations, defined commitments, service agreements, and other contractual requirements.
n. Recovering and continuing service in accordance with documented customer commitments or other agreements.
o. Monitoring system capacity to achieve customer commitments or other agreements regarding availability.

Controls: A written Security and Availability policy includes system availability matters “a” – “o”.
Test of Controls: Inspected the written Security and Availability Policy to determine if items “a” – “o” were addressed.
Test Results: No deviations noted.
Page | 41
Criteria 1.3: Responsibility and accountability for developing and maintaining the entity's system availability and related security policies, and changes and updates to those policies, are assigned.

Controls: See controls included in Security Criteria 1.3.
Test of Controls: See test of controls included in Security Criteria 1.3.
Test Results: See test results included in Security Criteria 1.3.

2.0 Communications: The entity communicates the defined system availability policies to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Controls: See controls included in Security Criteria 2.1.
Test of Controls: See test of controls included in Security Criteria 2.1.
Test Results: See test results included in Security Criteria 2.1.

Criteria 2.2: The availability and related security obligations of users and the entity's availability and related security commitments to users are communicated to authorized users.

Controls: [CLIENT]’s system availability and related security commitments and required system availability and related security obligations of its customers and other external users are part of [CLIENT]’s standard services agreement. A governance process provides oversight and communication functions for the critical business processing of insurance claims to capture clients.
Test of Controls: Selected sample clients and inspected service level agreements to determine if system availability service level agreements were documented. Selected a sample of clients and inspected supporting documentation to determine if a process exists to provide oversight and communication functions for the critical business processing of insurance claims.
Test Results: No deviations noted.
Page | 42
Criteria 2.2 (continued)

Controls: For its internal users (employees and contractors), [CLIENT]’s policies relating to system security are reviewed with new employees and contractors as part of their orientation. New employees must sign a statement signifying that they have read, understand, and will follow these policies.
Test of Controls: Selected a sample of personnel and inspected acknowledgment forms to determine if 1) security obligations were communicated to users and acknowledged and 2) annual refresher training was received and acknowledged.
Test Results: No deviations noted.

Controls: The Data Security Handbook, Employee Handbook with Confidentiality, and HIPAA policy are published on the company intranet.
Test of Controls: See test of controls included in Security Criteria 2.2.
Test Results: See test results included in Security Criteria 2.2.
Page | 43
Criteria 2.3: Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Controls: The Director of Compliance and Risk Management and Director of IT Infrastructure have custody of and are responsible for the day-to-day maintenance of [CLIENT]’s technical security policies and recommend confidentiality, availability and processing integrity changes. Written job descriptions have been defined and are communicated to the Director of IT Infrastructure and Director of Compliance and Risk Management.
Test of Controls: Inquired of the Director of Compliance and Risk Management and inspected job descriptions for the Director of Compliance and Risk Management and Director of IT Infrastructure to determine if responsibilities for system security, confidentiality, availability and processing integrity policies were formally assigned.
Test Results: No deviations noted.

Controls: Written process and procedure manuals for all defined security processes are provided to all IT personnel, management and client facing personnel and included in new hire and annual training and sign-off procedures.
Test of Controls: Inspected the Data Security Handbook to determine if defined security processes were provided to all IT personnel, management, and client-facing personnel.
Test Results: No deviations noted.

Controls: If any policy changes are made they are communicated by internal company-wide email by the Vice President of Finance or President.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security and determined that no policy changes were performed during the period of January 1, 2012 to September 30, 2012. The operating effectiveness of this control activity could not be tested as there was no related activity during the period January 1, 2012 to September 30, 2012.
Test Results: No deviations noted.
Page | 44
Criteria 2.4: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

Controls: IT incidents (security, availability, confidentiality, or processing integrity) including potential breaches are reported to the IT Help Desk for action as defined in the Data Security Handbook.
Test of Controls: Inspected the Data Security Handbook incident response procedures, documented escalation process, and 5 Point Process to determine if incidents and system/operational issues were communicated based upon criteria specified in the escalation document.
Test Results: No deviations noted.

Controls: An 800 number and email address is provided on our website to contact our Customer Service area for any questions or issues. Clients who store data on our systems are assigned a Solutions Executive and Client Advocate who serve as their direct resolution experts.
Test of Controls: Selected a sample of clients and inspected supporting documentation to determine if a process existed for authorized users to inform [CLIENT] of breaches and submit complaints.
Test Results: No deviations noted.

Criteria 2.5: Changes that may affect system security are communicated to management and users who will be affected.

Controls: Planned changes to system components and the scheduling of those changes are reviewed as part of monthly IT/Operations meetings.
Test of Controls: For a sample of months, inspected meeting agendas and/or minutes from the monthly IT/Operations meetings to determine that changes that may affect system security, availability, processing integrity, or confidentiality were communicated to management or users who will be affected. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no changes occurred during the period which required communication. Inspected a sample of changes to determine that none required communication.
Test Results: No deviations noted.
Page | 45
3.0 Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Controls: Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco Switch/Router Configs, Antivirus software, software patches, any changes to local system accounts and generic domain accounts, domain and account groups (monthly), and backup procedures. A report is composed, compiles the results of the previous steps, and assigns a grade based on predefined parameters. A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised. Risks that rate high are given priority during the mitigation phase.
Test of Controls: Inspected the Risk Assessment Policy to determine if procedures exist to identify potential threats of disruption and assess risks associated with the threats. Inspected the internal vulnerability assessment results to determine the following: 1) bi-annual internal security audits were performed to identify potential threats, 2) a risk assessment was performed to identify potential threats and assess risks.
Test Results: No deviations noted.
Page | 46
Criteria 3.2: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Distribution of output restricted to authorized users.
f. Restriction of access to offline storage, backup data, systems, and media.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Controls:
a. Logical access to nonpublic information resources is protected through the use of security software and operating system security. Access is defined by job description and manager authorization. Access to resources is granted to an authenticated user based on the user's identity. Proper authorization must be completed for any access to be granted.

Test of Controls:
a. Inspected the Data Security Handbook, Windows security access reports, IBML user access list, EMC Captiva user access list, Anydoc access list and Emtex VIP access list (Raleigh) to determine 1) if logical access to nonpublic information was required to be protected through security software or operating system security; 2) if authentication with a valid user ID was needed to access resources.

Inquired of the Director of IT Infrastructure and inspected privileged user access listings to determine if access was assigned and defined based on job descriptions.

Inquired of the Director of IT Infrastructure and inspected the Data Security Handbook to determine if users were required to authenticate with a unique ID and password when accessing systems.

Selected a sample of new hires and inspected new user access request forms to determine if manager authorization was obtained prior to granting system access.

Inspected a sample of IBML, Anydoc, EMC, Thunderhead portal and Emtex VIP application users to determine if access was commensurate with their job description. Also inspected all members of the IT Personnel user access group to determine if access was commensurate with their job description.

Test Results:
No deviations noted.
Controls:
b. Users must establish their identity to [CLIENT]'s network and application systems when accessing nonpublic resources through the use of a valid user ID that is authenticated by an associated password. Unique user IDs are assigned to individual users. Use of group or shared IDs is not permitted. Passwords must contain at least eight characters and at least three character types, and may not be repeated within 24 months. Security configuration parameters force passwords to be changed every 30 days. Login sessions are terminated after three unsuccessful login attempts.

Test of Controls:
b. Inspected the Data Security Handbook to determine if users must be authenticated prior to gaining access to system resources, unique user IDs were assigned, use of group or shared IDs was not permitted, passwords must be changed and must be a minimum of eight characters with complexity in the character set, and login sessions must be terminated after three failed attempts.

Inspected password configuration settings to determine if the noted settings were enforced.

Observed a user login to the network to determine if the users were prompted for a unique username and password.

Inspected the IBML Windows Group, Windows domain admin list and Emtex VIP (Raleigh) to determine if unique user IDs were assigned and the use of group or shared IDs was not permitted.

See tests of controls included under Security 3.2(a).

Test Results:
No deviations noted.
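The parameters in control 3.2(b) are specific enough to implement and check directly. The following is an added example, not code from this report or from [CLIENT]: it enforces the stated password rules (eight characters, three character types, no reuse within 24 months, a 30-day maximum age, lockout after three failed attempts) against a small in-memory account store. The hashing scheme (PBKDF2-SHA256 with a per-password salt and an assumed iteration count), the 30-day month used for the 24-month history window, the data structures and the sample passwords are assumptions; the report does not describe how [CLIENT] stores password history.

```python
"""Password-policy enforcement with the parameters stated under Security Criteria 3.2(b).

Added example; not code from the report or from [CLIENT]. The numeric parameters
come from the control description. The hashing scheme (PBKDF2-SHA256 with a
per-password salt), the 30-day month used for the 24-month history window, the
data structures and the sample passwords are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                 # "at least eight characters"
MIN_CHARACTER_CLASSES = 3      # "at least three character types"
MAX_AGE_DAYS = 30              # "changed every 30 days"
HISTORY_WINDOW_DAYS = 24 * 30  # "not able to repeat within 24 months" (assumed 30-day months)
MAX_FAILED_ATTEMPTS = 3        # "terminated after 3 unsuccessful login attempts"
PBKDF2_ITERATIONS = 100_000    # assumption; not stated in the report


def character_classes(password):
    """Number of the four classes (upper, lower, digit, other) present in the password."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def complexity_errors(password):
    """Return the list of complexity rules the password violates (empty when compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        errors.append("fewer than %d character types" % MIN_CHARACTER_CLASSES)
    return errors


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)  # PasswordRecord entries, oldest first
    failed_attempts: int = 0
    locked: bool = False


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(account, password, now):
    """Validate a new password; store it and return [] only when no rule is violated."""
    errors = complexity_errors(password)
    window_start = now - timedelta(days=HISTORY_WINDOW_DAYS)
    for rec in account.history:
        # Only passwords set inside the 24-month window count as reuse.
        if rec.set_at >= window_start and hmac.compare_digest(_digest(password, rec.salt), rec.digest):
            errors.append("reused within 24 months")
            break
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append(PasswordRecord(salt, _digest(password, salt), now))
    account.failed_attempts = 0
    return []


def password_expired(account, now):
    """True when the current password is older than the 30-day maximum age."""
    if not account.history:
        return True
    return now - account.history[-1].set_at > timedelta(days=MAX_AGE_DAYS)


def attempt_login(account, password, now):
    """Return 'locked', 'ok', 'expired' or 'failed'; the third consecutive failure locks the account."""
    if account.locked:
        return "locked"
    current = account.history[-1] if account.history else None
    if current is not None and hmac.compare_digest(_digest(password, current.salt), current.digest):
        account.failed_attempts = 0
        return "expired" if password_expired(account, now) else "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "failed"
```

The reuse check has to hash the candidate once per retained record because each record carries its own salt; with a 30-day rotation the window holds at most about 24 records, so that cost is bounded. A lockout state is deliberately separate from the failure counter so that a later correct password does not clear it: in the control as written, only an administrator action should.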
Controls:
c. Customers must be approved and granted access to [CLIENT]'s Web site (WebCIRM) under a secure session requiring user ID and password. Privileges are limited to specific system functionality.

The Director of Business Process Operations authorizes access privilege change requests for employees and the Vice President of Operations does so for vendors. Access is limited to specific functionality.

The ability to create or modify users and user access privileges (other than the limited-functionality "customer accounts") is limited to the security administration team.

Test of Controls:
c. Inspected the certificate issued to WebCIRM by the Network Solutions Certificate Authority to determine if encryption through SSL was enforced.

Inspected the Data Security Handbook to determine if Director-level approval was required for changes to access privileges for employees and vendors.

Inspected a list of employees with administrative access privileges on Windows systems, network devices and database servers to determine if access was limited to IT personnel based on job function.

Test Results:
See test results included in Security Criteria 3.2(a).
Controls:
d. Changes to customer accounts may be performed by the Director of Client Interaction with authorization documented on user access request forms. Changes are reflected immediately.

Unused WebCIRM customer accounts (no activity for six months) are reviewed by the Director of Client Interaction and if necessary purged from the system.

Changes to other accounts and profiles are made by the security administration team through a request on a Network Access Form and require the written approval of the Director of Business Process or other higher-level management.

Test of Controls:
d. Selected a sample of users and inspected the related user access request forms to determine if changes to customer accounts were authorized.

Inspected the CIRM User ID Recertification to determine if unused WebCIRM customer accounts were reviewed by the Director of Client Interaction.

Selected a sample of new hires and inspected Network Access Forms to determine if user account additions were approved.

Test Results:
No deviations noted.
Controls:
e. Access to computer processing output is provided to authorized individuals based on their job description and classification of the information. Processing output is stored in an area that reflects the classification of the information. Processing output is distributed in accordance with the security policy based on classification of the information.

Test of Controls:
e. Inspected badge access listings to determine if access was restricted based on job responsibilities.

Inspected the Data Security Handbook to determine if policies exist for the distribution of processing output based on information classification.

Test Results:
No deviations noted.

Controls:
f. Access to offline storage, backup data, systems, and media is limited to computer operations staff through the use of restricted physical and logical access.

Test of Controls:
f. Inspected the Data Security Handbook to determine if access to sensitive data was secured through logical and physical security measures.

Inspected the computer room badge access listing to determine if access was restricted based on job responsibilities.

Inspected the list of users with system administrator capabilities on the Windows systems and badge access system to determine if access was restricted based on job responsibilities.

Test Results:
No deviations noted.
Controls:
g. Hardware and operating system configuration tables are restricted to appropriate personnel through physical access controls, native operating system security, and add-on security software.

Application software configuration tables are restricted to authorized users and monitored by the Director of Network.

Utility programs that can read, add, change, or delete data or programs are restricted to authorized technical services staff. Usage is logged and monitored by the Director of Network. A spare listing of all master passwords is stored in an encrypted file.

Test of Controls:
g. Inspected the list of users with administrative access rights on Windows systems, VPN and databases to determine if access was limited based on job need.

Inspected the Windows event log settings and Cisco Access Control Server (ACS) settings to determine if system configuration activity was logged.

Inspected the Daily Security Log to determine if system configuration usage logs were monitored by members of the network infrastructure group.

Inquired of the Director of IT Infrastructure and observed the master password file to determine if master passwords were stored in an encrypted file.

Test Results:
No deviations noted.
Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Controls:
Physical access to the computer rooms, which house [CLIENT]'s IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.

Requests for physical access privileges to [CLIENT]'s computer facilities require the approval of the Director of Compliance and Risk Management.

Documented procedures exist for the identification and escalation of potential physical security breaches.

Offsite backups are stored at a physical Disaster Recovery/Business Continuity site. This facility requires physical access cards and is restricted under the same parameters as the main site.

Test of Controls:
Inspected the computer room badge access listing, operations access listing and Kirkwood facility access listing to determine if access was restricted based on job responsibilities.

Performed a tour of the data center to determine if video surveillance was in place.

Inspected physical access procedures to determine if requests to access [CLIENT]'s facilities require approval of the Director of Compliance and Risk Management.

Inspected the Data Security Handbook and the documented incident response procedures to determine if identification and escalation of potential physical security breaches were addressed.

Test Results:
No deviations noted.
Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.

Controls:
Protective system processes are in place to prevent and monitor unauthorized access to system resources and unauthorized access attempts.

Test of Controls:
Inspected security logs to determine if failed login attempts and system lockouts are recorded.

Inspected the network diagram, Cisco device list, and security logs to confirm that system firewalls are in use and firewall event logs are reviewed daily.

Inspected the master server list and inquired of IT management that the master server list is maintained and updated by the IT department for any system changes.

Inspected and inquired about the use of the Snort IDS software.

Inspected the external vulnerability assessment results to verify security reviews are being performed by external parties.

Test Results:
No deviations noted.

Controls:
See controls included in Security Criteria 3.2.

Test of Controls:
See test of controls included in Security Criteria 3.2.

Test Results:
See test results included in Security Criteria 3.2.
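The first test under 3.4 (inspecting security logs for failed logins and lockouts) can be combined with the three-attempt lockout rule of 3.2(b) into a mechanical check: every account that reaches three consecutive failed logons should have a lockout event logged before any further activity. The following is an added example, not from this report or from [CLIENT]. It parses constructed log lines that use the Windows Security event IDs 4625 (failed logon), 4624 (successful logon) and 4740 (account locked out), and flags any account whose failures continue, or that logs on successfully, after the threshold with no lockout recorded. The line format, account names, addresses and timestamps are constructed; nothing here is taken from [CLIENT]'s logs.

```python
"""Lockout check over security-log lines for Security Criteria 3.4 (and the three-attempt
rule in 3.2(b)).

Added example; not from the report or [CLIENT]. The line format and every sample line
are constructed. Only the event IDs are real Windows Security event IDs:
4625 failed logon, 4624 successful logon, 4740 account locked out.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # "terminated after 3 unsuccessful login attempts"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<event>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<source>\S+)$"
)

# Constructed sample export (not a real log): one benign mistype, one account that
# is locked as required, and one that keeps failing with no lockout recorded.
SAMPLE_LOG = """\
2012-03-05 08:01:12 EventID=4625 Account=jdoe Source=10.1.4.22
2012-03-05 08:01:40 EventID=4624 Account=jdoe Source=10.1.4.22
2012-03-05 09:10:02 EventID=4625 Account=svc-print Source=10.1.9.7
2012-03-05 09:10:05 EventID=4625 Account=svc-print Source=10.1.9.7
2012-03-05 09:10:09 EventID=4625 Account=svc-print Source=10.1.9.7
2012-03-05 09:10:09 EventID=4740 Account=svc-print Source=10.1.9.7
2012-03-05 11:42:51 EventID=4625 Account=asmith Source=203.0.113.5
2012-03-05 11:42:55 EventID=4625 Account=asmith Source=203.0.113.5
2012-03-05 11:43:01 EventID=4625 Account=asmith Source=203.0.113.5
2012-03-05 11:43:08 EventID=4625 Account=asmith Source=203.0.113.5
2012-03-05 11:43:20 EventID=4624 Account=asmith Source=203.0.113.5
"""


def parse(log_text):
    """Return (timestamp, event_id, account, source) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), int(m.group("event")), m.group("account"), m.group("source")))
    return events


def _new_state():
    return {"streak": 0, "expect_lockout": False, "locked": False, "deviation": False, "sources": set()}


def analyse(events):
    """Track consecutive failures per account and flag where the lockout did not follow."""
    accounts = defaultdict(_new_state)
    for _ts, event, account, source in events:
        s = accounts[account]
        if event == 4625:
            if s["expect_lockout"]:
                s["deviation"] = True  # another failure accepted past the threshold, no 4740 in between
            s["streak"] += 1
            s["sources"].add(source)
            if s["streak"] >= LOCKOUT_THRESHOLD and not s["locked"]:
                s["expect_lockout"] = True
        elif event == 4740:
            s["locked"] = True
            s["expect_lockout"] = False
        elif event == 4624:
            if s["expect_lockout"]:
                s["deviation"] = True  # a successful logon where the account should have been locked
            s["streak"] = 0
            s["expect_lockout"] = False
    return dict(accounts)


def control_report(log_text):
    """Summarise what the test of controls looks for: both event types recorded, lockouts enforced."""
    events = parse(log_text)
    accounts = analyse(events)
    return {
        "failed_logons_recorded": any(e[1] == 4625 for e in events),
        "lockouts_recorded": any(e[1] == 4740 for e in events),
        "locked": sorted(a for a, s in accounts.items() if s["locked"]),
        "deviations": sorted(a for a, s in accounts.items() if s["deviation"]),
    }


if __name__ == "__main__":
    for key, value in control_report(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, svc-print is locked on its third failure as the control requires, jdoe is a single mistype followed by a normal logon, and asmith records a fourth failure and then a success without any 4740, which is exactly the case an auditor should be shown as a deviation. The per-account source set is kept so that a deviation can be traced to the originating address.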
Criteria 3.5: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Controls:
Antivirus software is in place that prevents computer viruses, malicious code and unauthorized software, including virus scans of incoming e-mail messages. Virus signatures are reviewed and updated daily.

Test of Controls:
Inquired of the Director of IT Infrastructure and observed antivirus configuration settings to determine if antivirus software was installed and virus definitions were updated daily.

Test Results:
No deviations noted.

Criteria 3.6: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Controls:
[CLIENT] uses encryption technology, VPN software, and other secure communication systems (consistent with its periodic IT risk assessment) for the transmission of private or confidential information over public networks, including user IDs and passwords.

Test of Controls:
Inspected SSL protocol permissions, SSL certificates, and VPN protocol encryption to determine if encryption technology was in use.

Test Results:
No deviations noted.
Criteria 3.7: Procedures exist to identify, report, and act upon system security breaches and other incidents.

Controls:
A Security Incident Response Plan (5-Point Process) is instituted for identification and resolution of potential security breaches by the information security team.

Test of Controls:
Inspected the Data Security Handbook and Security Log Sign-off Sheet to determine if a) the security incident response plan was defined and documented; b) the network staff was responsible for reviewing security logs on a daily basis.

Inspected the 5-Point Analysis Procedures document to determine if a defined escalation process was established and appropriate resolution requires approval by management.

Test Results:
No deviations noted.

Controls:
When an incident is detected or reported, a defined Security Incident Response Plan (5-Point Process) identifies severity and action to be taken. Corrective actions are implemented in accordance with defined policies and procedures.

Test of Controls:
Inspected a sample of completed 5-Point Analysis documentation to determine if the 5-Point Analysis procedures were followed.

Test Results:
No deviations noted.

Criteria 3.8: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Controls:
Data classifications are used to determine access permissions as well as audit levels. The principle of least privilege is utilized to assign permissions at all levels. Permissions are assigned on Windows groups which map to a specific job function.

Propriety of data is considered during new implementations, upgrades and change order actions.

Test of Controls:
Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.

Test Results:
No deviations noted.
Criteria 3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Controls:
All incidents are tracked by management until resolved through the 5-Point incident response process.

Test of Controls:
See test of controls included in Security Criteria 3.7.

Test Results:
See test results included in Security Criteria 3.7.

Controls:
Supervisors review and approve the incident response process to help make certain procedures are followed.

Test of Controls:
See test of controls included in Security Criteria 3.7.

Test Results:
See test results included in Security Criteria 3.7.

Criteria 3.10: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

Controls:
[CLIENT] has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology.

Test of Controls:
Inquired of the Director of IT Development, and inspected the IT Change Control Procedures and Standard Build Documentation to determine if: a) a formal methodology exists that governs the change management and SDLC processes and b) the network administration team was responsible for approving architecture and design specifications for new systems.

Inspected the Data Security Handbook to determine if system changes that cannot meet defined data security standards require approval by senior IT management.

Test Results:
No deviations noted.
Controls:
The Network administration team reviews and approves the architecture and design specifications for new systems development and acquisition to help ensure consistency with [CLIENT]'s security objectives, policies, and standards.

Test of Controls:
Requested a sample of new systems development and acquisition projects to determine if the Network administration team reviewed and approved the architecture and design specifications.

The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no new systems development and acquisition projects occurred during the period. Inspected a sample of changes to determine that none were related to new systems development and acquisition.

Test Results:
No deviations noted.

Criteria 3.11: Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

Controls:
[CLIENT] has written job descriptions specifying the responsibilities and academic and professional requirements for key job positions.

Test of Controls:
Inspected job descriptions for key IT positions (i.e., Director, IT Support; Director, IT Development; Director, Risk Management and Compliance) to determine if job responsibilities, academic and professional requirements were documented.

Test Results:
No deviations noted.

Controls:
Hiring procedures include a comprehensive screening of candidates for key positions and consideration of whether the verified credentials are commensurate with the proposed position. New personnel are offered employment subject to background checks and reference validation.

Test of Controls:
Inquired of the HR Specialist and inspected supporting documentation for a sample of new hires to determine if hiring procedures included an educational background check and review of employment history prior to hiring.

Test Results:
No deviations noted.
Criteria 3.12: Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

Controls:
The IT department maintains an up-to-date listing of all software and the respective level, version, and patches that have been applied.

Test of Controls:
Inspected the software list to determine if an up-to-date list was maintained by IT.

Test Results:
No deviations noted.

Controls:
Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.

Test of Controls:
Inquired of the Director of IT Development and inspected IT Change Control Procedures and Standard Build Documentation to determine if a formal methodology exists that governs the change management and SDLC processes.

Inspected a sample of changes to determine if requests for change were standardized and subject to documented change management procedures.

Test Results:
No deviations noted.

Controls:
System configurations are tested annually and evaluated against [CLIENT]'s security policies and current service-level agreements. An exception report is prepared and remediation plans are developed and tracked.

Test of Controls:
Inspected the external Vulnerability Assessment results to determine if an assessment was performed.

Inspected the internal Vulnerability Assessment results to determine if: 1) system configurations were tested, 2) system configurations were evaluated against [CLIENT]'s security policies, 3) an exception report was prepared, and 4) remediation plans were developed/tracked.

Test Results:
No deviations noted.
Criteria 3.13: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Controls:
Changes to system infrastructure and software are developed and tested in a separate development or test environment before implementation into production.

Test of Controls:
For a sample of environments, observed test systems to determine if a separate environment was in place for the development and testing of software changes prior to promotion of changes into production.

Test Results:
No deviations noted.

Controls:
As part of the change control policies and procedures, there is a "promotion" process (for example, from "analysis" to "development" to "testing" to "production"). Promotion to production requires testing and approval from both clients (if a client requests the change) and [CLIENT] supervisors.

Test of Controls:
Selected a sample of changes to determine if testing and approval was obtained prior to promotion to production.

Test Results:
No deviations noted.

Controls:
When changes are made to key systems components, "back out" plan procedures are in place for use in the event of major interruption(s).

Test of Controls:
Inquired of the Director of IT Infrastructure and observed the network backup file folder to determine if backup versions of code were maintained for changes to key systems.

Test Results:
No deviations noted.

Criteria 3.14: Procedures exist to provide that emergency changes are documented and authorized timely.

Controls:
Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.

Test of Controls:
See test of controls included in Security Criteria 3.12.

Test Results:
See test results included in Security Criteria 3.12.

Controls:
Changes are prioritized based on the date assigned in the client requested completion date field. Change requestors are kept informed about the status of their requests. Emergency changes that require deviations from standard procedures are documented and authorized by the Director of IT.

Test of Controls:
Inspected a sample of changes to determine if: 1) changes were prioritized based on the date assigned by the client; 2) status was documented; 3) emergency changes were documented and authorized by the Director of IT.

Test Results:
No deviations noted.
4.0 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.

Criteria 4.1: System processing integrity and security performance are periodically reviewed and compared with the defined system processing integrity and related security policies.

Controls:
See controls included in Security Criteria 4.1.

Test of Controls:
See test of controls included in Security Criteria 4.1.

Test Results:
See test results included in Security Criteria 4.1.

Criteria 4.2: There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its defined system processing integrity and related security policies.

Controls:
See controls included in Security Criteria 4.2.

Test of Controls:
See test of controls included in Security Criteria 4.2.

Test Results:
See test results included in Security Criteria 4.2.

Criteria 4.3: Environmental, regulatory, and technological changes are monitored, their impact on system processing integrity and security is assessed on a timely basis, and policies are updated for that assessment.

Controls:
See controls included in Security Criteria 4.3.

Test of Controls:
See test of controls included in Security Criteria 4.3.

Test Results:
See test results included in Security Criteria 4.3.
Confidentiality Criteria

1.0 Policies: The entity defines and documents its policies related to the system protecting confidential information, as committed or agreed.

Criteria 1.1: The entity's system confidentiality and related security policies are established and periodically reviewed and approved by a designated individual or group.

Controls:
Confidentiality and security policies, addressing both IT and physical security, have been approved by the Executive Team and are implemented throughout the company.

Test of Controls:
Inspected the Data Security Handbook and standard Confidentiality Agreement to determine if logical and physical security policies were addressed, implemented, and approved by the Executive Team.

Test Results:
No deviations noted.

Controls:
Changes to the IT security policy are approved by the IT Management team prior to implementation.

Test of Controls:
Inspected executive meeting minutes to determine if changes to the IT Security Policy were approved by the IT Management team prior to implementation.

Test Results:
No deviations noted.

Controls:
Client confidentiality requirements are documented in service-level agreements, nondisclosure agreements, or other documents.

Test of Controls:
Inspected standard employee Confidentiality Agreements and Vendor Nondisclosure Agreements to determine if confidentiality requirements were documented.

Test Results:
No deviations noted.

Controls:
Employees are required to sign confidentiality agreements.

Test of Controls:
Selected a sample of new hires to determine if employees were required to sign confidentiality agreements upon hire.
Criteria 1.2: The entity's policies related to the system's protection of confidential information and security include, but are not limited to, the following matters:
a. Identifying and documenting the confidentiality and related security requirements of authorized users.
b. Classifying data based on its criticality and sensitivity that is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements.
c. Assessing risk on a periodic basis.
d. Preventing unauthorized access.
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access.
f. Assigning responsibility and accountability for confidentiality and related security.
g. Assigning responsibility and accountability for system changes and maintenance.
h. Testing, evaluating, and authorizing system components before implementation.
i. Addressing how complaints and requests relating to confidentiality and related security issues are resolved.
j. Handling confidentiality and related security breaches and other incidents.
k. Providing for training and other resources to support its system confidentiality and related security policies.
l. Providing for the handling of exceptions and situations not specifically addressed in its system confidentiality and related security policies.
m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contractual requirements.
n. Sharing information with third parties.

Controls:
See controls included in Confidentiality Criteria 1.1.

Test of Controls:
Inspected to determine if the policies included matters "a" through "n". See test of controls included in Confidentiality Criteria 1.1.

Test Results:
See test results included in Confidentiality Criteria 1.1.

Criteria 1.3: Responsibility and accountability for developing and maintaining the entity's system confidentiality and related security policies, and changes and updates to those policies, are assigned.

Controls:
See controls included in Confidentiality Criteria 1.1.

Test of Controls:
See test of controls included in Confidentiality Criteria 1.1.

Test Results:
See test results included in Confidentiality Criteria 1.1.
2.0 Communications: The entity communicates its defined policies related to the system's protection of confidential information to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Controls: See controls included in Security Criteria 2.1.
Test of Controls: See test of controls included in Security Criteria 2.1.
Test Results: See test results included in Security Criteria 2.1.

Criteria 2.2: The system confidentiality and related security obligations of users and the entity's confidentiality and related security commitments to users are communicated to authorized users before the confidential information is provided. This communication includes, but is not limited to, the following matters:
a. How information is designated as confidential and ceases to be confidential. The handling, destruction, maintenance, storage, backup, and distribution or transmission of confidential information.
b. How access to confidential information is authorized and how such authorization is rescinded.
c. How confidential information is used.
d. How confidential information is shared.
e. If information is provided to third parties, disclosures include any limitations on reliance on the third party's confidentiality practices and controls. Lack of such disclosure indicates that the entity is relying on the third party's confidentiality practices and controls that meet or exceed those of the entity.
f. Practices to comply with applicable laws and regulations addressing confidentiality.

Controls: [CLIENT]'s confidentiality and related security commitments and required confidentiality obligations are part of the Employee Handbook and Data Security Handbook. Client specific confidentiality policies/practices are detailed in customer contracts, service-level agreements, vendor contract terms and conditions, and a standard nondisclosure agreement. Employees assigned to clients are trained on any client specific policies.
Test of Controls: Inspected the Data Security Handbook and Confidentiality Agreement to determine if confidentiality and security commitments were communicated to employees and included the matters "a" – "e" above as well as procedures for reporting breaches, complaints and related incidents. Selected a sample of personnel and inspected signed confidentiality and employee handbook acknowledgement forms or refresher training acknowledgements to determine if employees receive training on security and confidentiality practices/policies. Inspected standard non-disclosure and master agreements to determine if user requirements were documented.
Test Results: No deviations noted.

Controls: [CLIENT] publishes its confidentiality and related security policies on its corporate intranet.
Test of Controls: See test of controls included in Security Criteria 2.2.
Test Results: See test results included in Security Criteria 2.2.
Criteria 2.3: Responsibility and accountability for the entity's system confidentiality and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Controls: Responsibility and accountability for establishing and updating [CLIENT]'s confidentiality and security policies have been documented in written job descriptions and communicated to the responsible personnel.
Test of Controls: See test of controls included in Security Criteria 2.3.
Test Results: See test results included in Security Criteria 2.3.

Criteria 2.4: The process for informing the entity about breaches of confidentiality and system security and for submitting complaints is communicated to authorized users.

Controls: The process for employees to inform [CLIENT] of possible confidentiality or security breaches and other incidents is defined in the Data Security Handbook, posted on the company's intranet, and reviewed during employee orientation.
Test of Controls: See test of controls included in Confidentiality Criteria 2.2.
Test Results: See test results included in Confidentiality Criteria 2.2.

Controls: A process for customers to inform [CLIENT] of possible breaches is defined in each contract and includes a feedback mechanism to ensure the issue has been resolved.
Test of Controls: See test of controls included in Confidentiality Criteria 2.2.
Test Results: See test results included in Confidentiality Criteria 2.2.

Controls: Documented procedures exist for the identification and escalation of possible confidentiality or security breaches and other incidents.
Test of Controls: See test of controls included in Confidentiality Criteria 2.2.
Test Results: See test results included in Confidentiality Criteria 2.2.

Criteria 2.5: Changes that may affect confidentiality and system security are communicated to management and users who will be affected.

Controls: See controls included in Security Criteria 2.5.
Test of Controls: See test of controls included in Security Criteria 2.5.
Test Results: See test results included in Security Criteria 2.5.
3.0 Procedures: The entity placed in operation procedures to achieve its documented system confidentiality objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruptions to systems operations that would impair system confidentiality commitments and (2) assess the risks associated with the identified threats.

Controls: See controls included in Security Criteria 3.1.
Test of Controls: See test of controls included in Security Criteria 3.1.
Test Results: See test results included in Security Criteria 3.1.

Criteria 3.2: The system procedures related to confidentiality of inputs are consistent with the documented confidentiality policies.

Controls: Confidentiality processes exist to restrict the capability to input information to only authorized individuals. This includes limitations of physical access based on specific operational or project roles and responsibilities.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Criteria 3.3: The system procedures related to confidentiality of data processing are consistent with the documented confidentiality policies.

Controls: Confidentiality processes exist to monitor, in a timely manner, unauthorized attempts to access data for any purposes, or for purposes beyond the authorization level of the person accessing the data, including inappropriate or unusual actions, overrides, or bypasses applied to data and transaction processing.
Test of Controls: Inspected Information Security Monitoring Procedures to determine if procedures to monitor unauthorized attempts to access data were documented. Inspected the Security Log to determine if Windows Security Logs, Firewall Logs, Cisco ACS Logs, and IDS Logs were monitored daily.
Test Results: No deviations noted.
Criteria 3.4: The system procedures related to confidentiality of outputs are consistent with the documented confidentiality policies.

Controls: Management has developed and adheres to strict guidelines on appropriateness of user access to output data.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Controls: User access to output data is appropriately aligned with the user's role and confidentiality of information. Access to reports is restricted to those users with a legitimate business need for the information.
Test of Controls: Selected a sample of employees and inspected their badge access to determine if access to operational areas was limited based on job function.
Test Results: No deviations noted.

Criteria 3.5: The system procedures provide that confidential information is disclosed to parties only in accordance with the entity's defined confidentiality and related security policies.

Controls: Employees are required to sign a confidentiality agreement as a routine part of their employment. This agreement prohibits any disclosures of information and other data to which the employee has been granted access.
Test of Controls: See test of controls included in Security Criteria 2.2.
Test Results: See test results included in Security Criteria 2.2.

Controls: Access is provided based on job function and need. Requests for access privileges to confidential data require the approval of management.
Test of Controls: Selected a sample of new hires and inspected their Network Access authorization form to determine if approvals were obtained before system access was granted.
Test Results: No deviations noted.
Criteria 3.6: The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity's defined system confidentiality and related security policies and that the third party is in compliance with its policies.

Controls: Annually management reviews representations or assurance reports from any organizations with which [CLIENT] provides confidential information to assess conformity of the service provider's confidentiality provisions with [CLIENT]'s confidentiality policies.
Test of Controls: Selected a sample of third-party providers and inspected their contracts to determine if confidentiality requirements were documented and representations or assurance reports were reviewed.
Test Results: No deviations noted.

Criteria 3.7: In the event that a disclosed confidentiality practice is discontinued or changed to be less restrictive, the entity has procedures to protect confidential information in accordance with the system confidentiality practices in place when such information was received, or obtains customer consent to follow the new confidentiality practice with respect to the customer's confidential information.

Controls: Changes to confidentiality provisions in business partner contracts are renegotiated with the business partner. When changes resulting in less restrictive procedures are made, [CLIENT] attempts to obtain the agreement of its customers to the new procedures. Confidential information for those customers who do not agree to the new policy is either removed from the system and destroyed or isolated to receive continued protection under the old policy.
Test of Controls: Inquired of Manager, Corporate Compliance, and Security to determine if: 1) changes to confidentiality provisions in business partner contracts were renegotiated with any business partner and 2) there were any changes performed in 2011 resulting in less restrictive procedures at [CLIENT].
Test Results: No deviations noted. The operating effectiveness of this control activity could not be tested, as there was no related activity during the period of January 1, 2012 and September 30, 2012.
Criteria 3.8: Procedures exist to restrict logical access to the system and the confidential information resources maintained in the system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of all users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own.
f. Procedures to limit access to confidential information to only authorized employees based upon their assigned roles and responsibilities.
g. Distribution of output containing confidential information restricted to authorized users.
h. Restriction of access to offline storage, backup data, systems, and media.
i. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

a. Controls: See controls included in Security Criteria 3.2.
   Test of Controls: See test of controls included in Security Criteria 3.2 (a).
   Test Results: See test results included in Security Criteria 3.2 (a).

b. Controls: See controls included in Security Criteria 3.2.
   Test of Controls: See test of controls included in Security Criteria 3.2 (b).
   Test Results: See test results included in Security Criteria 3.2 (b).

c. Controls: See controls included in Security Criteria 3.2.
   Test of Controls: See test of controls included in Security Criteria 3.2 (c).
   Test Results: See test results included in Security Criteria 3.2 (c).

d. Controls: See controls included in Security Criteria 3.2.
   Test of Controls: See test of controls included in Security Criteria 3.2 (d).
   Test Results: See test results included in Security Criteria 3.2 (d).

e. Controls: Corporate customers are assigned a unique company identifier that is required as part of the login process. Access software is used to restrict user access based on the company identifier used at login. Individual customers have their access restricted to their own confidential information resources based on their unique user IDs.
   Test of Controls: Inspected the WebCirm user IDs and cost center codes to determine if corporate customers were assigned a unique company identifier and if access was restricted based on the company identifier used at login.
   Test Results: No deviations noted.

f. Controls: Requests for privileges to access confidential customer information resources require the approval of management.
   Test of Controls: Inquired of the Manager, Corporate Compliance and Security and inspected the Data Security Handbook to determine if managers were required to authorize data access requests which includes confidential customer information.
   Test Results: No deviations noted.

   Controls: Simulated customer data are used for system development and testing purposes. Confidential customer information is not used for this purpose.
   Test of Controls: Inquired of the Manager, Corporate Compliance and Security, and Director of IT Development to determine if customer data was not used for system development or testing purposes. See test of controls included in Security Criteria 3.2.
   Test Results: No deviations noted.

g. Controls: Access to computer processing output is provided to authorized individuals based on the classification of the information. Access to computer processing output is authorized by job description and client specific assignments.
   Test of Controls: See test of controls included in Security Criteria 3.2.
   Test Results: See test results included in Security Criteria 3.2.

h. Controls: See controls included in Security Criteria 3.2.
   Test of Controls: See test of controls included in Security Criteria 3.2 (f).
   Test Results: See test results included in Security Criteria 3.2 (f).

i. Controls: See controls included in Security Criteria 3.2.
   Test of Controls: See test of controls included in Security Criteria 3.2 (g).
   Test Results: See test results included in Security Criteria 3.2 (g).

Criteria 3.9: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Controls: See controls included in Security Criteria 3.3.
Test of Controls: See test of controls included in Security Criteria 3.3.
Test Results: See test results included in Security Criteria 3.3.
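The control described under Criteria 3.8(e), restricting each login to the company identifier (for corporate customers) or the unique user ID (for individual customers), can be illustrated with a small tenant-scoped authorization check. The code below is an added example written for this page; the user directory, record layout, function names and sample data are constructed, and it is not [CLIENT]'s WebCirm access software. Denied attempts are appended to an in-memory audit list, the kind of record that the daily log review under Criteria 3.3 would consume.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict

# Constructed sample directory: corporate users are bound to one company
# identifier; individual customers (None) are scoped by their user ID alone.
USER_DIRECTORY: Dict[str, Optional[str]] = {
    "alice": "ACME",
    "bob": "GLOBEX",
    "jane": None,
}

@dataclass(frozen=True)
class Session:
    user_id: str
    company_id: Optional[str]   # None for an individual (non-corporate) customer

@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_company: Optional[str]  # set when the record belongs to a corporate customer
    owner_user: Optional[str]     # set when the record belongs to an individual customer

# Constructed sample data store of confidential records.
RESOURCES: Dict[str, Resource] = {
    "doc-100": Resource("doc-100", owner_company="ACME", owner_user=None),
    "doc-200": Resource("doc-200", owner_company="GLOBEX", owner_user=None),
    "doc-300": Resource("doc-300", owner_company=None, owner_user="jane"),
}

# Denied attempts, kept for the daily review of access logs.
AUDIT_LOG: List[str] = []

def login(user_id: str, presented_company: Optional[str]) -> Optional[Session]:
    """Corporate users must present the company identifier they are bound to.
    Password checking is out of scope here; only the tenant binding is modelled.
    The session carries the directory's binding, never the presented value."""
    if user_id not in USER_DIRECTORY:
        return None
    bound = USER_DIRECTORY[user_id]
    if bound is not None and presented_company != bound:
        AUDIT_LOG.append(f"LOGIN-DENY user={user_id} presented_company={presented_company}")
        return None
    return Session(user_id=user_id, company_id=bound)

def is_authorized(session: Session, res: Resource) -> bool:
    """Allow only when the login scope matches the record's owner."""
    if res.owner_company is not None:
        # Corporate record: the company identifier used at login must match.
        return session.company_id == res.owner_company
    # Individual record: only the owning user ID may read it.
    return session.user_id == res.owner_user

def fetch(session: Session, resource_id: str) -> Optional[Resource]:
    """Look up a record, enforcing the tenant check on every access.
    A cross-tenant request gets the same answer as a missing record, so the
    lookup does not confirm that another customer's record exists."""
    res = RESOURCES.get(resource_id)
    if res is None:
        return None
    if not is_authorized(session, res):
        AUDIT_LOG.append(
            f"DENY user={session.user_id} company={session.company_id} resource={resource_id}"
        )
        return None
    return res
```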
Criteria 3.10: Procedures exist to protect against unauthorized access to system resources.

Controls: See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Criteria 3.11: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Controls: See controls included in Security Criteria 3.5.
Test of Controls: See test of controls included in Security Criteria 3.5.
Test Results: See test results included in Security Criteria 3.5.

Criteria 3.12: Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

Controls: See controls included in Security Criteria 3.6.
Test of Controls: See test of controls included in Security Criteria 3.6.
Test Results: See test results included in Security Criteria 3.6.

Criteria 3.13: Procedures exist to identify, report, and act upon system confidentiality and security breaches and other incidents.

Controls: See controls included in Security Criteria 3.7.
Test of Controls: See test of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Criteria 3.14: Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.

Controls: See controls included in Security Criteria 3.8.
Test of Controls: See test of controls included in Security Criteria 3.8.
Test Results: See test results included in Security Criteria 3.8.

Criteria 3.15: Procedures exist to provide that issues of noncompliance with defined confidentiality and related security policies are promptly addressed and that corrective measures are taken on a timely basis.

Controls: See controls included in Security Criteria 3.9.
Test of Controls: See test of controls included in Security Criteria 3.9.
Test Results: See test results included in Security Criteria 3.9.
Criteria 3.16: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined confidentiality and related security policies.

Controls: See controls included in Security Criteria 3.10.
Test of Controls: See test of controls included in Security Criteria 3.10.
Test Results: See test results included in Security Criteria 3.10.

Criteria 3.17: Procedures exist to help ensure that personnel responsible for the design, development, implementation, and operation of systems affecting confidentiality and security have the qualifications and resources to fulfill their responsibilities.

Controls: See controls included in Security Criteria 3.11.
Test of Controls: See test of controls included in Security Criteria 3.11.
Test Results: See test results included in Security Criteria 3.11.

Criteria 3.18: Procedures exist to maintain system components, including configurations consistent with the defined system confidentiality and related security policies.

Controls: See controls included in Security Criteria 3.12.
Test of Controls: See test of controls included in Security Criteria 3.12.
Test Results: See test results included in Security Criteria 3.12.

Criteria 3.19: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Controls: See controls included in Security Criteria 3.13.
Test of Controls: See test of controls included in Security Criteria 3.13.
Test Results: See test results included in Security Criteria 3.13.

Criteria 3.20: Procedures exist to provide that emergency changes are documented and authorized (including after-the-fact approval).

Controls: See controls included in Security Criteria 3.14.
Test of Controls: See test of controls included in Security Criteria 3.14.
Test Results: See test results included in Security Criteria 3.14.
Criteria 3.21: Procedures exist to provide that confidential information is protected during the system development, testing, and change processes in accordance with defined system confidentiality and related security policies.

Controls: Information designated as confidential is not stored, processed, or maintained in test or development systems and environments.
Test of Controls: Inquired of Manager, Corporate Governance and Security and Director, IT Development, to determine if customer data was not stored, processed or maintained in test or development environments.
Test Results: No deviations noted.

Controls: [CLIENT] classifies confidential information in accordance with [CLIENT]'s data classification policies and access is only granted to individuals with a business need.
Test of Controls: Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.
Test Results: No deviations noted.
4.0 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined confidentiality policies.

Criteria 4.1: The entity's system confidentiality and security performance is periodically reviewed and compared with the defined system confidentiality and related security policies.

Controls: See controls included in Security Criteria 4.1.
Test of Controls: See test of controls included in Security Criteria 4.1.
Test Results: See test results included in Security Criteria 4.1.

Criteria 4.2: There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its system confidentiality and related security policies.

Controls: See controls included in Security Criteria 4.2.
Test of Controls: See test of controls included in Security Criteria 4.2.
Test Results: See test results included in Security Criteria 4.2.

Criteria 4.3: Environmental, regulatory, and technological changes are monitored, and their impact on system confidentiality and security is assessed on a timely basis. System confidentiality policies and procedures are updated for such changes as required.

Controls: See controls included in Security Criteria 4.3.
Test of Controls: See test of controls included in Security Criteria 4.3.
Test Results: See test results included in Security Criteria 4.3.