Sample - Corporate Report



[CLIENT]
DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM
SERVICE ORGANIZATION CONTROLS ("SOC") REPORT – SOC 2
RELEVANT TO SECURITY, AVAILABILITY, PROCESSING INTEGRITY, AND CONFIDENTIALITY
FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
Table of Contents

Section 1 – Independent Service Auditors' Report
Section 2 – Management of [CLIENT]'s Assertion Regarding Its Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012
Section 3 – Description of [CLIENT]'s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012
  Background and Overview of Services
  Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and Communication
    Control Environment
    Risk Assessment
    Monitoring
    Information and Communication
  Document Management, Data Capture, and Print Output Services System Components
    Infrastructure
    Software
    People
    Procedures
    Data
  Subservice Organizations
  Applicable Criteria and Related Controls
  User-Entity Control Considerations
Section 4 – Independent Service Auditors' Description of Tests of Controls and Results
SECTION 1
INDEPENDENT SERVICE AUDITORS' REPORT
Independent Service Auditors' Report

To [CLIENT]

Scope

We have examined the attached description titled "Description of [CLIENT]'s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012" ("the description") included in Section 3 of this report and the suitability of the design and operating effectiveness of controls to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) ("applicable trust services criteria"), throughout the period January 1, 2012 to September 30, 2012. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of [CLIENT]'s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

[CLIENT] uses service organizations (subservice organizations) to provide data capture and data entry services for certain clients who elect such processing services. The description indicates that certain applicable trust services criteria can only be met if controls at the subservice organizations are suitably designed and operating effectively. The description presents [CLIENT]'s Document Management, Data Capture, and Print Output Services System; its controls relevant to the applicable trust services criteria; and the types of controls that the service organization expects to be implemented, suitably designed, and operating effectively at the subservice organizations to meet certain applicable trust services criteria. The description does not include any of the controls implemented at the subservice organizations. Our examination did not extend to the services provided by the subservice organizations.

Service Organization's Responsibilities

[CLIENT] has provided the attached assertion titled "Management of Diversified Information Technology Inc.'s Assertion Regarding its Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012," included in Section 2 of this report, which is based on the criteria identified in management's assertion. [CLIENT] is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of both the description and assertion; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria.
Service Auditors' Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in [CLIENT]'s assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period January 1, 2012 to September 30, 2012.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, based on the description criteria identified in [CLIENT]'s assertion and the applicable trust services criteria, in all material respects:

a. The description fairly presents the system that was designed and implemented throughout the period January 1, 2012 to September 30, 2012.

b. The controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period January 1, 2012 to September 30, 2012, and user entities applied the complementary user-entity controls contemplated in the design of [CLIENT]'s controls throughout the period January 1, 2012 to September 30, 2012, and the subservice organizations applied, throughout the period January 1, 2012 to September 30, 2012, the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system.
c. The controls tested, which together with the complementary user-entity controls referred to in the scope paragraph of this report, and together with the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system, if operating effectively, were those necessary to provide reasonable assurance that the applicable trust services criteria were met, operated effectively throughout the period January 1, 2012 to September 30, 2012.

Description of Tests of Controls

The specific controls we tested and the nature, timing, and results of our tests are presented in Section 4 of this report titled "Independent Service Auditors' Description of Tests of Controls and Results".

Intended Use

This report and the description of tests of controls and results thereof are intended solely for the information and use of [CLIENT]; user entities of [CLIENT]'s Document Management, Data Capture, and Print Output Services System during some or all of the period January 1, 2012 to September 30, 2012; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

  • The nature of the service provided by the service organization
  • How the service organization's system interacts with user entities, subservice organizations, and other parties
  • Internal control and its limitations
  • Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria
  • The applicable trust services criteria
  • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

<insert firm signature>
October XX, 2012
Philadelphia, Pennsylvania
SECTION 2
MANAGEMENT OF DIVERSIFIED INFORMATION TECHNOLOGY, INC.'S ASSERTION REGARDING ITS DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
October XX, 2012

We have prepared the attached description titled "Description of [CLIENT]'s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012" ("the description"), included in Section 3 of this report, based on the criteria identified below under the heading "Description Criteria". The description is intended to provide users with information about our Document Management, Data Capture, and Print Output Services System, particularly system controls intended to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) ("applicable trust services criteria"). We confirm, to the best of our knowledge and belief, that:

  • The description fairly presents the Document Management, Data Capture, and Print Output Services System throughout the period January 1, 2012 to September 30, 2012, based on the description criteria identified below under the heading "Description Criteria".
  • The controls stated in the description were suitably designed throughout the period from January 1, 2012 to September 30, 2012 to meet the applicable trust services criteria.
  • The controls were operating effectively throughout the period January 1, 2012 to September 30, 2012 to meet the related criteria as described in Section 4 of this report.

Description Criteria

In preparing our description and making our assertion regarding the fairness of the presentation of the description, we used the criteria below, which are the criteria for a description of a service organization's system included in paragraph 1.33 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

a. The description contains the following information:

  i. The types of services provided.
  ii. The components of the system used to provide the services, which are the following:
    • Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks).
    • Software. The programs and operating software of a system (systems, applications, and utilities).
    • People. The personnel involved in the operation and use of a system (developers, operators, users, and managers).
    • Procedures. The automated and manual procedures involved in the operation of a system.
    • Data. The information used and supported by a system (transaction streams, files, databases, and tables).
  iii. The boundaries or aspects of the system covered by the description.
  iv. How the system captures and addresses significant events and conditions.
  v. The process used to prepare and deliver reports and other information to user entities and other parties.
  vi. If information is provided to, or received from, subservice organizations or other parties, how such information is provided or received; the role of the subservice organization and other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.
  vii. For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the Document Management, Data Capture, and Print Output Services System.
  viii. For the subservice organizations presented using the carve-out method, the nature of the services provided by the subservice organizations; each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization; and the types of controls expected to be implemented at the carved-out subservice organizations to meet those criteria.
  ix. Any applicable trust services criteria that are not addressed by a control at [CLIENT] or a subservice organization and the reasons therefor.
  x. Other aspects of [CLIENT]'s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria.
  xi. Relevant details of changes to [CLIENT]'s Document Management, Data Capture, and Print Output Services System during the period January 1, 2012 to September 30, 2012.
b. The description does not omit or distort information relevant to [CLIENT]'s Document Management, Data Capture, and Print Output Services System. The description was prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the Document Management, Data Capture, and Print Output Services System that each individual user may consider important to his or her own particular needs.

Scott A. Byers
President & Chief Executive Officer
[CLIENT]
October XX, 2012

Michael Malkemes
Director, Compliance & Risk Management
[CLIENT]
October XX, 2012
SECTION 3
DESCRIPTION OF [CLIENT]'S DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
Background and Overview of Services

Headquartered in Scranton, PA, [CLIENT] has successfully served its clients since 1982 through business process outsourcing and information management solutions. With over 650 customers, [CLIENT] has firmly established itself as an industry leader. [CLIENT] serves the Fortune 500 in healthcare, insurance and finance as well as government agencies.

[CLIENT]'s clients include seven of the top twelve United States financial services firms, three of the top ten United States life insurance companies, four of the top ten electronic health record providers serving over 170 hospitals and 10,000 physicians, and key federal agencies including the Department of Homeland Security – United States Customs, the International Trade Commission and the United States Environmental Protection Agency.

[CLIENT]'s end-to-end document management system is a combination of systems that work together to provide secure, confidential processing and retention of documents and the critical data they contain. The components of the system include:

  • Communication/Distributed Output System – This system entails receiving client data and merging this data into print templates to produce correspondence, statements and printed material. Once documents are produced they are sent via mail or electronic delivery.
  • Image Conversion and Data Capture System – This system is a document conversion system that begins at receipt of documents in hard copy or electronic form. Documents enter a stream at the virtual mailroom and are converted to image on high speed scanners; data is captured either through automatic recognition software or human data entry; image and data are spot reviewed for quality and then exported to NetView or client-specific systems.
  • Document Management and Preservation System – This system tracks location and movement of hard copy records stored in multiple secure facilities throughout the US.

The overarching framework of the system is overseen and managed by a security team consisting of the Director of Compliance and Risk Management and the Director of IT Infrastructure. The Data Center and Facility Monitoring System are based at the company headquarters in Scranton, PA.

[CLIENT] has designed the systems with boundaries ensuring data security, confidentiality, processing integrity, and availability. The system is comprised of the following five components:

  • Infrastructure (facilities, equipment, and networks)
  • Software (systems, applications, and utilities)
  • People (developers, operators, users, and managers)
  • Procedures (automated and manual)
  • Data (transaction streams, files, databases, and tables)

The following sections of this description define each of these five components comprising [CLIENT]'s system and other relevant aspects of [CLIENT]'s control environment, risk assessment processes, monitoring processes, and information and communication.
Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and Communication

Control Environment

[CLIENT]'s control environment reflects the overall attitude, awareness, and actions of management and others concerning the importance of controls and their emphasis within the organization and the execution of [CLIENT]'s mission. [CLIENT] provides corporate compliance and ethics training to all employees as well as physical and logical security training. At various corporate functions, executive management communicates [CLIENT]'s top five priorities, including compliance. Periodically, the Corporate Compliance Manager provides awareness communications covering compliance, ethics, and security information.

Risk Assessment

[CLIENT] has a risk assessment process to identify and manage risks that could affect its ability to provide secure, reliable transaction processing for user entities. This process requires management to conduct an internal security audit twice per year to identify vulnerabilities and threats. Remediation steps are put in place as a result of these audits if necessary. Items that are considered during risk assessment audits include:

  • Changes in operating systems
  • New information systems
  • New security threats
  • Operational location moves
  • New technology
  • Personnel changes

Monitoring

[CLIENT]'s management and supervisory personnel monitor the quality of internal control performance as a routine part of their activities. Oversight of job completion is the responsibility of supervisors and is monitored by batch monitoring and job ticket documentation. Quality assurance procedures are in place for each client and monitored based on predetermined thresholds to ensure reconciliation and processing integrity.

Information and Communication

[CLIENT] gathers information on the processing of work using reporting tools. Reports are customized for each client to track documents from entry into the system to the final reconciliation of completion. Clients are provided access to the reporting system through client-specific access.

Clients are assigned a client solution executive, responsible for account relationship management activities, setting strategy for account support, and developing new solutions to promote client growth as well as profitability, and a client relationship executive, with responsibility to interact with key client contacts and manage day-to-day operations. [CLIENT] client relationship executives act as the voice of the clients within [CLIENT] and provide a key function in managing customer expectations and established Service Level Agreement metrics. To review activities, a formal report and presentation is made to [CLIENT]'s client service and operations group summarizing the previous month's activity.
Document Management, Data Capture, and Print Output Services System Components

Infrastructure

Distributed, world-wide operations are maintained and managed to provide confidentiality, security, availability and processing integrity, and to safeguard against compromise or breach. The following facilities are included in the scope of the Document Management, Data Capture, and Print Output Services System.

Metro Area | Facility Function
Raleigh, North Carolina – Millville, New Jersey | Communication/Distributed Output
Scranton, Pennsylvania (Headquarters) | Document Management/Preservation, Document Processing, and Data Center
Binghamton, New York | Disaster Recovery
Moosic, Pennsylvania | Document Management/Preservation and Document Processing
Delano, Pennsylvania – Gordonsville, Virginia – Exeter, Pennsylvania – Houston, Texas – Louisville, Kentucky – Los Angeles, California – Columbia, South Carolina – Hartford, Connecticut – Minneapolis, Minnesota | Document Management/Preservation

The systems are designed similarly regardless of location to provide for consistent organizational policies and procedures.

Software

[CLIENT] utilizes a mix of commercial off-the-shelf products and internally developed programs for day-to-day processing of client information. The list noted below includes the systems, applications and utilities used to produce scanned images, index data and printed invoices and statements.
Technology | Function
IBML Image Trac3 | Companywide high speed/high volume scanner platform.
Docnetics | IBML document typing and recognition software.
EMC Captiva and AnyDoc | Data capture forms and processing workflow platform.
Virtual Mailroom | Automates the tracking of all inbound mail from receipt through scanning through export.
E-Fax | Receives faxes digitally and processes them directly into the data capture and imaging platform.
E-Sort | Data capture application program.
NetView & NetVault | Web based application used for exception processing.
WebCIRM | Web based computer integrated records management and imaging system utilizing bar code technology and radio frequency scanners.
Emtex VIP | Centralized queue and Print File Output Management System.
Objectif Lune PlanetPress | Variable data print composition software.
BARR Channel Server | Print stream blocking tool.
Production Insight | Output management tracking & reporting tool.
Kodak EX300 MICR Printers | Check production printers.
OCE 6250 Printers | High speed black/white production printers.
Ricoh 720 Color | High speed color printer.
Canon IR-150 | Monochrome and MICR printer.
Pitney Bowes FPS auto-inserter | High speed document to envelope inserter.
Bell & Howell 4000 auto-inserter | High speed document to envelope inserter.
People

[CLIENT] has a staff of approximately 600 employees across 25 U.S. locations. Scranton, Pennsylvania is [CLIENT]'s headquarters and the Scranton facility is the main location for outsourced document processing and workflow solutions. Morrisville, North Carolina is the main processing facility for output of printed materials.

The organization is overseen by an Executive Team consisting of the following positions and their support staff:

  • President/Chief Executive Officer – responsible for strategy, business development and overall leadership. The executive team members report to the President.
  • Chief Financial Officer/Vice President Support Services – responsible for the financial services team, human resources, compliance, risk management, facilities and IT Infrastructure.
    - IT Infrastructure Team, responsible for network design, log monitoring, assessment and vulnerability testing.
    - Human Resources Team, responsible for the processes of hiring, termination, training and compliance with organizational policies.
    - Financial Services Team, responsible for billing, procurement and payroll.
    - Compliance & Risk Management Team, responsible for facility oversight and support, security, corporate compliance and risk management.
  • Chief Relationship Officer/VP Solutions – responsible for solutions, client relationship and customer service.
    - Solutions Executive Team, responsible for overseeing sales and governance for each service line. It is broken down into teams supporting the Communication/Distributed Output System, Image Conversion and Data Capture System and Document Management and Preservation System.
    - Client Service and Interaction Team, responsible for day-to-day client interaction and support on the Communication/Distributed Output System, Image Conversion and Data Capture System and fulfillment of the Document Management and Preservation System.
  • Chief Operations Officer/VP Global Operations – responsible for processing, fulfillment, operational functions, project management and IT Development.
    - Communication/Distributed Output Team, responsible for fulfilling client contracted actions including printing, fulfillment and output mail.
    - Image Conversion and Data Capture System Team, responsible for the processing of documents from mailroom or electronic receipt, conversion to image, capture of data and delivery to client.
  • Chief Implementation Officer/VP Integrated Systems – responsible for processing, fulfillment, operational functions, project management and IT Development.
    - Quality and Excellence, responsible for development and monitoring of ISO and production procedures and quality.
    - Project Delivery & Management, responsible for the management and delivery of new projects and implementation of production.
    - IT Systems Development, responsible for design, development and maintenance of processing systems.

Procedures

[CLIENT] provides document management for the entire document lifecycle from print to image and data capture to processing, preservation, and storage. [CLIENT] specializes in large, complex, and dynamic projects and operations. [CLIENT] provides redundancy and business continuity of operations with 25 facilities located throughout the U.S. Quality control procedures are tracked and reported at the document level. The hardware and software include IBML production scanners with Captiva and AnyDoc advanced capture platforms.

Security, Access and Monitoring Procedures include:

  • Visitor and Building Security
  • Access Authorization Control
  • Confidentiality
  • Security Clearance for new hires
  • System Monitoring
  • Information Security Monitoring
  • Incident Response
  • Data Classification
  • Availability

[CLIENT] protects client information starting with personnel policies, which are documented in [CLIENT]'s Employee Handbook and in the Human Resource hiring policies. Written job descriptions have been developed and are revised as necessary. Employees undergo comprehensive background/security checks and drug screening prior to employment and are required to sign confidentiality agreements upon hire, which state that no confidential information can be communicated outside of the organization. Mandatory training is completed annually to ensure understanding of and compliance with policies on confidentiality, ethics, and privacy.

[CLIENT]'s Access Control Policy guides access approval, provisioning, removal and monitoring. Access to building areas, system network and information is granted based on job classifications and responsibilities. Management is responsible for authorizing access. The Director of Risk Management and Compliance monitors and reviews access granted when changes are made to positions.
Solarwinds Orion System Monitoring software is used to monitor system availability and performance and provides current and historical tracking reports of performance factors including processor utilization, memory utilization, network usage, errors and disk utilization. The system monitors Cisco switches, routers, firewalls, and Windows based servers. This information is used to provide information to user entities, proactively identify concerns and plan for future system requirements. Information security monitoring is the responsibility of the Infrastructure team, who review daily logs to ensure a security breach is not missed.

[CLIENT] designed its Incident Response Policy and Procedure to establish a planned course of action in case of security incidents. The procedure is a stepped process that includes initial assessment to assign a severity level, incident notification, incident containment and response, recovery, and review. Additional testing is completed twice per year to simulate a potential incident and the action taken.

Communication/Distributed Output System Procedures include:

[CLIENT]’s Communication/Distributed Output capabilities include a secure digital print and mail facility capable of producing over 1.4 billion printed images and 220 million mail pieces per year. [CLIENT] offers a suite of document composition and electronic delivery solutions to satisfy user entity needs for multi-channel communications. Examples of the output capabilities include:
• Invoices
• Statements
• Insurance membership materials (identification cards, member guide booklets, rate change notices, and other policy reference materials)
• Payments: checks and vouchers
• Educational materials

Applicable Facility: Raleigh, North Carolina and Millville, New Jersey

Image Conversion and Data Capture System Procedures include:

[CLIENT]’s Image Conversion and Data Capture capabilities include a systematic and analytical way to track mail from initial receipt to image export. From the initial time of receipt, [CLIENT] uses virtual mailroom technology to track the different types of mail received from various Post Office Boxes. Mail is opened, sorted, scanned, indexed and integrated into each client’s workflow system in a seamless manner, keeping process streams separate and retaining receipt and functional information throughout the entire process. [CLIENT] utilizes a combination of internal audits and client audits to measure performance against agreed upon Service Level Agreements (SLAs). Examples of the conversion and data capture capabilities include:
• Virtual mailroom
• Conversion by scan to image
• Data capture – key from image and verify
• Live document handling and return including checks, death certificates, CDs, etc.
• Quality audit

Page | 13

Applicable Facilities: Scranton, Pennsylvania and Montage, Pennsylvania

Document Management and Preservation System Procedures include:

[CLIENT] provides a total records management solution that includes the WebCIRM records management tracking and management system and secure storage facilities. The Document Management and Preservation System tracks location and movement of hard copy records stored in multiple secure facilities throughout the US. Examples of record retention capabilities include:
• WebCIRM
• Record storage

Applicable Facilities: Scranton, Pennsylvania; Montage, Pennsylvania; Exeter, Pennsylvania; Delano, Pennsylvania; Los Angeles, California; Louisville, Kentucky; Gordonsville, Virginia; Houston, Texas

Systems Development and Maintenance

The two key applications supporting the imaging operations are InputAccel and Captiva FormWare. Both software packages are developed and supported by EMC, a third-party vendor. [CLIENT] programming changes are limited to application settings and customized modules that hook to the application interfaces. If modifications to core source code are needed, [CLIENT] requests modifications from the vendor, who includes them in future product releases.

Data transfer applications that provide the interface between imaging applications and file transfer software packages are developed internally.

Program Modification Controls

The following description of program modification controls applies to changes to existing systems and programs:

Requests for Modifications

Requests for enhancements can originate from either external clients or from internal operations departments. Enhancements or modifications requested by external customers are communicated to [CLIENT] personnel, who document the client requests. Changes originating from the internal departments stem from issues identified during day-to-day processing, errors, or a need for additional systems controls to minimize the probability of errors and increase the accuracy of data capture. For all change requests, the internal [CLIENT] employee submits a request via the Web-based Elementool. Any modifications to the issue are maintained in an issue history.

Page | 14
The Elementool issue record contains the following information:
• Title
• Type (change request, project, request for proposal, status rollup)
• Requestor
• Requirements
• Weekly report/comments
• System impacts
• Priority
• Customer
• Customer type
• System impacts
• Division/location
• Status manager
• Lead developer
• Status

In addition to the fields listed above, if the request originates from a customer, a Customer Change Request Form or statement of work can be attached to the issue. Members of IT senior management review the requests and work with application development teams to determine the technical scope and details for the changes.

Authorization of Changes

Approval of application system change requests is required from [CLIENT] operations management. If the change request originated from a customer, the customer must also approve the change before development can begin.

For customer-originating requests, the Customer Change Request Form, signed by [CLIENT] management, is sent to the customer for final approval and sign-off. The final form contains the following information:
• Initiator of the change
• Overview and benefit
• Technical change to be made
• Technical implications
• Operational implications
• Test information relative to the change
• Implementation information relative to the change
• Back-out plans
• Target date

Page | 15

When required approvals and sign-offs are obtained, IT senior management assigns resources to work on the development of changes.

Program Testing

Application system changes are tested by both the IT and client operations groups. The following major phases are typical for application change releases:
• IT testing
• Operations testing
• Identified issues resolution
• Approval and sign-off

Though releases differ in scope, complexity and extent of testing, the following sections are the most commonly executed steps.

IT Testing

Unit testing and debugging is conducted by the IT Development Team. The release is deployed into the test environment after unit testing has been performed locally by the IT Development Team. Formal test plans are executed by an Operational Excellence analyst with the assistance of the IT Development Team in order to cover areas of potential impact. The Operational Excellence department notifies client operations management that the new release has been installed in the test environment and is available for testing.

Operations Testing

Scan operators scan a limited number of test batches into the test environment as determined by the operations management and Operational Excellence department. When the batches reach the completion stages, the production test operators start processing the batches. The Operational Excellence analyst executes the test plans and checks for errors and issues that may arise during testing. If error messages are noted or system results or behavior are deemed to be out of the ordinary, issues are reported to the Operational Excellence department. Noted issues are recorded in the appropriate test results documentation along with applicable error messages, batch names and error screen printouts. Some of the releases require integrated testing with the clients. For these types of releases, account management or product management coordinates testing with the corresponding clients and collects feedback covering the observed outcomes, issues, or failures.

Approval and Sign-Off

The operations and the Operational Excellence department managers review the issues observed during each test run and determine if the tests can be considered successful. If the test is considered successful, the team’s management signs off that the release can proceed to the next stage. Results of tests of changes affecting or originated by the clients are reviewed and approved by the affected clients. Approvals are sent via e-mail. If a release is approved for rollout to the production environment, the IT project manager e-mails the release group that the release installation can be executed.

Page | 16
Control Over Production Programs

Depending on the type and complexity of a change, rollout schedules, coordination and cross-department notifications, preparation efforts and potential issues are discussed during ad-hoc pre-production release management meetings. Rollout of changes to the production environment is the responsibility of the NetAdmin group. The only exceptions are changes to the InputAccel parameter files, which require a developer to insert parameter changes directly into the parameter file. Developers must request this access from the director of IT support prior to performing this update. Developers have no access to other production systems or files.

Production release issues and items are discussed during ad-hoc post-production implementation management meetings. In some instances, clients are also present via teleconference to provide their feedback on the results of the upgrades.

Monthly file reviews are performed on the InputAccel parameter files to verify that they have the same process install date documented in the latest approval granted by IT management. In addition, the file shares containing the application updates are reviewed for synchronization on a monthly basis by NetAdmin. If a discrepancy is encountered, the issue is reported in the form of a five-point analysis. This report also lists the corrective action taken along with the business impact.

Source and Object Code

The development teams use the CVS version control system to provide secured access to the source code, maintain different versions and history of programs, as well as to facilitate controlled changes and access to the source code. Access permissions are integrated with Microsoft Active Directory.

Documentation

Imaging applications documentation is written, updated and distributed by the [CLIENT] client operations staff and personnel responsible for training of operations staff. Standard documentation related to the operating systems and infrastructure is provided by the corresponding operating system and hardware vendors. Such technical documentation is available only to authorized IT personnel.

Data

[CLIENT]’s records and information management services encompass the following types of data in each of [CLIENT]’s core service offerings:
• Print and Output System – Client data in the form of data files is output via print templates to produce correspondence, statements, and other printed material.
• Image Conversion and Data Capture System – Client data in hard copy or electronic form is captured either through automatic recognition software or human data entry.
• Document Management and Preservation System – This system tracks location and movement of hard copy records stored in one of [CLIENT]’s secure facilities throughout the US.

Page | 17
Subservice Organizations

[CLIENT] utilizes several subservice organizations to perform services for its clients. Presented below is a description of the services provided by the subservice organizations, the criteria relevant to the services performed by the subservice organizations, and the types of controls expected at the subservice organizations.

Document Capture and Data Entry Services

[CLIENT] clients with specialized and global processing requirements may request that [CLIENT] utilize one of three subservice organizations with unique capabilities that complement [CLIENT]’s services. These subservice organizations perform capture of data from files imaged by [CLIENT], and return to [CLIENT] the captured data in machine readable format. The criteria that relate to controls at these subservice organizations include all criteria related to the Trust Services Principles of Security, Confidentiality, Processing Integrity, and Availability for those clients which elect for [CLIENT] to use these service organizations while processing is performed by these subservice organizations. The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at [CLIENT], include:
• The system is protected against unauthorized access (both physical and logical).
• The system is available for operation and use as committed or agreed.
• System processing is complete, accurate, timely, and authorized.
• Information designated as confidential is protected as committed or agreed.
• Policies and procedures exist related to security, availability, processing integrity, and confidentiality and are implemented and followed.
• Communication and monitoring controls are implemented related to security, availability, processing integrity, and confidentiality.

Applicable Criteria and Related Controls

The security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4 of this report, “Independent Service Auditors’ Description of Tests of Controls and Results”. Although the security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4, they are an integral part of [CLIENT]’s description of its Document Management, Data Capture, and Print Output Services System and are incorporated herein.

Page | 18

User-Entity Control Considerations

Services provided by [CLIENT] to user entities and the controls of [CLIENT] cover only a portion of the overall controls of each user entity. [CLIENT]’s controls were designed with the assumption that certain controls would be implemented by user entities. In certain situations, the application of specific controls at user entities is necessary to achieve the applicable trust principles criteria. It is not feasible for the applicable trust services criteria relating to the services outlined in this report to be achieved solely by [CLIENT]. This section highlights those internal control responsibilities that [CLIENT] believes should be present for each user entity and has considered in developing the controls described in the report. This list does not purport to be, and should not be, considered a complete listing of the controls relevant at user entities. Other controls may be required at user entities.
• Information provided to [CLIENT] from user entities should be in accordance with provisions in the agreement for services between [CLIENT] and user entities.
• User entities are responsible for encrypting and protecting transmissions.
• User entities are responsible for maintaining and communicating to [CLIENT] a current list of employees who have authority to access systems and determine action (i.e., destruction).
• The security administrators at user entities are responsible for ongoing maintenance and monitoring of their employees’ system access to [CLIENT]’s infrastructure.
• User entities are responsible for reporting to [CLIENT] any known or suspected issues with security, processing integrity, confidentiality, and availability.
• User entities are responsible for monitoring any processing reports provided or made available by [CLIENT].
• User entities are responsible for participating in disaster recovery tests to determine whether [CLIENT]’s disaster recovery procedures meet their disaster recovery needs.

Page | 19
SECTION 4

INDEPENDENT SERVICE AUDITORS’ DESCRIPTION OF TESTS OF CONTROLS AND TEST RESULTS
Introduction

The purpose of this report is to provide management of [CLIENT], user entities, and other specified parties with information about controls at [CLIENT] that are intended to mitigate risks related to security, availability, processing integrity, and confidentiality. The security, availability, processing integrity, and confidentiality principles are outlined in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Description of Types of Testing Performed

The types of tests performed to assess the effectiveness of controls included the following:

Type of Test – Description
Inquiry – Discussed the controls with operations, administrative personnel, and/or management who are responsible for developing, adhering to, and applying the controls to determine their understanding and compliance.
Inspection – Inspected documents and reports indicating performance of the controls.
Observation – Observed the application of specific controls.
Reperformance – Re-performed application of the controls.

Page | 20
Security Criteria

1.0 Policies: The entity defines and documents its policies for the security of its system.

Criteria 1.1: The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

Controls: A written security policy has been approved by Executive Leadership.
Test of Controls: Inquired with the Manager, Corporate Compliance and Security and inspected the Data Security Handbook and Risk Assessment Policy to determine if security policies were established, periodically reviewed and approved by Executive Leadership.
Test Results: No deviations noted.

Criteria 1.2: The entity’s security policies include, but may not be limited to, the following matters:
a. Identifying and documenting the security requirements of authorized users
b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements
c. Assessing risks on a periodic basis
d. Preventing unauthorized access
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access
f. Assigning responsibility and accountability for system security
g. Assigning responsibility and accountability for system changes and maintenance
h. Testing, evaluating, and authorizing system components before implementation
i. Addressing how complaints and requests relating to security issues are resolved
j. Identifying and mitigating security breaches and other incidents
k. Providing for training and other resources to support its system security policies
l. Providing for the handling of exceptions and situations not specifically addressed in its system security policies
m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contractual requirements
n. Providing for sharing information with third parties

Controls: A written Data Security Handbook identifies and documents the noted requirements “a” – “n.”
Test of Controls: Inspected the Data Security Handbook and risk assessment policy to determine if the noted elements of “a” – “n” were included.
Test Results: No deviations noted.

Page | 21
Criteria 1.3: Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned.

Controls: Management has assigned responsibility and accountability for the maintenance and enforcement of [CLIENT]’s security and availability policy to the Director of Compliance and Risk Management as well as the Director of IT Infrastructure.
Test of Controls: Inspected job descriptions for the Director of IT Infrastructure and the Director of Compliance and Risk Management to determine if accountability for developing and maintaining [CLIENT]’s system security policies, and changes and updates to those policies, was assigned.
Test Results: No deviations noted.

Controls: The Executive Team approves updates to policies.
Test of Controls: Inspected meeting minutes to determine if responsibility for maintaining policies and changes or updates to security policies was assigned to the Executive Team.
Test Results: No deviations noted.

2.0 Communications: The entity communicates its defined system security policies to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Controls: [CLIENT] prepares an objective description of the system and its boundaries and communicates it to user entities.
Test of Controls: Inspected the system description to determine if the system and its boundaries were communicated to authorized users.
Test Results: No deviations noted.

Criteria 2.2: The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

Controls: Security obligations are customized to each client and are part of their contract.
Test of Controls: Selected a sample of clients and inspected Service Level Agreements to confirm security obligations were communicated.
Test Results: No deviations noted.

Controls: Internal employees are held to HIPAA guidelines and Confidentiality policies. These policies are reviewed upon hire and employees are required to sign documents acknowledging the understanding of these obligations. The policies are also reviewed annually by all personnel.
Test of Controls: Inspected acknowledgment forms to determine if the acknowledgement forms identify the security responsibilities of employees. Selected a sample of new hires and inspected their acknowledgement forms to determine if [CLIENT] received the signed acknowledgement.
Test Results: No deviations noted.

Page | 22
Controls: The Data Security Handbook and the Employee Handbook with Confidentiality and HIPAA policy are published on the company intranet.
Test of Controls: Observed the company intranet to determine if the Data Security Handbook and Employee Handbook were published. Inspected the Data Security Handbook and HIPAA policy to determine if security obligations of users and the entity’s security commitments to users were communicated.
Test Results: No deviations noted.

Page | 23
Criteria 2.3: Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Controls: The Director of Compliance and Risk Management and Director of IT Infrastructure have custody of and are responsible for the day-to-day maintenance of [CLIENT]’s technical security policies and recommend confidentiality, availability and processing integrity changes. Written job descriptions have been defined and are communicated to the Director of IT Infrastructure and Director of Compliance and Risk Management.
Test of Controls: Inquired of the Director of Compliance and Risk Management and inspected job descriptions for the Director of Compliance and Risk Management and Director of IT Infrastructure to determine if responsibilities for system security, confidentiality, availability and processing integrity policies were formally assigned.
Test Results: No deviations noted.

Controls: Written process and procedure manuals for all defined security processes are provided to all IT personnel, management and client-facing personnel and included in new hire and annual training and sign-off procedures.
Test of Controls: Inspected the Data Security Handbook to determine if defined security processes were provided to all IT personnel, management, and client-facing personnel.
Test Results: No deviations noted.

Controls: If any policy changes are made, they are communicated by internal company-wide email by the Vice President of Finance or President.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security and determined that no policy changes were performed during the period of January 1, 2012 to September 30, 2012. The operating effectiveness of this control activity could not be tested as there was no related activity during the period January 1, 2012 to September 30, 2012.
Test Results: No deviations noted.

Page | 24
Criteria 2.4: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

Controls: IT incidents (security, availability, confidentiality, or processing integrity) including potential breaches are reported to the IT Help Desk for action as defined in the Data Security Handbook.
Test of Controls: Inspected the Data Security Handbook incident response procedures, documented escalation process, and 5 Point Process to determine if incidents and system/operational issues were communicated based upon criteria specified in the escalation document.
Test Results: No deviations noted.

Controls: An 800 number and email address are provided on our website to contact our Customer Service area for any questions or issues. Clients who store data on our systems are assigned a Solutions Executive and Client Advocate who serve as their direct resolution experts.
Test of Controls: Selected a sample of clients and inspected supporting documentation to determine if a process existed for authorized users to inform [CLIENT] of breaches and submit complaints.
Test Results: No deviations noted.

Criteria 2.5: Changes that may affect system security are communicated to management and users who will be affected.

Controls: Planned changes to system components and the scheduling of those changes are reviewed as part of monthly IT/Operations meetings.
Test of Controls: For a sample of months, inspected meeting agendas and/or minutes from the monthly IT/Operations meetings to determine that changes that may affect system security, availability, processing integrity, or confidentiality were communicated to management or users who will be affected. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no changes occurred during the period which required communication. Inspected a sample of changes to determine that none required communication.
Test Results: No deviations noted.

Page | 25
3.0 Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Controls: Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco Switch/Router configs, antivirus software, software patches, any changes to local system accounts and generic domain accounts, domain and account groups (monthly), and backup procedures. A report is composed that compiles the results of the previous steps and assigns a grade based on predefined parameters. A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised. Risks that rate high are given priority during the mitigation phase.
Test of Controls: Inspected the Risk Assessment Policy to determine if procedures exist to identify potential threats of disruption and assess risks associated with the threats. Inspected the internal vulnerability assessment results to determine the following: 1) bi-annual internal security audits were performed to identify potential threats; 2) a risk assessment was performed to identify potential threats and assess risks.
Test Results: No deviations noted.

Page | 26
Criteria 3.2: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Distribution of output restricted to authorized users.
f. Restriction of access to offline storage, backup data, systems, and media.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Controls: a. Logical access to nonpublic information resources is protected through the use of security software and operating system security. Access is defined by job description and manager authorization. Access to resources is granted to an authenticated user based on the user’s identity. Proper authorization must be completed for any access to be granted.
Test of Controls: a. Inspected the Data Security Handbook, Windows security access reports, IBML user access list, EMC Captiva user access list, Anydoc access list and Emtex VIP access list (Raleigh) to determine 1) if logical access to nonpublic information was required to be protected through security software or operating system security; 2) if authentication with a valid user ID was needed to access resources. Inquired of the Director of IT Infrastructure and inspected privileged user access listings to determine if access was assigned and defined based on job descriptions. Inquired of the Director of IT Infrastructure and inspected the Data Security Handbook to determine if users were required to authenticate with a unique ID and password when accessing systems. Selected a sample of new hires and inspected new user access request forms to determine if manager authorization was obtained prior to granting system access. Inspected a sample of IBML, Anydoc, EMC, Thunderhead portal and Emtex VIP application users to determine if access was commensurate with their job description. Also inspected all members of the IT Personnel user access group to determine if access was commensurate with their job description.
Test Results: No deviations noted.

Page | 27
Controls: b. Users must establish their identity to [CLIENT]’s network and application systems when accessing nonpublic resources through the use of a valid user ID that is authenticated by an associated password. Unique user IDs are assigned to individual users. Use of group or shared IDs is not permitted. Passwords must contain at least eight characters, at least three character types, and are not able to repeat within 24 months. Security configuration parameters force passwords to be changed every 30 days. Login sessions are terminated after 3 unsuccessful login attempts.
Test of Controls: b. Inspected the Data Security Handbook to determine if users must be authenticated prior to gaining access to system resources, unique user IDs were assigned, use of group or shared IDs was not permitted, passwords must be changed, must be a minimum of eight characters with complexity in the character set, and login sessions must be terminated after three failed attempts. Inspected password configuration settings to determine if the noted settings were enforced. Observed a user login to the network to determine if the users were prompted for a unique username and password. Inspected the IBML Windows Group, Windows domain admin list and Emtex VIP (Raleigh) to determine if unique user IDs were assigned and the use of group or shared IDs was not permitted. See tests of controls included under Security 3.2(a).
Test Results: No deviations noted.

Page | 28
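The password parameters the auditors inspected under 3.2(b) expressed as an executable check, added here as an example that is not part of the report or of [CLIENT]'s systems: the policy values (eight characters, three character types, no reuse within 24 months, 30-day maximum age, lockout after three failures) are the report's, while the settings keys, the salt, the dates and the sample passwords are constructed for the example.

```python
"""Added example, not part of the SOC 2 report: an auditor-style check of
exported password settings and candidate passwords against the controls
stated under Security Criteria 3.2(b).  Policy values come from the report;
the export key names, salt, dates and sample data are constructed here."""
import hashlib
import re
from datetime import date

# Parameters exactly as stated under Criteria 3.2(b).
MIN_LENGTH = 8          # at least eight characters
MIN_CHAR_TYPES = 3      # at least three character types
HISTORY_MONTHS = 24     # may not repeat within 24 months
MAX_AGE_DAYS = 30       # forced change every 30 days
LOCKOUT_ATTEMPTS = 3    # session terminated after 3 failed logins

CHAR_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_types(password):
    """Count the distinct character classes present in a password."""
    return sum(1 for rx in CHAR_CLASSES.values() if rx.search(password))


def _digest(password, salt):
    # History fingerprint for this example only; a production system keeps
    # password history with a slow, purpose-built password hash.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def password_deviations(password, history, salt, today):
    """Return the 3.2(b) rules a candidate password would violate.

    history: list of (changed_on: date, digest: str) for the account's
    previous passwords (constructed format for this example).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_types(password) < MIN_CHAR_TYPES:
        problems.append(f"fewer than {MIN_CHAR_TYPES} character types")
    try:
        cutoff = today.replace(year=today.year - HISTORY_MONTHS // 12)
    except ValueError:                      # today is 29 February
        cutoff = today.replace(year=today.year - HISTORY_MONTHS // 12, day=28)
    candidate = _digest(password, salt)
    # Only entries inside the 24-month window count as a repeat.
    if any(changed_on >= cutoff and digest == candidate
           for changed_on, digest in history):
        problems.append(f"reused within {HISTORY_MONTHS} months")
    return problems


def settings_deviations(settings):
    """Compare exported account-policy settings with the stated parameters.

    Key names are constructed for this example, not a specific tool's
    output.  A value of 0 for maximum age or lockout threshold is treated as
    'disabled', which is a deviation.
    """
    expected = {
        "MinimumPasswordLength": (MIN_LENGTH, lambda v, e: v >= e),
        "PasswordComplexity": (True, lambda v, e: v is True),
        "MaximumPasswordAgeDays": (MAX_AGE_DAYS, lambda v, e: 0 < v <= e),
        "LockoutThreshold": (LOCKOUT_ATTEMPTS, lambda v, e: 0 < v <= e),
    }
    deviations = []
    for key, (wanted, ok) in expected.items():
        actual = settings.get(key)
        if actual is None or not ok(actual, wanted):
            deviations.append(f"{key}={actual!r} (expected {wanted!r})")
    return deviations


def accounts_past_max_age(accounts, today):
    """Names of accounts whose password is older than MAX_AGE_DAYS."""
    return sorted(name for name, changed_on in accounts.items()
                  if (today - changed_on).days > MAX_AGE_DAYS)


# Constructed sample data (not taken from the report).
SAMPLE_SALT = "example-salt"
SAMPLE_TODAY = date(2012, 9, 30)            # last day of the review period
SAMPLE_HISTORY = [
    (date(2010, 8, 1), _digest("Winter2010!", SAMPLE_SALT)),   # > 24 months ago
    (date(2012, 8, 31), _digest("Summer2012!", SAMPLE_SALT)),  # current password
]
SAMPLE_ACCOUNTS = {"jsmith": date(2012, 9, 15), "svc_scan": date(2012, 7, 1)}
SAMPLE_SETTINGS_OK = {"MinimumPasswordLength": 8, "PasswordComplexity": True,
                      "MaximumPasswordAgeDays": 30, "LockoutThreshold": 3}
SAMPLE_SETTINGS_WEAK = {"MinimumPasswordLength": 6, "PasswordComplexity": False,
                        "MaximumPasswordAgeDays": 90, "LockoutThreshold": 0}

if __name__ == "__main__":
    for pw in ("Autumn2012!", "Summer2012!", "Winter2010!", "password"):
        found = password_deviations(pw, SAMPLE_HISTORY, SAMPLE_SALT, SAMPLE_TODAY)
        print(f"{pw:12} -> {found or 'meets 3.2(b)'}")
    print("weak settings:", settings_deviations(SAMPLE_SETTINGS_WEAK))
    print("past max age:", accounts_past_max_age(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
```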
Controls: c. Customers must be approved and granted access to [CLIENT]’s Web site (WebCIRM), under a secure session, requiring user ID and password. Privileges are limited to specific system functionality. The Director of Business Process Operations authorizes access privilege change requests for employees and the Vice President of Operations does so for vendors. Access is limited to specific functionality. The ability to create or modify users and user access privileges (other than the limited functionality “customer accounts”) is limited to the security administration team.
Test of Controls: c. Inspected the Network Solutions Certificate Authority certificate issued to WebCIRM to determine if encryption through SSL was enforced. Inspected the Data Security Handbook to determine if Director level approval was required for changes to access privileges for employees and vendors. Inspected a list of employees with administrative access privileges on Windows systems, network devices and database servers to determine if access was limited to IT personnel based on job function.
Test Results: See test results included in Security Criteria 3.2(a).

Page | 29
Criteria 3.2 (continued)

Control (d): Changes to customer accounts may be performed by the Director of Client Interaction with authorization documented on user access request forms. Changes are reflected immediately. Unused WebCIRM customer accounts (no activity for six months) are reviewed by the Director of Client Interaction and if necessary purged from the system. Changes to other accounts and profiles are made by the security administration team through a request on a Network Access Form and require the written approval of the Director of Business Process or other higher level Management.
Test of Controls (d): Selected a sample of users and inspected the related user access request forms to determine if changes to customer accounts were authorized. Inspected the CIRM User ID Recertification to determine if unused WebCIRM customer accounts were reviewed by the Director of Client Interaction. Selected a sample of new hires and inspected Network Access Forms to determine if user account additions were approved.
Test Results (d): No deviations noted.

Control (e): Access to computer processing output is provided to authorized individuals based on their job description and classification of the information. Processing output is stored in an area that reflects the classification of the information. Processing output is distributed in accordance with the security policy based on classification of the information.
Test of Controls (e): Inspected badge access listings to determine if access was restricted based on job responsibilities. Inspected the Data Security Handbook to determine if policies exist for the distribution of processing output based on information classification.
Test Results (e): No deviations noted.
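As an added illustration (not part of the report or of the auditor's procedures), the following Python checks show how two of the account-level controls in Criteria 3.2 could be tested automatically over constructed evidence: the lockout after 3 unsuccessful login attempts, and the review of customer accounts with no activity for six months. The event names, user IDs, dates and the 182-day reading of "six months" are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Thresholds taken from the report's control descriptions.
LOCKOUT_THRESHOLD = 3   # Security 3.2: lockout after 3 unsuccessful login attempts
DORMANT_DAYS = 182      # Security 3.2(d): "no activity for six months" (assumed as 182 days)
REVIEW_DATE = datetime(2012, 9, 30)   # end of the examination period

# Constructed sample security-log events (timestamp, user ID, event); not from the report.
SAMPLE_LOG = [
    ("2012-09-01T08:00:00", "jdoe", "LOGIN_FAIL"),
    ("2012-09-01T08:00:10", "jdoe", "LOGIN_FAIL"),
    ("2012-09-01T08:00:20", "jdoe", "LOGIN_FAIL"),
    ("2012-09-01T08:00:21", "jdoe", "LOCKOUT"),      # lockout recorded as the control requires
    ("2012-09-01T09:00:00", "asmith", "LOGIN_FAIL"),
    ("2012-09-01T09:00:05", "asmith", "LOGIN_FAIL"),
    ("2012-09-01T09:00:09", "asmith", "LOGIN_FAIL"),
    ("2012-09-01T09:00:12", "asmith", "LOGIN_OK"),   # success after 3 failures, no lockout: deviation
    ("2012-09-01T10:00:00", "bjones", "LOGIN_OK"),
]

# Constructed WebCIRM-style account list (hypothetical): user ID -> last activity date.
SAMPLE_ACCOUNTS = {"jdoe": "2012-09-01", "asmith": "2012-08-30", "oldcust": "2012-02-15"}


def lockout_deviations(events, threshold=LOCKOUT_THRESHOLD):
    """Return user IDs that reached `threshold` consecutive failures without a LOCKOUT event.

    LOCKOUT and LOGIN_OK reset the per-user failure counter; a further failure,
    or a successful login, while at or over the threshold is a deviation.
    """
    failures = {}
    deviations = set()
    for _ts, user, event in events:
        count = failures.get(user, 0)
        if event == "LOGIN_FAIL":
            count += 1
            if count > threshold:      # an attempt was accepted past the limit
                deviations.add(user)
            failures[user] = count
        elif event == "LOCKOUT":
            failures[user] = 0
        elif event == "LOGIN_OK":
            if count >= threshold:     # the account should have been locked first
                deviations.add(user)
            failures[user] = 0
    return sorted(deviations)


def dormant_accounts(last_activity, as_of=REVIEW_DATE, days=DORMANT_DAYS):
    """Return user IDs whose last activity is more than `days` before `as_of` (review candidates)."""
    cutoff = as_of - timedelta(days=days)
    return sorted(u for u, d in last_activity.items() if datetime.strptime(d, "%Y-%m-%d") < cutoff)
```

The lockout check flags only accounts where the log shows the threshold being exceeded without a recorded lockout; a clean log for every user is the evidence the auditor's "failed login attempts and system lockouts are recorded" test looks for.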
Criteria 3.2 (continued)

Control (f): Access to offline storage, backup data, systems, and media is limited to computer operations staff through the use of restricted physical and logical access.
Test of Controls (f): Inspected the Data Security Handbook to determine if access to sensitive data was secured through logical and physical security measures. Inspected the computer room badge access listing to determine if access was restricted based on job responsibilities. Inspected the list of users with system administrator capabilities on the Windows systems and badge access system to determine if access was restricted based on job responsibilities.
Test Results (f): No deviations noted.

Control (g): Hardware and operating system configuration tables are restricted to appropriate personnel through physical access controls, native operating system security, and add-on security software. Application software configuration tables are restricted to authorized users and monitored by the Director of Network. Utility programs that can read, add, change, or delete data or programs are restricted to authorized technical services staff. Usage is logged and monitored by the Director of Network. A listing of all master passwords is stored in an encrypted file.
Test of Controls (g): Inspected the list of users with administrative access rights on Windows systems, VPN and databases to determine if access was limited based on job need. Inspected the Windows event log settings and Cisco Access Control Server (ACS) settings to determine if system configuration activity was logged. Inspected the Daily Security Log to determine if system configuration usage logs were monitored by members of the network infrastructure group. Inquired of the Director of IT Infrastructure and observed the master password file to determine if master passwords were stored in an encrypted file.
Test Results (g): No deviations noted.
Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Control: Physical access to the computer rooms, which house [CLIENT]'s IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.
Test of Controls: Inspected the computer room badge access listing, operations access listing and Kirkwood facility access listing to determine if access was restricted based on job responsibilities. Performed a tour of the data center to determine if video surveillance was in place.
Test Results: No deviations noted.

Control: Requests for physical access privileges to [CLIENT]'s computer facilities require the approval of the Director of Compliance and Risk Management.
Test of Controls: Inspected physical access procedures to determine if requests to access [CLIENT]'s facilities require approval of the Director of Compliance and Risk Management.

Control: Documented procedures exist for the identification and escalation of potential physical security breaches.
Test of Controls: Inspected the Data Security Handbook and inspected the documented incident response procedures to determine if identification and escalation of potential physical security breaches were addressed.

Control: Offsite backups are stored at a physical Disaster Recovery/Business Continuity site. This facility requires physical access cards and is restricted to the exact parameters as the main site.

Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.

Control: Protective system processes are in place to prevent and monitor unauthorized access to system resources and unauthorized access attempts.
Test of Controls: Inspected security logs to determine if failed login attempts and system lockouts are recorded. Inspected the network diagram, Cisco device list, and security logs to confirm that system firewalls are in use and firewall event logs are reviewed daily. Inspected the master server list and inquired of IT management that the master server list is maintained and updated by the IT department for any system changes. Inspected and inquired about the use of the Snort IDS software. Inspected the external vulnerability assessment results to verify security reviews are being performed by external parties.
Test Results: No deviations noted.

Control: See controls included in Security Criteria 3.2.
Test of Controls: See tests of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.
Criteria 3.5: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Control: Antivirus software is in place that prevents computer viruses, malicious code and unauthorized software, including virus scans of incoming e-mail messages. Virus signatures are reviewed and updated daily.
Test of Controls: Inquired of the Director of IT Infrastructure and observed antivirus configuration settings to determine if antivirus software was installed and virus definitions were updated daily.
Test Results: No deviations noted.

Criteria 3.6: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Control: [CLIENT] uses encryption technology, VPN software, and other secure communication systems (consistent with its periodic IT risk assessment) for the transmission of private or confidential information over public networks, including user IDs and passwords.
Test of Controls: Inspected SSL protocol permissions, SSL certificates, and VPN protocol encryption to determine if encryption technology was in use.
Test Results: No deviations noted.

Criteria 3.7: Procedures exist to identify, report, and act upon system security breaches and other incidents.

Control: A Security Incident Response Plan (5-Point Process) is instituted for identification and resolution of potential security breaches to the information security team.
Test of Controls: Inspected the Data Security Handbook and Security Log Sign-off Sheet to determine if a) the security incident response plan was defined and documented and b) the network staff was responsible for reviewing security logs on a daily basis. Inspected the 5-Point Analysis Procedures document to determine if a defined escalation process was established and appropriate resolution requires approval by management.
Test Results: No deviations noted.

Control: When an incident is detected or reported, a defined Security Incident Response Plan (5-Point Process) identifies severity and action to be taken. Corrective actions are implemented in accordance with defined policies and procedures.
Test of Controls: Inspected a sample of completed 5-Point Analysis documentation to determine if the 5-Point Analysis procedures were followed.
Test Results: No deviations noted.
Criteria 3.8: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Control: Data classifications are used to determine access permissions as well as audit levels. The principle of least privilege is utilized to assign permissions at all levels. Permissions are assigned on Windows groups which map to a specific job function. Propriety of data is considered during new implementations, upgrades and change order actions.
Test of Controls: Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.
Test Results: No deviations noted.

Criteria 3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Control: All incidents are tracked by management until resolved through the 5-Point incident response process.
Test of Controls: See tests of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Control: Supervisors review and approve the incident response process to help make certain procedures are followed.
Test of Controls: See tests of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Criteria 3.10: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

Control: [CLIENT] has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology.
Test of Controls: Inquired of the Director of IT Development, and inspected the IT Change Control Procedures and Standard Build Documentation to determine if: a) a formal methodology exists that governs the change management and SDLC processes and b) the network administration team was responsible for approving architecture and design specifications for new systems. Inspected the Data Security Handbook to determine if system changes that cannot meet defined data security standards require approval by senior IT management.
Test Results: No deviations noted.
Criteria 3.10 (continued)

Control: The Network administration team reviews and approves the architecture and design specifications for new systems development and acquisition to help ensure consistency with [CLIENT]'s security objectives, policies, and standards.
Test of Controls: Requested a sample of new systems development and acquisition projects to determine if the Network administration team reviewed and approved the architecture and design specifications. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no new systems development and acquisition projects occurred during the period. Inspected a sample of changes to determine that none were related to new systems development and acquisition.
Test Results: No deviations noted.

Criteria 3.11: Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

Criteria 3.12: Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

Control: The IT department maintains an up-to-date listing of all software and the respective level, version, and patches that have been applied.
Test of Controls: Inspected the software list to determine if an up-to-date list was maintained by IT.
Test Results: No deviations noted.

Control: Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.
Test of Controls: Inquired of the Director of IT Development and inspected IT Change Control Procedures and Standard Build Documentation to determine if a formal methodology exists that governs the change management and SDLC processes. Inspected a sample of changes to determine if requests for change were standardized and subject to documented change management procedures.
Test Results: No deviations noted.