[CLIENT]

DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM
SERVICE ORGANIZATION CONTROLS (“SOC”) REPORT – SOC 2
RELEVANT TO SECURITY, AVAILABILITY, PROCESSING INTEGRITY, AND CONFIDENTIALITY

FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
Table of Contents

Section                                                                                          Page
   1   Independent Service Auditors’ Report ...................................................... 2
   2   Management of [CLIENT]’s Assertion Regarding Its Document Management, Data Capture, and
       Print Output Services System for the Period January 1, 2012 to September 30, 2012 ......... 6
   3   Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services
       System for the Period January 1, 2012 to September 30, 2012 .............................. 10
           Background and Overview of Services ................................................. 10
           Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and
           Information and Communication
               Control Environment ............................................................. 11
               Risk Assessment ................................................................. 11
               Monitoring ...................................................................... 11
               Information and Communication ................................................... 11
           Document Management, Data Capture, and Print Output Services System Components
               Infrastructure .................................................................. 12
               Software ........................................................................ 12
               People .......................................................................... 13
               Procedures ...................................................................... 14
               Data ............................................................................ 19
           Subservice Organizations ............................................................ 20
           Applicable Criteria and Related Controls ............................................ 20
           User-Entity Control Considerations .................................................. 21
   4   Independent Service Auditors’ Description of Tests of Controls and Results ................ 23
SECTION 1
INDEPENDENT SERVICE AUDITORS’ REPORT
Independent Service Auditors’ Report

To [CLIENT]

Scope

We have examined the attached description titled “Description of [CLIENT]’s Document Management, Data
Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the
description”) included in Section 3 of this report and the suitability of the design and operating effectiveness of
controls to meet the criteria for the security, availability, processing integrity, and confidentiality principles set
forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing
Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”),
throughout the period January 1, 2012 to September 30, 2012. The description indicates that certain applicable
trust services criteria specified in the description can be achieved only if complementary user-entity controls
contemplated in the design of [CLIENT]’s controls are suitably designed and operating effectively,
along with related controls at the service organization. We have not evaluated the suitability of the design or
operating effectiveness of such complementary user-entity controls.

[CLIENT] uses service organizations (subservice organizations) to provide data capture and data entry services for
certain clients who elect such processing services. The description indicates that certain applicable trust services
criteria can only be met if controls at the subservice organizations are suitably designed and operating effectively.
The description presents [CLIENT]’s Document Management, Data Capture, and Print Output Services System; its
controls relevant to the applicable trust services criteria; and the types of controls that the service organization
expects to be implemented, suitably designed, and operating effectively at the subservice organizations to meet
certain applicable trust services criteria. The description does not include any of the controls implemented at the
subservice organizations. Our examination did not extend to the services provided by the subservice
organizations.

Service Organization’s Responsibilities

[CLIENT] has provided the attached assertion titled “Management of Diversified Information Technology Inc.’s
Assertion Regarding its Document Management, Data Capture, and Print Output Services System for the Period
January 1, 2012 to September 30, 2012,” included in Section 2 of this report which is based on the criteria
identified in management’s assertion. [CLIENT] is responsible for (1) preparing the description and assertion; (2)
the completeness, accuracy, and method of presentation of both the description and assertion; (3) providing the
services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and
stating them in the description; and (5) designing, implementing, and documenting the controls to meet the
applicable trust services criteria.




                                                                                                              Page | 1
Service Auditors’ Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description based on the
description criteria set forth in [CLIENT]’s assertion and on the suitability of the design and operating
effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We
conducted our examination in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform our examination to obtain
reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the
description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable
trust services criteria throughout the period January 1, 2012 to September 30, 2012.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the
description based on the description criteria and the suitability of the design and operating effectiveness of those
controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the
description is not fairly presented and that the controls were not suitably designed or operating effectively to
meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of
those controls that we consider necessary to provide reasonable assurance that the applicable trust services
criteria were met. Our examination also included evaluating the overall presentation of the description. We
believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

Because of their nature and inherent limitations, controls at a service organization may not always operate
effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description or conclusions about the suitability of the design or operating
effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system
may change or that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, based on the description criteria identified in [CLIENT]’s assertion and the applicable trust services
criteria, in all material respects:


    a. The description fairly presents the system that was designed and implemented throughout the period
       January 1, 2012 to September 30, 2012.

    b. The controls stated in the description were suitably designed to provide reasonable assurance that
       the applicable trust services criteria would be met if the controls operated effectively throughout the
       period January 1, 2012 to September 30, 2012, and user entities applied the complementary user-
       entity controls contemplated in the design of [CLIENT]’s controls throughout the period January 1,
       2012 to September 30, 2012, and the subservice organizations applied, throughout the period
       January 1, 2012 to September 30, 2012, the types of controls expected to be implemented at the
       subservice organizations and incorporated in the design of the system.




    c. The controls tested, which together with the complementary user-entity controls referred to in the
       scope paragraph of this report, and together with the types of controls expected to be implemented
       at the subservice organizations and incorporated in the design of the system, if operating
       effectively, were those necessary to provide reasonable assurance that the applicable trust services
       criteria were met, operated effectively throughout the period January 1, 2012 to September 30,
       2012.


Description of Tests of Controls

The specific controls we tested and the nature, timing, and results of our tests are presented in Section 4 of this
report titled “Independent Service Auditors’ Description of Tests of Controls and Results”.

Intended Use

This report and the description of tests of controls and results thereof are intended solely for the information and
use of [CLIENT]; user entities of [CLIENT]’s Document Management, Data Capture, and Print Output Services
System during some or all of the period January 1, 2012 to September 30, 2012; and prospective user entities,
independent auditors and practitioners providing services to such user entities, and regulators who have sufficient
knowledge and understanding of the following:

        The nature of the service provided by the service organization
        How the service organization’s system interacts with user entities, subservice organizations, and other
         parties
        Internal control and its limitations
        Complementary user-entity controls and how they interact with related controls at the service
         organization to meet the applicable trust services criteria
        The applicable trust services criteria
        The risks that may threaten the achievement of the applicable trust services criteria and how controls
         address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.




<insert firm signature>



October XX, 2012
Philadelphia, Pennsylvania




SECTION 2
MANAGEMENT OF DIVERSIFIED INFORMATION TECHNOLOGY, INC.’S ASSERTION REGARDING ITS DOCUMENT MANAGEMENT, DATA
CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012

October xx, 2012

We have prepared the attached description titled “Description of [CLIENT]’s Document Management, Data
Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the
description”), included in Section 3 of this report, based on the criteria identified below under the heading
“Description Criteria”. The description is intended to provide users with information about our Document
Management, Data Capture, and Print Output Services System, particularly system controls intended to meet the
criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section
100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity,
Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”). We confirm, to
the best of our knowledge and belief, that:

       The description fairly presents the Document Management, Data Capture, and Print Output Services
        System throughout the period January 1, 2012 to September 30, 2012, based on the description criteria
        identified below under the heading “Description Criteria”.

       The controls stated in the description were suitably designed throughout the period from January 1, 2012
        to September 30, 2012 to meet the applicable trust services criteria.

       The controls were operating effectively throughout the period January 1, 2012 to September 30, 2012 to
        meet the related criteria as described in Section 4 of this report.

Description Criteria

In preparing our description and making our assertion regarding the fairness of the presentation of the
description, we used the criteria below, which are the criteria for a description of a service organization’s system
included in paragraph 1.33 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to
Security, Availability, Processing Integrity, Confidentiality, or Privacy.

    a. The description contains the following information:

        i.    The types of services provided.

        ii.   The components of the system used to provide the services, which are the following:

               Infrastructure. The physical and hardware components of a system (facilities, equipment,
                and networks).

               Software. The programs and operating software of a system (systems, applications, and
                utilities).

               People. The personnel involved in the operation and use of a system (developers, operators,
                users, and managers).

               Procedures. The automated and manual procedures involved in the operation of a system.

               Data. The information used and supported by a system (transaction streams, files,
                databases, and tables).

        iii.  The boundaries or aspects of the system covered by the description.

        iv.   How the system captures and addresses significant events and conditions.

        v.    The process used to prepare and deliver reports and other information to user entities and other
              parties.

        vi.   If information is provided to, or received from, subservice organizations or other parties, how such
              information is provided or received; the role of the subservice organization and other parties; and the
              procedures performed to determine that such information and its processing, maintenance, and
              storage are subject to appropriate controls.

        vii.  For each principle being reported on, the applicable trust services criteria and the related controls
              designed to meet those criteria, including, as applicable, complementary user-entity controls
              contemplated in the design of the Document Management, Data Capture, and Print Output Services
              System.

        viii. For the subservice organizations presented using the carve-out method, the nature of the services
              provided by the subservice organizations; each of the applicable trust services criteria that are
              intended to be met by controls at the subservice organization, alone or in combination with controls
              at the service organization; and the types of controls expected to be implemented at the carved-out
              subservice organizations to meet those criteria.

        ix.   Any applicable trust services criteria that are not addressed by a control at [CLIENT] or a subservice
              organization and the reasons therefor.

        x.    Other aspects of [CLIENT]’s control environment, risk assessment process, information and
              communication systems, and monitoring of controls that are relevant to the services provided and the
              applicable trust services criteria.

        xi.   Relevant details of changes to [CLIENT]’s Document Management, Data Capture, and Print Output
              Services System during the period January 1, 2012 to September 30, 2012.

    b. The description does not omit or distort information relevant to [CLIENT]’s Document Management, Data
       Capture, and Print Output Services System. The description was prepared to meet the common needs of
       a broad range of users and may not, therefore, include every aspect of the Document Management, Data
       Capture, and Print Output Services System that each individual user may consider important to his or her
       own particular needs.



Scott A. Byers
President & Chief Executive Officer
[CLIENT]

October XX, 2012



Michael Malkemes
Director, Compliance & Risk Management
[CLIENT]

October XX, 2012




SECTION 3
DESCRIPTION OF [CLIENT]’S DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD
JANUARY 1, 2012 TO SEPTEMBER 30, 2012
Background and Overview of Services

Headquartered in Scranton, PA, [CLIENT] has served its clients since 1982 through business process outsourcing
and information management solutions. With over 650 customers, [CLIENT] has established itself as an industry
leader. [CLIENT] serves the Fortune 500 in healthcare, insurance and finance as well as government agencies.

[CLIENT]’s clients include seven of the top twelve United States financial services firms, three of the top ten
United States life insurance companies, four of the top ten electronic health record providers serving over 170
hospitals and 10,000 physicians, and key federal agencies including the Department of Homeland Security –
United States Customs, the International Trade Commission and the United States Environmental Protection Agency.

[CLIENT]’s end to end document management system is a combination of systems that work together to provide
secure, confidential processing and retention of documents and the critical data they contain. The components of
the system include:

       Communication/Distributed Output System – This system receives client data and merges it into print
        templates to produce correspondence, statements and other printed material. Once documents are
        produced they are sent via mail or electronic delivery.

       Image Conversion and Data Capture System – This is a document conversion system that begins at receipt
        of documents in hard copy or electronic form. Documents enter the processing stream at the wireless
        mailroom and are converted to images on high-speed scanners; data is captured either by automatic
        recognition software or by human data entry; image and data are spot reviewed for quality and then
        exported to NetView or to client-specific systems.

       Document Management and Preservation System – This system tracks location and movement of hard
        copy records stored in multiple secure facilities throughout the US.

The overarching framework of the system is overseen and managed by a security team consisting of the Director
of Compliance and Risk Management and Director of IT Infrastructure. The Data Center and Facility Monitoring
System are based at the company headquarters in Scranton, PA.

[CLIENT] has designed the systems with boundaries ensuring data security, confidentiality, processing integrity,
and availability. The system is comprised of the following five components:

       Infrastructure (facilities, equipment, and networks)

       Software (systems, applications, and utilities)

       People (developers, operators, users, and managers)

       Procedures (automated, and manual)

       Data (transaction streams, files, databases, and tables)
The following sections of this description define each of these five components comprising [CLIENT]’s system and
other relevant aspects of [CLIENT]’s control environment, risk assessment processes, monitoring processes, and
information and communication.




Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and
Information and Communication
Control Environment

[CLIENT]’s control environment reflects the overall attitude, awareness, and actions of management and others
concerning the importance of controls and their emphasis within the organization and the execution of [CLIENT]’s
mission. [CLIENT] provides corporate compliance and ethics training to all employees as well as physical and
logical security training. At various corporate functions, executive management communicates [CLIENT]’s top 5
priorities including compliance. Periodically, the Corporate Compliance Manager provides awareness
communications covering compliance, ethics, and security information.

Risk Assessment

[CLIENT] has a risk assessment process to identify and manage risks that could affect its ability to provide
secure, reliable transaction processing for user entities. This process requires management to conduct an internal
security audit twice per year to identify vulnerabilities and threats. Remediation steps are put in place as a result
of these audits if necessary. Items that are considered during risk assessment audits include:

       Changes in operating systems

       New information systems

       New security threats

       Operational location moves

       New technology

       Personnel changes

Monitoring

[CLIENT]’s management and supervisory personnel monitor the quality of internal control performance as a
routine part of their activities. Oversight of job completion is the responsibility of supervisors and is monitored by
batch monitoring and job ticket documentation. Quality assurance procedures are in place for each client and
monitored based on predetermined thresholds to ensure reconciliation and processing integrity.

Information and Communication

[CLIENT] gathers information on the processing of work using reporting tools. Reports are customized for each
client to track documents from entry into the system to the final reconciliation of completion. Clients are provided
access to the reporting system through client specific access.

Clients are assigned a client solution executive responsible for account relationship management activities, setting
strategy for account support, and developing new solutions to promote client growth as well as profitability and a
client relationship executive with the responsibility to interact with key client contacts and manage day-to-day
operations. [CLIENT] client relationship executives act as the voice of the clients within [CLIENT] and provide a
key function in managing customer expectations and established Service Level Agreement metrics. To review
activities, a formal report and presentation is made to [CLIENT]'s Client service and operations group
summarizing the previous month’s activity.



Document Management, Data Capture, and Print Output Services System Components
Infrastructure

Distributed, world-wide operations are maintained and managed to provide confidentiality, security,
availability, processing integrity and safeguard against compromise or breach. The following facilities are
included in the scope of the Document Management, Data Capture, and Print Output Services System.

Metro Area                                                               Facility Function
Raleigh, North Carolina – Millville, New Jersey                          Communication/Distributed Output
Scranton, Pennsylvania (Headquarters)                                    Document Management/Preservation, Document
                                                                         Processing, and Data Center
Binghamton, New York                                                     Disaster Recovery
Moosic, Pennsylvania                                                     Document Management/Preservation and
                                                                         Document Processing
Delano, Pennsylvania – Gordonsville, Virginia – Exeter, Pennsylvania –   Document Management/Preservation
Houston, Texas – Louisville, Kentucky – Los Angeles, California –
Columbia, South Carolina – Hartford, Connecticut – Minneapolis, Minnesota

The systems are designed similarly regardless of location to provide for consistent organizational policies
and procedures.

      Software

      [CLIENT] utilizes a mix of commercial off-the-shelf products and internally developed programs for day-to-
      day processing of client information. The list noted below includes the systems, applications and utilities
      used to produce scanned images, index data and printed invoices and statements.




Technology                           Function

IBML Image Trac3                     Companywide high-speed, high-volume scanner platform.
Docnetics                            IBML document typing and recognition software.
EMC | Captiva and AnyDoc             Data capture forms and processing workflow platform.
Virtual Mailroom                     Automates the tracking of all inbound mail from receipt through scanning
                                     through export.
E-Fax                                Receives faxes digitally and processes them directly into the data capture and
                                     imaging platform.
E-Sort                               Data capture application program.
NetView & NetVault©                  Web-based application used for exception processing.
WebCIRM                              Web-based computer integrated records management and imaging system
                                     utilizing bar code technology and radio frequency scanners.
EmtexVIP                             Centralized queue and print file output management system.
Objectif Lune Planet Press           Variable data print composition software.
BARR Channel Server                  Print stream blocking tool.
Production Insight                   Output management tracking and reporting tool.
Kodak EX300 MICR Printers            Check production printers.
OCE 6250 Printers                    High-speed black/white production printers.
Ricoh 720 Color                      High-speed color printer.
Canon IR-150                         Monochrome and MICR printer.
Pitney Bowes FPS auto-inserter       High-speed document-to-envelope inserter.
Bell & Howell 4000 auto-inserter     High-speed document-to-envelope inserter.




People

[CLIENT] has a staff of approximately 600 employees across 25 U.S. locations. Scranton, Pennsylvania is
[CLIENT]’s headquarters and the Scranton Facility is the main location for outsourced document
processing and workflow solutions. Morrisville, North Carolina is the main processing facility for output of
printed materials.

The organization is overseen by an Executive Team consisting of the following positions and their support
staff:

President/Chief Executive Officer – responsible for strategy, business development and overall
leadership. The executive team members report to the President.

Chief Financial Officer/Vice President Support Services – responsible for the financial services
team, human resources, compliance, risk management, facilities and IT Infrastructure.

    - IT Infrastructure Team responsible for network design, log monitoring, assessment and
      vulnerability testing.

    - Human Resources Team responsible for the processes of hiring, termination, training and
      compliance with organizational policies.

    - Financial Services Team responsible for billing, procurement and payroll.

    - Compliance & Risk Management Team responsible for facility oversight and support,
      security, corporate compliance and risk management.

Chief Relationship Officer/VP Solutions – responsible for solutions, client relationship and
customer service.

    - Solutions Executive Team responsible for overseeing sales and governance for each service
      line. It is broken down into teams supporting the Communication/Distributed Output
      System, Image Conversion and Data Capture System and Document Management and
      Preservation System.

    - Client Service and Interaction Team responsible for day-to-day client interaction and
      support on the Communication/Distributed Output System, Image Conversion and Data
      Capture System and fulfillment of the Document Management and Preservation System.

Chief Operations Officer/VP Global Operations – responsible for processing, fulfillment,
operational functions, project management and IT Development.

    - Communication/Distributed Output Team responsible for fulfilling client contracted
      actions including printing, fulfillment and output mail.

    - Image Conversion and Data Capture System Team responsible for the processing of
      documents from mailroom or electronic receipt, conversion to image, capture of data and
      delivery to client.

Chief Implementation Officer/VP Integrated Systems – responsible for processing, fulfillment,
operational functions, project management and IT Development.


                                                                                                  Page | 11
    - Quality and Excellence responsible for development and monitoring of ISO and
      production procedures and quality.

    - Project Delivery & Management responsible for the management and delivery of new
      projects and implementation of production.

    - IT Systems Development responsible for design, development and maintenance of
      processing systems.

Procedures

[CLIENT] provides document management for the entire document lifecycle from print to image and data
capture to processing, preservation, and storage. [CLIENT] specializes in large, complex, and dynamic
projects and operations. [CLIENT] provides redundancy and business continuity of operations with 25
facilities located throughout the U.S. Quality control procedures are tracked and reported at the
document level. The hardware and software include IBML production scanners with Captiva AnyDoc
advanced capture platforms.

Security, Access and Monitoring Procedures include:

    - Visitor and Building Security

    - Access Authorization Control

    - Confidentiality

    - Security Clearance for new hires

    - System Monitoring

    - Information Security Monitoring

    - Incident Response

    - Data Classification

    - Availability

[CLIENT] protects client information starting with personnel policies, which are documented in
[CLIENT]’s Employee Handbook and in the Human Resource Hiring policies. Written job descriptions
have been developed and are revised as necessary. Employees undergo comprehensive
background/security checks and drug screening prior to employment and are required to sign
confidentiality agreements upon hire, which state that no confidential information can be
communicated outside of the organization. Mandatory training is completed annually to ensure
understanding of and compliance with policies on confidentiality, ethics, and privacy.

[CLIENT]’s Access Control Policy guides access approval, provisioning, removal and monitoring.
Access to building areas, system network and information is granted based on job classifications and
responsibilities. Management is responsible for authorizing access. The Director of Risk Management
and Compliance monitors and reviews access granted when changes are made to positions.




Solarwinds Orion System Monitoring software is used to monitor system availability and performance
and provides current and historical tracking reports of performance factors including processor
utilization, memory utilization, network usage, errors and disk utilization. The system monitors Cisco
switches, routers, firewalls, and Windows-based servers. This information is used to provide
information to user entities, proactively identify concerns and plan for future system requirements.
Information security monitoring is the responsibility of the Infrastructure team, which reviews daily
logs to ensure a security breach is not missed.

[CLIENT] designed its Incident Response Policy and Procedure to establish a planned course of action
in case of security incidents. The procedure is a stepped process that includes initial assessment to
assign a severity level, incident notification, incident containment and response, recovery, and
review. Additional testing is completed twice per year to simulate a potential incident and the action
taken.

Communication/Distributed Output System Procedures include:

[CLIENT]’s Communication/Distributed Output capabilities include a secure digital print and mail
facility capable of producing over 1.4 billion printed images and 220 million mail pieces per year.
[CLIENT] offers a suite of document composition and electronic delivery solutions to satisfy user
entity needs for multi-channel communications. Examples of the output capabilities include:

    - Invoices

    - Statements

    - Insurance membership materials (identification cards, member guide booklets, rate
      change notices, and other policy reference materials)

    - Payments: checks and vouchers

    - Educational materials

Applicable Facilities: Raleigh, North Carolina and Millville, New Jersey

Image Conversion and Data Capture System Procedures include:

[CLIENT]’s Image Conversion and Data Capture capabilities include a systematic and analytical way
to track mail from initial receipt to image export. From the initial time of receipt, [CLIENT] uses
virtual mailroom technology to track the different types of mail received from various Post Office
Boxes. Mail is opened, sorted, scanned, indexed and integrated into each client’s workflow system in
a seamless manner, keeping process streams separate and retaining receipt and functional
information throughout the entire process. [CLIENT] utilizes a combination of internal audits and
client audits to measure performance against agreed upon Service Level Agreements (SLAs).
Examples of the conversion and data capture capabilities include:

    - Virtual mailroom

    - Conversion by scan to image

    - Data capture – key from image and verify

    - Live document handling and return including checks, death certificates, CDs, etc.

    - Quality audit

Applicable Facilities: Scranton, Pennsylvania and Montage, Pennsylvania

Document Management and Preservation System Procedures include:

[CLIENT] provides a total records management solution that includes the WebCIRM records
management tracking and management system and secure storage facilities. The Document
Management and Preservation System tracks location and movement of hard copy records stored in
multiple secure facilities throughout the US. Examples of record retention capabilities include:

    - WebCIRM

    - Record storage

Applicable Facilities: Scranton, Pennsylvania, Montage, Pennsylvania, Exeter, Pennsylvania, Delano,
Pennsylvania, Los Angeles, California, Louisville, Kentucky, Gordonsville, Virginia, Houston, Texas

Systems Development and Maintenance
The two key applications supporting the imaging operations are InputAccel and Captiva FormWare.
Both software packages are developed and supported by EMC, a third-party vendor. [CLIENT]
programming changes are limited to application settings and customized modules that hook into the
application interfaces. If modifications to core source code are needed, [CLIENT] requests the
modifications from the vendor, which includes them in future product releases.

Data transfer applications that provide interface between imaging applications and file transfer
software packages are developed internally.

Program Modification Controls
The following description of program modification controls applies to changes to existing systems and
programs:

Requests for Modifications
Requests for enhancements can originate from either external clients or from internal operations
departments. Enhancements or modifications requested by external customers are communicated to
[CLIENT] personnel, who document the client requests. Changes originating from the internal
departments stem from issues identified during day-to-day processing, errors or a need for additional
systems controls to minimize the probability of errors and increase the accuracy of data capture.

For all change requests, the internal [CLIENT] employee submits a request via the Web-based
Elementool. Any modifications to the issue are maintained in an issue history.




The Elementool issue record contains the following information:

    - Title
    - Type (change request, project, request for proposal, status rollup)
    - Requestor
    - Requirements
    - Weekly report/comments
    - System impacts
    - Priority
    - Customer
    - Customer type
    - System impacts
    - Division/location
    - Status manager
    - Lead developer
    - Status

In addition to the fields listed above, if the request originates from a customer, a Customer Change
Request Form or statement of work can be attached to the issue. Members of IT senior management
review the requests and work with application development teams to determine the technical scope
and details for the changes.

Authorization of Changes

Approval of application system change requests is required from [CLIENT] operations management.
If the change request originated from a customer, the customer must also approve the change
before development can begin.

For customer-originating requests, the Customer Change Request Form, signed by [CLIENT]
management, is sent to the customer for final approval and sign-off. The final form contains the
following information:

    - Initiator of the change
    - Overview and benefit
    - Technical change to be made
    - Technical implications
    - Operational implications
    - Test information relative to the change
    - Implementation information relative to the change
    - Back-out plans
    - Target date




When required approvals and sign-offs are obtained, IT senior management assigns resources to
work on the development of changes.

Program Testing

Application system changes are tested by both the IT and client operations groups. The following
major phases are typical for application change releases:

    - IT testing
    - Operations testing
    - Identified issues resolution
    - Approval and sign-off

Though releases differ in scope, complexity and extent of testing, the following sections are the most
commonly executed steps.

IT Testing

Unit testing and debugging is conducted by the IT Development Team. The release is deployed into
the test environment after unit testing has been performed locally by the IT Development Team.
Formal test plans are executed by an Operational Excellence analyst with the assistance of the IT
Development Team in order to cover areas of potential impact. The Operational Excellence
department notifies client operations management that the new release has been installed in the test
environment and is available for testing.

Operations Testing

Scan operators scan a limited number of test batches into the test environment as determined by
operations management and the Operational Excellence department. When the batches reach the
completion stages, the production test operators start processing the batches. The Operational
Excellence analyst executes the test plans and checks for errors and issues that may arise during
testing. If error messages are noted or system results or behavior are deemed to be out of the
ordinary, issues are reported to the Operational Excellence department. Noted issues are recorded
into appropriate test results documentation along with applicable error messages, batch names and
error screen printouts. Some of the releases require integrated testing with the clients. For these
types of releases, account management or product management coordinates testing with the
corresponding clients and collects feedback covering the observed outcomes, issues, or failures.

Approval and Sign-Off

The operations and the Operational Excellence department managers review the issues observed
during each test run and determine if the tests can be considered successful. If the test is considered
successful, the team’s management signs off that the release can proceed to the next stage. Results
of tests of changes affecting or originated by the clients are reviewed and approved by the affected
clients. Approvals are sent via e-mails. If a release is approved for rollout to the production
environment, the IT project manager e-mails the release group that the release installation can be
executed.


Control Over Production Programs

Depending on the type and complexity of a change, rollout schedules, coordination and cross-
department notifications, preparation efforts and potential issues are discussed during ad-hoc pre-
production release management meetings.

Rollout of changes to the production environment is the responsibility of the NetAdmin group. The
only exceptions are changes to the InputAccel parameter files, which require a developer to insert
parameter changes directly into the parameter file. Developers must request this access from the
director of IT support prior to performing this update. Developers have no access to other production
systems or files.

Production release issues and items are discussed during ad-hoc post-production implementation
management meetings. In some instances, clients are also present via teleconference to provide their
feedback on the results of the upgrades.

Monthly file reviews are performed on the InputAccel parameter files to verify that they have the
same process install date documented in the latest approval granted by IT management. In addition,
the file shares containing the application updates are reviewed for synchronization on a monthly basis
by NetAdmin. If a discrepancy is encountered, the issue is reported in the form of a five-point
analysis. This report also lists the corrective action taken along with the business impact.

Source and Object Code

The development teams use the CVS version control system to provide secured access to the source
code, maintain different versions and history of programs, as well as to facilitate controlled changes
and access to the source code. Access permissions are integrated with Microsoft Active Directory.

Documentation

Imaging applications documentation is written, updated and distributed by the [CLIENT] client
operations staff and personnel responsible for training of operations staff. Standard documentation
related to the operating systems and infrastructure is provided by the corresponding operating
system and hardware vendors. Such technical documentation is available only to authorized IT
personnel.
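The monthly parameter-file review described above, as an added example (not [CLIENT]'s own tooling): it compares each InputAccel parameter file on a share against a constructed approval record (file name, approved install date, SHA-256 of the approved content; all hypothetical) and returns the discrepancies a five-point analysis would record. It goes one step beyond the text by also flagging files present on the share that no approval covers.

```python
"""Monthly InputAccel parameter-file review (added example, hypothetical).

Assumptions (all constructed for this example):
- APPROVAL_RECORD is the latest IT-management approval for each parameter
  file: approved install date plus SHA-256 of the approved content.  In
  practice it would be exported from the approval workflow, not typed in.
- The file's last-modification time (UTC) is taken as its install date.
"""
import datetime as dt
import hashlib
import os
import tempfile

# Constructed approved content of three parameter files (hypothetical names).
APPROVED_CONTENT = {
    "batch.ini": b"[Batch]\nMaxPages=500\nSeparator=PatchT\n",
    "export.ini": b"[Export]\nTarget=\\\\share\\client\\out\n",
    "ocr.ini": b"[OCR]\nEngine=default\nConfidence=85\n",
}
APPROVAL_RECORD = {
    name: {
        "install_date": dt.date(2012, 8, 14),
        "sha256": hashlib.sha256(content).hexdigest(),
    }
    for name, content in APPROVED_CONTENT.items()
}


def sha256_of(path):
    """Hash a file in chunks so large parameter files are handled too."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_date_of(path):
    """Treat the file's last-modification time (UTC) as its install date."""
    ts = os.path.getmtime(path)
    return dt.datetime.fromtimestamp(ts, dt.timezone.utc).date()


def review_parameter_files(directory, approvals):
    """Compare every parameter file in `directory` with its latest approval.

    Returns a list of (file name, issue) findings; an empty list means the
    review passed.  Each finding is what the five-point analysis would cover.
    """
    findings = []
    present = set(os.listdir(directory))
    for name, approval in sorted(approvals.items()):
        if name not in present:
            findings.append((name, "approved file missing from production share"))
            continue
        path = os.path.join(directory, name)
        if sha256_of(path) != approval["sha256"]:
            findings.append((name, "content differs from approved version"))
        if install_date_of(path) != approval["install_date"]:
            findings.append((name, "install date differs from latest approval"))
    # A file that no approval covers is a change that bypassed the
    # request/approval workflow, so it is reported as well.
    for name in sorted(present - set(approvals)):
        findings.append((name, "file present without an approval record"))
    return findings


def _set_install_date(path, day):
    """Stamp a file's mtime with a given date (noon UTC) for the sample."""
    when = dt.datetime(day.year, day.month, day.day, 12, tzinfo=dt.timezone.utc)
    os.utime(path, (when.timestamp(), when.timestamp()))


def build_sample_share():
    """Create a constructed production share with deliberate discrepancies.

    batch.ini  matches its approval (no finding expected)
    export.ini content edited after approval and installed on a later date
    ocr.ini    approved but never installed (missing)
    debug.ini  installed with no approval record
    """
    share = tempfile.mkdtemp(prefix="inputaccel_params_")
    approved_day = APPROVAL_RECORD["batch.ini"]["install_date"]
    with open(os.path.join(share, "batch.ini"), "wb") as fh:
        fh.write(APPROVED_CONTENT["batch.ini"])
    _set_install_date(os.path.join(share, "batch.ini"), approved_day)
    with open(os.path.join(share, "export.ini"), "wb") as fh:
        fh.write(b"[Export]\nTarget=\\\\share\\other\\out\n")
    _set_install_date(os.path.join(share, "export.ini"), dt.date(2012, 9, 2))
    with open(os.path.join(share, "debug.ini"), "wb") as fh:
        fh.write(b"[Debug]\nVerbose=1\n")
    _set_install_date(os.path.join(share, "debug.ini"), approved_day)
    return share


if __name__ == "__main__":
    for name, issue in review_parameter_files(build_sample_share(), APPROVAL_RECORD):
        print(f"{name}: {issue}")
```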

Data

[CLIENT]’s records and information management services encompass the following types of data in each of
[CLIENT]’s core service offerings:

    - Print and Output System – Client data in the form of data files is output via print templates to
      produce correspondence, statements, and other printed material.

    - Image Conversion and Data Capture System – Client data in hard copy or electronic forms data is
      captured either through automatic recognition software or human data entry.

    - Document Management and Preservation System – This system tracks location and movement of
      hard copy records stored in one of [CLIENT]’s secure facilities throughout the US.


Subservice Organizations

[CLIENT] utilizes several subservice organizations to perform services for its clients. Presented below is a
description of the services provided by the subservice organization, the criteria relevant to the services performed
by the subservice organization and the types of controls expected at the subservice organizations.

Document Capture and Data Entry Services

[CLIENT] clients with specialized and global processing requirements may request that [CLIENT] utilize one of
three subservice organizations with unique capabilities that complement [CLIENT]’s services. These subservice
organizations perform capture of data from files imaged by [CLIENT], and return to [CLIENT] the captured data in
machine readable format. The Criteria that relate to controls at these subservice organizations include all criteria
related to the Trust Services Principles of Security, Confidentiality, Processing Integrity, and Availability for those
clients which elect for [CLIENT] to use these subservice organizations while processing is performed by them.
The types of controls that are necessary to meet the applicable trust services criteria, either alone or in
combination with controls at [CLIENT], include:

    - The system is protected against unauthorized access (both physical and logical).

    - The system is available for operation and use as committed or agreed.

    - System processing is complete, accurate, timely, and authorized.

    - Information designated as confidential is protected as committed or agreed.

    - Policies and procedures exist related to security, availability, processing integrity, and confidentiality and
      are implemented and followed.

    - Communication and monitoring controls are implemented related to security, availability, processing
      integrity, and confidentiality.

Applicable Criteria and Related Controls

The security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related
controls are included in Section 4 of this report, “Independent Service Auditors’ Description of Tests of Controls
and Results”. Although the security, availability, processing integrity, and confidentiality trust services criteria and
[CLIENT]’s related controls are included in Section 4, they are an integral part of [CLIENT]’s description of its
Document Management, Data Capture, and Print Output Services System and are incorporated herein.




User-Entity Control Considerations

Services provided by [CLIENT] to user entities and the controls of [CLIENT] cover only a portion of the overall
controls of each user entity. [CLIENT]’s controls were designed with the assumption that certain controls would
be implemented by user entities. In certain situations, the application of specific controls at user entities is
necessary to achieve the applicable trust principles criteria. It is not feasible for the applicable trust services
criteria relating to the services outlined in this report to be achieved solely by [CLIENT]. This section highlights
those internal control responsibilities that [CLIENT] believes should be present for each user entity and has
considered in developing the controls described in the report. This list does not purport to be, and should not be,
considered a complete listing of the controls relevant at user entities. Other controls may be required at user
entities.

    - Information provided to [CLIENT] from user entities should be in accordance with provisions in the
      agreement for services between [CLIENT] and user entities.

    - User entities are responsible for encrypting and protecting transmissions.

    - User entities are responsible for maintaining and communicating to [CLIENT] a current list of employees
      who have authority to access systems and determine action (i.e., destruction).

    - The security administrators at user entities are responsible for ongoing maintenance and monitoring of
      their employees’ system access to [CLIENT]’s infrastructure.

    - User entities are responsible for reporting to [CLIENT] any known or suspected issues with security,
      processing integrity, confidentiality, and availability.

    - User entities are responsible for monitoring any processing reports provided or made available by
      [CLIENT].

    - User entities are responsible for participating in disaster recovery tests to determine whether [CLIENT]’s
      disaster recovery procedures meet their disaster recovery needs.




SECTION 4

INDEPENDENT SERVICE AUDITORS’ DESCRIPTION OF TESTS OF CONTROLS AND TEST RESULTS

Introduction

The purpose of this report is to provide management of [CLIENT], user entities, and other specified parties
with information about controls at [CLIENT] that are intended to mitigate risks related to security, availability,
processing integrity, and confidentiality. The security, availability, processing integrity, and confidentiality
principles are outlined in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security,
Availability, Processing Integrity, Confidentiality, and Privacy.

Description of Types of Testing Performed

The types of tests performed to assess the effectiveness of controls included the following:

Inquiry: Discussed the controls with operations, administrative personnel, and/or management who are
responsible for developing, adhering to, and applying the controls to determine their understanding and
compliance.

Inspection: Inspected documents and reports indicating performance of the controls.

Observation: Observed the application of specific controls.

Reperformance: Re-performed application of the controls.




Security Criteria
1.0     Policies: The entity defines and documents its policies for the security of its system.

Criteria 1.1: The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

Control: A written security policy has been approved by Executive Leadership.
Test of Controls: Inquired with the Manager, Corporate Compliance and Security and inspected the Data Security
Handbook and Risk Assessment Policy to determine if security policies were established, periodically reviewed and
approved by Executive Leadership.
Test Results: No deviations noted.

Criteria 1.2: The entity's security policies include, but may not be limited to, the following matters:
    a. Identifying and documenting the security requirements of authorized users
    b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights
    and access restrictions, and retention and destruction requirements
    c. Assessing risks on a periodic basis
    d. Preventing unauthorized access
    e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access
    f. Assigning responsibility and accountability for system security
    g. Assigning responsibility and accountability for system changes and maintenance
    h. Testing, evaluating, and authorizing system components before implementation
    i. Addressing how complaints and requests relating to security issues are resolved
    j. Identifying and mitigating security breaches and other incidents
    k. Providing for training and other resources to support its system security policies
    l. Providing for the handling of exceptions and situations not specifically addressed in its system security policies
    m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level
    agreements, and other contractual requirements
    n. Providing for sharing information with third parties
Control: A written Data Security Handbook identifies and documents the noted requirements “a” – “n.”
Test of Controls: Inspected the Data Security Handbook and risk assessment policy to determine if the noted
elements of “a” – “n” were included.
Test Results: No deviations noted.




Criteria 1.3: Responsibility and accountability for developing and maintaining the entity's system security policies, and changes and updates
to those policies, are assigned.

Control: Management has assigned responsibility and accountability for the maintenance and enforcement of
[CLIENT]’s security and availability policy to the Director of Compliance and Risk Management as well as the
Director of IT Infrastructure.
Test of Controls: Inspected job descriptions for the Director of IT Infrastructure and the Director of Compliance
and Risk Management to determine if accountability for developing and maintaining [CLIENT]’s system security
policies, and changes and updates to those policies, was assigned.
Test Results: No deviations noted.

Control: The Executive Team approves updates to policies.
Test of Controls: Inspected meeting minutes to determine if responsibility for maintaining policies and changes or
updates to security policies was assigned to the Executive Team.
Test Results: No deviations noted.


2.0     Communications: The entity communicates its defined system security policies to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to
authorized users.

Control: [CLIENT] prepares an objective description of the system and its boundaries and communicates it to
user entities.
Test of Controls: Inspected the system description to determine if the system and its boundaries were
communicated to authorized users.
Test Results: No deviations noted.
Criteria 2.2: The security obligations of users and the entity's security commitments to users are communicated to authorized users.

Control: Security obligations are customized to each client and are part of their contract.
Test of Controls: Selected a sample of clients and inspected Service Level Agreements to confirm security
obligations were communicated.
Test Results: No deviations noted.

Control: Internal employees are held to HIPAA guidelines and Confidentiality policies. These policies are reviewed
upon hire and employees are required to sign documents acknowledging the understanding of these obligations.
The policies are also reviewed annually by all personnel.
Test of Controls: Inspected acknowledgment forms to determine if the acknowledgement forms identify the
security responsibilities of employees. Selected a sample of new hires and inspected their acknowledgement
forms to determine if [CLIENT] received the signed acknowledgement.
Test Results: No deviations noted.




Control: The Data Security Handbook, Employee Handbook with Confidentiality and HIPAA policy are published on
the company intranet.
Test of Controls: Observed the company intranet to determine if the Data Security Handbook and Employee
Handbook were published. Inspected the Data Security Handbook and HIPAA policy to determine if security
obligations of users and the entity’s security commitments to users were communicated.
Test Results: No deviations noted.




Criteria 2.3: Responsibility and accountability for the entity's system security policies and changes and updates to those policies are
communicated to entity personnel responsible for implementing them.

Control: The Director of Compliance and Risk Management and Director of IT Infrastructure have custody of and
are responsible for the day-to-day maintenance of [CLIENT]’s technical security policies and recommend
confidentiality, availability and processing integrity changes. Written job descriptions have been defined and are
communicated to the Director of IT Infrastructure and Director of Compliance and Risk Management.
Test of Controls: Inquired of the Director of Compliance and Risk Management and inspected job descriptions for
the Director of Compliance and Risk Management and Director of IT Infrastructure to determine if responsibilities
for system security, confidentiality, availability and processing integrity policies were formally assigned.
Test Results: No deviations noted.

Control: Written process and procedure manuals for all defined security processes are provided to all IT
personnel, management and client-facing personnel and included in new hire and annual training and sign-off
procedures.
Test of Controls: Inspected the Data Security Handbook to determine if defined security processes were provided
to all IT personnel, management, and client-facing personnel.
Test Results: No deviations noted.

Control: If any policy changes are made they are communicated by internal company-wide email by the Vice
President of Finance or President.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security and determined that no policy
changes were performed during the period of January 1, 2012 to September 30, 2012. The operating
effectiveness of this control activity could not be tested as there was no related activity during the period
January 1, 2012 to September 30, 2012.
Test Results: No deviations noted.




Criteria 2.4: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

Control: IT incidents (security, availability, confidentiality, or processing integrity) including potential breaches are reported to the IT Help Desk for action as defined in the Data Security Handbook.

Test of Controls: Inspected the Data Security Handbook incident response procedures, documented escalation process, and 5 Point Process to determine if incidents and system/operational issues were communicated based upon criteria specified in the escalation document.

Test Results: No deviations noted.

Control: An 800 number and email address is provided on our website to contact our Customer Service area for any questions or issues. Clients who store data on our systems are assigned a Solutions Executive and Client Advocate who serve as their direct resolution experts.

Test of Controls: Selected a sample of clients and inspected supporting documentation to determine if a process existed for authorized users to inform [CLIENT] of breaches and submit complaints.

Test Results: No deviations noted.

Criteria 2.5: Changes that may affect system security are communicated to management and users who will be affected.

Control: Planned changes to system components and the scheduling of those changes are reviewed as part of monthly IT/Operations meetings.

Test of Controls: For a sample of months, inspected meeting agendas and/or minutes from the monthly IT/Operations meetings to determine that changes that may affect system security, availability, processing integrity, or confidentiality were communicated to management or users who will be affected. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no changes occurred during the period which required communication. Inspected a sample of changes to determine that none required communication.

Test Results: No deviations noted.




3.0: Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Control: Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco Switch/Router Configs, Antivirus software, software patches, any changes to local system accounts and generic domain accounts, domain and account groups (monthly), and backup procedures. A report is composed, compiles the results of the previous steps, and assigns a grade based on predefined parameters. A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised. Risks that rate high are given priority during the mitigation phase.

Test of Controls: Inspected the Risk Assessment Policy to determine if procedures exist to identify potential threats of disruption and assess risks associated with the threats. Inspected the internal vulnerability assessment results to determine the following: 1) bi-annual internal security audits were performed to identify potential threats 2) a risk assessment was performed to identify potential threats and assess risks.

Test Results: No deviations noted.




Criteria 3.2: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a.      Logical access security measures to restrict access to information resources not deemed to be public.
b.      Identification and authentication of users.
c.      Registration and authorization of new users.
d.      The process to make changes and updates to user profiles.
e.      Distribution of output restricted to authorized users.
f.      Restriction of access to offline storage, backup data, systems, and media.
g.      Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Control (a): Logical access to nonpublic information resources is protected through the use of security software and operating system security. Access is defined by job description and manager authorization. Access to resources is granted to an authenticated user based on the user’s identity. Proper authorization must be completed for any access to be granted.

Test of Controls (a): Inspected the Data Security Handbook, Windows security access reports, IBML user access list, EMC Captiva user access list, Anydoc access list and Emtex VIP access list (Raleigh) to determine 1) if logical access to nonpublic information was required to be protected through security software or operating system security 2) if authentication with a valid user ID was needed to access resources. Inquired of the Director of IT Infrastructure and inspected privileged user access listings to determine if access was assigned and defined based on job descriptions. Inquired of the Director of IT Infrastructure and inspected the Data Security Handbook to determine if users were required to authenticate with a unique ID and password when accessing systems. Selected a sample of new hires and inspected new user access request forms to determine if manager authorization was obtained prior to granting system access. Inspected a sample of IBML, Anydoc, EMC, Thunderhead portal and Emtex VIP application users to determine if access was commensurate with their job description. Also inspected all members of the IT Personnel user access group to determine if access was commensurate with their job description.

Test Results (a): No deviations noted.




Control (b): Users must establish their identity to [CLIENT]’s network and application systems when accessing nonpublic resources through the use of a valid user ID that is authenticated by an associated password. Unique user IDs are assigned to individual users. Use of group or shared IDs is not permitted. Passwords must contain at least eight characters, at least three character types, and are not able to repeat within 24 months. Security configuration parameters force passwords to be changed every 30 days. Login sessions are terminated after 3 unsuccessful login attempts.

Test of Controls (b): Inspected the Data Security Handbook to determine if users must be authenticated prior to gaining access to system resources, unique user IDs were assigned, use of group or shared IDs was not permitted, passwords must be changed, must be a minimum of eight characters with complexity in the character set and login sessions must be terminated after three failed attempts. Inspected password configuration settings to determine if the noted settings were enforced. Observed a user login to the network to determine if the users were prompted for a unique username and password. Inspected the IBML Windows Group, Windows domain admin list and Emtex VIP (Raleigh) to determine if unique user IDs were assigned and the use of group or shared IDs was not permitted. See tests of controls included under Security 3.2(a).

Test Results (b): No deviations noted.
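The password and login-session parameters of control 3.2(b), modelled as an added Python example. This is illustrative code written for this page, not [CLIENT]’s software: the parameter values come from the control description, while the PBKDF2 work factor, the account store and the function names are assumptions.

```python
"""Model of the password and login-session rules in control 3.2(b); illustrative code added
for this page, not [CLIENT]'s software. Parameter values come from the control description;
the hashing scheme, the account store and the function names are assumptions."""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                        # "at least eight characters"
MIN_CHARACTER_TYPES = 3               # "at least three character types"
REUSE_WINDOW = timedelta(days=730)    # "not able to repeat within 24 months"
MAX_AGE = timedelta(days=30)          # "changed every 30 days"
MAX_FAILED_ATTEMPTS = 3               # "terminated after 3 unsuccessful login attempts"
PBKDF2_ROUNDS = 50_000                # assumed work factor for stored password hashes

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def character_types(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    return sum(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules a candidate password violates (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_types(password) < MIN_CHARACTER_TYPES:
        problems.append(f"fewer than {MIN_CHARACTER_TYPES} character types")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    set_at: datetime
    # (salt, digest, retired_at) of earlier passwords, kept for the 24-month reuse check
    history: list[tuple[bytes, bytes, datetime]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False


def create_account(accounts: dict[str, Account], user_id: str, password: str,
                   now: datetime) -> Account:
    """Register one individual user; an ID is assigned once, so group or shared IDs cannot exist."""
    if user_id in accounts:
        raise ValueError(f"user ID {user_id!r} is already assigned")
    problems = complexity_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    accounts[user_id] = Account(user_id, salt, _derive(password, salt), now)
    return accounts[user_id]


def change_password(account: Account, new_password: str, now: datetime) -> list[str]:
    """Apply the complexity and reuse rules; returns the problems found, or [] after a change."""
    problems = complexity_problems(new_password)
    if _derive(new_password, account.salt) == account.digest:
        problems.append("same as current password")
    for salt, digest, retired_at in account.history:
        if now - retired_at < REUSE_WINDOW and _derive(new_password, salt) == digest:
            problems.append("reused within 24 months")
            break
    if problems:
        return problems
    account.history.append((account.salt, account.digest, now))
    account.salt = os.urandom(16)
    account.digest = _derive(new_password, account.salt)
    account.set_at = now
    return []


def authenticate(account: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'denied', 'locked' or 'expired', updating the failed-attempt counter."""
    if account.locked:
        return "locked"
    if _derive(password, account.salt) != account.digest:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True          # third failure terminates further logins
            return "locked"
        return "denied"
    account.failed_attempts = 0
    if now - account.set_at >= MAX_AGE:
        return "expired"                   # credentials valid, but the 30-day limit has passed
    return "ok"
```

The reuse window is measured from the date a password was retired, so a password last used more than 24 months ago becomes eligible again while a recent one is refused.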




Control (c): Customers must be approved and granted access to [CLIENT]’s Web site (WebCIRM), under a secure session, requiring user ID and password. Privileges are limited to specific system functionality. The Director of Business Process Operations authorizes access privilege change requests for employees and the Vice President of Operations does so for vendors. Access is limited to specific functionality. The ability to create or modify users and user access privileges (other than the limited functionality “customer accounts”) is limited to the security administration team.

Test of Controls (c): Inspected the Network Solutions Certificate Authority issued to WebCIRM to determine if encryption through SSL was enforced. Inspected the Data Security Handbook to determine if Director level approval was required for changes to access privileges for employees and vendors. Inspected a list of employees with administrative access privileges on Windows systems, network devices and database servers to determine if access was limited to IT personnel based on job function.

Test Results (c): See test results included in Security Criteria 3.2(a).




Control (d): Changes to customer accounts may be performed by the Director of Client Interaction with authorization documented on user access request forms. Changes are reflected immediately. Unused WebCIRM customer accounts (no activity for six months) are reviewed by the Director of Client Interaction and if necessary purged from the system. Changes to other accounts and profiles are made by the security administration team through a request on a Network Access Form and require the written approval of the Director of Business Process or other higher level Management.

Test of Controls (d): Selected a sample of users and inspected the related user access request forms to determine if changes to customer accounts were authorized. Inspected the CIRM User ID Recertification to determine if unused WebCIRM customer accounts were reviewed by the Director of Client Interaction. Selected a sample of new hires and inspected Network Access Forms to determine if user account additions were approved.

Test Results (d): No deviations noted.

Control (e): Access to computer processing output is provided to authorized individuals based on their job description and classification of the information. Processing output is stored in an area that reflects the classification of the information. Processing output is distributed in accordance with the security policy based on classification of the information.

Test of Controls (e): Inspected badge access listings to determine if access was restricted based on job responsibilities. Inspected the Data Security handbook to determine if policies exist for the distribution of processing output based on information classification.

Test Results (e): No deviations noted.




Control (f): Access to offline storage, backup data, systems, and media is limited to computer operations staff through the use of restricted physical and logical access.

Test of Controls (f): Inspected the Data Security handbook to determine if access to sensitive data was secured through logical and physical security measures. Inspected the computer room badge access listing to determine if access was restricted based on job responsibilities. Inspected the list of users with system administrator capabilities on the windows systems and badge access system to determine if access was restricted based on job responsibilities.

Test Results (f): No deviations noted.

Control (g): Hardware and operating system configuration tables are restricted to appropriate personnel through physical access controls, native operating system security, and add-on security software. Application software configuration tables are restricted to authorized users and monitored by the Director of Network. Utility programs that can read, add, change, or delete data or programs are restricted to authorized technical services staff. Usage is logged and monitored by the Director of Network. A spare listing of all master passwords is stored in an encrypted file.

Test of Controls (g): Inspected the list of users with administrative access rights on Windows systems, VPN and databases to determine if access was limited based on job need. Inspected the Windows event log settings and Cisco access control server (ACS) settings to determine if system configuration activity was logged. Inspected the Daily Security Log to determine if system configuration usage logs were monitored by members of the network infrastructure group. Inquired of the Director of IT Infrastructure and observed the master password file to determine if master passwords were stored in an encrypted file.

Test Results (g): No deviations noted.




Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Control: Physical access to the computer rooms, which house [CLIENT]’s IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance. Requests for physical access privileges to [CLIENT]’s computer facilities require the approval of the Director of Compliance and Risk Management. Documented procedures exist for the identification and escalation of potential physical security breaches. Offsite backups are stored at a physical Disaster Recovery/Business Continuity site. This facility requires physical access cards and is restricted to the exact parameters as the main site.

Test of Controls: Inspected the computer room badge access listing, operations access listing and Kirkwood facility access listing to determine if access was restricted based on job responsibilities. Performed a tour of the data center to determine if video surveillance was in place. Inspected physical access procedures to determine if requests to access [CLIENT]’s facilities require approval of the Director of Compliance and Risk Management. Inspected the data security handbook and inspected the documented incident response procedures to determine if identification and escalation of potential physical security breaches were addressed.

Test Results: No deviations noted.

Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.

Control: Protective system processes are in place to prevent and monitor unauthorized access to system resources and unauthorized access attempts.

Test of Controls: Inspected security logs to determine if failed login attempts and system lockouts are recorded. Inspected network diagram, Cisco device list, and security logs to confirm that system firewalls are in use and firewall event logs are reviewed daily. Inspected master server list and inquired of IT management that the master server list is maintained and updated by the IT department for any system changes. Inspected and inquired about the use of IDS Snort software. Inspected the external vulnerability assessment results to verify security reviews are being performed by external parties.

Test Results: No deviations noted.

Control: See controls included in Security Criteria 3.2.

Test of Controls: See test of controls included in Security Criteria 3.2.

Test Results: See test results included in Security Criteria 3.2.




Criteria 3.5: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Control: Antivirus software is in place that prevents computer viruses, malicious code and unauthorized software, including virus scans of incoming e-mail messages. Virus signatures are reviewed and updated daily.

Test of Controls: Inquired of the Director of IT Infrastructure and observed antivirus configuration settings to determine if antivirus software was installed and virus definitions were updated daily.

Test Results: No deviations noted.

Criteria 3.6: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Control: [CLIENT] uses encryption technology, VPN software, and other secure communication systems (consistent with its periodic IT risk assessment) for the transmission of private or confidential information over public networks, including user IDs and passwords.

Test of Controls: Inspected SSL protocol permissions, SSL certificates, and VPN protocol encryption to determine if encryption technology was in use.

Test Results: No deviations noted.

Criteria 3.7: Procedures exist to identify, report, and act upon system security breaches and other incidents.

Control: A Security Incident Response Plan (5-Point Process) is instituted for identification and resolution of potential security breaches to the information security team.

Test of Controls: Inspected the Data Security Handbook and Security Log Sign-off Sheet to determine if a) the security incident response plan was defined and documented b) the network staff was responsible for reviewing security logs on a daily basis. Inspected the 5-Point Analysis Procedures document to determine if a defined escalation process was established and appropriate resolution requires approval by management.

Test Results: No deviations noted.

Control: When an incident is detected or reported, a defined Security Incident Response Plan (5-Point Process) identifies severity and action to be taken. Corrective actions are implemented in accordance with defined policies and procedures.

Test of Controls: Inspected a sample of completed 5-Point Analysis documentation to determine if the 5-Point Analysis procedures were followed.

Test Results: No deviations noted.




Criteria 3.8: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Control: Data Classifications are used to determine access permissions as well as audit levels. The principle of least privilege is utilized to assign permissions at all levels. Permissions are assigned on Windows groups which map to a specific job function. Propriety of data is considered during new implementations, upgrades and change order actions.

Test of Controls: Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.

Test Results: No deviations noted.

Criteria 3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Control: All incidents are tracked by management until resolved through the 5-Point incident response process.

Test of Controls: See test of controls included in Security Criteria 3.7.

Test Results: See test results included in Security Criteria 3.7.

Control: Supervisors review and approve the incident response process to help make certain procedures are followed.

Test of Controls: See test of controls included in Security Criteria 3.7.

Test Results: See test results included in Security Criteria 3.7.

Criteria 3.10: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

Control: [CLIENT] has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology.

Test of Controls: Inquired of the Director of IT Development, and inspected the IT Change Control Procedures and Standard Build Documentation to determine if: a) a formal methodology exists that governs the change management and SDLC processes and b) the network administration team was responsible for approving architecture and design specifications for new systems. Inspected the Data Security Handbook to determine if system changes that cannot meet defined data security standards require approval by senior IT management.

Test Results: No deviations noted.




Control: The Network administration team reviews and approves the architecture and design specifications for new systems development and acquisition to help ensure consistency with [CLIENT]’s security objectives, policies, and standards.

Test of Controls: Requested a sample of new systems development and acquisition projects to determine if the Network administration team reviewed and approved the architecture and design specifications. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no new systems development and acquisition projects occurred during the period. Inspected a sample of changes to determine that none were related to new systems development and acquisition.

Test Results: No deviations noted.

Criteria 3.11 Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems
affecting security have the qualifications and resources to fulfill their responsibilities.


Criteria 3.12: Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

Control: The IT department maintains an up-to-date listing of all software and the respective level, version, and patches that have been applied.

Test of Controls: Inspected the software list to determine if an up-to-date list was maintained by IT.

Test Results: No deviations noted.

Control: Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.

Test of Controls: Inquired of the Director of IT Development and inspected IT Change Control Procedures and Standard Build Documentation to determine if a formal methodology exists that governs the change management and SDLC processes. Inspected a sample of changes to determine if requests for change were standardized and subject to documented change management procedures.

Test Results: No deviations noted.




                                                                                                                                                         Page | 36
Control: System configurations are tested annually and evaluated against [CLIENT]’s security policies and current service-level agreements. An exception report is prepared and remediation plans are developed and tracked.

Test of controls: Inspected the external Vulnerability Assessment results to determine if an assessment was performed.

Inspected the internal Vulnerability Assessment results to determine if: 1) system configurations were tested, 2) system configurations were evaluated against [CLIENT]’s security policies, 3) an exception report was prepared, and 4) remediation plans were developed/tracked.

Test results: No deviations noted.
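The control above describes a cycle of testing configurations against policy, preparing an exception report, and tracking remediation. The Python script below is an added illustration of that cycle; it is not part of [CLIENT]’s description or of the service auditors’ procedures. It compares a constructed software inventory and configuration snapshot against a hypothetical policy baseline (minimum package versions and required settings), renders the deviations as an exception report, and records an owner and status per finding. Every host, package, version, setting, and baseline value is invented for the example.

```python
"""Evaluate a software inventory and host configuration against a policy
baseline, then produce and track an exception report.

Added illustration only: the hosts, packages, versions, settings and the
baseline below are constructed for the example and are not taken from
[CLIENT]'s system or the auditors' evidence.
"""
import re
from dataclasses import dataclass

# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "app01": {"openssl": "1.0.1e", "nginx": "1.20.1", "sshd": "8.2p1"},
    "db01": {"openssl": "1.1.1k", "postgresql": "13.4", "sshd": "7.4p1"},
}

# Constructed configuration snapshot: host -> {setting: observed value}
CONFIG = {
    "app01": {"sshd.PasswordAuthentication": "no", "sshd.PermitRootLogin": "no"},
    "db01": {"sshd.PasswordAuthentication": "yes", "sshd.PermitRootLogin": "no"},
}

# Hypothetical policy baseline: minimum acceptable versions and required settings
BASELINE = {
    "min_versions": {"openssl": "1.1.1k", "sshd": "8.2p1"},
    "required_settings": {
        "sshd.PasswordAuthentication": "no",
        "sshd.PermitRootLogin": "no",
    },
}


def version_key(version):
    """Turn '1.0.1e' or '8.2p1' into a tuple that orders correctly.

    Numeric runs compare as integers and letter runs as strings; each element
    is tagged so an int is never compared with a str.
    """
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return tuple(parts)


@dataclass
class Finding:
    host: str
    item: str        # "package:<name>" or "setting:<key>"
    expected: str
    observed: str
    status: str = "open"
    owner: str = ""


def evaluate(inventory, config, baseline):
    """Return one Finding per deviation from the baseline."""
    findings = []
    for host, packages in inventory.items():
        for pkg, minimum in baseline["min_versions"].items():
            # A package that is not installed is out of scope for a minimum version.
            if pkg in packages and version_key(packages[pkg]) < version_key(minimum):
                findings.append(Finding(host, f"package:{pkg}", f">= {minimum}", packages[pkg]))
    for host, settings in config.items():
        for key, required in baseline["required_settings"].items():
            observed = settings.get(key, "<unset>")  # an absent setting is a deviation too
            if observed != required:
                findings.append(Finding(host, f"setting:{key}", required, observed))
    return findings


def exception_report(findings):
    """Render findings as the exception report an auditor would inspect."""
    header = f"{'host':<6} {'item':<36} {'expected':<10} {'observed':<10} status"
    rows = [
        f"{f.host:<6} {f.item:<36} {f.expected:<10} {f.observed:<10} {f.status}"
        + (f" ({f.owner})" if f.owner else "")
        for f in findings
    ]
    return "\n".join([header, *rows])


def track(findings, host, item, owner, status):
    """Record the remediation owner and status of one finding; raise if unknown."""
    for f in findings:
        if f.host == host and f.item == item:
            f.owner, f.status = owner, status
            return f
    raise KeyError(f"no finding for {host} {item}")


def open_count(findings):
    """Number of findings still awaiting remediation."""
    return sum(1 for f in findings if f.status == "open")


if __name__ == "__main__":
    results = evaluate(INVENTORY, CONFIG, BASELINE)
    track(results, "db01", "setting:sshd.PasswordAuthentication", "dba-team", "remediated")
    print(exception_report(results))
```

The version comparison is deliberately simple (numeric runs as integers, letter runs as strings) and fits dotted schemes such as 1.0.1e; an inventory drawn from a real platform should use that platform’s own package version ordering. A setting absent from a host is reported as a deviation rather than passed silently, since an absent setting is as much a departure from the baseline as a wrong one.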

Criteria 3.13 Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Control: Changes to system infrastructure and software are developed and tested in a separate development or test environment before implementation into production.

Test of controls: For a sample of environments, observed test systems to determine if a separate environment was in place for the development and testing of software changes prior to promotion of changes into production.

Test results: No deviations noted.

Control: As part of the change control policies and procedures, there is a “promotion” process (for example, from “analysis” to “development” to “testing” to “production”).

Promotion to production requires testing and approval from both clients (if a client requests the change) and [CLIENT] supervisors.

Test of controls: Selected a sample of changes to determine if testing and approval were obtained prior to promotion to production.

Test results: No deviations noted.

Control: When changes are made to key system components, “back out” plan procedures are in place for use in the event of major interruption(s).

Test of controls: Inquired of the Director of IT Infrastructure and observed the network backup file folder to determine if backup versions of code were maintained for changes to key systems.

Test results: No deviations noted.




                                                                                                                                                               Page | 37

Sample - Corporate Report

  • 1. [CLIENT] DOCUMENT MANAGEMENT , DATA C APTURE, AND PRINT OUTPUT SERVICES SYSTEM SERVICE ORGANIZATION CONTROLS (“SOC”) REPORT – SOC 2 RELEVANT TO SECURITY , AVAILABILITY , PROCESSING INTEGRITY, AND CONFIDENTIALITY FOR THE PERIOD J ANUARY 1, 2012 TO SEPTEMBER 30, 2012
  • 2. Table of Contents Section Page 1 Independent Service Auditors’ Report ........................................................................................ 2 Management of [CLIENT]’s Assertion Regarding Its Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2 2012……………………………………………………….. ............................................................................. 6 Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services 3 System for the Period January 1, 2012 to September 30, 2012 .................................................... 10 Background and Overview of Services ............................................................................ 10 Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and Communication Control Environment ............................................................................................... 11 Risk Assessment ..................................................................................................... 11 Monitoring .............................................................................................................. 11 Information and Communication .............................................................................. 11 Document Management, Data Capture, and Print Output Services System Components Infrastructure ......................................................................................................... 12 Software ................................................................................................................ 12 People ................................................................................................................... 13 Procedures ............................................................................................................. 
14 Data ...................................................................................................................... 19 Subservice Organizations ............................................................................................. 20 Applicable Criteria and Related Controls ......................................................................... 20 User-Entity Control Considerations ................................................................................. 21 4 Independent Service Auditors’ Description of Tests of Controls and Results .................................. 23
  • 3. SECTION 1 INDEPENDENT SERVICE AUDITORS’ REPORT
  • 4. Independent Service Auditors’ Report To [CLIENT] Scope We have examined the attached description titled “Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the description”) included in Section 3 of this report and the suitability of the design and operating effectiveness of controls to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”), throughout the period January 1, 2012 to September 30, 2012. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of [CLIENT]’s (“[CLIENT]”) controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls. [CLIENT]uses service organizations (subservice organizations) to provide data capture and data entry services for certain clients who elect such processing services. The description indicates that certain applicable trust service criteria can only be met if controls at the subservice organizations are suitably designed and operating effectively. The description presents [CLIENT]’s Document Management, Data Capture, and Print Output Services System; its controls relevant to the applicable trust service criteria; and the types of controls that the service organization expects to be implemented, suitably designed, and operating effectively at the subservice organizations to meet certain applicable trust service criteria. 
The description does not include any of the controls implemented at the subservice organizations. Our examination did not extend to the services provided by the subservice organizations. Service Organization’s Responsibilities [CLIENT] has provided the attached assertion titled “Management of Diversified Information Technology Inc.’s Assertion Regarding its Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012,” included in Section 2 of this report which is based on the criteria identified in management’s assertion. [CLIENT] is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of both the description and assertion; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria. Page | 1
  • 5. Service Auditors’ Responsibilities Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in [CLIENT]’s assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period January 1, 2012 to September 30, 2012. Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. Inherent Limitations Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. 
Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail. Opinion In our opinion, based on the description criteria identified in [CLIENT]’s assertion and the applicable trust services criteria, in all material respects: a. The description fairly presents the system that was designed and implemented throughout the period January 1, 2012 to September 30, 2012. b. The controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period January 1, 2012 to September 30, 2012, and user entities applied the complementary user- entity controls contemplated in the design of [CLIENT]’s controls throughout the period January 1, 2012 to September 30, 2012, and the subservice organizations applied, throughout the period January 1, 2012 to September 30, 2012, the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system. Page | 2
  • 6. c. The controls tested, which together with the complementary user-entity controls referred to in the scope paragraph of this report, and together with the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system and, if operating effectively, were those necessary to provide reasonable assurance that the applicable trust services criteria were met, operated effectively throughout the period January 1, 2012 to September 30, 2012. Description of Tests of Controls The specific controls we tested and the nature, timing, and results of our tests are presented in Section 4 of this report titled “Independent Service Auditors’ Description of Tests of Controls and Results”. Intended Use This report and the description of tests of controls and results thereof are intended solely for the information and use of [CLIENT]; user entities of [CLIENT]’s Document Management, Data Capture, and Print Output Services System during some or all of the period January 1, 2012 to September 30, 2012; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:  The nature of the service provided by the service organization  How the service organization’s system interacts with user entities, subservice organizations, and other parties  Internal control and its limitations  Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria  The applicable trust services criteria  The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks This report is not intended to be and should not be used by anyone other than these specified parties. <insert firm signature> October XX, 2012 Philadelphia, Pennsylvania Page | 3
SECTION 2

MANAGEMENT OF DIVERSIFIED INFORMATION TECHNOLOGY, INC’S ASSERTION REGARDING ITS DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
October xx, 2012

We have prepared the attached description titled “Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the description”), included in Section 3 of this report, based on the criteria identified below under the heading “Description Criteria”. The description is intended to provide users with information about our Document Management, Data Capture, and Print Output Services System, particularly system controls intended to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”).

We confirm, to the best of our knowledge and belief, that:

• The description fairly presents the Document Management, Data Capture, and Print Output Services System throughout the period January 1, 2012 to September 30, 2012, based on the description criteria identified below under the heading “Description Criteria”.
• The controls stated in the description were suitably designed throughout the period from January 1, 2012 to September 30, 2012 to meet the applicable trust services criteria.
• The controls were operating effectively throughout the period January 1, 2012 to September 30, 2012 to meet the related criteria as described in Section 4 of this report.

Description Criteria

In preparing our description and making our assertion regarding the fairness of the presentation of the description, we used the criteria below, which are the criteria for a description of a service organization’s system included in paragraph 1.33 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

a. The description contains the following information:

   i. The types of services provided.

Page | 4
   ii. The components of the system used to provide the services, which are the following:
      • Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks).
      • Software. The programs and operating software of a system (systems, applications, and utilities).
      • People. The personnel involved in the operation and use of a system (developers, operators, users, and managers).
      • Procedures. The automated and manual procedures involved in the operation of a system.
      • Data. The information used and supported by a system (transaction streams, files, databases, and tables).

   iii. The boundaries or aspects of the system covered by the description.

   iv. How the system captures and addresses significant events and conditions.

   v. The process used to prepare and deliver reports and other information to user entities and other parties.

   vi. If information is provided to, or received from, subservice organizations or other parties, how such information is provided or received; the role of the subservice organization and other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.

   vii. For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the Document Management, Data Capture, and Print Output Services System.

   viii. For the subservice organizations presented using the carve-out method, the nature of the services provided by the subservice organizations; each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organizations, and the type of controls expected to be implemented at the carved-out subservice organizations to meet those criteria.

   ix. Any applicable trust services criteria that are not addressed by a control at [CLIENT] or a subservice organization and the reasons therefore.

   x. Other aspects of [CLIENT]’s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria.

   xi. Relevant details of changes to [CLIENT]’s Document Management, Data Capture, and Print Output Services System during the period January 1, 2012 to September 30, 2012.

Page | 5
b. The description does not omit or distort information relevant to [CLIENT]’s Document Management, Data Capture, and Print Output Services System. The description was prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the Document Management, Data Capture, and Print Output Services System that each individual user may consider important to his or her own particular needs.

Scott A. Byers
President & Chief Executive Officer
[CLIENT]
October XX, 2012

Michael Malkemes
Director, Compliance & Risk Management
[CLIENT]
October XX, 2012

Page | 6
SECTION 3

DESCRIPTION OF [CLIENT]’S DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012
Background and Overview of Services

Headquartered in Scranton, PA, [CLIENT] has successfully served its clients since 1982 through business process outsourcing and information management solutions. With over 650 customers, [CLIENT] has firmly established itself as an industry leader. [CLIENT] serves the Fortune 500 in healthcare, insurance and finance as well as government agencies. [CLIENT]’s clients include seven of the top twelve United States financial services firms, three of the top ten United States life insurance companies, four of the top ten electronic health record providers serving over 170 hospitals and 10,000 physicians, and key federal agencies including the Department of Homeland Security – United States Customs, the International Trade Commission and the United States Environmental Protection Agency.

[CLIENT]’s end-to-end document management system is a combination of systems that work together to provide secure, confidential processing and retention of documents and the critical data they contain. The components of the system include:

• Communication/Distributed Output System – This system entails receiving client data and merging this data into print templates to produce correspondence, statements and printed material. Once documents are produced they are sent via mail or electronic delivery.
• Image Conversion and Data Capture System – This system is a document conversion system that begins at receipt of documents in hard copy or electronic form; documents enter into a stream at the virtual mailroom, are then converted to image on high speed scanners, data is captured either through automatic recognition software or human data entry, image and data are spot reviewed for quality and then exported to NetView or client specific systems.
• Document Management and Preservation System – This system tracks location and movement of hard copy records stored in multiple secure facilities throughout the US.

The overarching framework of the system is overseen and managed by a security team consisting of the Director of Compliance and Risk Management and the Director of IT Infrastructure. The Data Center and Facility Monitoring System are based at the company headquarters in Scranton, PA. [CLIENT] has designed the systems with boundaries ensuring data security, confidentiality, processing integrity, and availability. The system comprises the following five components:

• Infrastructure (facilities, equipment, and networks)
• Software (systems, applications, and utilities)
• People (developers, operators, users, and managers)
• Procedures (automated and manual)
• Data (transaction streams, files, databases, and tables)

The following sections of this description define each of these five components comprising [CLIENT]’s system and other relevant aspects of [CLIENT]’s control environment, risk assessment processes, monitoring processes, and information and communication.

Page | 7
Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and Communication

Control Environment

[CLIENT]’s control environment reflects the overall attitude, awareness, and actions of management and others concerning the importance of controls and their emphasis within the organization and the execution of [CLIENT]’s mission. [CLIENT] provides corporate compliance and ethics training to all employees as well as physical and logical security training. At various corporate functions, executive management communicates [CLIENT]’s top 5 priorities, including compliance. Periodically, the Corporate Compliance Manager provides awareness communications covering compliance, ethics, and security information.

Risk Assessment

[CLIENT] has a risk assessment process to identify and manage risks that could affect its ability to provide secure, reliable transaction processing for user entities. This process requires management to conduct an internal security audit twice per year to identify vulnerabilities and threats. Remediation steps are put in place as a result of these audits if necessary. Items that are considered during risk assessment audits include:

• Changes in operating systems
• New information systems
• New security threats
• Operational location moves
• New technology
• Personnel changes

Monitoring

[CLIENT]’s management and supervisory personnel monitor the quality of internal control performance as a routine part of their activities. Oversight of job completion is the responsibility of supervisors and is monitored by batch monitoring and job ticket documentation. Quality assurance procedures are in place for each client and monitored based on predetermined thresholds to ensure reconciliation and processing integrity.

Information and Communication

[CLIENT] gathers information on the processing of work using reporting tools. Reports are customized for each client to track documents from entry into the system to the final reconciliation of completion. Clients are provided access to the reporting system through client specific access. Clients are assigned a client solution executive responsible for account relationship management activities, setting strategy for account support, and developing new solutions to promote client growth as well as profitability, and a client relationship executive with the responsibility to interact with key client contacts and manage day-to-day operations. [CLIENT] client relationship executives act as the voice of the clients within [CLIENT] and provide a key function in managing customer expectations and established Service Level Agreement metrics. To review activities, a formal report and presentation is made to [CLIENT]'s client service and operations group summarizing the previous month’s activity.

Page | 8
Document Management, Data Capture, and Print Output Services System Components

Infrastructure

Distributed, world-wide operations are maintained and managed to provide confidentiality, security, availability, processing integrity and safeguard against compromise or breach. The following facilities are included in the scope of the Document Management, Data Capture, and Print Output Services System.

Metro Area                                          Facility Function
Raleigh, North Carolina – Millville, New Jersey     Communication/Distributed Output
Scranton, Pennsylvania (Headquarters)               Document Management/Preservation, Document Processing, and Data Center
Binghamton, New York                                Disaster Recovery
Moosic, Pennsylvania                                Document Management/Preservation and Document Processing
Delano, Pennsylvania – Gordonsville, Virginia –     Document Management/Preservation
Exeter, Pennsylvania – Houston, Texas –
Louisville, Kentucky – Los Angeles, California –
Columbia, South Carolina – Hartford, Connecticut –
Minneapolis, Minnesota

The systems are designed similarly regardless of location to provide for consistent organizational policies and procedures.

Software

[CLIENT] utilizes a mix of commercial off-the-shelf products and internally developed programs for day-to-day processing of client information. The list noted below includes the systems, applications and utilities used to produce scanned images, index data and printed invoices and statements.

Page | 9
Technology                          Function
IBML Image Trac3                    IBML is a companywide, high speed/high volume scanner platform.
Docnetics                           IBML document typing and recognition software.
EMC | Captiva and AnyDoc            Data capture forms and processing workflow platform.
Virtual Mailroom                    Automates the tracking of all inbound mail from receipt through scanning through export.
E-Fax                               Receives faxes digitally and processes them directly into the data capture and imaging platform.
E-Sort                              Data capture application program.
NetView & NetVault©                 Web based application used for exception processing.
WebCIRM                             Web based computer integrated records management and imaging system utilizing bar code technology and radio frequency scanners.
Emtex VIP                           Centralized queue and Print File Output Management System.
Objectif Lune Planet Press          Variable data print composition software.
BARR Channel Server                 Print stream blocking tool.
Production Insight                  Output management tracking & reporting tool.
Kodak EX300 MICR Printers           Check production printers.
OCE 6250 Printers                   High speed black/white production printers.
Ricoh 720 Color                     High speed color printer.
Canon IR-150                        Monochrome and MICR printer.
Pitney Bowes FPS auto-inserter      High spespeed document to envelope inserter.
Bell & Howell 4000 auto-inserter    High speed document to envelope inserter.

Page | 10
People

[CLIENT] has a staff of approximately 600 employees across 25 U.S. locations. Scranton, Pennsylvania is [CLIENT]’s headquarters and the Scranton Facility is the main location for outsourced document processing and workflow solutions. Morrisville, North Carolina is the main processing facility for output of printed materials.

The organization is overseen by an Executive Team consisting of the following positions and their support staff:

President/Chief Executive Officer – responsible for strategy, business development and overall leadership. The executive team members report to the President.

Chief Financial Officer/Vice President Support Services – responsible for the financial services team, human resources, compliance, risk management, facilities and IT Infrastructure.
• IT Infrastructure Team responsible for network design, log monitoring, assessment and vulnerability testing.
• Human Resources Team responsible for the processes of hiring, termination, training and compliance with organizational policies.
• Financial Services Team responsible for billing, procurement and payroll.
• Compliance & Risk Management Team responsible for facility oversight and support, security, corporate compliance, and risk management.

Chief Relationship Officer/VP Solutions – responsible for solutions, client relationship and customer service.
• Solutions Executive Team responsible to oversee sales and governance for each service line. It is broken down into teams supporting the Communication/Distributed Output System, Image Conversion and Data Capture System and Document Management and Preservation System.
• Client Service and Interaction Team responsible for day-to-day client interaction and support on the Communication/Distributed Output System, Image Conversion and Data Capture System and fulfillment of the Document Management and Preservation System.

Chief Operations Officer/VP Global Operations – responsible for processing, fulfillment, operational functions, project management and IT Development.
• Communication/Distributed Output Team responsible for fulfilling client contracted actions including printing, fulfillment and output mail.
• Image Conversion and Data Capture System Team responsible for the processing of documents from mailroom or electronic receipt, conversion to image, capture of data and delivery to client.

Chief Implementation Officer/VP Integrated Systems – responsible for processing, fulfillment, operational functions, project management and IT Development.

Page | 11
• Quality and Excellence responsible for development and monitoring of ISO and production procedures and quality.
• Project Delivery & Management responsible for the management and delivery of new projects and implementation of production.
• IT Systems Development responsible for design, development and maintenance of processing systems.

Procedures

[CLIENT] provides document management for the entire document lifecycle from print to image and data capture to processing, preservation, and storage. [CLIENT] specializes in large, complex, and dynamic projects and operations. [CLIENT] provides redundancy and business continuity of operations with 25 facilities located throughout the U.S. Quality control procedures are tracked and reported at the document level. The hardware and software include IBML production scanners with Captiva AnyDoc advanced capture platforms.

Security, Access and Monitoring Procedures include:
• Visitor and Building Security
• Access Authorization Control
• Confidentiality
• Security Clearance for new hires
• System Monitoring
• Information Security Monitoring
• Incident Response
• Data Classification
• Availability

[CLIENT] protects client information starting with personnel policies, which are documented in [CLIENT]’s Employee Handbook and in the Human Resource Hiring policies. Written job descriptions have been developed and are revised as necessary. Employees undergo comprehensive background/security checks and drug screening prior to employment and are required to sign confidentiality agreements upon hire, which state that no confidential information can be communicated outside of the organization. Mandatory training is completed annually to ensure understanding of and compliance with policies on confidentiality, ethics, and privacy.

[CLIENT]’s Access Control Policy guides access approval, provisioning, removal and monitoring. Access to building areas, system network and information is granted based on job classifications and responsibilities. Management is responsible for authorizing access. The Director of Risk Management and Compliance monitors and reviews access granted when changes are made to positions.

Page | 12
Solarwinds Orion System Monitoring software is used to monitor system availability and performance and provides current and historical tracking reports of performance factors including processor utilization, memory utilization, network usage, errors and disk utilization. The system monitors Cisco switches, routers, firewalls, and Windows based servers. This information is used to provide information to user entities, proactively identify concerns and plan for future system requirements.

Information security monitoring is the responsibility of the Infrastructure team, which reviews daily logs to ensure a security breach is not missed.

[CLIENT] designed its Incident Response Policy and Procedure to establish a planned course of action in case of security incidents. The procedure is a stepped process that includes initial assessment to assign a severity level, incident notification, incident containment and response, recovery, and review. Additional testing is completed twice per year to simulate a potential incident and the action taken.

Communication/Distributed Output System Procedures include:

[CLIENT]’s Communication/Distributed Output capabilities include a secure digital print and mail facility capable of producing over 1.4 billion printed images and 220 million mail pieces per year. [CLIENT] offers a suite of document composition and electronic delivery solutions to satisfy user entity needs for multi-channel communications. Examples of the output capabilities include:

• Invoices
• Statements
• Insurance membership materials (identification cards, member guide booklets, rate change notices, and other policy reference materials)
• Payments: checks and vouchers
• Educational materials

Applicable Facilities: Raleigh, North Carolina and Millville, New Jersey

Image Conversion and Data Capture System Procedures include:

[CLIENT]’s Image Conversion and Data Capture capabilities include a systematic and analytical way to track mail from initial receipt to image export. From the initial time of receipt, [CLIENT] uses virtual mailroom technology to track the different types of mail received from various Post Office Boxes. Mail is opened, sorted, scanned, indexed and integrated into each client’s workflow system in a seamless manner, keeping process streams separate and retaining receipt and functional information throughout the entire process. [CLIENT] utilizes a combination of internal audits and client audits to measure performance against agreed upon Service Level Agreements (SLAs). Examples of the conversion and data capture capabilities include:

• Virtual mailroom
• Conversion by scan to image
• Data capture – key from image and verify

Page | 13
• Live document handling and return including checks, death certificates, CDs, etc.
• Quality audit

Applicable Facilities: Scranton, Pennsylvania and Montage, Pennsylvania

Document Management and Preservation System Procedures include:

[CLIENT] provides a total records management solution that includes the WebCIRM records management tracking and management system and secure storage facilities. The Document Management and Preservation System tracks location and movement of hard copy records stored in multiple secure facilities throughout the US. Examples of record retention capabilities include:

• WebCIRM
• Record storage

Applicable Facilities: Scranton, Pennsylvania; Montage, Pennsylvania; Exeter, Pennsylvania; Delano, Pennsylvania; Los Angeles, California; Louisville, Kentucky; Gordonsville, Virginia; Houston, Texas

Systems Development and Maintenance

The two key applications supporting the imaging operations are InputAccel and Captiva FormWare. Both software packages are developed and supported by EMC, a third-party vendor. [CLIENT] programming changes are limited to application settings and customized modules that hook to the application interfaces. If modifications to core source code are needed, [CLIENT] requests modifications from the vendor, which includes them in future product releases. Data transfer applications that provide the interface between imaging applications and file transfer software packages are developed internally.

Program Modification Controls

The following description of program modification controls applies to changes to existing systems and programs:

Requests for Modifications

Requests for enhancements can originate from either external clients or from internal operations departments. Enhancements or modifications requested by external customers are communicated to [CLIENT] personnel, who document the client requests. Changes originating from the internal departments stem from issues identified during day-to-day processing, errors, or a need for additional systems controls to minimize the probability of errors and increase the accuracy of data capture. For all change requests, the internal [CLIENT] employee submits a request via the Web-based Elementool. Any modifications to the issue are maintained in an issue history.

Page | 14
The Elementool issue record contains the following information:

• Title
• Type (change request, project, request for proposal, status rollup)
• Requestor
• Requirements
• Weekly report/comments
• System impacts
• Priority
• Customer
• Customer type
• System impacts
• Division/location
• Status manager
• Lead developer
• Status

In addition to the fields listed above, if the request originates from a customer, a Customer Change Request Form or statement of work can be attached to the issue. Members of IT senior management review the requests and work with application development teams to determine the technical scope and details for the changes.

Authorization of Changes

Approval of application system change requests is required from [CLIENT] operations management. If the change request originated from a customer, the customer must also approve the change before development can begin. For customer-originating requests, the Customer Change Request Form, signed by [CLIENT] management, is sent to the customer for final approval and sign-off. The final form contains the following information:

• Initiator of the change
• Overview and benefit
• Technical change to be made
• Technical implications
• Operational implications
• Test information relative to the change
• Implementation information relative to the change
• Back-out plans
• Target date

Page | 15
When required approvals and sign-offs are obtained, IT senior management assigns resources to work on the development of changes.

Program Testing

Application system changes are tested by both the IT and client operations groups. The following major phases are typical for application change releases:

• IT testing
• Operations testing
• Identified issues resolution
• Approval and sign-off

Though releases differ in scope, complexity and extent of testing, the following sections are the most commonly executed steps.

IT Testing

Unit testing and debugging is conducted by the IT Development Team. The release is deployed into the test environment after unit testing has been performed locally by the IT Development Team. Formal test plans are executed by an Operational Excellence analyst with the assistance of the IT Development Team in order to cover areas of potential impact. The Operational Excellence department notifies client operations management that the new release has been installed in the test environment and is available for testing.

Operations Testing

Scan operators scan a limited number of test batches into the test environment as determined by the operations management and Operational Excellence department. When the batches reach the completion stages, the production test operators start processing the batches. The Operational Excellence analyst executes the test plans and checks for errors and issues that may arise during testing. If error messages are noted or system results or behavior are deemed to be out of the ordinary, issues are reported to the Operational Excellence department. Noted issues are recorded into appropriate test results documentation along with applicable error messages, batch names and error screen printouts. Some of the releases require integrated testing with the clients. For these types of releases, account management or product management coordinates testing with the corresponding clients and collects feedback covering the observed outcomes, issues, or failures.

Approval and Sign-Off

The operations and the Operational Excellence department managers review the issues observed during each test run and determine if the tests can be considered successful. If the test is considered successful, the team’s management signs off that the release can proceed to the next stage. Results of tests of changes affecting or originated by the clients are reviewed and approved by the affected clients. Approvals are sent via e-mail. If a release is approved for rollout to the production environment, the IT project manager e-mails the release group that the release installation can be executed.

Page | 16
Control Over Production Programs

Depending on the type and complexity of a change, rollout schedules, coordination and cross-department notifications, preparation efforts and potential issues are discussed during ad-hoc pre-production release management meetings. Rollout of changes to the production environment is the responsibility of the NetAdmin group. The only exceptions are changes to the InputAccel parameter files, which require a developer to insert parameter changes directly into the parameter file. Developers must request this access from the director of IT support prior to performing this update. Developers have no access to other production systems or files.

Production release issues and items are discussed during ad-hoc post-production implementation management meetings. In some instances, clients are also present via teleconference to provide their feedback on the results of the upgrades.

Monthly file reviews are performed on the InputAccel parameter files to verify that they have the same process install date documented in the latest approval granted by IT management. In addition, the file shares containing the application updates are reviewed for synchronization on a monthly basis by NetAdmin. If a discrepancy is encountered, the issue is reported in the form of a five-point analysis. This report also lists the corrective action taken along with the business impact.

Source and Object Code

The development teams use the CVS version control system to provide secured access to the source code, maintain different versions and history of programs, as well as to facilitate controlled changes and access to the source code. Access permissions are integrated with Microsoft Active Directory.

Documentation

Imaging applications documentation is written, updated and distributed by the [CLIENT] client operations staff and personnel responsible for training of operations staff. Standard documentation related to the operating systems and infrastructure is provided by the corresponding operating system and hardware vendors. Such technical documentation is available only to authorized IT personnel.

Data

[CLIENT]’s records and information management services encompass the following types of data in each of [CLIENT]’s core service offerings:

• Print and Output System – Client data in the form of data files is output via print templates to produce correspondence, statements, and other printed material.
• Image Conversion and Data Capture System – Client data in hard copy or electronic form is captured either through automatic recognition software or human data entry.
• Document Management and Preservation System – This system tracks location and movement of hard copy records stored in one of [CLIENT]’s secure facilities throughout the US.

Page | 17
  • 23. Subservice Organizations [CLIENT] utilizes several subservice organizations to perform services for its clients. Presented below is a description of the services provided by the subservice organization, the criteria relevant to the services performed by the subservice organization and the types of controls expected at the subservice organizations. Document Capture and Data Entry Services [CLIENT] clients with specialized and global processing requirements may request that [CLIENT] utilize one of three subservice organizations with unique capabilities that complement [CLIENT]’s services. These subservice organizations perform capture of data from files imaged by [CLIENT], and return to [CLIENT] the capture data in machine readable format. The Criteria that relate to controls at these subservice organizations include all criteria related to the Trust Services Principles of Security, Confidentiality, Processing Integrity, and Availability for those clients which elect for [CLIENT] to use these service organization while processing is performed by these subservice organizations. The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at [CLIENT] include:  The system is protected against unauthorized access (both physical and logical).  The system is available for operation and use as committed or agreed.  System processing is complete, accurate, timely, and authorized.  Information designated as confidential is protected as committed or agreed.  Policies and procedures exist related to security, availability, processing integrity, and confidentiality and are implemented and followed.  Communication and monitoring controls are implemented related to security, availability, processing integrity, and confidentiality. 
Applicable Criteria and Related Controls

The security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4 of this report, “Independent Service Auditors’ Description of Tests of Controls and Results”. Although the security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4, they are an integral part of [CLIENT]’s description of its Document Management, Data Capture, and Print Output Services System and are incorporated herein.

Page | 18
User-Entity Control Considerations

Services provided by [CLIENT] to user entities and the controls of [CLIENT] cover only a portion of the overall controls of each user entity. [CLIENT]’s controls were designed with the assumption that certain controls would be implemented by user entities. In certain situations, the application of specific controls at user entities is necessary to achieve the applicable trust services criteria. It is not feasible for the applicable trust services criteria relating to the services outlined in this report to be achieved solely by [CLIENT]. This section highlights those internal control responsibilities that [CLIENT] believes should be present for each user entity and has considered in developing the controls described in the report. This list does not purport to be, and should not be, considered a complete listing of the controls relevant at user entities. Other controls may be required at user entities.

- Information provided to [CLIENT] from user entities should be in accordance with provisions in the agreement for services between [CLIENT] and user entities.
- User entities are responsible for encrypting and protecting transmissions.
- User entities are responsible for maintaining and communicating to [CLIENT] a current list of employees who have authority to access systems and determine action (i.e., destruction).
- The security administrators at user entities are responsible for ongoing maintenance and monitoring of their employees’ system access to [CLIENT]’s infrastructure.
- User entities are responsible for reporting to [CLIENT] any known or suspected issues with security, processing integrity, confidentiality, and availability.
- User entities are responsible for monitoring any processing reports provided or made available by [CLIENT].
- User entities are responsible for participating in disaster recovery tests to determine whether [CLIENT]’s disaster recovery procedures meet their disaster recovery needs.

Page | 19
SECTION 4
INDEPENDENT SERVICE AUDITORS’ DESCRIPTION OF TESTS OF CONTROLS AND TEST RESULTS
Introduction

The purpose of this report is to provide management of [CLIENT], user entities, and other specified parties with information about controls at [CLIENT] that are intended to mitigate risks related to security, availability, processing integrity, and confidentiality. The security, availability, processing integrity, and confidentiality principles are outlined in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Description of Types of Testing Performed

The types of tests performed to assess the effectiveness of controls included the following:

Type of Test: Inquiry
Description: Discussed the controls with operations, administrative personnel, and/or management who are responsible for developing, adhering to, and applying the controls to determine their understanding and compliance.

Type of Test: Inspection
Description: Inspected documents and reports indicating performance of the controls.

Type of Test: Observation
Description: Observed the application of specific controls.

Type of Test: Reperformance
Description: Re-performed application of the controls.

Page | 20
Security

Criteria 1.0 Policies: The entity defines and documents its policies for the security of its system.

Criteria 1.1: The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

Control: A written security policy has been approved by Executive Leadership.
Test of Controls: Inquired with the Manager, Corporate Compliance and Security and inspected the Data Security Handbook and Risk Assessment Policy to determine if security policies were established, periodically reviewed and approved by Executive Leadership.
Test Results: No deviations noted.

Criteria 1.2: The entity's security policies include, but may not be limited to, the following matters:
a. Identifying and documenting the security requirements of authorized users
b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements
c. Assessing risks on a periodic basis
d. Preventing unauthorized access
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access
f. Assigning responsibility and accountability for system security
g. Assigning responsibility and accountability for system changes and maintenance
h. Testing, evaluating, and authorizing system components before implementation
i. Addressing how complaints and requests relating to security issues are resolved
j. Identifying and mitigating security breaches and other incidents
k. Providing for training and other resources to support its system security policies
l. Providing for the handling of exceptions and situations not specifically addressed in its system security policies
m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contractual requirements
n. Providing for sharing information with third parties

Control: A written Data Security Handbook identifies and documents the noted requirements “a” – “n.”
Test of Controls: Inspected the Data Security Handbook and risk assessment policy to determine if the noted elements of “a” – “n” were included.
Test Results: No deviations noted.

Page | 21
Criteria 1.3: Responsibility and accountability for developing and maintaining the entity's system security policies, and changes and updates to those policies, are assigned.

Control: Management has assigned responsibility and accountability for the maintenance and enforcement of [CLIENT]’s security and availability policy to the Director of Compliance and Risk Management as well as the Director of IT Infrastructure.
Test of Controls: Inspected job descriptions for the Director of IT Infrastructure and the Director of Compliance and Risk Management to determine if accountability for developing and maintaining [CLIENT]’s system security policies, and changes and updates to those policies, was assigned.
Test Results: No deviations noted.

Control: The Executive Team approves updates to policies.
Test of Controls: Inspected meeting minutes to determine if responsibility for maintaining policies and changes or updates to security policies was assigned to the Executive Team.
Test Results: No deviations noted.

Criteria 2.0 Communications: The entity communicates its defined system security policies to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Control: [CLIENT] prepares an objective description of the system and its boundaries and communicates it to user entities.
Test of Controls: Inspected the system description to determine if the system and its boundaries were communicated to authorized users.
Test Results: No deviations noted.

Criteria 2.2: The security obligations of users and the entity's security commitments to users are communicated to authorized users.

Control: Security obligations are customized to each client and are part of their contract.
Test of Controls: Selected a sample of clients and inspected Service Level Agreements to confirm security obligations were communicated.
Test Results: No deviations noted.

Control: Internal employees are held to HIPAA guidelines and Confidentiality policies. These policies are reviewed upon hire and employees are required to sign documents acknowledging the understanding of these obligations. The policies are also reviewed annually by all personnel.
Test of Controls: Inspected acknowledgment forms to determine if the acknowledgement forms identify the security responsibilities of employees. Selected a sample of new hires and inspected their acknowledgement forms to determine if [CLIENT] received the signed acknowledgement.
Test Results: No deviations noted.

Page | 22
Criteria 2.2 (continued)

Control: The Data Security Handbook and Employee Handbook with Confidentiality and HIPAA policy are published on the company intranet.
Test of Controls: Observed the company intranet to determine if the Data Security Handbook and Employee Handbook were published. Inspected the Data Security Handbook and HIPAA policy to determine if security obligations of users and the entity’s security commitments to users were communicated.
Test Results: No deviations noted.

Page | 23
Criteria 2.3: Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Control: The Director of Compliance and Risk Management and Director of IT Infrastructure have custody of and are responsible for the day-to-day maintenance of [CLIENT]’s technical security policies and recommend confidentiality, availability and processing integrity changes. Written job descriptions have been defined and are communicated to the Director of IT Infrastructure and Director of Compliance and Risk Management.
Test of Controls: Inquired of the Director of Compliance and Risk Management and inspected job descriptions for the Director of Compliance and Risk Management and Director of IT Infrastructure to determine if responsibilities for system security, confidentiality, availability and processing integrity policies were formally assigned.
Test Results: No deviations noted.

Control: Written process and procedure manuals for all defined security processes are provided to all IT personnel, management and client-facing personnel and included in new hire and annual training and sign-off procedures.
Test of Controls: Inspected the Data Security Handbook to determine if defined security processes were provided to all IT personnel, management, and client-facing personnel.
Test Results: No deviations noted.

Control: If any policy changes are made they are communicated by internal company-wide email by the Vice President of Finance or President.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security and determined that no policy changes were performed during the period of January 1, 2012 to September 30, 2012.
Test Results: No deviations noted. The operating effectiveness of this control activity could not be tested as there was no related activity during the period January 1, 2012 to September 30, 2012.

Page | 24
Criteria 2.4: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

Control: IT incidents (security, availability, confidentiality, or processing integrity) including potential breaches are reported to the IT Help Desk for action as defined in the Data Security Handbook.
Test of Controls: Inspected the Data Security Handbook incident response procedures, documented escalation process, and 5 Point Process to determine if incidents and system/operational issues were communicated based upon criteria specified in the escalation document.
Test Results: No deviations noted.

Control: An 800 number and email address is provided on our website to contact our Customer Service area for any questions or issues. Clients who store data on our systems are assigned a Solutions Executive and Client Advocate who serve as their direct resolution experts.
Test of Controls: Selected a sample of clients and inspected supporting documentation to determine if a process existed for authorized users to inform [CLIENT] of breaches and submit complaints.
Test Results: No deviations noted.

Criteria 2.5: Changes that may affect system security are communicated to management and users who will be affected.

Control: Planned changes to system components and the scheduling of those changes are reviewed as part of monthly IT/Operations meetings.
Test of Controls: For a sample of months, inspected meeting agendas and/or minutes from the monthly IT/Operations meetings to determine that changes that may affect system security, availability, processing integrity, or confidentiality were communicated to management or users who will be affected. Inquired with management at [CLIENT] to determine that no changes occurred during the period which required communication. Inspected a sample of changes to determine that none required communication.
Test Results: No deviations noted. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period.

Page | 25
Criteria 3.0 Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Control: Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco Switch/Router Configs, Antivirus software, software patches, any changes to local system accounts and generic domain accounts, domain and account groups (monthly), and backup procedures. A report is composed that compiles the results of the previous steps and assigns a grade based on predefined parameters. A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised. Risks that rate high are given priority during the mitigation phase.
Test of Controls: Inspected the Risk Assessment Policy to determine if procedures exist to identify potential threats of disruption and assess risks associated with the threats. Inspected the internal vulnerability assessment results to determine the following: 1) bi-annual internal security audits were performed to identify potential threats; 2) a risk assessment was performed to identify potential threats and assess risks.
Test Results: No deviations noted.

Page | 26
Criteria 3.2: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Distribution of output restricted to authorized users.
f. Restriction of access to offline storage, backup data, systems, and media.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Control (a): Logical access to nonpublic information resources is protected through the use of security software and operating system security. Access is defined by job description and manager authorization. Access to resources is granted to an authenticated user based on the user’s identity. Proper authorization must be completed for any user access to be granted.
Test of Controls (a): Inspected the Data Security Handbook, Windows security access reports, IBML user access list, EMC Captiva user access list, Anydoc access list and Emtex VIP access list (Raleigh) to determine 1) if logical access to nonpublic information was required to be protected through security software or operating system security; 2) if authentication with a valid user ID was needed to access resources. Inquired of the Director of IT Infrastructure and inspected privileged access listings to determine if access was assigned and defined based on job descriptions. Inquired of the Director of IT Infrastructure and inspected the Data Security Handbook to determine if users were required to authenticate with a unique ID and password when accessing systems. Selected a sample of new hires and inspected new user access request forms to determine if manager authorization was obtained prior to granting system access. Inspected a sample of IBML, Anydoc, EMC, Thunderhead portal and Emtex VIP application users to determine if access was commensurate with their job description. Also inspected all members of the IT Personnel user access group to determine if access was commensurate with their job description.
Test Results: No deviations noted.

Page | 27
Criteria 3.2 (continued)

Control (b): Users must establish their identity to [CLIENT]’s network and application systems when accessing nonpublic resources through the use of a valid user ID that is authenticated by an associated password. Unique user IDs are assigned to individual users. Use of group or shared IDs is not permitted. Passwords must contain at least eight characters, at least three character types, and are not able to repeat within 24 months. Security configuration parameters force passwords to be changed every 30 days. Login sessions are terminated after 3 unsuccessful login attempts.
Test of Controls (b): Inspected the Data Security Handbook to determine if users must be authenticated prior to gaining access to system resources, unique user IDs were assigned, use of group or shared IDs was not permitted, passwords must be changed, must be a minimum of eight characters with complexity in the character set, and login sessions must be terminated after three failed attempts. Inspected password configuration settings to determine if the noted settings were enforced. Observed a user login to the network to determine if the users were prompted for a unique username and password. Inspected the IBML Windows Group, Windows domain admin list and Emtex VIP (Raleigh) to determine if unique user IDs were assigned and the use of group or shared IDs was not permitted. See tests of controls included under Security 3.2(a).
Test Results: No deviations noted.

Page | 28
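The password and lockout parameters the auditor inspected under 3.2(b) (eight characters, three character types, no reuse within 24 months, 30-day rotation, lockout after three failed attempts) encoded as a checkable policy; this is an added example, not code from the report or from [CLIENT]’s systems, and the user ID, dates and sample passwords in it are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters taken from the control description under Security Criteria 3.2(b).
MIN_LENGTH = 8
MIN_CHARACTER_TYPES = 3
HISTORY_WINDOW = timedelta(days=730)   # "not able to repeat within 24 months"
MAX_AGE = timedelta(days=30)           # "changed every 30 days"
MAX_FAILED_ATTEMPTS = 3                # "terminated after 3 unsuccessful login attempts"

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_types(password: str) -> set[str]:
    """Names of the character classes present in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the reuse check works without keeping cleartext history.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str                                   # one ID per individual; no shared IDs
    history: list = field(default_factory=list)    # (set_at, salt, digest), oldest first
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((now, salt, hash_password(password, salt)))


def policy_violations(account: Account, candidate: str, now: datetime) -> list[str]:
    """Reasons a candidate password is rejected; an empty list means it is compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_types(candidate)) < MIN_CHARACTER_TYPES:
        problems.append(f"fewer than {MIN_CHARACTER_TYPES} character types")
    for set_at, salt, digest in account.history:
        # Only passwords set inside the 24-month window count as reuse.
        if now - set_at <= HISTORY_WINDOW and hmac.compare_digest(
                hash_password(candidate, salt), digest):
            problems.append("reused within 24 months")
            break
    return problems


def password_expired(account: Account, now: datetime) -> bool:
    """True when the current password is older than the 30-day rotation limit."""
    set_at = account.history[-1][0]
    return now - set_at > MAX_AGE


def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Returns 'locked', 'failed', 'expired' or 'ok' and updates the lockout counter."""
    if account.locked:
        return "locked"
    _, salt, digest = account.history[-1]
    if not hmac.compare_digest(hash_password(password, salt), digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True   # third unsuccessful attempt terminates the session
            return "locked"
        return "failed"
    account.failed_attempts = 0
    return "expired" if password_expired(account, now) else "ok"


if __name__ == "__main__":
    # Constructed walk-through; the user ID, dates and passwords are illustrative only.
    t0 = datetime(2012, 1, 1)
    acct = Account("jdoe")
    acct.set_password("Winter-2012", t0)
    print(policy_violations(acct, "winter12", t0))       # too few character types
    print(policy_violations(acct, "Winter-2012", t0))    # reused within 24 months
    print(attempt_login(acct, "Winter-2012", t0 + timedelta(days=31)))  # expired
    for guess in ("a", "b", "c"):
        print(attempt_login(acct, guess, t0))            # failed, failed, locked
```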
Criteria 3.2 (continued)

Control (c): Customers must be approved and granted access to [CLIENT]’s Web site (WebCIRM), under a secure session, requiring user ID and password. Privileges are limited to specific system functionality. The Director of Business Process Operations authorizes access privilege change requests for employees and the Vice President of Operations does so for vendors. Access is limited to specific functionality. The ability to create or modify users and user access privileges (other than the limited functionality “customer accounts”) is limited to the security administration team.
Test of Controls (c): Inspected the Network Solutions Certificate Authority issued to WebCIRM to determine if encryption through SSL was enforced. Inspected the Data Security Handbook to determine if Director level approval was required for changes to access privileges for employees and vendors. Inspected a list of employees with administrative access privileges on Windows systems, network devices and database servers to determine if access was limited to IT personnel based on job function.
Test Results: See test results included in Security Criteria 3.2(a).

Page | 29
Criteria 3.2 (continued)

Control (d): Changes to customer accounts may be performed by the Director of Client Interaction with authorization documented on user access request forms. Changes are reflected immediately. Unused WebCIRM customer accounts (no activity for six months) are reviewed by the Director of Client Interaction and if necessary purged from the system. Changes to other accounts and profiles are made by the security administration team through a request on a Network Access Form and require the written approval of the Director of Business Process or other higher level Management.
Test of Controls (d): Selected a sample of users and inspected the related user access request forms to determine if changes to customer accounts were authorized. Inspected the CIRM User ID Recertification to determine if unused WebCIRM customer accounts were reviewed by the Director of Client Interaction. Selected a sample of new hires and inspected Network Access Forms to determine if user account additions were approved.
Test Results: No deviations noted.

Control (e): Access to computer processing output is provided to authorized individuals based on their job description and classification of the information. Processing output is stored in an area that reflects the classification of the information. Processing output is distributed in accordance with the security policy based on classification of the information.
Test of Controls (e): Inspected badge access listings to determine if access was restricted based on job responsibilities. Inspected the Data Security Handbook to determine if policies exist for the distribution of processing output based on information classification.
Test Results: No deviations noted.

Page | 30
Criteria 3.2 (continued)

Control (f): Access to offline storage, backup data, systems, and media is limited to computer operations staff through the use of restricted physical and logical access.
Test of Controls (f): Inspected the Data Security Handbook to determine if access to sensitive data was secured through logical and physical security measures. Inspected the computer room badge access listing to determine if access was restricted based on job responsibilities. Inspected the list of users with system administrator capabilities on the Windows systems and badge access system to determine if access was restricted based on job responsibilities.
Test Results: No deviations noted.

Control (g): Hardware and operating system configuration tables are restricted to appropriate personnel through physical access controls, native operating system security, and add-on security software. Application software configuration tables are restricted to authorized users and monitored by the Director of Network. Utility programs that can read, add, change, or delete data or programs are restricted to authorized technical services staff. Usage is logged and monitored by the Director of Network. A listing of all master passwords is stored in an encrypted file.
Test of Controls (g): Inspected the list of users with administrative access rights on Windows systems, VPN and databases to determine if access was limited based on job need. Inspected the Windows event log settings and Cisco access control server (ACS) settings to determine if system configuration activity was logged. Inspected the Daily Security Log to determine if system configuration usage logs were monitored by members of the network infrastructure group. Inquired of the Director of IT Infrastructure and observed the master spare password file to determine if master passwords were stored in an encrypted file.
Test Results: No deviations noted.

Page | 31
Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Control: Physical access to the computer rooms, which house [CLIENT]’s IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.
Test of Controls: Inspected the computer room badge access listing, operations access listing and Kirkwood facility access listing to determine if access was restricted based on job responsibilities. Performed a tour of the data center to determine if video surveillance was in place.
Test Results: No deviations noted.

Control: Requests for physical access privileges to [CLIENT]’s computer facilities require the approval of the Director of Compliance and Risk Management.
Test of Controls: Inspected physical access procedures to determine if requests to access [CLIENT]’s facilities require approval of the Director of Compliance and Risk Management.

Control: Documented procedures exist for the identification and escalation of potential physical security breaches.
Test of Controls: Inspected the Data Security Handbook and inspected the documented incident response procedures to determine if identification and escalation of potential physical security breaches were addressed.

Control: Offsite backups are stored at a physical Disaster Recovery/Business Continuity site. This facility requires physical access cards and is restricted to the exact parameters as the main site.

Page | 32

Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.

Control: Protective system processes are in place to prevent and monitor unauthorized access to system resources and unauthorized access attempts.
Test of Controls: Inspected security logs to determine if failed login attempts and system lockouts are recorded. Inspected the network diagram, Cisco device list, and security logs to confirm that system firewalls are in use and firewall event logs are reviewed daily. Inspected the master server list and inquired of IT management that the master server list is maintained and updated by the IT department for any system changes. Inspected and inquired about the use of the Snort IDS software. Inspected the external vulnerability assessment results to verify security reviews are being performed by external parties.
Test Results: No deviations noted.

Control: See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Page | 33
Criteria 3.5: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Control: Antivirus software is in place that prevents computer viruses, malicious code and unauthorized software, including virus scans of incoming e-mail messages. Virus signatures are reviewed and updated daily.
Test of Controls: Inquired of the Director of IT Infrastructure and observed antivirus configuration settings to determine if antivirus software was installed and virus definitions were updated daily.
Test Results: No deviations noted.

Criteria 3.6: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Control: [CLIENT] uses encryption technology, VPN software, and other secure communication systems (consistent with its periodic IT risk assessment) for the transmission of private or confidential information over public networks, including user IDs and passwords.
Test of Controls: Inspected SSL protocol permissions, SSL certificates, and VPN protocol encryption to determine if encryption technology was in use.
Test Results: No deviations noted.

Criteria 3.7: Procedures exist to identify, report, and act upon system security breaches and other incidents.

Control: A Security Incident Response Plan (5-Point Process) is instituted for identification and resolution of potential security breaches to the information security team.
Test of Controls: Inspected the Data Security Handbook and Security Log Sign-off Sheet to determine if a) the security incident response plan was defined and documented, b) the network staff was responsible for reviewing security logs on a daily basis. Inspected the 5-Point Analysis Procedures document to determine if a defined escalation process was established and appropriate resolution requires approval by management.
Test Results: No deviations noted.

Control: When an incident is detected or reported, a defined Security Incident Response Plan (5-Point Process) identifies severity and action to be taken. Corrective actions are implemented in accordance with defined policies and procedures.
Test of Controls: Inspected a sample of completed 5-Point Analysis documentation to determine if the 5-Point Analysis procedures were followed.
Test Results: No deviations noted.

Page | 34
Criteria 3.8: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Control: Data Classifications are used to determine access permissions as well as audit levels. The principle of least privilege is utilized to assign permissions at all levels. Permissions are assigned on Windows groups which map to a specific job function. Propriety of data is considered during new implementations, upgrades and change order actions.
Test of Controls: Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.
Test Results: No deviations noted.

Criteria 3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Control: All incidents are tracked by management until resolved through the 5-Point incident response process.
Test of Controls: See test of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Control: Supervisors review and approve the incident response process to help make certain procedures are followed.
Test of Controls: See test of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Criteria 3.10: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

Control: [CLIENT] has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology.
Test of Controls: Inquired of the Director of IT Development, and inspected the IT Change Control Procedures and Standard Build Documentation to determine if: a) a formal methodology exists that governs the change management and SDLC processes and b) the network administration team was responsible for approving architecture and design specifications for new systems. Inspected the Data Security Handbook to determine if system changes that cannot meet defined data security standards require approval by senior IT management.
Test Results: No deviations noted.

Page | 35
  • 42. Criteria 3.10 Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access. Controls Test of Controls Test Results The Network administration team reviews and Requested a sample of new systems development and acquisition No deviations noted. approves the architecture and design specifications projects to determine if the Network administration team reviewed and for new systems development and acquisition to approved the architecture and design specifications. help ensure consistency with [CLIENT]’s security objectives, policies, and standards. The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no new systems development and acquisition projects occurred during the period. Inspected a sample of changes to determine that none were related to new systems development and acquisition. Criteria 3.11 Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities. Criteria 3.12 Procedures exist to maintain system components, including configurations consistent with the defined system security policies. Controls Test of Controls Test Results The IT department maintains an up-to-date listing Inspected the software list to determine if an up-to-date list was No deviations noted. of all software and the respective level, version, maintained by IT. and patches that have been applied. Requests for changes, system maintenance, and Inquired of the Director of IT Development and inspected IT Change No deviations noted. 
supplier maintenance are standardized and subject Control Procedures and Standard Build Documentation to determine if a to documented change management procedures. formal methodology exists that governs the change management and SDLC processes. Inspected a sample of changes to determine if requests for change were standardized and subject to documented change management procedures. Page | 36
  • 43. Criteria 3.12 Procedures exist to maintain system components, including configurations consistent with the defined system security policies. Controls Test of Controls Test Results System configurations are tested annually and Inspected the external Vulnerability Assessment results to determine if an No deviations noted. evaluated against [CLIENT]’s security policies and assessment was performed. current service-level agreements. An exception report is prepared and remediation plans are Inspected the internal Vulnerability Assessment results to determine if: 1) developed and tracked. system configurations were tested, 2) system configurations were evaluated against [CLIENT]’s security policies, 3) an exception report was prepared, and 4) remediation plans were developed/tracked. Criteria 3.13 Procedures exist to provide that only authorized, tested, and documented changes are made to the system. Controls Test of Controls Test Results Changes to system infrastructure and software are For a sample of environments observed test systems to determine if a No deviations noted. developed and tested in a separate development or separate environment was in place for the development and testing of test environment before implementation into software changes prior to promotion of changes into production. production. As part of the change control policies and Selected a sample of changes to determine if testing and approval was No deviations noted. procedures, there is a “promotion” process (for obtained prior to promotion to production. example, from “analysis” to “development” to “testing" to "production”). Promotion to production requires testing and approval from both clients (if a client requests the change) and [CLIENT] supervisors. When changes are made to key systems Inquired of the Director of IT Infrastructure and observed the network No deviations noted. 
components, "back out" plan procedures are in backup file folder to determine if backup versions of code were place for use in the event of major interruption(s). maintained for changes to key systems. Page | 37