Overview and analysis of Memeo C1 and SSAE16 & SOX Compliance Requirements
Memeo C1 Secure File Transfer and Compliance
Comply360, Inc
Contents
Executive Summary
Overview
Scope of Evaluation
Sarbanes Oxley
Computer Operations; Manage Data
Computer Operations; Manage Operations
End-user applications and Spreadsheet controls
Computer Operations; Manage Problems & Incidents
Computer Operation; Manage Configuration
Logical Access; Ensure Security
Computer Operations; Manage Problems & Incidents
SSAE16 Domains
Logical Access Controls
Unique IDs
Audit Controls
Account Management
Authentication
Data Transmission Controls
Transmission Security
Encryption
Executive Summary
Comply360, a Governance, Risk, and Compliance Consulting firm located in Fairfax, CA, was engaged to perform an assessment of Memeo C1, a cloud-based file sharing and data transfer service, against the compliance requirements of SOX section 404 and SSAE16 SOC2.
The assessor, a CISA (Certified Information Systems Auditor), examined the Memeo C1 platform and service and analyzed the product in relation to the SOX 404, COSO, and SSAE16 SOC2 audit domains, using the guidelines and requirements for establishing and managing compliance programs in small to mid-sized businesses.
The outcome of the assessment for Memeo C1 and compliance requirements related to SOX section 404 and SSAE16 SOC2 domains is ‘meets or exceeds’ the applicable citations, scoring ‘Excellent – Offering full functionality and integration into compliance programs’ related specifically to SOX 404 (using COSO guidelines) and SSAE16 SOC2 Domains for audit.
Overview
Memeo C1 is an online, cloud-based file sharing service focused primarily on providing secure file transfer and sharing services to the small to mid-size business market.
Memeo’s C1 product offers a secure, managed, and auditable mechanism for file transfer and sharing that has value from a compliance perspective.
This overview and report focus on the value of utilizing Memeo C1 in environments that are subject to Compliance requirements including SSAE16 SOC 2 and Sarbanes Oxley.
Scope of Evaluation
The evaluator created an account on Memeo C1 and evaluated the function and applicability of the following items:
• Dashboard
• Activity
• Users
• Devices
• Files
• Sharing
The evaluation analyzed the requirements of Sarbanes Oxley section 404 and the applicable SSAE16 domains (as they apply to SOC1 and SOC2), together with their guidelines, in relation to Memeo's C1 Secure File Transfer service.
Sarbanes Oxley
Section 404: Management Assessment of Internal Controls
Operational processes are documented and practiced, demonstrating the origins of data within the balance sheet. SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly traded companies establish internal controls and procedures for financial reporting and document, test and maintain those controls and procedures to ensure their effectiveness.
Section 802: Criminal Penalties for Altering Documents
Requires public companies and their public accounting firms to retain records, including electronic records that impact the company’s assets or performance.
Fines and imprisonment for those who knowingly and willfully violate this section with respect to (1) destruction, alteration, or falsification of records in federal investigations and bankruptcy and (2) destruction of corporate audit records.
Memeo C1 Secure File Transfer can be leveraged to help your organization meet Sarbanes Oxley compliance requirements. Here's how:
The Sarbanes Oxley act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to issue rulings on the requirements publicly traded corporations must meet to comply with the law. The act also covers issues such as auditor independence, corporate governance, internal controls assessment (the technology-focused section 404), and enhanced financial disclosure. The internal controls assessment, or ITGCs, comprises four (4) control types (based on COSO): Program Development, Program Change, Computer Operation, and Logical Access. Of the ITGCs used to measure SOX 404 compliance, Memeo can help manage the following:
Computer Operations; Manage Data
‘Management protects sensitive information—logically and physically, in storage and during transmission—against unauthorized access or modification.’
When providing remote access to employees so that they can work remotely or telecommute when offsite, controls over how access to data is managed are often lacking: rights to upload or download sensitive data, rights to modify or delete data, and explicit, detailed audit logs of who accessed which data and when.
Memeo C1 allows an organization to implement logical and physical access controls around storage and transmission as follows:
C1 Secure File Transfer uses a layered methodology for file storage and transfer built on encryption:
When a customer chooses to use cloud storage provided by Memeo C1, the data is hashed and encrypted with keys unique to that customer, SSL is used to encrypt the connections, and data at rest is encrypted using the AES-256 bit algorithm. When the administrator account is created, unique keys and ‘salts,’ specific to the organization and administrator account, are created. Each organization has unique keys, used to encrypt all data stored in shared storage or in the cloud. In addition, all hashes computed on data are ‘salted’ with a value unique to the organization. All connections are end-to-end encrypted independently between nodes using public-key cryptography with two 2048-bit RSA public/private key pairs. One is used to secure the end-to-end encryption and the other to sign messages and validate message sources. These keys are pre-generated and assigned by the Memeo C1 service, but they are never stored in the cloud once they have been assigned. Keys and certificates are always stored in operating-system provided secure key stores. SSL is the widely accepted standard for securing communications to and from web servers. Whenever the client or a browser is connected to the Memeo C1 service, SSL is used to secure the traffic. Metadata and agent instructions are secured in this manner.
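To make the mechanism described above concrete, the following Go program is an added illustrative model written for this overview; it is not Memeo's code and does not describe C1's actual implementation. It shows a node holding two RSA-2048 key pairs, one for end-to-end encryption and one for signing, exchanging a message with a peer, with AES-256-GCM supplying the symmetric encryption the paper names for data at rest. The hybrid construction (a fresh AES content key wrapped with RSA-OAEP, the envelope signed with RSA-PSS), the type names, and the field layout are all assumptions; the paper states only which key pairs exist and what each is for.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Node is an illustrative model (not Memeo's code) of one C1 participant as the paper
// describes it: two RSA-2048 pairs, one securing end-to-end encryption and one signing.
type Node struct{ Enc, Sign *rsa.PrivateKey }

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable entropy source: nothing sensible to continue with
	}
	return k
}

// NewNode generates both pairs; a peer only ever receives the PublicKey halves.
func NewNode() *Node { return &Node{Enc: genKey(), Sign: genKey()} }

// Envelope is the unit that travels between two nodes.
type Envelope struct {
	WrappedKey []byte // fresh content key, RSA-OAEP to the recipient's encryption key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM of the message under the content key
	Signature  []byte // RSA-PSS by the sender's signing key over the three fields above
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAES encrypts with AES-256-GCM under a 32-byte key: the organization key for
// data at rest, or a per-message content key inside an Envelope.
func SealAES(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// OpenAES reverses SealAES and fails on any modification of the ciphertext.
func OpenAES(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// Send encrypts msg so only the holder of recipientEnc can read it, then signs the
// envelope so the recipient can validate its source.
func (n *Node) Send(recipientEnc *rsa.PublicKey, msg []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	nonce, ct, err := SealAES(contentKey, msg)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientEnc, contentKey, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}
	d := sha256.Sum256(bytes.Join([][]byte{wrapped, nonce, ct}, nil)) // bind all three fields
	env.Signature, err = rsa.SignPSS(rand.Reader, n.Sign, crypto.SHA256, d[:], nil)
	return env, err
}

// Receive verifies the signature against the claimed sender before touching any key
// material, so a tampered or mis-attributed envelope yields no plaintext.
func (n *Node) Receive(senderSign *rsa.PublicKey, env *Envelope) ([]byte, error) {
	d := sha256.Sum256(bytes.Join([][]byte{env.WrappedKey, env.Nonce, env.Ciphertext}, nil))
	if err := rsa.VerifyPSS(senderSign, crypto.SHA256, d[:], env.Signature, nil); err != nil {
		return nil, err
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, n.Enc, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return OpenAES(contentKey, env.Nonce, env.Ciphertext)
}
```

Separating the encryption pair from the signing pair, as the paper does, means a compromise of the key that decrypts traffic does not also let an attacker forge message sources, and the signature is checked before any decryption so a modified envelope is rejected before the recipient's private key is used.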
Additionally, logical access controls are managed through an Administrator dashboard where your organization's administrators can control, down to a detailed level, who can access data remotely, which devices may be used to access data, whether the data can be downloaded, and a granular level of auditing of modifications including read, write, and delete.
[Figure: Example Third Party Audit Request]
By using Memeo, organizations can avoid emailing data to another person, which inadvertently undermines the internal controls for the data. Memeo can be used to track exactly where the data is and where it can be sent or saved, allowing complete control over the data and who can access it while monitoring what is done to it.
Computer Operations; Manage Operations
‘User-developed systems, such as spreadsheets and other end-user programs, are secured from unauthorized use.’
End-user applications and Spreadsheet controls
Financial managers and employees often save spreadsheets with sensitive financial data locally, on laptops or other devices, in order to work offsite and then sync the data when back in the office. Risks related to this include losing a laptop or having the data outside of the security controls of the internal network. Storing the spreadsheet data in Memeo allows users who need remote access to reach the data conveniently from anywhere with an internet connection. Using Memeo C1, an organization still maintains the internal security controls over who has access and which devices have access, and keeps an audit trail of the date/time of access and of what specifically is changed or deleted. The administrator uses the dashboard to control what access each user has, to which data, and whether it can be downloaded, all while creating a detailed audit trail of that access.
PC-based spreadsheets or databases are often used to provide critical data or calculations related to financial risk areas within the scope of a SOX 404 assessment. Financial spreadsheets are often categorized as end-user computing (EUC) tools that have historically been absent from traditional IT controls. Control over spreadsheets is a responsibility shared between the business users and IT. The IT organization is typically concerned with providing secure access or a shared drive for storage of the spreadsheets and with data backup. The business personnel are responsible for the remainder. Adding Memeo C1 Secure File Transfer enables the IT organization to extend the reach of IT controls while allowing business users flexibility and convenience in using the data from different locations.
Computer Operations; Manage Problems & Incidents
‘The problem management system provides for adequate audit trail facilities, which allow tracing from incident to underlying cause.’
Computer Operation; Manage Configuration
‘Application software and data storage systems are properly configured to provision and audit access based on the individual's demonstrated need to view, add, change, or delete data’
Most cloud-based file sharing and data transfer services do not provide audit controls, and shared storage solutions typically do not either without additional software. These controls are required for recording, tracking, and examining activity related to accessing sensitive data.
It is important to point out that the ITGCs do not identify what data must be gathered by the audit controls or how often the audit reports should be reviewed. An organization subject to compliance must consider its risk analysis and organizational factors, such as its current technical infrastructure and its hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use sensitive data.
COSO’s (Committee of Sponsoring Organizations) Internal Control—Integrated Framework has become the framework most commonly used by companies complying with Sarbanes-Oxley. While COSO makes reference to the importance of IT relative to the overall control environment, it does not provide detailed guidance for companies needing to design and implement specific IT controls for their environment. It does, however, provide the following guidance:
• Review the security used to protect user-developed systems against unauthorized access.
• Consider observing a user attempting to gain unauthorized access to user-developed systems.
• Inquire how management is able to detect unauthorized access and what follow-up procedures are performed to assess the impact of such access.
• Select a sample of user-developed systems and determine who has access and whether the access is appropriate.
Memeo’s C1 Service Dashboard provides detailed and specific information related to these guidelines:
• Per user activity, including date and time of login and logout, files accessed, device and device location
• Recently modified or deleted data; dates, times, and user-specific information
• Invalid logon attempts
• Linked devices (allowing the administrator to unlink devices, if required)
• What files and data are, or have been, shared and with whom
Logical Access; Ensure Security
‘Where network connectivity is used, appropriate controls exist and are used to prevent unauthorized access’
How does Memeo C1 provide appropriate controls to prevent unauthorized access?
In Memeo C1, each customer/partner is treated as a “security silo”. This means that each organization has its own unique set of security information, used to secure all data and communications, which allows an organization to decide where its data is and who is allowed to access it.
Because each organization has unique keys, used to encrypt all data stored in shared storage or in the cloud, and all hashes computed on data are salted with a value unique to the organization, a user added to the organization receives the keys and salts required to produce and consume that organization’s data and can interoperate with the other users in that organization. The combination of the username/password and the unique keys, hash, and salts provides something the user knows and something the user ‘has.’
Additionally, access controls include functionality allowing an administrator to register specific devices, so that only identified and managed devices may connect.
Computer Operations; Manage Problems & Incidents
‘A security incident response process exists to support timely response and investigation of unauthorized activities’
Memeo’s C1 Secure File Transfer provides instantly available information related to access in the event of unauthorized access:
• Per user activity, including date and time of login and logout, files accessed, device and device location
• Recently modified or deleted data; dates, times, and user-specific information
• Invalid logon attempts
• Linked devices (allowing the administrator to unlink devices, if required)
• What files and data are, or have been, shared and with whom
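The signals listed above only support a timely response if someone actually queries them. The following Go program is an added example, not Memeo's code: the paper lists the fields the dashboard records but specifies no export format, so the line format, field names, device names and the log lines themselves are constructed for illustration. It parses dashboard-style audit entries and answers three of the questions the list raises: which users have repeated invalid logons, which activity came from devices the administrator never linked, and the full history of one file.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// Event is one dashboard audit entry in a constructed line format (the paper lists the
// fields the dashboard records but specifies no export format): an RFC 3339 timestamp
// followed by key=value pairs.
type Event struct {
	Time   time.Time
	Fields map[string]string
}

// SampleLog is constructed data for this example, not output captured from Memeo C1.
const SampleLog = `2014-03-01T09:00:00Z user=jdoe event=login result=failed device=LAPTOP-01
2014-03-01T09:00:20Z user=jdoe event=login result=failed device=LAPTOP-01
2014-03-01T09:00:40Z user=jdoe event=login result=failed device=LAPTOP-01
2014-03-01T09:01:00Z user=jdoe event=login result=ok device=LAPTOP-01
2014-03-01T09:05:00Z user=jdoe event=download result=ok device=LAPTOP-01 file=Q3-ledger.xlsx
2014-03-01T11:30:00Z user=asmith event=login result=ok device=PHONE-77
2014-03-01T11:31:00Z user=asmith event=delete result=ok device=PHONE-77 file=Q3-ledger.xlsx
2014-03-01T23:10:00Z user=bwong event=login result=failed device=KIOSK-9`

// ParseLog turns the text into events, skipping blank or malformed lines rather than
// guessing at their content.
func ParseLog(text string) []Event {
	var events []Event
	for _, line := range strings.Split(text, "\n") {
		parts := strings.Fields(line)
		if len(parts) == 0 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			continue
		}
		ev := Event{Time: ts, Fields: map[string]string{}}
		for _, kv := range parts[1:] {
			if pair := strings.SplitN(kv, "=", 2); len(pair) == 2 {
				ev.Fields[pair[0]] = pair[1]
			}
		}
		events = append(events, ev)
	}
	return events
}

// RepeatedFailedLogons returns, sorted, the users with at least threshold failed logins
// inside any span of length window: the "invalid logon attempts" signal turned into a rule.
func RepeatedFailedLogons(events []Event, threshold int, window time.Duration) []string {
	if threshold < 1 {
		threshold = 1
	}
	failures := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Fields["event"] == "login" && ev.Fields["result"] == "failed" {
			u := ev.Fields["user"]
			failures[u] = append(failures[u], ev.Time)
		}
	}
	var flagged []string
	for user, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		// slide a threshold-wide window over the sorted failure times
		for i := 0; i+threshold-1 < len(times); i++ {
			if times[i+threshold-1].Sub(times[i]) <= window {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// UnlinkedDeviceActivity returns events from devices absent from the administrator's
// linked-device list, i.e. connections that device registration should have prevented.
func UnlinkedDeviceActivity(events []Event, linked map[string]bool) []Event {
	var out []Event
	for _, ev := range events {
		if d, ok := ev.Fields["device"]; ok && !linked[d] {
			out = append(out, ev)
		}
	}
	return out
}

// FileHistory traces every recorded action on one file: the who, when and from which
// device that a third-party audit request asks for.
func FileHistory(events []Event, file string) []string {
	var trail []string
	for _, ev := range events {
		if ev.Fields["file"] == file {
			trail = append(trail, ev.Time.Format(time.RFC3339)+" "+ev.Fields["user"]+
				" "+ev.Fields["event"]+" from "+ev.Fields["device"])
		}
	}
	return trail
}
```

On the constructed sample, three failed logons for jdoe within 40 seconds trip a rule of three failures in five minutes, the single failure from bwong does not, the KIOSK-9 event is the only activity from an unlinked device, and the history of Q3-ledger.xlsx shows the download by jdoe followed by the delete by asmith, which is exactly the "incident to underlying cause" trace the control objective asks for.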
SSAE16 Domains
SSAE16 Control Objectives - According to the SSAE 16 publication put forth by the American Institute of Certified Public Accountants, a control objective is the "aim or purpose of specified controls at the service organization which address the very risks that these controls are intended to effectively mitigate". More simply stated, a control objective is an attribute that ensures a control or set of controls is operating effectively and as designed. It is the basis of the entire SSAE 16 assessment process, and auditors and service organizations often work together collaboratively in developing these control objectives. Technically speaking, however, the control objectives and related controls are those of the service organization, intended to ensure security related to data and technology.
There are common domains found within an SSAE16 attestation and its stated controls. Memeo C1 can provide support for those controls as follows:
Logical Access Controls
‘Controls provide reasonable assurance that logical access to system resources is restricted to authorized individuals.’
Unique IDs
User accounts must be created within the Memeo system dashboard by an Administrator. Only user accounts defined by the administrator have access to share, transfer, or access the information. Each user is assigned a unique ID by the administrator and user activity is tracked by user ID.
Memeo’s C1 Secure File Sharing and Transfer service enables system administrators to adhere to internal policies and naming standards to create and manage unique user accounts for each user authorized to utilize the service.
Audit Controls
Memeo’s C1 Service Dashboard provides detailed and specific audit logs and information, specifically:
• Per user activity, including date and time of login and logout
• Files accessed
• Device and device location
• Recently modified or deleted data; dates, times, and user-specific information
• Invalid logon attempts
• Linked devices (allowing the administrator to unlink devices, if required)
• What files and data are, or have been, shared and with whom
Account Management
Memeo’s C1 Secure File Transfer allows the Administrator to manage accounts through a centralized dashboard. Account management functions include:
• User account creation
• Identification of allowed devices; eliminates connections from unmanaged devices
• Rights management; level of access, download, delete, etc.
• Termination; terminating the user and device wipes data from the device remotely the next time the device is online
• Common management functions can be performed from any internet-connected location; account lockouts, password resets, rights assignment
Authentication
In Memeo C1, each customer/partner is treated as a “security silo”. This means that each organization has its own unique set of security information, used to secure all data and communications, which allows an organization to manage where its data resides and who is allowed to access it.
Because each organization is assigned unique keys, used to encrypt all data stored in shared storage or in the cloud, and all hashes computed on data are salted with a value unique to the organization, a user added to the organization receives the keys and salts required to produce and consume that organization’s data and can interoperate with the other users in that organization. The combination of the username/password and the unique keys, hash, and salts provides something the user knows and something the user ‘has.’ Each user is required to have the unique key assigned to their account and also the salt assigned to the organization. The data, when stored, is split apart, with each component assigned a matching hash; there is no way to reassemble the data without all of the components. A user’s unique logon, combined with the keys assigned to the organization and both data components, is required to access the data.
Data Transmission Controls
‘Controls provide reasonable assurance that data transmissions between the organization and its user entities are performed in a secure, complete, accurate and timely manner.’
Transmission Security
A primary method for protecting the integrity of sensitive data in transit is the use of secure network communications protocols. Memeo’s C1 employs SSL encryption on all data transmissions. SSL is a widely accepted standard for securing communications to and from web servers. Whenever the client or a browser is connected to the Memeo C1 service, SSL is used to secure the traffic. Metadata and agent instructions are secured in this manner.
In general, these protocols, among other things, ensure that the data sent is the same as the data received.
Encryption
Memeo’s C1 Secure File Transfer service leverages end-to-end encryption, SSL transmission encryption, and AES-256 bit encryption for data at rest. The Security Rule allows covered entities the flexibility to determine when, with whom, and what method of encryption to use.
Memeo C1 separates metadata and actual data into separate, encrypted items that are physically separated until a user accesses them using the organization key assigned when the account is created. Additionally, a ‘salt’ specific to the organization and the user is added to the end of the hash. If any of these pieces is altered or missing, the data cannot be reassembled and would be corrupted, enabling an administrator to identify possible alteration or improper destruction. Additionally, the Memeo dashboard allows an administrator to track all access and actions, on a per user, date, and device level, including alteration and deletion.
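The following Go program is an added example written for this overview, not Memeo's code; how C1 actually computes or stores its hashes is not described beyond the sentences above. It models the integrity property the paragraph describes: a document split into a metadata component and a data component, each recorded with a hash computed over the component together with organization- and user-specific salts, and a reassembly step that refuses to proceed when a component is missing, has been altered, or is presented with the wrong salts. Encryption of the components is left out so the block isolates the integrity check; the exact salt construction, the type names and the sample values are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Component is one separately stored piece: its bytes and the salted hash recorded
// when it was written. The paper describes the pieces as encrypted; encryption is
// left out here so the block isolates the integrity check. (Illustrative model.)
type Component struct {
	Bytes []byte
	Hash  []byte
}

// StoredRecord is a document split into metadata and data, as the paper describes.
type StoredRecord struct {
	Meta *Component
	Data *Component
}

var (
	ErrMissingComponent = errors.New("component missing: record cannot be reassembled")
	ErrAltered          = errors.New("hash mismatch: component altered or wrong salts")
)

// saltedHash models the paper's salt "specific to the organization and the user":
// SHA-256 over the component followed by both salts. Without the right salts the
// recorded hash cannot be reproduced. The construction is an assumption.
func saltedHash(component, orgSalt, userSalt []byte) []byte {
	h := sha256.New()
	h.Write(component)
	h.Write(orgSalt)
	h.Write(userSalt)
	return h.Sum(nil)
}

// Store splits a document and records a salted hash for each piece.
func Store(meta, data, orgSalt, userSalt []byte) StoredRecord {
	return StoredRecord{
		Meta: &Component{Bytes: meta, Hash: saltedHash(meta, orgSalt, userSalt)},
		Data: &Component{Bytes: data, Hash: saltedHash(data, orgSalt, userSalt)},
	}
}

// Reassemble returns metadata and data only when every component is present and its
// salted hash matches; any other state is reported so an administrator can investigate
// possible alteration or improper destruction rather than silently receiving bad data.
func Reassemble(rec StoredRecord, orgSalt, userSalt []byte) (meta, data []byte, err error) {
	for _, c := range []*Component{rec.Meta, rec.Data} {
		if c == nil {
			return nil, nil, ErrMissingComponent
		}
		// constant-time comparison so the check itself leaks nothing about the hash
		if !hmac.Equal(c.Hash, saltedHash(c.Bytes, orgSalt, userSalt)) {
			return nil, nil, ErrAltered
		}
	}
	return rec.Meta.Bytes, rec.Data.Bytes, nil
}
```

The two error values are deliberately distinct: a missing component points at destruction or an incomplete copy, while a hash mismatch points at modification or at a caller who does not hold the organization's and user's salts, and an administrator reviewing the dashboard would treat those two findings differently.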