SOC 1 (SSAE NO. 16) TYPE 2 REPORT ON CONTROLS PLACED IN OPERATION FOR DATA CENTER SERVICES
BROADRIVER INC.
AUGUST 1, 2014 TO JULY 31, 2015
Table of Contents
SECTION 1: INDEPENDENT SERVICE AUDITORS’ REPORT ... 1
SECTION 2: MANAGEMENT’S ASSERTION ... 4
SECTION 3: BROADRIVER’S DESCRIPTION OF CONTROLS ... 6
SCOPE OF REPORT AND DISCLOSURES ... 8
Sub-Service Organizations ... 8
Significant Changes during the Review Period ... 8
Subsequent Events ... 8
Using the Work of the Internal Audit Function ... 8
OVERVIEW OF OPERATIONS AND THE SYSTEM ... 9
Company Overview and Background ... 9
Overview of the Data Center Services System ... 9
OVERVIEW OF RELEVANT INFRASTRUCTURE ... 10
Infrastructure ... 10
Software ... 10
People ... 10
Procedures ... 11
Data ... 11
RELEVANT ASPECTS OF CONTROL ENVIRONMENT, RISK ASSESSMENT, INFORMATION AND COMMUNICATIONS SYSTEMS, MONITORING, POLICIES AND PRACTICES ... 12
Control Environment ... 12
Risk Assessment ... 14
Information and Communication Systems ... 15
Policies and Practices ... 17
CONTROL OBJECTIVES AND RELATED CONTROLS ... 23
USER ENTITY CONTROL CONSIDERATIONS ... 24
SECTION 4: CONTROL DESCRIPTIONS, RELATED CONTROLS AND TESTS OF OPERATING EFFECTIVENESS ... 26
INFORMATION PROVIDED BY THE SERVICE AUDITOR ... 27
Introduction ... 27
Tests of Operating Effectiveness ... 27
Types of Tests Performed ... 28
Sampling Methodology ... 29
TESTING MATRICES ... 30
Physical Security ... 30
Environmental Security ... 39
Information Security ... 45
Systems Availability ... 50
System Maintenance ... 54
SECTION 5: INFORMATION PROVIDED BY THE SERVICE ORGANIZATION ... 58
SECTION 1:
www.360advanced.com
INDEPENDENT SERVICE AUDITORS’ REPORT ON THE DESCRIPTION OF THE SERVICE ORGANIZATION’S SYSTEM AND THE SUITABILITY OF THE DESIGN AND OPERATING EFFECTIVENESS OF CONTROLS

To BroadRiver Inc.:
We have examined BroadRiver Inc.’s (“BroadRiver”) description of its Data Center Services system throughout the period August 1, 2014 to July 31, 2015 and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of BroadRiver’s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.
Within Section 2 of this report, BroadRiver has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. BroadRiver is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period August 1, 2014 to July 31, 2015.
An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described within BroadRiver’s assertion within Section 2 of this report. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.
4806 West Gandy Blvd. Tampa, Florida 33611 866.418.1708
In our opinion, in all material respects, based on the criteria described in BroadRiver’s assertion in the next section of this report:
a. the description fairly presents BroadRiver’s Data Center Services system that was designed and implemented throughout the period August 1, 2014 to July 31, 2015;
b. the controls related to the control objectives of BroadRiver stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period August 1, 2014 to July 31, 2015, and user entities applied the complementary user entity controls contemplated in the design of BroadRiver’s controls throughout the period August 1, 2014 to July 31, 2015; and
c. the controls that we tested, which together with the complementary user entity controls referred to in Section 3 of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period August 1, 2014 to July 31, 2015.
The specific controls tested and the nature, timing, and results of those tests are listed within Section 4 of the report.
This report, including the description of tests of controls and results thereof within Section 4, is intended solely for the information and use of BroadRiver, user entities of BroadRiver’s Data Center Services system during some or all of the period August 1, 2014 to July 31, 2015, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.
December 16, 2015 Tampa, Florida
SECTION 2:
MANAGEMENT’S ASSERTION
December 16, 2015
We have prepared the description of BroadRiver Inc.’s (“BroadRiver”) Data Center Services system for user entities of the system during some or all of the period August 1, 2014 to July 31, 2015 and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities’ financial statements. We confirm, to the best of our knowledge and belief, that
a. the description fairly presents the Data Center Services system made available to user entities of the system during some or all of the period August 1, 2014 to July 31, 2015 for processing their transactions. The criteria we used in making this assertion were that the description:
i. presents how the system made available to user entities of the system was designed and implemented to process relevant transactions as they relate to our environment, including when applicable:
1. the types of services provided;
2. the procedures, within both automated and manual systems, by which services are provided;
3. how the system captures and addresses significant events and conditions, other than transactions;
4. the process used to prepare reports or other information provided to user entities of the system;
5. the specified control objectives and controls designed to achieve those objectives; and
6. other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to user entities of the system.
ii. does not omit or distort information relevant to the scope of the Data Center Services system, while acknowledging that the description is presented to meet the common needs of a broad range of user entities of the system and their financial statement auditors, and may not, therefore, include every aspect of the Data Center Services system that each individual user entity of the system and its auditor may consider important in its own particular environment.
iii. includes relevant details of changes to the service organization’s system during the audit period covered by the description.
b. the controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period August 1, 2014 to July 31, 2015 to achieve those control objectives. The criteria we used in making this assertion were that:
i. the risks that threaten the achievement of the control objectives stated in the description have been identified by management;
ii. the controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and
iii. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.
/s/ BroadRiver Inc.
Michael L. Oken – President
Fran Audia – Controller
SECTION 3:
Section 3 Proprietary and Confidential | 8
SCOPE OF REPORT AND DISCLOSURES
This description of the system of controls provided by BroadRiver Inc. (“BroadRiver”) management, as related to Statement on Standards for Attestation Engagements No. 16 ‘Reporting on Controls at a Service Organization’ (“SSAE 16” or “SOC 1”), considers the direct and indirect impact of risks and controls that BroadRiver management has determined are likely to be relevant to its user entities’ internal controls over financial reporting. The scope of management’s description of the system of controls covers the general computer controls supporting the Description of Service, and considers the initiation, authorization, recording, processing, and reporting of related transactions. BroadRiver is responsible for identification of risks associated with the system of controls (defined as control objectives), and for the design and operation of controls intended to mitigate those risks. This includes the applicable information technology infrastructure and the supporting processes related to the Data Center Services system. It does not include any other processes used to initiate, authorize, record, process, or report on the financial transactions of its user entities. Additionally, BroadRiver does not maintain accountability for any user entity assets, liabilities, or equity.
As part of its overall SOC 1 program, BroadRiver’s management sets and determines the scope and timing of each report. This report features the Data Center Services system provided for the Atlanta, Georgia colocation facility. This description of the system of controls has been prepared by BroadRiver management to provide information on controls applicable to the Data Center Services system at the Atlanta, Georgia colocation facility.
Sub-Service Organizations
BroadRiver does not rely on any sub-service organizations as part of the Data Center Services system included in the scope of this report.
Significant Changes during the Review Period
Management is not aware of any significant changes that occurred during the review period.
Subsequent Events
Management is not aware of any relevant events that occurred subsequent to the period covered by management’s description included in Section 3 of this report through the date of the service auditor’s report that would have a significant effect on management’s assertion.
Using the Work of the Internal Audit Function
OVERVIEW OF OPERATIONS AND THE SYSTEM
Company Overview and Background
BroadRiver is a privately-held competitive IT solutions company based in Atlanta, Georgia. Since 1999, BroadRiver has been providing a variety of technology solutions with a focus on client care and client satisfaction. On November 9, 2015, BroadRiver sold its subsidiary, BroadRiver Communications Corporation, which provided the telecommunications services.
BroadRiver provides data center services spanning various markets throughout the southeastern United States. BroadRiver’s goal is to help its clients select the right data center services for their business needs and to deliver those services with quality and value.
Overview of the Data Center Services System
Data Center Colocation Services
BroadRiver’s Tier 3 colocation facility is a 15,000 square foot facility that was constructed in 2007 approximately 1 mile from the corporate office facility in Atlanta, Georgia. The colocation facility sits on solid granite with concrete floors, steel frame and concrete block walls with a brick outlay and an insulated membrane roof. The data center within the colocation facility features over 200 fully enclosed racks that are sold in half and full-rack increments. The data center was designed with redundant capacity components and multiple independent distribution paths serving the computer equipment to allow systems to be taken offline for scheduled maintenance without impact to the IT environment. BroadRiver provides the facilities and infrastructure to protect clients’ systems from physical and environmental security threats including, but not limited to, unauthorized access, fire, harmful temperature and humidity levels and power surges or power failures.
Activities related to transactions, such as initiation, authorization, recording, processing, correction, or reporting, are performed by clients. BroadRiver has no responsibility for activities related to transaction processing or for the related accounting records and supporting information of clients, including the correction of incorrect information.
Managed Network Services
BroadRiver provides Internet connectivity to clients as well as dedicated network segments where clients place their own servers and applications. Services include:
Client-specific network segmentation and isolation;
Firewall management; and
OVERVIEW OF RELEVANT INFRASTRUCTURE
The Data Center Services system is comprised of the following components:
Infrastructure (facilities, equipment, and networks);
Software (systems, applications, and utilities);
People (operators, users, and managers);
Procedures (automated and manual); and
Data (transaction streams, files, databases, and tables).
Infrastructure
BroadRiver offers facilities and infrastructure to provide colocation and data center services for its clients. The colocation facility is designed with a data center room where client equipment resides. Single racks, cabinets, and / or isolated cages are offered to clients within the several thousand square feet of data center space located at the colocation facility. Some support and management personnel operate out of the headquarters supporting the colocation and data center services at the colocation facility.
The following describes the in-scope components supporting the Data Center Services system:
System / Application | Description | Infrastructure
Zenoss | Network monitoring | GNU / Linux
Software
BroadRiver utilizes Zenoss to provide for network monitoring of the data center facility and services contracted to be provided. Zenoss is the primary application used for monitoring services and has been configured with thresholds and alerts designed to provide management notifications with enough time to adjust and make changes prior to an outage or limitation in services being provided.
People
The roles and responsibilities of key functions include the following:
Michael L. Oken, President and Chief Technology Officer (CTO)
Michael founded BroadRiver, and serves as its President and CTO. Michael plays a central role in driving the strategy and direction relative to product and services development, architecture and infrastructure. His experience spans over 28 years in the technology sector with significant experience in datacenter and network architecture.
Fran Audia, Controller and Secretary
Fran has served as Controller and Secretary of BroadRiver since 2002. Fran has over twenty years of experience in accounting, bookkeeping, risk management, and HR. Prior to joining BroadRiver Inc. she served as a Controller at Network Systems Technology Inc., a network integration company.
Procedures
BroadRiver has developed, and communicated to its users, procedures to restrict physical access to the BroadRiver colocation facility, its data center, and the critical areas within the colocation facility, as well as procedures to protect the colocation facility from certain environmental threats. Policies include the following:
BroadRiver Data Center Security Policy;
Information Security Policy;
Data Center Physical Security;
Data Center Environmental Security Policy; and
Incident and Response Policy.
Data
BroadRiver does not process clients’ data. The scope of management’s description of the system of controls covers the physical and environmental security supporting the Data Center Services system. This includes the applicable information technology infrastructure and the supporting processes related to the Data Center Services system. It does not include any other processes used to initiate, authorize, record, process, or report on the financial transactions of its user entities.
RELEVANT ASPECTS OF CONTROL ENVIRONMENT, RISK ASSESSMENT, INFORMATION AND COMMUNICATIONS SYSTEMS, MONITORING, POLICIES AND PRACTICES
Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal controls, providing discipline and structure. Aspects of BroadRiver’s control environment that affect the services provided and / or the system of controls are identified in this section.
Integrity and Ethical Values
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of BroadRiver’s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the products of BroadRiver’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. Organizational policy statements and codes of conduct are documented and communicate entity values and behavioral standards to personnel.
Senior Executive Participation
BroadRiver’s control consciousness is influenced significantly by its senior executives. Senior executives oversee management activities and meet on a regular basis to approve budgets and business plans, address operational concerns and strategic direction and review financial performance metrics.
Commitment to Competence
BroadRiver’s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees’ roles and responsibilities. Management has considered the competence levels for particular jobs and translated the required skills and knowledge levels into written position requirements. Employees are required to attend security awareness training upon hire and on an annual basis thereafter.
Management’s Philosophy and Operating Style
BroadRiver’s management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management’s approach to taking and monitoring business risks, and management’s attitudes toward information processing, accounting functions, and personnel. BroadRiver’s management team is hands-on and involved in the day-to-day operations of the business. Management team members are expected not only to lead but to make hands-on contributions and to know the details in their area of the business. Specific control activities that BroadRiver has implemented in this area are described below.
Management is periodically briefed on regulatory and industry changes affecting services provided; and
Management meetings are held on a weekly basis to discuss operational issues.
Organizational Structure
BroadRiver’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. BroadRiver’s management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and lines of reporting. BroadRiver has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities.
BroadRiver’s assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. Specific control activities that the service organization has implemented in this area are described below.
Organizational charts are in place to communicate key areas of authority, responsibility and lines of reporting; and
Management has considered the reporting structure and accountability for certain business functions and segregated responsibilities by functional area.
Human Resource Policies and Practices
BroadRiver’s human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Background checks are performed for employment applicants as a component of the hiring process. Termination procedures are in place to help ensure the employee termination process is consistently executed.
Risk Assessment
BroadRiver’s risk assessment process is designed to identify and consider the implications of external and internal risk factors concurrent with establishing unit-wide objectives and plans. The likelihood of occurrence and potential monetary impact (or publicity risk) has been evaluated to enhance the reliability of the data center services being provided. Risks are categorized as tolerable or requiring action, and include the following considerations:
Changes in the operating environment – a change in regulations may necessitate a revision of existing processing. Revisions of existing processing may create the need for additional or revised controls.
New personnel – new personnel who are responsible for overseeing the IT controls may increase the risk that controls will not operate effectively.
New or revamped information systems – new functions added into the system that could affect user entities.
Rapid growth – a rapid increase in the number of new clients may affect the operating effectiveness of certain controls.
New technology – implementation of new application platforms / technology may operate so differently that it affects user entities.
New business models, products, or activities – the diversion of resources to new activities from existing activities could affect certain controls.
Corporate restructuring – a change in ownership or internal reorganization could affect reporting responsibilities or the resources available for services to user entities.
New accounting pronouncements – the implementation of relevant accounting pronouncements could affect user entities.
Government and regulatory changes – the implementation of relevant government and regulatory pronouncements could affect user entities.
BroadRiver’s recognition of risks that could affect the organization’s ability to provide reliable data center services for user entities is generally implicit, rather than explicit. Management’s involvement in the daily operations allows them to learn about risks related to the data center services through direct personal involvement with employees and outside parties, thus reducing the need for formalized and structured risk assessment processes.
Information and Communication Systems
Information System
BroadRiver’s hosting infrastructure is located in a colocation facility in Atlanta, Georgia. The site is secured by a biometric-enabled electronic card access system at facility entry points and is monitored by a video surveillance system. Power is protected by multiple diesel-powered generators and redundant UPS systems equipped with static transfer switches (STS), and temperature and humidity levels are maintained by redundant air conditioning systems with redundant cooling loops. Private VLANs segregate client networks and infrastructure by service offering. Firewall systems are configured to deny any network connection that is not explicitly authorized by a firewall rule, and are deployed in clusters so that firewall services fail over automatically if the primary firewall fails.
Encrypted VPN connections are utilized for remote access to help ensure the privacy and integrity of the data passing over the public network.
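The two network controls above, per-client VLAN segregation and a firewall that denies anything not explicitly allowed, are easier to reason about with a concrete policy in front of you. The following is an added example written for this page; it is not BroadRiver's firewall configuration, and the report names no firewall product or rule format. The rule syntax, the VLAN numbering, the addresses and the `evaluate` / `audit` helpers are all assumptions made for the illustration. It evaluates the same policy twice, once with the default action set to deny (the control the report describes) and once with it set to allow, to show which connection attempt only the default-deny posture stops.

```python
"""Added example, not BroadRiver's configuration: a small model of a
default-deny firewall in front of VLAN-segregated client networks.
Rule syntax, VLAN numbers, addresses and helper names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A connection attempt as the firewall sees it: (src_ip, dst_ip, proto, dst_port)
Conn = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR of matching sources
    dst: str               # CIDR of matching destinations
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    comment: str = ""

    def matches(self, conn: Conn) -> bool:
        src, dst, proto, dport = conn
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], conn: Conn, default: str) -> str:
    """First matching rule wins; an unmatched connection gets the default action."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return default


def audit(rules: List[Rule], attempts: Dict[str, Conn], default: str) -> Dict[str, str]:
    """Decision for every named connection attempt under the given default."""
    return {name: evaluate(rules, conn, default) for name, conn in attempts.items()}


# Assumed segmentation: one private VLAN per client plus a monitoring VLAN.
CLIENT_A = "10.10.0.0/24"     # VLAN 10 (assumed)
CLIENT_B = "10.20.0.0/24"     # VLAN 20 (assumed)
MONITORING = "10.0.0.0/24"    # VLAN 2, SNMP pollers (assumed)
INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"

# Ordered rule set. Only explicitly authorised flows are listed; the deny in
# position 2 stops all other VLAN-to-VLAN traffic before the per-client
# outbound allows, which would otherwise let client A reach client B.
RULES = [
    Rule("allow", MONITORING, INTERNAL, "udp", 161, "SNMP polling from the monitoring VLAN"),
    Rule("deny", INTERNAL, INTERNAL, "any", None, "no other traffic between internal VLANs"),
    Rule("allow", ANY, "10.10.0.10/32", "tcp", 443, "Internet to client A's web server"),
    Rule("allow", CLIENT_A, ANY, "any", None, "client A outbound to the Internet"),
    Rule("allow", CLIENT_B, ANY, "any", None, "client B outbound to the Internet"),
]

# Constructed connection attempts (documentation address ranges for the Internet side).
ATTEMPTS: Dict[str, Conn] = {
    "internet_to_web":      ("203.0.113.7", "10.10.0.10", "tcp", 443),
    "snmp_poll":            ("10.0.0.5", "10.20.0.20", "udp", 161),
    "client_a_to_client_b": ("10.10.0.10", "10.20.0.20", "tcp", 22),
    "internet_to_ssh":      ("198.51.100.9", "10.10.0.10", "tcp", 22),   # matches no rule
    "client_a_outbound":    ("10.10.0.10", "192.0.2.44", "tcp", 443),
}

if __name__ == "__main__":
    strict = audit(RULES, ATTEMPTS, default="deny")
    lax = audit(RULES, ATTEMPTS, default="allow")
    for name in ATTEMPTS:
        print(f"{name:22s} default-deny={strict[name]:5s} default-allow={lax[name]}")
```

The cross-client attempt is denied under both defaults because an explicit rule catches it; the unlisted SSH attempt from the Internet is what separates the two postures, since nothing in the rule set mentions it and only the default-deny policy refuses it. Rule order is itself a control: moving the internal-to-internal deny below the outbound allows would silently re-open tenant-to-tenant traffic.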
Communication System
BroadRiver’s management is involved with day-to-day operations and is able to provide employees with an understanding of their individual roles and responsibilities pertaining to internal controls. This includes the extent to which personnel understand how their activities relate to the work of others and the means of reporting exceptions to a higher level within the organization. Management believes that open communication channels help ensure that exceptions are reported and resolved. Communication takes place electronically, verbally, and through the actions of management, and is supported by formal communication tools such as organizational charts, job descriptions and an enterprise issue ticketing application.
Monitoring
Management monitors controls to consider whether they are operating as intended and whether they are modified as conditions change. BroadRiver’s management performs monitoring activities to continuously assess the quality of internal control over time. Corrective actions are taken as required to correct deviations from company policy and procedures. Employee activity and adherence to company policies and procedures are also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.
Ongoing Monitoring
The BroadRiver management team conducts quality assurance monitoring on a regular basis and additional training is provided based upon results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings, client conference calls and informal notifications.
Examples of BroadRiver’s ongoing monitoring activities include the following:
Physical Security:
The biometric-enabled badge access system creates logs of ingress activity within the data center for review on a scheduled basis.
Surveillance cameras are in place to record activity throughout the colocation facility and the data center, and are equipped with searchable digital video retention for review on a scheduled basis.
Environmental Security
An enterprise monitoring application is configured to monitor and log temperature, humidity, and smoke or fire conditions at various locations throughout the facility, and to alert personnel when a reading crosses a predefined threshold.
Network Infrastructure
An enterprise monitoring application is configured to monitor the network core, network edge, and other shared enterprise systems and devices for availability and transmission activity, and to alert personnel when predefined events occur, including up/down status changes, resource utilization, and other Simple Network Management Protocol (SNMP)-enabled thresholds per device.
A ticketing system is in place to document and manage identified problems and activities impacting client services and systems. Tickets are monitored from creation to resolution.
Separate Evaluations
Management has daily involvement in BroadRiver’s operations to help identify significant variances from expectations regarding internal controls. Controls addressing higher-priority risks and those most essential to reducing a given risk are evaluated more often. Executive management immediately evaluates the specific facts and circumstances related to any suspected control breakdowns. A decision for addressing any controls weakness is made based on whether the incident was isolated or requires a change in the company’s procedures or personnel.
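The ongoing-monitoring controls above describe threshold alerting for environmental sensors and SNMP-polled network devices, and the Software overview earlier notes that the thresholds are set so management is notified with time to act before an outage. The following is an added example for this page, not a Zenoss configuration and not BroadRiver's thresholds: it models that behaviour with a warning level below the critical level, requires a reading to stay out of range for consecutive samples before raising an alert (so a single spurious sample does not page anyone), escalates when a sustained warning becomes critical, and treats an interface going down as an immediate alert. The metric names, threshold values, device names and sample readings are all constructed for the illustration.

```python
"""Added example, not Zenoss or BroadRiver configuration: warning/critical
threshold evaluation with a sustained-sample requirement and immediate
up/down alerting. All names, thresholds and readings are assumptions."""
from collections import defaultdict
from typing import Dict, List, Tuple

# metric -> (warning, critical); assumed values chosen for the illustration.
THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "temperature_c": (27.0, 32.0),
    "humidity_pct": (60.0, 70.0),
    "cpu_util_pct": (80.0, 95.0),
}

# One sample: (timestamp_seconds, device, metric, value)
Sample = Tuple[int, str, str, float]
Alert = Tuple[int, str, str, str]


def severity(metric: str, value: float) -> str:
    """Classify a reading as ok / warning / critical against its thresholds."""
    warn, crit = THRESHOLDS[metric]
    if value >= crit:
        return "critical"
    if value >= warn:
        return "warning"
    return "ok"


def evaluate_samples(samples: List[Sample], sustain: int = 2) -> List[Alert]:
    """Raise an alert when a metric is out of range for `sustain` consecutive
    samples, re-raise when the level changes (warning -> critical), and raise
    immediately when an `if_up` metric reports 0 (interface down)."""
    streak: Dict[Tuple[str, str], int] = defaultdict(int)  # consecutive out-of-range samples
    state: Dict[Tuple[str, str], str] = {}                 # last level raised per (device, metric)
    alerts: List[Alert] = []
    for ts, device, metric, value in samples:
        key = (device, metric)
        if metric == "if_up":
            level = "critical" if value == 0 else "ok"
            if level != state.get(key, "ok"):
                state[key] = level
                if level != "ok":
                    alerts.append((ts, device, metric, level))
            continue
        level = severity(metric, value)
        if level == "ok":
            streak[key] = 0           # a single good reading clears the streak
            state[key] = "ok"
            continue
        streak[key] += 1
        if streak[key] >= sustain and state.get(key, "ok") != level:
            state[key] = level
            alerts.append((ts, device, metric, level))
    return alerts


# Constructed readings, 60-second polling interval.
SAMPLES: List[Sample] = [
    (0,   "rack-07-sensor", "temperature_c", 26.0),
    (60,  "rack-07-sensor", "temperature_c", 28.0),   # warning, 1st sample
    (120, "rack-07-sensor", "temperature_c", 29.0),   # warning sustained -> alert
    (180, "rack-07-sensor", "temperature_c", 33.0),   # escalates to critical -> alert
    (240, "rack-07-sensor", "temperature_c", 25.0),   # back in range
    (0,   "core-sw-1",      "cpu_util_pct",  85.0),   # one-sample spike
    (60,  "core-sw-1",      "cpu_util_pct",  70.0),   # resets the streak, no alert
    (120, "core-sw-1",      "cpu_util_pct",  85.0),
    (0,   "edge-rtr-2",     "if_up",          1),
    (60,  "edge-rtr-2",     "if_up",          0),     # interface down -> immediate alert
]

if __name__ == "__main__":
    for ts, device, metric, level in evaluate_samples(SAMPLES):
        print(f"t={ts:4d}s {device:15s} {metric:14s} {level}")
```

The warning threshold is the "time to adjust" the report refers to: it fires while there is still headroom below the level at which equipment is at risk, and the sustained-sample requirement is the usual trade-off between false pages and a slightly slower first notification. Collapsing warning and critical into one threshold, or alerting on the first out-of-range sample, is the weak version of the same control.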
Policies and Practices
BroadRiver security systems include badge access authentication at each data center door, logging of door access attempts, and video surveillance for access to and within the BroadRiver data center including the data halls where client equipment resides. Electronic badge access systems and biometric fingerprint readers provide access controls at each data center facility entry point. Video surveillance technology has been implemented to monitor and record access to and activity within the facility.
INFRASTRUCTURE MANAGEMENT
BroadRiver is responsible for maintaining and implementing information technology general computer controls related to computer processing supporting the Data Center Services. These controls provide the basis for reliance on information / data from the systems used by user entities for financial reporting.
Physical Security
Documented physical security policies and procedures are in place to guide activities for granting, controlling, and monitoring physical access to the corporate office facility, the colocation facility, and the data center within the colocation facility. Further, to control physical access to the corporate office facility, the colocation facility, and the data center, the Facility Manager or Technical Operations Manager performs quarterly access reviews to ensure that access is appropriate based on the individual’s role and job function, and that privileged access is only available to authorized users.
Corporate Office Facility
A receptionist is on-site during normal business hours to monitor the main entrance of the corporate office facility and ensures that visitors sign a visitor log prior to entry. Visitors are provided an identification sticker by the receptionist while inside the corporate office facility.
The physical access control system at the corporate office facility utilizes key fobs to restrict and track access to the facility. Key fob holders are required to swipe their key fob in order to enter the facility; otherwise, entry is prevented. Successful and unsuccessful entry events are logged for ad hoc review by the technical operations manager. If a series of unsuccessful attempts occur, the technical operations manager would research and identify the issue. Administrative privileges to the electronic key fob access system are restricted to authorized IT personnel. Additionally, the key fob system administrators revoke key fob access system privileges for terminated employees. Unused and unassigned key fobs are stored in a locked file cabinet.
Colocation Facility and Data Center
The colocation facility and the data center are restricted areas requiring a greater level of control than other non-public spaces. The colocation facility has no exterior signage identifying it as a data center and no exterior data center windows. Only those individuals who are expressly authorized to do so by BroadRiver IT management personnel may enter the colocation facility and the data center. Network operations center (NOC) personnel are stationed at the reception desk to monitor access to the main entrance of the colocation facility during business hours. The NOC personnel ensure that visitors sign a visitor log upon entering the colocation facility. Additionally, visitors are required to be escorted by an employee when in the data center. Access to the colocation facility is restricted via a badge access card system to authorized personnel 24 hours per day. The badge access system utilizes pre-defined badge access groups to control access privileges and restrict employees and clients to only the areas necessary and authorized. Badge holders are required to swipe their badge access card in order to enter the facility; otherwise, re-entry is systematically prevented. Successful and unsuccessful entry events are logged, allowing for ad hoc reviews by the technical operations manager.
If a series of unsuccessful attempts occur, the technical operations manager researches and identifies the issue. Administrative privileges to the badge access card system are restricted to authorized IT personnel.
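The ad hoc log reviews described above (a series of unsuccessful swipes prompts the technical operations manager to research the issue, and credentials of terminated staff are revoked) can be made repeatable with a short review script. What follows is an added example and not BroadRiver’s or the service auditor’s code; the CSV export layout, the credential identifiers, the active-credential list and the rule of three denials within ten minutes are all constructed assumptions used only for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export from a badge / key fob access system (not real data).
# Columns: timestamp, door, credential_id, result (GRANTED or DENIED).
SAMPLE_LOG = """\
timestamp,door,credential_id,result
2015-03-02T08:01:10,main-entrance,FOB-1001,GRANTED
2015-03-02T08:02:45,main-entrance,FOB-2042,DENIED
2015-03-02T08:03:05,main-entrance,FOB-2042,DENIED
2015-03-02T08:03:30,main-entrance,FOB-2042,DENIED
2015-03-02T08:15:00,data-hall-a,FOB-1001,GRANTED
2015-03-02T09:40:12,main-entrance,FOB-3077,DENIED
2015-03-02T18:20:00,main-entrance,FOB-3077,DENIED
2015-03-02T18:21:00,main-entrance,FOB-3077,DENIED
2015-03-02T20:05:33,data-hall-a,FOB-9999,GRANTED
"""

# Constructed list of credentials that should currently be active. FOB-9999 is
# assumed to belong to a terminated employee whose credential was never revoked,
# so any successful entry with it must be surfaced for investigation.
ACTIVE_CREDENTIALS = {"FOB-1001", "FOB-2042", "FOB-3077"}

# Assumed review rule: three or more denials by one credential within ten minutes.
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "door": row["door"],
            "cred": row["credential_id"],
            "result": row["result"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def failed_attempt_series(rows, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Return {credential: [timestamps]} for credentials whose DENIED events
    reach the threshold inside a sliding time window. Isolated denials spread
    over the day are ignored, which keeps the reviewer's queue short."""
    denied = defaultdict(list)
    for r in rows:
        if r["result"] == "DENIED":
            denied[r["cred"]].append(r["ts"])
    flagged = {}
    for cred, times in denied.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[cred] = times[start:end + 1]
                break
    return flagged


def unexpected_grants(rows, active):
    """Successful entries by credentials that are not on the active list,
    i.e. badges or fobs that should have been revoked or were never issued."""
    return [r for r in rows if r["result"] == "GRANTED" and r["cred"] not in active]


def review(text=SAMPLE_LOG, active=ACTIVE_CREDENTIALS):
    """Run both checks and return plain data suitable for a review ticket."""
    rows = parse_log(text)
    return {
        "failure_series": failed_attempt_series(rows),
        "unexpected_grants": [
            (r["ts"].isoformat(), r["door"], r["cred"]) for r in unexpected_grants(rows, active)
        ],
    }


if __name__ == "__main__":
    findings = review()
    for cred, times in findings["failure_series"].items():
        print(f"repeated denials: {cred} x{len(times)} between {times[0]} and {times[-1]}")
    for ts, door, cred in findings["unexpected_grants"]:
        print(f"entry by non-active credential: {cred} at {door} on {ts}")
```

On the constructed data, FOB-2042 is flagged (three denials in under a minute), FOB-3077 is not (its three denials are spread over nine hours), and the single successful entry by FOB-9999 is reported because it is absent from the active list. Comparing the export against the system’s current user listing in this way also produces the evidence an auditor asks for when testing the revocation control.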
Access to the raised-floor data center, within the colocation facility, requires both an access badge card and biometric fingerprint scan. Additionally, the badge system administrators revoke badge access for terminated employees. Unused and unassigned badges are stored in a locked file cabinet. Procedures for terminating or revoking data center access include:
Canceling of door codes, cardkeys, and removal of fingerprint information from access control systems;
Collection of access control credentials and keys from client; and
Removing client authorized name(s) from the operations authorized access list.
The data center is monitored 24 hours per day utilizing alarms, motion detectors and surveillance cameras. Recordings are retained for 90 days, allowing for ad hoc reviews by data center security personnel. Access to client hardware stored in cabinets is restricted to individual client personnel and authorized BroadRiver personnel. Clients do not have access to other clients’ equipment within locked cabinets and cabinets do not designate the client name.
Environmental Security
Environmental security refers to the protection of building sites and equipment (and information and software contained therein) from natural disaster, catastrophes, fire, flood and accidental damage. Documented environmental security policies and procedures are in place to guide personnel in the monitoring of environmental control systems, escalation of status alarms, and the resolution of environmental issues affecting the data center. The data center is equipped with fire detection and fire suppression, including audible and visual fire and smoke alarms; and hand-held fire extinguishers. A third-party specialist is contracted to inspect and maintain the fire detection systems and hand-held fire extinguishers on an annual basis.
The data center is equipped with multiple air conditioning units to maintain consistent temperature and humidity levels. If the temperature or humidity level exceeds pre-defined limits, an audible alarm is triggered. A third-party specialist is contracted to inspect and maintain the air conditioning units on a semi-annual basis. Additionally, facilities personnel inspect the air conditioning units on a monthly basis. Water detection systems are in place to detect leakage from the air conditioning units.
The data center is connected to an uninterruptable power supply (UPS) system and multiple backup generators to provide electricity in the event of a power outage and to help mitigate the risk of power surges impacting the data center infrastructure. A third-party specialist is contracted to inspect and maintain the UPS system and the backup generators on an annual basis. Additionally, facilities personnel perform load tests on the generators on a quarterly basis.
Computer equipment in the data center is maintained in raised racks above the raised floor to aid cooling and prevent damage caused by localized flooding.
Enterprise monitoring applications are utilized to monitor environmental conditions within the data center, including temperature and humidity levels, power levels and availability, and fire detection system and alarm status. When predefined thresholds are exceeded, NOC personnel are notified via on-screen and e-mail alerts. Additionally, facility personnel perform daily patrols to monitor certain environmental equipment and document readings.
Information Security
Documented network security policies and procedures are in place to guide personnel in managing system access and protecting information assets and data. Additionally, the policies and procedures include firewall system administration and maintenance activities. Management reviews the policies and procedures documentation at least annually and updates it as needed.
In order to provision logical access to the infrastructure network that is utilized by BroadRiver to provide colocation connectivity to clients, the individual’s hiring manager sends an e-mail request for system access to the technical operations manager or the senior network engineer. The request contains the user’s name, title, and department and the access permissions needed. The requestor also enters the user’s role for access and a justification for the access. Upon approval of the access request e-mail, network operations personnel provision the requested access.
Network Domain
Private virtual local area networks (VLANs) are configured to segregate network traffic and infrastructure of certain clients, based upon service offering. Access to BroadRiver network infrastructure is protected through the use of authentication protocols. Network operations personnel are authenticated to the infrastructure network that is utilized by BroadRiver to provide colocation connectivity to clients via an authorized user account and password before being granted access to the network domain. The network domain is configured to enforce authentication requirements such as minimum password length, minimum password history, password expiration intervals, invalid password account lockout threshold and password complexity requirements. Administrator access privileges within the network domain are restricted to user accounts accessible by authorized IT personnel. Upon termination of an employee, IT operations personnel revoke network accounts assigned to terminated employees as a component of the employee termination process.
Firewall System and Remote Connectivity
A firewall system is in place to protect the BroadRiver network and data. The firewall resides on the network and analyzes data and packets routed to the BroadRiver internal network. The firewall system is configured to deny any type of network connection that is not explicitly authorized by a firewall rule. In the event of a primary firewall system failure, a secondary firewall system is in place to provide failover firewall services. Additionally, externally routable internet protocol (IP) addresses are not used on the internal production servers; instead, the firewall system is configured to utilize network address translation (NAT) functionality to manage internal IP addresses.
Encrypted virtual private networks (VPNs) are utilized for remote access to help ensure the privacy and integrity of the data passing over the public network.
Administrator access privileges within the firewall and VPN remote access systems are restricted to user accounts accessible by authorized IT personnel. Firewall and VPN administrators are authenticated via a user account and password before being granted access to the systems. BroadRiver uses a Cisco Steel Belted Radius (SBR) server for firewall and VPN device authentication. The firewall and VPN devices on the infrastructure network utilized by BroadRiver to provide colocation connectivity to clients are configured to point to the SBR server for authentication. Individuals attempting to authenticate to the firewalls or VPN devices as administrators are required to be in a specific network domain group in order to be authenticated to the firewall and VPN devices.
Systems Availability
Network Monitoring Services
NOC personnel perform network performance monitoring and reporting services as part of managed network services. The NOC personnel actively monitor devices such as routers, switches, storage area networks (SANs), net flow auditors, wired firewall clusters, and wireless intrusion detection systems. Network monitoring activities are guided by incident response and support policies and procedures that address severity level definitions, escalation reporting, and response time requirements for service alerts. These policies and procedures are reviewed by management on an annual basis and updated as necessary.
Network operations personnel utilize the Zenoss enterprise monitoring application to monitor the availability of the network, colocation services and ports. Zenoss is configured to identify network issues in real time, including:
Device up / down status;
Device response time and latency;
Device packet loss percentage;
Central processing unit (CPU) load percentage;
Memory load percentage;
Interface up / down status;
Interface load percentage;
Disk volume usage percentage;
Inlet and / or outlet temperature range;
Device redundancy / failover triggers; and
Application availability.
The enterprise monitoring application is configured to send on-screen and e-mail alert notifications to network operations personnel when predefined thresholds are exceeded on monitored network devices. Network operations personnel utilize predefined severity levels to categorize and escalate network problems. Additionally, Zenoss is capable of generating reports for ongoing monitoring of performance metrics and SLA adherence, including, but not limited to, the following:
Availability;
Alert history; and
Trend analysis reports.
Network Incident Identification and Escalation
BroadRiver operates its controlled networks and IT infrastructure on a 24 hour per day basis. During normal business hours (8AM-7PM Eastern Standard Time, Monday-Friday), the network operations personnel in the Atlanta, Georgia, corporate office facility and colocation facility provide identification and processing of client Tier 1, Tier 2 and Tier 3 incidents. Overflow incident escalations during normal business hours, as well as after-hours incidents are routed to the off-site NOC facility for processing and handling.
Clients have three methods of contacting BroadRiver to report a problem:
Telephone;
Internet; and
Internet issues are submitted directly to the Help Desk or via the clients’ BroadRiver business center portal.
Network issues, failures and anomalies, including those detected by the Zenoss application and those submitted by clients, are recorded in the IssueTrak automated ticketing system. The IssueTrak system is utilized to document, prioritize, escalate and track the resolution of problems affecting colocation services. BroadRiver has redundancy built into its network infrastructure that allows alternative equipment to take over in the event of a primary system failure.
System Maintenance
The system maintenance process is designed to manage changes to existing client infrastructure, software and hardware with minimal disruptions, risk and complexity, while maintaining agreed-upon service levels. This includes identifying a business reason behind each change and the specific configurations and services affected by the change, planning the change, and where necessary, testing the change, and having a documented back out plan should the change result in an unexpected state of the client infrastructure. Documented change management policies and procedures are in place to guide personnel in the request, documentation, and approval of changes to internal BroadRiver and client infrastructure, including the following:
Cisco hardware changes;
Juniper M series hardware changes;
Firewall hardware changes;
Changes to IP routing protocol areas;
Changes to transit peering providers;
Changes to core network interconnections;
OS/IOS revision changes; and
Blade and VM chassis backplane changes.
Change Request Submittal
Clients submit change requests via e-mail submission to the help desk e-mail address, or via e-mail submission to BroadRiver sales and support personnel. Requests submitted to the help desk e-mail account result in an automatically generated change request form. BroadRiver sales and support personnel manually generate change request forms for requests received via e-mail. Attributes documented in the change request forms include, but are not limited to, the following:
Client name and client representative requesting the change;
Change description;
Priority level;
Change status; and
Change history.
A change management tracking system is utilized to maintain, manage, and monitor change activities. Requests for infrastructure software or hardware changes are restricted to pre-authorized client representatives. Specifically, clients with the ability to request infrastructure changes are limited to either the “technical contact” client personnel listed in the clients’ contact profile, for technical requests; or the “billing / admin” client personnel listed in the clients’ contact profile, for billing, service connection and service disconnection requests. The authorized client representatives are established at the time the clients sign their initial service contracts with BroadRiver. Clients have the ability to update their client contacts via the BroadRiver business portal.
Change Request Approval
Clients approve infrastructure software or hardware changes via a signed service order form or via a workflow enabled electronic ticketing system prior to implementation; however, clients’ approval for certain changes is inherent in their initial request. The ticketing system is configured to send client requestors e-mail notifications of the following events:
Confirmation of receipt of change request;
Confirmation that the request is closed and work is completed.
Change Testing and Change Implementation
For certain infrastructure change requests, operations personnel perform an impact assessment and develop a back out plan that is documented within the change management tracking application. The ability to implement changes to client infrastructure software or hardware is restricted to user accounts accessible by authorized IT personnel.
CONTROL OBJECTIVES AND RELATED CONTROLS
The BroadRiver control objectives and related controls are included in Section 4 of this report, “Control Descriptions, Related Controls and Tests of Operating Effectiveness”, to eliminate the redundancy that would result from listing them in this section and repeating them in Section 4. Although the control objectives and related controls are included in Section 4, they are, nevertheless, an integral part of the service organization’s description of controls.
USER ENTITY CONTROL CONSIDERATIONS
Support for user entities as performed by BroadRiver and the control activities at BroadRiver cover only a portion of the overall internal control for each user entity. It is not feasible for the control objectives related to the Data Center Services system to be solely achieved by BroadRiver. BroadRiver’s controls over the systems and infrastructure supporting the Data Center Services system were designed with the assumption that certain controls would be in place and in operation at user entities. User entity internal controls must be evaluated, taking into consideration BroadRiver’s controls and their own internal controls. BroadRiver does not make any representations regarding responsibility related to, or provide any assurance in regards to any such internal control or regulatory requirements for which the client must assess or comply.
This section describes some of the control considerations for user entities, or “complementary user entity controls”, which should be in operation at user entities to complement the controls at the service organization. User auditors should determine whether user entities have established controls to ensure that control objectives within this report are met. The “complementary user entity controls” presented below should not be regarded as a comprehensive list of all controls that should be employed by user entities. There may be additional control objectives and related controls that would be appropriate for the processing of user transactions that are not identified in this report.
Control Considerations for User Entities
1. User entities are responsible for ensuring their cabinets are locked and their equipment is secured prior to leaving the premises.
2. User entities are responsible for informing their vendors of BroadRiver’s policies and procedures regarding conduct in the colocation facility and the data center.
3. User entities are responsible for providing BroadRiver the listing of individuals authorized to access the colocation facility and the data center, and for notifying BroadRiver if an individual should be removed from the access list.
4. User entities are responsible for establishing and adhering to BroadRiver’s security procedures to prevent the unauthorized or unintentional use of information systems and infrastructure.
5. User entities are responsible for immediately notifying BroadRiver of any actual or suspected security breaches, including compromised user accounts.
6. User entities are responsible for implementing their own logical access control systems to secure their infrastructure.
7. User entities are responsible for periodically reviewing security configurations and access privileges.
8. User entities are responsible for responding to known or suspected incidents reported by BroadRiver personnel.
9. User entities are responsible for creating and communicating specific escalation procedures for problems with their services and for notifying BroadRiver of changes to their escalation procedures.
10. User entities are responsible for ensuring that the impact of scheduled maintenance activities to their production processes and jobs is sufficiently mitigated.
11. User entities are responsible for notifying BroadRiver of required changes to their services and for responding to BroadRiver inquiries or notifications regarding their solutions.
12. User entities are responsible for reviewing proposed changes and acknowledging the successful completion of change requests reported to the BroadRiver operations support staff.
13. User entities are responsible for notifying and informing BroadRiver of the approval or denial of requested changes or product solutions.
14. User entities are responsible for updating their client contacts by submitting a change request to the Customer Care, Billing, or Sales teams.
SECTION 4:
CONTROL DESCRIPTIONS, RELATED CONTROLS AND TESTS OF
OPERATING EFFECTIVENESS
INFORMATION PROVIDED BY THE SERVICE AUDITOR
Introduction
This report is intended to provide user entities and user auditors with information about controls that may affect the Data Center Services system provided by BroadRiver and to provide information about the operating effectiveness of controls that were tested. This report, when combined with an understanding of the internal controls in place at user entities, is intended to assist the user auditor in planning the audit of the financial statements of user entities. It may be used in assessing control risk associated with user entity financial statement assertions that could be impacted by the Data Center Services system provided by BroadRiver.
The scope of our testing of BroadRiver’s controls was limited to the control objectives and the related controls specified by BroadRiver and contained within Section 4 of this report, which management believes to be the relevant key controls for the objectives stated.
The examination was performed in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 16 (“SSAE 16”), “Reporting on Controls at a Service Organization”, as amended. It is each interested party’s responsibility to evaluate this information in relation to controls in place at user entities to obtain an overall understanding of internal control and to assess control risk. Controls in place at user entities and BroadRiver’s controls must be evaluated together. A general, but not inclusive, listing of control considerations is provided in Section 3, “User Entity Control Considerations.” If an effectively operating user entity internal control is not in place, the controls at BroadRiver may not sufficiently compensate for the deficiency.
Tests of Operating Effectiveness
Our tests of the operating effectiveness of the controls specified by BroadRiver included such tests as we considered necessary in the circumstances to obtain reasonable, but not absolute, assurance that the controls operated in a manner that achieved the specified control objectives during the period from August 1, 2014 to July 31, 2015. In selecting particular tests of the operating effectiveness of controls we considered 1) the nature of the controls being tested; 2) the types and completeness of available evidential matter; 3) the nature of the control objectives to be achieved; 4) the assessed level of control risk; 5) the expected efficiency and effectiveness of the test; and, 6) the testing of other controls relevant to the stated control objectives.
Testing exceptions, if any, and information about specific tests of the operating effectiveness performed that may be relevant to the interpretation of testing results by user entities or user auditors for the controls specified to achieve the stated objective are presented in this section under the column heading “Results of Testing”. Exceptions identified herein are not necessarily considered significant deficiencies or material weaknesses in the total system of internal controls of BroadRiver, as this determination can only be made after consideration of controls in place at user entities. Control considerations that should be exercised by BroadRiver’s clients in order to complement the controls of BroadRiver to attain the stated objectives are presented in relation to the nature of services being audited and the controls specified by BroadRiver.
Types of Tests Performed
The table below describes the nature of our audit procedures and tests performed to evaluate the operational effectiveness of the controls detailed in the matrices that follow:
Test Types | Description of Tests
Inquiry | Inquired of appropriate personnel seeking relevant information or representation to obtain the following information about the control:
    Knowledge and additional information regarding the policy or procedure; and
    Corroborating evidence of the policy or procedure.
Inspection | Inspected documents and records indicating performance of the control. This includes, but is not limited to, the following:
    Examination / Inspection of source documentation and authorizations to verify transactions processed;
    Examination / Inspection of documents or records for evidence of performance, such as existence of initials or signatures;
    Examination / Inspection of systems documentation, configurations and settings; and
    Examination / Inspection of procedural documentation such as operations manuals, flow charts and job descriptions.
Observation | Observed the implementation, application or existence of specific controls as represented.
Sampling Methodology
The table below describes the sampling methodology utilized in our testing to evaluate the operational effectiveness of the controls detailed in the matrices that follow:
Type of Control and Frequency | Minimum Number of Items to Test (Period of Review Six Months or Less) | Minimum Number of Items to Test (Period of Review More than Six Months)
Manual control, many times per day | At least 25 | At least 40
Manual control, daily (Note 1) | At least 25 | At least 40
Manual control, weekly | At least 5 | At least 10
Manual control, monthly | At least 3 | At least 4
Manual control, quarterly | At least 2 | At least 2
Manual control, annually | Test annually | Test annually
Application controls | Test one operation of each relevant aspect of each application control if supported by effective IT general controls; otherwise test at least 15 | Test one operation of each application control if supported by effective IT general controls; otherwise test at least 25
IT general controls | Follow guidance above for manual and automated aspects of IT general controls | Follow guidance above for manual and automated aspects of IT general controls
Note 1: Some controls might be performed frequently, but less than daily. For such controls, the sample size should be interpolated using the above guidance. Generally, for controls where the number of occurrences ranges from 50 to 250 during the year, our minimum sample size using the above table should be approximately 10% of the number of occurrences.
TESTING MATRICES
Physical Security
Control Objective Specified by the Service Organization: Control activities provide reasonable assurance that data center infrastructure is protected from unauthorized access, damage and interference.
# | Control Activities Specified by the Service Organization | Tests Applied by the Service Auditor | Testing Results
1.1 Documented physical security policies and procedures are in place to guide personnel in granting, controlling, and monitoring physical access to the corporate office facility, the colocation facility, and the data center.
Inquired of the Facilities Manager to verify that documented physical security policies and procedures were in place to guide personnel in granting, controlling, and monitoring physical access to the corporate office facility, the colocation facility, and the data center.
No relevant exceptions noted.
Inspected the physical security policies and procedures to verify that documented physical security policies and procedures were in place to guide personnel in granting, controlling, and monitoring physical access to the corporate office facility, the colocation facility, and the data center.
No relevant exceptions noted.
1.2 The Service Manager performs a review of badge access logs on a quarterly basis.
Inquired of the CLEC Director to verify that the Service Manager performed a review of badge access logs on a quarterly basis.
No relevant exceptions noted.
Inspected the completed physical access review tickets for a sample of quarters within the opinion period to verify that the Service Manager performed a review of physical access privileges on a quarterly basis.
No relevant exceptions noted.
Corporate Office Facility
1.3 A Receptionist monitors access to the main entrance of the corporate office facility during normal business hours.
Inquired of the CLEC Director to verify that the Receptionist monitored access to the main entrance of the corporate office facility during normal business hours.
Observed during onsite procedures performed that the Receptionist monitored the main entrance during business hours to verify that a receptionist monitored access to the main entrance of the corporate office facility during normal business hours.
No relevant exceptions noted.
1.4 Visitors are required to sign a visitor log at the reception desk upon entrance to the corporate office facility.
Inquired of the CLEC Director to verify that visitors were required to sign a visitor log at the reception desk upon entrance to the corporate office facility.
No relevant exceptions noted.
Observed the visitor registration process to verify that visitors were required to sign a visitor log at the reception desk upon entrance to the corporate office facility.
No relevant exceptions noted.
Inspected the visitor logs for a sample of months within the opinion period to verify that visitors were required to sign a visitors log at the reception desk upon entrance to the corporate office facility.
No relevant exceptions noted.
1.5 Visitors are required to wear a temporary visitor badge while visiting the corporate office facility.
Inquired of the CLEC Director to verify that visitors were required to wear a temporary visitor badge while visiting the corporate office facility.
No relevant exceptions noted.
Observed the visitor registration process to verify that visitors were required to wear a temporary visitor badge while visiting the corporate office facility.
No relevant exceptions noted.
1.6 An electronic key fob access system is utilized to control access to, and movement within, the corporate office facility.
Inquired of the CLEC Director to verify that an electronic key fob access system was utilized to control access to, and movement within, the corporate office facility.
Observed the in place key fob readers to verify that an electronic key fob access system was utilized to control access to, and movement within, the corporate office facility.
No relevant exceptions noted.
Inspected the electronic key fob access system user listing to verify that an electronic key fob access system was utilized to control access to, and movement within, the corporate office facility.
No relevant exceptions noted.
1.7 The key fob access system logs both successful and unsuccessful access attempts for ad hoc forensic investigation purposes. Access attempts are traceable to specific key fobs.
Inquired of the Service Manager to verify that the key fob access system logged both successful and unsuccessful access attempts for ad hoc forensic investigation purposes. Access attempts were traceable to specific key fobs.
No relevant exceptions noted.
Inspected the key fob access system activity logs to verify that the key fob access system activity logged both successful and unsuccessful access attempts for ad hoc forensic investigation purposes. Access attempts were traceable to specific key fobs.
No relevant exceptions noted.
1.8 Administrator access privileges to the electronic key fob access system are restricted to a single shared user account accessible by authorized IT personnel (2).
Inquired of the Service Manager to verify that administrator access privileges to the electronic key fob access system were restricted to a single shared user account accessible by authorized IT personnel (2).
No relevant exceptions noted.
Inspected the system’s administrative access list to verify that administrator access privileges to the electronic key fob access system were restricted to a single shared user account accessible by authorized IT personnel (2).