Service Organization Controls 2 Report
Description of the Administration of Verizon Terremark Colocation Services Relevant to Security and Availability
For the Period from November 1, 2012 to October 31, 2013
With Independent Service Auditor’s Report including Tests Performed and Results Thereof
We Are VERIZON
1304-1059738
Table of Contents
Verizon Communications Inc.’s Management Assertion ... 1
Independent Service Auditor’s Report ... 4
Description of the Administration of Verizon Terremark Colocation Services for the Period from November 1, 2012 to October 31, 2013 ... 8
Company Overview ... 8
Boundaries of the System ... 8
Components of the System ... 10
Description of the Control Environment, Control Activities, Information Communication, Monitoring and Risk Assessment Processes ... 12
Control Environment ... 12
Management Controls ... 12
Monitoring ... 14
Risk Assessment ... 14
Information and Communication ... 14
Criteria and Controls ... 14
Physical Security ... 15
Environmental Safeguards ... 17
Network Availability ... 18
Business Continuity and Disaster Recovery ... 19
Certain User Entity Obligations (CUO) ... 19
Description of Criteria, Controls, Tests, and Results of Tests ... 20
Tests Performed and Results of Tests of Entity-Level Controls ... 20
Criteria and Controls ... 20
Security and Availability Policies Criteria ... 21
Security and Availability Communications Criteria ... 23
Security and Availability Procedures Criteria ... 28
Security and Availability Monitoring Criteria ... 46
Other Information Provided by Verizon Communications, Inc. ... 49
Verizon Communications Inc.’s Management Assertion
February 21, 2014
We have prepared the accompanying Description of the Administration of Verizon Terremark Colocation Services for the period from November 1, 2012 to October 31, 2013 (Description) of Verizon Communications Inc. (Service Organization) based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service organization’s system set forth in paragraph 1.34 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (the description criteria). The Description is intended to provide users with information about the Administration of Verizon Terremark Colocation Services (System), particularly system controls, intended to meet the criteria for the security and availability principle(s) set forth in the AICPA’s TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable Trust Services criteria).
Verizon Terremark Colocation Services data centers included in the Description are in the following geographic locations:
Amsterdam, The Netherlands
Bogota, Colombia
Culpeper, VA
Istanbul, Turkey
Miami, FL
Richardson, TX
Santa Clara, CA
Sao Paulo, Brazil
The management of Verizon Communications Inc. confirms, to the best of its knowledge and belief, that:
a. the Description fairly presents the System throughout the period from November 1, 2012 to October 31, 2013, based on the following description criteria:
i. the Description contains the following information:
(1) The types of services provided.
(2) The components of the System used to provide the services, which are the following:
Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks).
People. The personnel involved in the operation and use of a system (developers, operators, users, and managers).
Procedures. The automated and manual procedures involved in the operation of a system.
Data. The information used and supported by a system (transaction streams, files, databases, and tables).
(3) The boundaries or aspects of the System covered by the Description.
(4) How the System captures and addresses significant events and conditions.
(5) The process used to prepare and deliver reports and other information to user entities or other parties.
(6) If information is provided to, or received from, other parties, how such information is provided or received; the role of the other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.
(7) For each principle being reported on, the applicable Trust Services criteria and the related controls designed to meet those criteria, including, as applicable, certain user entity obligations contemplated in the design of the Service Organization’s System.
(8) Any applicable Trust Services criteria that are not addressed by a control at the Service Organization and the reasons therefor.
(9) Other aspects of the Service Organization’s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable Trust Services criteria.
(10) Relevant details of changes to the Service Organization’s System during the period covered by the Description.
ii. the Description does not omit or distort information relevant to the Service Organization’s System while acknowledging that the Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the System that each individual user may consider important to his or her own particular needs.
b. the controls stated in the Description, together with the user entity obligations described in the Description if operating effectively, were suitably designed throughout the specified period to meet the applicable Trust Services criteria.
Verizon Communications Inc.
One Verizon Way

Ernst & Young LLP
One Commerce Square, Suite 700
2005 Market Street
Philadelphia, PA 19103
Tel: +1 215 448 5000
Fax: +1 215 448 5500
ey.com
Independent Service Auditor’s Report
Board of Directors
Verizon Communications Inc.
Scope
We have examined Verizon Communications Inc.’s accompanying Description of the Administration of Verizon Terremark Colocation Services for the period from November 1, 2012 to October 31, 2013 (Description) of its Administration of Verizon Terremark Colocation Services System for data center colocation hosting throughout the period November 1, 2012 to October 31, 2013, based on the criteria set forth in paragraph 1.34 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (the description criteria) and the suitability of the design and operating effectiveness of controls described therein to meet the criteria for the security and availability principle(s) set forth in the AICPA’s TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable Trust Services Criteria) throughout the period from November 1, 2012 to October 31, 2013. The Description indicates that certain applicable Trust Services criteria specified in the Description can be met only if certain user entity obligations contemplated in the design of Verizon Communications Inc.’s controls are suitably designed and operating effectively, along with related controls at the Service Organization. We have not evaluated the suitability of the design or operating effectiveness of such user entity obligations.
Verizon Terremark Colocation Services data centers included in the Description are in the following geographic locations:
Amsterdam, The Netherlands
Bogota, Colombia
Culpeper, VA
Miami, FL
Richardson, TX
Santa Clara, CA
The information in the accompanying Other Information Provided by Verizon Communications Inc. is presented by the Company to provide additional information and is not part of Verizon’s Description. Such information has not been subjected to the procedures applied in our examination of the Description.
Verizon Communications Inc.’s responsibilities
Verizon Communications Inc. has provided the accompanying assertion titled, Verizon Communications Inc.’s Management Assertion (Assertion) about the fairness of the presentation of the Description based on the description criteria and suitability of the design and operating effectiveness of the controls described therein to meet the applicable Trust Services criteria. Verizon Communications Inc. is responsible for (1) preparing the Description and Assertion; (2) the completeness, accuracy, and method of presentation of the Description and Assertion; (3) providing the services covered by the Description; (4) specifying the controls that meet the applicable Trust Services criteria and stating them in the Description; and (5) designing, implementing, and documenting the controls to meet the applicable Trust Services criteria.
Service auditor’s responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the Description based on the description criteria and on the suitability of the design and operating effectiveness of the controls described therein to meet the applicable Trust Services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the Description is fairly presented based on the description criteria, and (2) the controls described therein are suitably designed and operating effectively to meet the applicable Trust Services criteria throughout the period from November 1, 2012 to October 31, 2013.
An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of the service organization’s controls, involves performing procedures to obtain evidence about the fairness of the presentation of the Description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable Trust Services criteria. Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or operating effectively. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable Trust Services criteria were met. Our examination also included evaluating the overall presentation of the Description. We believe that the evidence we have obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Inherent limitations
The Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to its own particular needs. Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable Trust Services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description, or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable Trust Services criteria is subject to the risk that the system may change or that controls at a service organization may become ineffective or fail.
Opinion
In our opinion, in all material respects, based on the description criteria and the applicable Trust Services criteria:
a. the Description fairly presents the Administration of Verizon Terremark Colocation Services System that was designed and implemented throughout the period from November 1, 2012 to October 31, 2013.
b. the controls stated in the Description were suitably designed to provide reasonable assurance that the applicable Trust Services criteria would be met if the controls operated effectively throughout the period from November 1, 2012 to October 31, 2013 and if user entities applied the user entity obligations contemplated in the design of Verizon Communications Inc.’s controls throughout the period from November 1, 2012 to October 31, 2013.
c. the controls tested, which, together with the user entity obligations referred to in the scope paragraph of this report if operating effectively, were those necessary to provide reasonable assurance that the applicable Trust Service criteria were met, operated effectively throughout the period from November 1, 2012 to October 31, 2013.
Description of tests of controls
The specific controls tested and the nature, timing, and results of those tests are listed in the accompanying Description of Control Objectives, Controls, Tests, and Results of Tests (Description of Tests and Results).
Restricted use
This report, including the description of tests of controls and results thereof in the Description of Tests and Results, is intended solely for the information and use of Verizon Communications Inc., user entities of Verizon Communications Inc.’s System, and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:
The nature of the service provided by the Service Organization
How the Service Organization’s System interacts with user entities or other parties
Internal control and its limitations
Certain user entity obligations and how they interact with related controls at the Service Organization to meet the applicable Trust Services criteria
The applicable Trust Services criteria
The risks that may threaten the achievement of the applicable Trust Services criteria and how controls address those risks
This report is not intended to be and should not be used by anyone other than these specified parties.
February 21, 2014
Description of the Administration of Verizon Terremark Colocation Services for the Period from November 1, 2012 to October 31, 2013
Company Overview
Verizon Terremark (the Company) is one of three operating units of Verizon Communications Inc. (NYSE: VZ). The Company delivers advanced IP, data, voice and wireless solutions to a majority of the Fortune 500 businesses and government agencies in more than 200 state-of-the-art data centers in 23 countries across five continents. Verizon Terremark’s global IP footprint serves 4,000+ networks in 142 countries and territories, including non-Verizon Terremark connections from more than 60 network providers globally. Verizon Terremark provides information technology deployments with advanced infrastructure and managed service offerings that deliver the scale, security, and reliability necessary to meet the requirements of enterprises and governments around the world.
Boundaries of the System
Verizon Terremark’s core business function is to provide strategically positioned data centers around the world within which customers/potential customers can host their computing, storage, telecommunications and application server hardware. Verizon Terremark Colocation Services include providing hardware, software, network technology, physical security, and environmental safeguards necessary to offer customers a comprehensive colocation hosting solution. Verizon Terremark facilities offer choices and redundancies in communication infrastructure. Verizon Terremark data centers are connected to multiple domestic fiber backbones, undersea cables and over 160 carriers providing customers access to virtually any location in the world.
Colocation customers have the ability to contract services directly with carriers in the Verizon Terremark facilities for the connectivity and redundancy they require.
Depending on customer requirements, racks, cabinets, or customized caged floor spaces are available across a global footprint of hardened and secure facilities. Verizon Terremark configures the customer site either in a locked server cabinet/rack or a cage which consists of multiple server racks/cabinets that are based on each individual customer’s specifications. Verizon Terremark is responsible for setting up each individual customer’s environment including the customer cabinets and cages, providing network connectivity and power for the environment, administering physical access to the environment and managing the environmental safeguard systems. Once the customer environment has been set up, Verizon Terremark turns over the environment to the customer who is then responsible for building/staging the remainder of its own infrastructure and establishing physical access control lists. Verizon Terremark does not control customer-specific hardware, operating systems, databases, applications, or any other content loaded on the customer hardware. Verizon Terremark does not administer or access customer systems at the operating system, database, or application levels.
Data Centers
The hardened facilities sit on top of Tier 1 networks. The data centers provide the physical security for sensitive business applications and n+2 redundant power and cooling backed by service level agreements (SLAs). Verizon Terremark provides ongoing monitoring and on-site technical support. The specific Verizon Terremark Colocation Services included within the scope are in the following geographic locations:
Amsterdam, The Netherlands
Bogota, Colombia
Culpeper, VA
Istanbul, Turkey
Miami, FL
Richardson, TX
Santa Clara, CA
Sao Paulo, Brazil
Network
Verizon Terremark provides customers network connectivity, with plug-and-play access to leading global carriers, delivering a competitive marketplace of connectivity that allows customers to strategically select the connectivity service best suited to their business. Verizon Terremark’s peering fabric brings together providers from around the world to a common location for handing off traffic and making connections. Verizon Terremark provides zero mile connectivity to the world.
Service Delivery Platform (SDP) Service Management
Verizon Terremark’s next generation SDP Service Management system is driven by a focus on computing, network design, operations and management. This advanced technology represents the optimization of the surrounding technical operations and business processes to create the architectural logic of an entire managed environment. It integrates the capability for Verizon Terremark to manage its services for customers through the following modules: Order Broker, Entity Manager, Alert Management, Implementation, Configuration Management Database (CMDB), Change Management, Ticketing, and Verizon Terremark View Point.
Managed Router Service (MRS)
Verizon Terremark offers a Managed Router Service (MRS) that leverages the global network connectivity provided by the telecommunications companies located within Verizon Terremark’s carrier-neutral facilities. MRS provides optimal access to the Internet without the purchase and management of individually owned Internet routers.
Using Verizon Terremark’s Managed Route Control Platform (MRCP), the MRS solution helps ensure the best possible path to the Internet in real-time. Verizon Terremark intelligently routes Internet traffic across multiple networks, reducing latency and providing redundancy in the event of a problem.
Hybrid Capabilities
Verizon Terremark has the ability to provide hybrid solutions that combine traditional colocation with cloud computing environments and managed hosting. Existing physical devices and private networks can also be integrated into cloud environments as needed. Verizon Terremark’s hybrid capabilities provide customers with access to various levels of support depending on their requirements.
RemoteHands SmartHands Service
Verizon Terremark’s RemoteHands SmartHands services assist customers that need remote access to equipment for performing simple troubleshooting or maintenance tasks. Verizon Terremark’s staff can perform basic tasks that may require the use of tools or equipment. Verizon Terremark RemoteHands SmartHands services are available on demand or by subscription in four-hour blocks per month.
Network and Connectivity Services
Verizon Terremark’s Managed Network and Connectivity services include the basic layer one services such as physical interconnection to more complex layer three monitoring of networks and alerts. Carrier-neutral design provides zero mile access to robust connectivity and at the same time delivers cost savings, flexibility, and can scale to match customer growth while still delivering the performance customers demand.
Cross-connect Services
Cross-connectivity is provided to customers in a streamlined manner through the adoption of a centralized hub named a “Meet Point Room”, to which all inbound and outbound interconnections are routed to service the colocation customers. Cross-connects can be delivered by means of copper (POTS), coaxial, unshielded twisted pair (UTP) and fiber.
Exchange Services – Peering
Verizon Terremark's state-of-the-art Exchange Platform is at the core of Verizon Terremark’s network and offers a total switching capacity of over 1.0 Tbps. In addition to providing flexible and reliable Ethernet-virtual local area network (VLAN) and Optical/Digital connections for the exchange of Internet traffic, Verizon Terremark’s Exchange Platform is used for the provisioning of next generation network-based services.
Verizon Terremark’s Exchange Platform employs an industry-leading and state-of-the-art Ethernet technology. The Exchange Platform is the vehicle used to reach many businesses and consumers served by the companies connected to Verizon Terremark, enabling Internet Protocol (IP)-based products and services to easily reach virtually anywhere in the world.
Components of the System
Verizon’s System includes infrastructure, software, people, procedures and data:
Infrastructure – the physical and hardware components of the System including facilities, equipment, and networks.
Verizon Terremark infrastructure includes the Verizon Terremark Colocation Services network backbone. Verizon Terremark does not control customer-specific hardware, operating systems, databases, applications, or any other content loaded on the customer hardware. Verizon Terremark configures the customer site either in a locked server cabinet/rack or a cage which consists of multiple server racks/cabinets that are based on each individual customer’s specifications. Verizon Terremark is responsible for setting up each individual customer’s environment including the customer cabinets and cages, providing network connectivity and power for the environment, and managing the environmental safeguard systems. Once the customer environment has been set up, Verizon Terremark turns over the environment to the customer who is then responsible for building/staging its own infrastructure.
Software – the programs and operating software of the System including systems, applications, and utilities.
Verizon Terremark does not administer or access customer systems at the operating system, database, or application levels. As part of the Verizon Terremark service, when a customer is not able to be on-site at the Verizon Terremark data center, Verizon Terremark provides hands-on technical support should the customer require technical assistance such as a system reboot or a hardware replacement.
People – the personnel involved in the operation and use of the System including developers, operators, users, and managers.
The Company’s organizational structure provides the overall framework for planning, directing, and controlling operations. Personnel and business functions are separated into departments according to job responsibilities. The structure provides defined responsibilities and lines of authority for reporting and communication. The assignment of roles and responsibilities within the various departments provides effective segregation of duties. All team members are recruited and managed using Verizon’s global policies and procedures described in the Description of the Control Environment, Control Activities, Information Communication, Monitoring and Risk Assessment Processes section.
The following teams are involved in the services provided by Verizon Terremark Colocation Services solution:
NOC administration – Responsible for functions such as management of network infrastructure including switches, firewalls, load balancers, routers and virtual private network platforms.
Facilities administration – Responsible for maintenance functions for systems such as electrical power, air conditioning and humidity, UPS, electric generators, fire suppression, smoke detection, real-time monitoring with alarms and alerts.
Service Center – Responsible for functions such as dedicated customer support, troubleshooting, issue and problem management, escalation and resolution procedures.
Procedures – the automated and manual procedures involved in the operation of the System. The Company’s employees adhere to Verizon’s global policies that define how services should be delivered. The policies are located on Verizon’s intranet and can be accessed by the
Data – the information used and supported by the System.
Verizon does not manage or input data into customer systems and is not responsible for the accuracy or completeness of customer data. Customer data necessary to provide the services within the boundaries of the System is managed in accordance with the relevant data protection and other regulations, with any specific requirements specified in the customer contracts.
Description of the Control Environment, Control Activities, Information Communication, Monitoring and Risk Assessment Processes
Control Environment
The control environment reflects the overall attitude and awareness of management and personnel concerning the importance of controls and the emphasis given to controls in the Company’s policies, procedures, and actions. The organizational structure, separation of job responsibilities by departments and business function, and documentation of policies and procedures, are the methods used to define and implement operational controls. The following is a description of the five components of internal control as they pertain to Verizon Terremark.
Management Controls
Verizon management is responsible for directing and controlling operations and for establishing, communicating, and monitoring control policies and procedures. Management focuses on maintaining sound internal controls and the integrity and ethical values of all Company personnel. Organizational values and behavioral standards are communicated to all personnel through policy statements and guidelines during new hire orientation and are also available for review on the Company intranet.
Verizon Board of Directors, assisted by its committees, directs the affairs of the Company. Twelve directors hold office until the next annual meeting of stockholders and until a successor is duly elected and qualified. The election of directors requires the affirmative vote of a majority of the votes represented and entitled to vote at the annual meeting.
Verizon Corporate Governance and Policy Committee provides oversight and guidance to the membership, structure, policies and processes of the Board of Directors and its committees to facilitate the effective exercise of the Board's role in the governance of the Corporation. In addition, the Committee reviews the Company's governance and policy processes. In carrying out its activities, the Committee is supported by the Corporate Secretary as the Company's chief governance officer.
Verizon Human Resources Committee (HRC) oversees management in the development and implementation of human resource practices and policies. One of the programs the HRC has developed is succession planning, which enhances the Company’s strategic objectives and promotes equal opportunity and diversity. Additionally, the HRC reviews management compensation and benefit plans to make sure they are competitive so as to attract, motivate, and retain highly qualified employees.
Verizon Audit Committee is appointed by the Board of Directors to oversee (1) management in the performance of its responsibility for the integrity of the Company's accounting and financial reporting, and its systems of internal controls, (2) the performance and qualifications of the independent auditor (including the independent auditor's independence), (3) the performance of the Company's internal audit function, and (4) the Company's compliance with legal and regulatory requirements.
The Internal Controls Organization, in conjunction with Verizon Internal Audit, assesses the effectiveness of the internal control structure and procedures for financial reporting on an annual basis. The Internal Controls Organization works with key business units and process owners throughout the entire Company to ensure management establishes and maintains an adequate internal control structure and procedure for collecting, processing, and disclosing financial information.
Verizon has implemented policies and procedures to address critical financial and operational processes including human resources, information systems, and operations.
Personnel Policies and Procedures
The competence of employees is a key element of the control environment. Verizon is committed to the development of its employees. This commitment to competence is expressed in the Company’s personnel policies and related human resources programs. Specific indicators of the commitment to personnel development include recruiting and hiring policies, investment in training and development, and performance monitoring.
Verizon’s commitment to competence begins with recruiting, which is the joint responsibility of the Human Resources Department and business unit managers. Hiring decisions are based on various factors, including educational background, prior relevant experience, past accomplishments, and evidence of integrity and ethical behavior.
The Company’s commitment to the development of its staff includes an active performance monitoring process. The process is co-managed by each employee and his or her manager. The process entails the development of specific, quantifiable objectives for the coming period, periodic discussions of progress in meeting those objectives, and an annual formal review of the employee’s overall performance in the current position as well as career development discussions to help prepare the individual for advancement.
Integrity and high ethical standards are qualities essential to the business of the Company and are viewed as fundamental standards of behavior for all employees. At Verizon, the standards of integrity and ethics are demonstrated daily by the personal conduct of management and various controls, including guidelines for handling confidential information and policies stipulating that employees comply with all laws, regulations, and corporate policies as a condition of continuing employment. In addition, the Company has a code of conduct and requires all employees to formally acknowledge their commitment to performing in a professional and ethical manner.
Further, each employee is expected to report any suspected violation of or exception to these policies by another Verizon employee or by an outsider. Recognizing the sensitive nature of these situations, employees have several options for bringing them to management’s attention. The Company has also instituted an open-door policy to facilitate open and frequent communication with executive management.
Monitoring
Management has implemented a division of roles and responsibilities, which limits the ability of a single individual to subvert critical processes. This segregation of duties increases control over processes that may impact customer systems. There are procedures in place to help ensure that personnel perform only those duties related to their positions.
Management has defined and implemented relevant procedures to control the activities of consultants and other contract personnel in order to protect the organization’s assets. Contractors and consultants are issued access badges based upon responsibility and job scope. These badges include an expiration date which is based upon their contract.
Management verifies personnel references for new hires before they are hired, transferred, or promoted, with additional screening checks depending on the sensitivity of the position.
Risk Assessment
Verizon employs both formal and informal risk assessment procedures. A formal risk assessment is conducted annually by the Company’s executive management and is reviewed by the Verizon Audit Committee. The process includes identifying, prioritizing, and ranking risks at both the entity and activity level. Criteria used to rank risks include, but are not limited to, financial activities, technological complexity and dependencies, and process impact on the Company’s reputation.
Other assessments that are performed consider economic and industry factors affecting the Company, business planning, and discussions with market analysts by each business unit.
Information and Communication
Management is committed to maintaining effective communication with all personnel and customers. To help align Verizon strategies and goals with operating performance as it relates to customers, management across all departments participates in weekly meetings in order to discuss the status of service delivery or other matters of interest and concern. Issues or suggestions identified by personnel are readily brought to the attention of management to be addressed and resolved.
On a monthly basis, operating performance reports are provided to management to summarize the performance statistics of the various products, including, but not limited to, utilization and problem reporting. Daily alerts are provided to product support personnel regarding problems. Senior management is presented with a summary of operations and future business plans on a quarterly basis.
Criteria and Controls
The Trust Services Criteria and the controls that meet the criteria are listed in the accompanying Description of Criteria, Controls, Tests, and Results of Tests. The management of Verizon has specified its controls that meet the criteria for Security and Availability. The controls are:
• Policies: Verizon has defined and documented its policies relevant to the Security and Availability principles.
• Communications: Verizon has communicated its defined policies to responsible parties and authorized users of the system.
• Procedures: Verizon placed in operation procedures to achieve its objectives in accordance with its defined policies.
• Monitoring: Verizon monitors the System and takes action to maintain compliance with its defined policies.
Physical Security
Overview
Verizon Terremark’s physical security standards for data center facilities feature a centrally located guard post / command center that is staffed by security personnel at all times. Security personnel provide overall building security, monitor security cameras, guard building entrance and exit access points, and control access to the entire facility to employees, contractors, customers and visitors. The data centers in North America, Europe and Latin America are also continuously monitored by Verizon Security’s central monitoring facilities in those regions. These facilities provide a backup response capability.
Policies and Procedures
Verizon Terremark security policies are documented and available to all employees on an internal web site. Employees receive security awareness training for both physical and information security as part of the onboarding process. This training is reinforced by security awareness articles and bulletins on current issues. Additionally, employees are also required to participate in annual security awareness training.
Secure Area Access Control
Areas designated to be secure areas continuously remain secure and are only accessed by authorized company personnel and/or visitors for approved purposes. Access is assigned based upon an individual’s specific job assignment(s) and responsibilities.
A centralized security badge access system provides controlled access to each facility. Administrative access privileges to the badge access systems are restricted to user accounts accessible by authorized personnel. Predefined physical security zones are utilized to define role-based access privileges to and throughout the data center facilities. The badge access system logs both successful and unsuccessful access attempts for ad hoc review. Access attempts are traceable to specific employee accounts. Verizon Terremark personnel must wear an authorized employee access badge while conducting business at a data center facility. Contractors, vendors, and visitors must obtain an access badge to gain entry into a data center facility. The on-duty security personnel are responsible for granting access to vendors, visitors and Verizon Terremark customers requiring access to their equipment. The security personnel are also responsible for security monitoring and reporting procedures, responding to building alarms and monitoring video surveillance cameras. Security incidents are recorded in security patrol logs and investigated.
Employee Access
Requests for new employee access are submitted by Human Resources and include the name of the new employee, department, site, supervisor and the access areas to be assigned. Requests for access are approved by the employee’s supervisor. Requests for changes in access for employees are submitted by a department supervisor and approved by the area authorizer. Employee terminations are submitted by Human Resources. Physical security personnel revoke access privileges assigned to terminated employees as a component of the employee termination process. Physical access rights are reviewed periodically by management to help ensure that access privileges are assigned to appropriate employees.
Customer and Visitor Access
Customers’ physical hardware is maintained in locked server racks/cabinets and cages within the data centers. Badge access cards and physical keys to the server racks/cabinets and cages located within the data centers are secured.
Customer access to Verizon Terremark facilities is strictly enforced. Customers whose accounts are in good standing may visit their equipment at any time. Customers are required to comply with Verizon Terremark physical access procedures while on premises at the data center facility.
To obtain access to the customer cages and/or racks/cabinets, a pre-approved customer contact must request that a particular customer employee or vendor be granted access in advance of the visit from the appropriate business or technical representative. Upon arrival at the data center, visitors requiring access must present government-issued photo identification to Verizon Terremark security personnel to obtain a visitor badge. Security personnel document the visitor’s name, firm represented and the name of the employee authorizing physical access within the visitor access log. Visitor badges do not have physical access capabilities and are identifiably different from employee badges. Visitors are required to surrender their visitor badges upon departure from the data center facilities. Based on individual customer requirements, vendors representing customers may be required to provide evidence that they work for the specified vendor before they can obtain access, in addition to providing the government-issued photo identification. The vendor name must also appear on the approved access list. Vendors are required to be escorted and accompanied by an authorized Verizon Terremark employee when in sensitive areas.
If an individual is not authorized for entry, he/she is denied access to the data center. Video surveillance cameras are installed at each data center facility. The video surveillance cameras are positioned to monitor for intrusion activities or possible vulnerabilities and are recorded on an ongoing basis. Cameras capture data center floors, passageways, entrances, exits, and external surroundings. The digital video recorders are configured to retain the digital recordings for a minimum of 90 days for investigations.
Environmental Safeguards
Overview
To minimize the likelihood of system outages and the effects of disasters on systems and operations, Verizon Terremark has implemented redundant environmental safeguards and backup power systems. The Manager of Data Center Operations and the Facilities Manager at each data center oversee the data center environmental safeguards and backup power management systems. The following section describes the environmental safeguards in place at each data center. Although minor differences exist between each of the data centers, the listed safeguards apply to the data centers in the scope of this report.
Each data center is equipped to maintain continuous operation and protect against environmental extremes. The environment, including temperature and humidity, in each facility is controlled using air-conditioning systems that are regularly maintained. Additional cooling to the data center floor area is provided by multiple computer room air conditioning (CRAC) units. Each unit is attached to several leak detection sensors which are continuously monitored. The CRAC units are supported by multiple redundant water chiller systems. The temperature and humidity are monitored using a centralized monitoring system.
Power
Each Verizon Terremark data center utilizes separate and secure power management and power backup systems. The data centers utilize power from multiple commercial feeds from the local substations. In the event of a brief commercial power failure, the power is backed up by multiple redundant uninterruptible power supply (UPS) systems or continuous power systems (CPS). In the event of a power disruption, each facility’s system is able to sustain power to critical areas including infrastructure and customer equipment until the diesel generators are activated. The redundant diesel generators provide additional power protection should a power disruption last more than a few minutes. The diesel generators can supply the power necessary for site management and can be refueled to power the facility. Generators and UPS systems are maintained and tested in accordance with a maintenance schedule. The electrical system, utility power, and distribution systems are monitored using a centralized monitoring system. The monitoring system generates alarms and alert notifications for possible failure or overloading of the electrical systems.
Fire Detection and Suppression
The environment is protected by a fire detection system with smoke detectors under the raised floor and on the ceiling or above the suspended ceiling, where applicable. The system is equipped with a local display panel and, in some facilities, the alarm signals are automatically transmitted to the local fire authority. In addition, alarm status signals will also be transmitted to the multi-zone pre-action dry pipe fire suppression system. The system has two levels of alarms before water can be released; an individual head must fuse and either a smoke or heat detector must activate. Water will then begin to flow at that location of the activated sprinkler head only. This configuration provides protection against accidental discharge of water by requiring two separate attributes to occur before releasing water.
In the event of a system malfunction or unnecessary water discharge, the water supply to the sprinkler system can be shut down manually to prevent unnecessary water damage to the equipment located on the data center floor. The data centers are also equipped with “Power Off” valves at the main data center exit. These “Power Off” valves can be used to quickly shut down the system in the event of an emergency to prevent unnecessary damage to the equipment. As an additional backup, hand-held fire extinguishers are in place for manual fire suppression.
Monitoring and Inspections
Each of the environmental safeguard and power management systems is monitored on a daily basis and inspected on a regular basis according to a predefined maintenance schedule.
Verizon Terremark has developed standardized inspection procedures and schedules for the various systems. An enterprise monitoring system is in place to monitor certain environmental conditions throughout the data centers. The system is configured to alert facilities personnel via e-mail when predefined thresholds are exceeded on monitored systems.
Network Availability
Overview
In order to help ensure that network devices and related services are available for operation and that network problems are identified, investigated, and resolved, Verizon Terremark uses a combination of monitoring tools, procedures and support protocols.
Network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities that include the following:
• Network communications monitoring and troubleshooting
• Malicious Internet activity procedures
• NOC functions
• Handling failure alerts
• Handling site down alerts
• Handling warning alerts
Network Operations Centers
Verizon Terremark’s Network Operations Centers (NOCs) serve as the central command points for service delivery and oversee day-to-day operations within each data center. Verizon Terremark’s NOCs are staffed with support personnel on an ongoing basis. The continuous staffing schedule is instrumental in supporting customers on a global scale. NOC personnel oversee the enterprise monitoring applications that are in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
Service Centers
Verizon Terremark’s Service Centers (SCs) are the on-site resource centers for Verizon Terremark customers. The SC handles service inquiries and provides support for customers at each of the data center facilities.
Network infrastructure devices are configured with access control lists to allow sessions from only specific hosts within the internal network, and unused ports are disabled to prevent unauthorized access. Management restricts the ability to remotely administer network devices to user accounts accessible by appropriate support personnel.
Infrastructure modifications are documented and maintained in the change management system. When an infrastructure configuration change or modification occurs, the details of the change are automatically e-mailed to network operations personnel from the network automation system.
Verizon’s security program includes security vulnerability testing on the network backbone and the corporate business systems. Tests that help to ensure the overall security and availability of the network and systems and alignment with the Company policies are performed on a periodic basis. Where technically applicable, Verizon uses a real-time antivirus solution to protect its servers against viruses, worms, Trojan horses and other forms of malicious code that may cause damage.
Business Continuity and Disaster Recovery
Business Continuity is a business-sponsored initiative within Verizon. The Business Continuity Plan is designed to provide immediate response and subsequent recovery from an unplanned business interruption such as a loss of critical business functions, a loss of building access, a physical facility catastrophe, or loss of personnel. The Business Continuity and Emergency Management (BCEM) group coordinates the Business Continuity initiative and sets guidelines for plan development. The recovery plans are reviewed by the BCEM and are exercised by Verizon Terremark executive teams. A centralized group referred to as the Incident Management Team oversees the response and recovery activities as well as supports the recovery of affected business units. The Incident Management Team provides overall coordination of response and recovery support activities. Once an incident occurs, the Incident Management Team evaluates which response and recovery actions should be invoked based on the priority of the incident. Designated personnel provide centralized support to affected departments in acquiring necessary recovery resources.
Certain User Entity Obligations (CUO)
In designing its system, Verizon has contemplated that certain user entity obligations would be implemented by user organizations to meet certain criteria applicable to security and availability. The user entity obligations are listed in the Description of Criteria, Controls, Tests, and Results of Tests. The list of the user entity obligations presented in the Description of Criteria, Controls, Tests, and Results of Tests is not and should not be considered a comprehensive list of internal controls that should be implemented by the customers of Verizon. Other internal controls may be required at user organizations
Description of Criteria, Controls, Tests, and Results of Tests
Tests Performed and Results of Tests of Entity-Level Controls
In planning the nature, timing, and extent of our testing of the controls specified by Verizon Terremark, we considered the aspects of Verizon Terremark’s control environment, control activities, risk assessment processes, information and communication and monitoring procedures and performed such procedures as we considered necessary in the circumstances.
• Inspected the company’s organizational structure, including segregation of functional responsibilities, policy statements, operating manuals, and personnel policies.
• Inquired of management, operations, administrative, and other personnel responsible for developing, ensuring adherence to, and applying internal controls.
• Observed personnel in the performance of their assigned duties.
• Inspected results of the monthly operating performance meetings for a sample of months.
• Inspected results of the annual employee performance monitoring process for a sample of employees.
• Inspected operations, human resources and information systems policies and procedures.
• Inquired of management as to the procedures for formal and informal risk assessments. Inspected results of the annual formal risk assessment.
• Inspected evidence of employee training for a sample of employees.
Criteria and Controls
On the pages that follow, the applicable Trust Services criteria and the controls to meet the criteria have been specified by and are the responsibility of Verizon Terremark. The tests performed by EY (Ernst & Young) and the results of tests are the responsibility of the service auditor.
Security and Availability Policies Criteria
S1.00 – Policies: The entity defines and documents its policies for the security of its system.
A1.00 – Policies: The entity defines and documents its policies for the availability of its system.
1. Criteria Description: The entity’s security policies are established and periodically reviewed and approved by a designated individual or group. The entity’s system availability and related security policies are established and periodically reviewed and approved by a designated individual or group.
Criteria Reference:
• S1.01
• A1.01
Controls specified by the Company:
Verizon Terremark has established security and availability policies and practices to help ensure that Verizon Terremark assets are safeguarded and access to Verizon Terremark systems, networks, resources, and data is secured.
Policies are reviewed and changes are approved by the Quality Management team before they can be enforced.
Tests performed by EY and Results of Tests:
Obtained and inspected the security and availability policies and practices, noting that they included the relevant components and were reviewed and approved by the Quality Management team. No deviations noted.
2. Criteria Description: The entity’s security policies include, but may not be limited to, the following matters. See Required Policy Components in Appendix A. The entity’s system availability and related security policies include, but may not be limited to, the following matters. See Required Policy Components in Appendix A.
Criteria Reference:
• S1.02
• A1.02
Controls specified by the Company:
The policies and procedures include security awareness, security hardening guides, configuration management and patch updates, security best practices, compliance monitoring and incident response guides, physical and environmental requirements, provisioning and authentication of users, data classification, and security risk assessment.
Tests performed by EY and Results of Tests:
Obtained and inspected the security and availability policies and practices, noting that they included the relevant components and were reviewed and approved by the Quality Management team. No deviations noted.
3. Criteria Description: Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned. Responsibility and accountability for developing and maintaining the entity’s system availability and related security policies, and changes and updates to those policies, are assigned.
Criteria Reference:
• S1.03
• A1.03
Controls specified by the Company:
Policies are reviewed and changes are approved by the Quality Management team before they can be enforced.
Tests performed by EY and Results of Tests:
Obtained and inspected the security and availability policies and practices, noting that they included the relevant components and were reviewed and approved by the Quality Management team. No deviations noted.
Security and Availability Communications Criteria
S2.00 – Communications: The entity communicates its defined system security policies to responsible parties and authorized users.
A2.00 – Communications: The entity communicates its defined system availability policies to responsible parties and authorized users.
4. Criteria Description: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users. The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.
Criteria Reference:
• S2.01
• A2.01
Controls specified by the Company:
Customer obligations are presented to customers in combination with the Terms and Conditions as part of the customer contract. Customer obligations are reinforced through the Client Portal and are also posted at each data center.
Verizon Terremark provides customers with various operational reports through a web-based customer portal.
Tests performed by EY and Results of Tests:
Inspected the system description, information about Verizon’s services, customer obligations and customer reporting functionality on the web-based customer portal. Noted that customer obligations were included in the customer contract and posted at the entrance of the data centers.
5. Criteria Description: The security obligations of users and the entity’s security commitments to users are communicated to authorized users. The availability and related security obligations of users and the entity’s availability and related security commitments to users are communicated to authorized users.
Criteria Reference:
• S2.02
• A2.02
Controls specified by the Company:
Verizon Terremark maintains policies on the corporate intranet site.
New employees are required to familiarize themselves with the policies and sign an acknowledgement of their understanding and willingness to comply with these policies. Verizon Terremark sends out a security update/awareness notification every quarter to employees for their review.
Verizon has a “New Employee Orientation Program” which includes a section on security awareness. To complement this program, security awareness posters are deployed in strategic locations throughout the facilities and rotated in location and content. Customer obligations are presented to customers in combination with the Terms and Conditions as part of the customer contract. Customer obligations are reinforced through the Client Portal and are also posted at each data center.
Tests performed by EY and Results of Tests:
Through inquiry of management and staff, noted that the policies, procedures and reference manuals were provided to employees during the “New Employee Orientation Program” and were available to staff through the corporate intranet, and that changes were communicated.
Inspected evidence of the quarterly security update/awareness notification for a sample of quarters.
Noted the presence of security awareness posters throughout the facilities.
Inspected the system description, information about Verizon’s services, customer obligations and customer reporting functionality on the Client Portal. Noted that customer obligations were included in the customer contract and posted at the entrance of the data centers. No deviations noted.
6. Criteria Description: Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them. Responsibility and accountability for the entity’s system availability and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Criteria Reference:
• S2.03
• A2.03
Controls specified by the Company:
Policies are reviewed and changes are approved by the Quality Management team before they can be enforced.
Tests performed by EY and Results of Tests:
Obtained and inspected the security and availability policies and practices, noting that they included the relevant components and were reviewed and approved by the Quality Management team. No deviations noted.
7. Criteria Description: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users. The process for informing the entity about system availability issues and breaches of system security and for submitting complaints is communicated to authorized users.
Criteria Reference:
• S2.04
• A2.04
Controls specified by the Company:
Management across all departments participates in weekly meetings in order to discuss the status of service delivery or other matters of interest and concern.
On a monthly basis, operating performance reports are provided to management to summarize the performance statistics of the various products, including, but not limited to, utilization and problem reporting.
Daily, alerts are provided to product support personnel regarding problems. Senior management is presented with a summary of operations and future business plans on a quarterly basis.
Documented network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities that include, but are not limited to, the following:
• Network communications monitoring and troubleshooting
• Malicious Internet activity procedures
• NOC functions
• Handling failure alerts
• Handling site down alerts
• Handling warning alerts
An enterprise monitoring application is in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
Tests performed by EY and Results of Tests:
Through inquiry of management and inspection of evidence, noted that weekly operations meetings were held, monthly operating performance reports were compiled and provided to management and daily alerts were provided to product support personnel.
Through inspection of policies and procedures and inquiry of management, determined that the network monitoring policies and procedures were in place and provided guidance in the prioritization and handling of monitoring alerts and required activities. No deviations noted.
8. Criteria Description: Changes that may affect system security are communicated to management and users who will be affected. Changes that may affect system availability and system security are communicated to management and users who will be affected.
Criteria Reference:
• S2.05
• A2.05
Controls specified by the Company:
Infrastructure modifications are documented and maintained in a change management system.
Management restricts the ability to remotely administer network devices to user accounts accessible by appropriate support personnel.
Tests performed by EY and Results of Tests:
Inspected a sample of infrastructure modifications noting that the modifications were documented in the change management system.
Inspected the list of individuals with access to remotely administer network devices noting that access was restricted to user accounts accessible by appropriate support personnel. No deviations noted.
Security and Availability Procedures Criteria
S3.00 – Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.
A3.00 – Procedures: The entity placed in operation procedures to achieve its documented system availability objectives in accordance with its defined policies.
#  Criteria Description  Criteria Reference  Controls specified by the Company  Tests performed by EY and Results of Tests
9  Criteria Description:
   Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.
   Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.
   Criteria Reference:
   • S3.01
   • A3.01
   Controls specified by the Company:
   Verizon’s security program includes security vulnerability testing on the network backbone and the corporate business systems. Tests that help to ensure the overall security and availability of the network and systems and alignment with the Company policies are performed on a periodic basis.
   Documented network monitoring policies and procedures are in place and provide guidance in the prioritization and handling of monitoring alerts and required activities that include, but are not limited to, the following:
   • Network communications monitoring and troubleshooting
   • Malicious Internet activity procedures
   • NOC functions
   • Handling failure alerts
   • Handling site down alerts
   • Handling warning alerts
   An enterprise monitoring application is in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
   Tests performed by EY and Results of Tests:
   Through inquiry of management and inspection of evidence, noted that a security vulnerability test is performed on a periodic basis. Additionally, noted that the network is monitored on a real-time basis for malicious events and that events are tracked to resolution.
   Through inspection of policies and procedures and inquiry of management, determined that the network monitoring policies and procedures were in place and provided guidance in the prioritization and handling of monitoring alerts and required activities. Through observation, noted that an enterprise monitoring application was in place to monitor the performance and availability of network communications devices and to help identify potential sources of failure.
   Inspected the NOC personnel schedule for a sample of weeks noting that NOC personnel were available to oversee the enterprise monitoring applications at all times. No deviations noted.
   Controls specified by the Company (continued):
   NOC personnel are available to oversee the enterprise monitoring applications at all times.
   (CUO) Customer organizations are responsible for identifying personnel responsible for problem resolution and instructing personnel on the escalation procedures provided by Verizon Terremark.
   (CUO) Customer organizations are responsible for notifying Verizon Terremark of changes to their escalation procedures.
   (CUO) Customer organizations are responsible for providing up-to-date escalation contact information to Verizon Terremark.
10 Criteria Description:
   Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
   a. Logical access security measures to restrict access to information resources not deemed to be public.
   b. Identification and authentication of users.
   c. Registration and authorization of new users.
   d. The process to make changes and updates to user profiles.
   Criteria Reference:
   • S3.02
   • A3.05
   Controls specified by the Company:
   Network infrastructure devices have unused ports disabled to prevent unauthorized access.
   Network infrastructure devices are configured with access control lists to allow sessions from only specific hosts within the network.
   Management restricts the ability to remotely administer network devices to user accounts accessible by appropriate support personnel.
   Tests performed by EY and Results of Tests:
   Inspected configurations for a sample of network infrastructure devices noting that unused ports were disabled.
   Inspected configurations for a sample of network infrastructure devices noting that access control lists were configured to allow sessions from only specific hosts within the network.
   Inspected the list of individuals with access to remotely administer network devices noting that access was restricted to user accounts accessible by appropriate support personnel. No deviations noted.
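A configuration check of the kind described in the tests for criterion 10, as an added example that is not from the report or from Verizon Terremark: it parses a constructed IOS-style device configuration and reports interfaces that are neither configured nor shut down, and VTY lines whose access-class is absent or permits any host. The stanza format, interface names and ACL names are assumptions for illustration.

```python
# Added example, not from the report: audit an IOS-style device configuration for
# the two controls above (unused ports shut down; remote sessions limited by ACL).

# Constructed IOS-style sample (not a real device) with one deviation per control.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.252
interface GigabitEthernet0/2
 shutdown
interface GigabitEthernet0/3
 description spare
ip access-list standard MGMT-HOSTS
 permit 10.10.5.10
ip access-list standard OPEN
 permit any
line vty 0 4
 access-class MGMT-HOSTS in
line vty 5 15
 access-class OPEN in
"""

def parse_stanzas(config):
    """Group indented lines under their top-level stanza header, in order."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            stanzas.append((raw.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas

def audit(config):
    """Return the deviations found; an empty list means both controls hold."""
    stanzas = parse_stanzas(config)
    acls = {h.split()[-1]: body for h, body in stanzas if h.startswith("ip access-list")}
    deviations = []
    for header, body in stanzas:
        if header.startswith("interface"):
            # A port carrying no configuration beyond a description is unused.
            configured = [l for l in body if not l.startswith("description") and l != "shutdown"]
            if not configured and "shutdown" not in body:
                deviations.append(f"{header}: unused port not shut down")
        elif header.startswith("line vty"):
            acl = next((l.split()[1] for l in body if l.startswith("access-class ")), None)
            if acl is None or acl not in acls or any("any" in e.split() for e in acls[acl]):
                deviations.append(f"{header}: remote sessions not limited to specific hosts")
    return deviations

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "No deviations noted.")
```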
   Criteria Description (continued):
   e. Distribution of output restricted to authorized users.
   f. Restriction of access to offline storage, backup data, systems, and media.
   g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
   Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
   a. Logical access security measures to restrict access to information resources not deemed to be public.
   b. Identification and authentication of users.
   c. Registration and authorization of new users.
   d. The process to make changes and updates to user profiles.