
TIERPOINT, LLC

SOC 2 REPORT

FOR

DATA CENTER SERVICES

A TYPE 2 INDEPENDENT SERVICE AUDITOR’S REPORT ON CONTROLS RELEVANT TO SECURITY AND AVAILABILITY

NOVEMBER 1, 2016, TO OCTOBER 31, 2017

Attestation and Compliance Services

Proprietary & Confidential Reproduction or distribution in whole or in part without prior written consent is strictly prohibited.


This report is intended solely for use by the management of TierPoint, LLC, user entities of TierPoint, LLC’s services, and other parties who have sufficient knowledge and understanding of TierPoint, LLC’s services covered by this report (each referred to herein as a “specified user”). If a report recipient is not a specified user (herein referred to as a “non-specified user”), use of this report is the non-specified user’s sole responsibility and at the non-specified user’s sole and exclusive risk. Non-specified users may not rely on this report and do not acquire any rights against Schellman & Company, LLC as a result of such access. Further, Schellman & Company, LLC does not assume any duties or obligations to any non-specified user who obtains this report and/or has access to it. Unauthorized use, reproduction or distribution of this report, in whole or in part, is strictly prohibited.


TABLE OF CONTENTS

SECTION 1 INDEPENDENT SERVICE AUDITOR’S REPORT .......... 1

SECTION 2 MANAGEMENT’S ASSERTION .......... 4

SECTION 3 DESCRIPTION OF THE SYSTEM .......... 7

SECTION 4 TESTING MATRICES .......... 39

SECTION 5 OTHER INFORMATION PROVIDED BY MANAGEMENT .......... 97


SECTION 1

INDEPENDENT SERVICE AUDITOR’S REPORT


INDEPENDENT SERVICE AUDITOR’S REPORT

To TierPoint, LLC:

Scope

We have examined the attached description of TierPoint, LLC’s (“TierPoint” or the “service organization”) Data Center Services system for the period November 1, 2016, to October 31, 2017, (the “description”) performed at the TierPoint data center facilities listed in Section 3 of this report, based on the criteria set forth in paragraph 1.26 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) (“description criteria”) and the suitability of the design and operating effectiveness of controls described therein to meet the criteria for the security and availability principles set forth in the 2016 TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria) (“applicable trust services criteria”), throughout the period November 1, 2016, to October 31, 2017. In Section 5, TierPoint has provided additional information that is not a part of TierPoint’s description. Information about TierPoint’s service availability levels has not been subjected to the procedures applied in the examination of the description and the suitability of design of controls to meet the applicable trust services criteria.

Service organization’s responsibilities

TierPoint has provided the attached assertion, in Section 2, about the fairness of the presentation of the description based on the description criteria and suitability of the design and operating effectiveness of the controls described therein to meet the applicable trust services criteria. TierPoint is responsible for preparing the description of the service organization’s system and the assertion, including the completeness, accuracy, and method of presentation of the description and assertion; providing the services covered by the description of the service organization’s system; selecting the trust services principle(s) addressed by the engagement and stating the applicable trust services criteria and related controls in the description of the service organization’s system; identifying the risks that would prevent the applicable trust services criteria from being met; identifying any applicable trust services criteria related to the principle(s) being reported on that have been omitted from the description and explaining the reason for the omission; and designing, implementing, and documenting controls to meet the applicable trust services criteria.

Service auditor’s responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria and on the suitability of the design and operating effectiveness of the controls described therein to meet the applicable trust services criteria, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included procedures that we considered necessary in the circumstances. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented based on the description criteria, and the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period November 1, 2016, to October 31, 2017. Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and that the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period November 1, 2016, to October 31, 2017. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls to provide reasonable assurance that the applicable trust services criteria were met. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.


Inherent limitations

Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the description criteria identified in TierPoint’s assertion and the applicable trust services criteria:

a. the description fairly presents the system that was designed and implemented throughout the period November 1, 2016, to October 31, 2017;

b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period November 1, 2016, to October 31, 2017; and

c. the controls that were tested, which were those necessary to provide reasonable assurance that the applicable trust services criteria were met, operated effectively throughout the period November 1, 2016, to October 31, 2017.

Description of test of controls

The specific controls we tested, and the nature, timing, and results of our tests are presented in section 4 of our report titled “Testing Matrices.”

Restricted use

This report, including the description of tests of controls and results thereof in Section 4, is intended solely for the information and use of TierPoint; user entities of TierPoint’s Data Center Services system during some or all of the period November 1, 2016, to October 31, 2017; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

• The nature of the service provided by the service organization;

• How the service organization’s system interacts with user entities, subservice organizations, or other parties;

• Internal control and its limitations;

• The nature of user entity control responsibilities and their role in the user entities’ internal control as it relates to, and how they interact with, related controls at the service organization;

• The applicable trust services criteria; and

• The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks.

This report is not intended to be and should not be used by anyone other than these specified parties.

Tampa, Florida
December 8, 2017

Steve Mindrup
S&C-LLC

SECTION 2

MANAGEMENT’S ASSERTION


MANAGEMENT’S ASSERTION

We have prepared the attached description of TierPoint’s Data Center Services system for the period November 1, 2016, to October 31, 2017, (the “description”) based on the criteria in items (a)(i)–(ii) below, which are the criteria for a description of a service organization’s system in paragraph 1.26 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) (the “description criteria”). The description is intended to provide users with information about the Data Center Services system, particularly system controls intended to meet the criteria for the security and availability principles set forth in the 2016 TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria) (“applicable trust services criteria”). We confirm, to the best of our knowledge and belief, that

a. the description fairly presents the Data Center Services system throughout the period November 1, 2016, to October 31, 2017, based on the following description criteria:

i. The description contains the following information:

1.) The types of services provided;

2.) The components of the system used to provide the services, which are the following:

a.) Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks)

b.) Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities)

c.) People. The personnel involved in the governance, operation and use of a system (developers, operators, entity users, vendor personnel, and managers)

d.) Procedures. The automated and manual procedures

e.) Data. Transaction streams, files, databases, tables, and output used or processed by a system;

3.) The boundaries or aspects of the system covered by the description;

4.) For information provided to, or received from, subservice organizations and other parties

a.) How such information is provided or received and the role of the subservice organizations and other parties

b.) The procedures the service organization performs to determine that such information and its processing, maintenance, and storage are subject to appropriate controls;

5.) The applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, the following:

a.) Complementary user entity controls contemplated in the design of the service organization’s system

b.) When the inclusive method is used to present a subservice organization, controls at the subservice organization;

6.) If the service organization presents the subservice organization using the carve-out method

a.) The nature of the services provided by the subservice organization

b.) Each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization, and the types of controls expected to be implemented at carved-out subservice organizations to meet those criteria;

7.) Any applicable trust services criteria that are not addressed by a control and the reasons; and


8.) In the case of a type 2 report, relevant details of changes to the service organization’s system during the period covered by the description.

ii. The description does not omit or distort information relevant to the service organization’s system while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual report user may consider important to its own particular needs.

b. the controls stated in the description were suitably designed throughout the specified period to meet the applicable trust services criteria.

c. the controls stated in the description operated effectively throughout the specified period to meet the applicable trust services criteria.


SECTION 3

DESCRIPTION OF THE SYSTEM


OVERVIEW OF OPERATIONS

Company Background

TierPoint is a national provider of managed technology services, cloud, and colocation, helping organizations improve business performance and manage risk. With corporate headquarters in St. Louis, Missouri, TierPoint operates highly redundant, carrier-neutral data center facilities in the states of Arkansas, Connecticut, Florida, Illinois, Kansas, Maryland, Massachusetts, Missouri, Nebraska, New York, North Carolina, Oklahoma, Pennsylvania, South Dakota, Tennessee, Texas, Washington, and Wisconsin. TierPoint currently employs over 900 professionals and has a diversified base of approximately 5,000 customers and 40 data center facilities in 20 markets with approximately 650,000 total square feet of raised floor space. TierPoint undergoes a variety of audits and assessments of all of its data center facilities on an annual basis and allows its customers to leverage those assessments in meeting their compliance standards. In addition, TierPoint has participated with customers to help ensure its data center facilities and services meet Payment Card Industry Data Security Standard (PCI DSS), System and Organization Controls (SOC) 2, Health Insurance Portability and Accountability Act of 1996 (HIPAA), National Institute of Standards and Technology (NIST) 800-53, Leadership in Energy and Environmental Design (LEED), North American Electric Reliability Corporation (NERC), Gramm–Leach–Bliley Act (GLBA), and Sarbanes–Oxley Act of 2002 (SOX) requirements.

Diagram 1: Map of the TierPoint Data Center Facilities

Description of Services Provided

Colocation Services

TierPoint’s Colocation Services provides colocation hosting in secure, protected, and environmentally controlled data center facilities to maintain critical data, server operating applications, network and communications assets, as well as connectivity solutions. TierPoint’s data center facilities are customizable to support the unique requirements of its customers’ businesses. The facilities have been designed to support high-power-consumption devices and utilize a network of multiple fiber runs from multiple carriers to allow for maximum capacity and redundancy. The network is monitored 24 hours per day by the Enterprise Operations Center (EOC) using a combination of industry-standard and internally developed tools. TierPoint data center facilities feature advanced security and monitoring systems, fire detection and suppression systems, power management, utility and backup power, and heating, ventilation, and air-conditioning (HVAC). Within the data center facilities, the following options are available to provide customers with several industry features and functionalities for device and data hosting:

• Partial and Full Cabinets – Cabinets are available in both escorted and non-escorted locations within the data center facilities and are situated in a shared space. Customer cabinets are keyed with a unique lock set. The cabinets can utilize friction locks with PIN codes for enhanced security.

• Secure Cage Space – Cage space comes in various sizes, is available in both escorted and non-escorted locations within the data center facilities, and is situated in a shared space. Customer cage space is accessed using a unique key; security card access is available for enhanced security.

Refer to the Infrastructure and Software section of this report for further detail regarding the physical security infrastructure and the facility and environmental protection infrastructure.

Monitoring Services

TierPoint’s Monitoring Services provides monitoring, alert and notification services for TierPoint dedicated hosting equipment and customer-owned equipment. The Monitoring Services provides 24 hours per day monitoring for subscribed customer systems collocated in a TierPoint data center facility. TierPoint employs a multi-site distributed monitoring and management system designed to be resilient in case of a disaster. The following two options are available for customers subscribed to Monitoring Services provided through TierPoint’s EM7 monitoring infrastructure:

• Monitoring Service Standard Service: The Monitoring Service Standard Service provides agent-less monitoring using Internet Control Message Protocol (ICMP) / ping monitoring. Objects typically monitored include servers, network devices or Web content. The standard service includes the following monitoring features:

• One ICMP / ping monitor

• One Transmission Control Protocol (TCP) service monitor or Hypertext Transfer Protocol Secure (HTTP/S) content check per operating system instance

• Full portal access

• Configuration of the monitors

• Monitoring: event management, data collection

• Alert and customer notification of alarms

• Monitoring Premier Service: The Monitoring Premier Service delivers a comprehensive level of monitoring using a combination of network and Simple Network Management Protocol (SNMP) monitoring of the operating system. In addition to the features included in the standard service, the premier service includes the following monitoring features:

• Total of 6 TCP service monitors or HTTP/S content checks per operating system instance

• SNMP monitoring of supported operating systems including disk, central processing unit (CPU), memory utilization, process or Windows service monitoring

• Hardware diagnostics from Dell OpenManage (Dell servers only) & HP Insight Manager (HP servers only) with support for a variety of operating systems

• Full portal access

• Configuration of the monitors


• Event management and data collection

• Alert and customer notification of alarms

Managed Network Services

Managed Firewall Service – The Managed Firewall Service provides controlled perimeter access to customer equipment, firewall management, installation, 24 hours per day monitoring, and support of firewall software within a TierPoint data center facility. The clustered solution is designed to deliver firewall high availability (HA) by providing a dedicated hot standby (active / passive).

Managed Network Switch Service – The Managed Network Switch Service provides reliable monitoring and management for the switch configurations and backup of the configurations.

Managed Load Balancing Services – The Managed Load Balancing Services are an implementation of networked appliance-based load balancing, intended to provide high availability for customer server farms.

Managed Backup Services

Backup Services include service implementation and 24 hours per day management and monitoring. Data inclusion and exclusion backup requirements are defined by the customer. The standard backup service included is for the purpose of data recovery only, not for general archiving. TierPoint employs a security program that provides physical, logical and network security measures. Only TierPoint employees and vaulting vendors are allowed to physically handle backup media.

Tape Rotation and Off-Site Storage Services (Customer Owned)

Tape Rotation and Off-Site Storage Services (Customer Owned) refers to the activities required to transfer magnetic tape media from customer-owned equipment to facilitate off-site storage outside the TierPoint data center facility, and to retrieve the tapes upon the customer’s request. The customer is responsible for providing appropriate documentation for operation of customer-owned equipment necessary to perform the tasks related to tape rotation. The customer will designate in writing to TierPoint its agent(s) who is / are authorized to order the delivery and retrieval of tapes, cartridges, records or other material to be stored or rotated. The customer represents and warrants that the customer’s designated agent(s) has / have full authority to order, in person or otherwise, any storage or retrieval or rotation of the customer’s tapes. The customer may change the designated agent(s) periodically in writing to TierPoint. TierPoint is not liable for any loss of or damage to tapes.

Managed Off-Site Data Storage Services

Off-Site Data Storage Services refers to the activities required to transfer customer data onto tapes from TierPoint equipment to facilitate off-site storage outside the TierPoint data center facility, and to retrieve the tapes upon the customer’s request. The following variables are used to configure the customer off-site tape rotation service:

• Retention – refers to the duration the tape(s) will be stored off-site

• Number of tapes – refers to the quantity of tapes to be rotated off-site

• Frequency – determines how often tapes are rotated off-site

Managed Storage Services

TierPoint’s Storage Services provide high-availability managed storage solutions to customers within the TierPoint data center facilities. The Storage Services are provided via the following two platforms:

• Storage Area Network (SAN) – provides high-availability, Fibre Channel (FC) connectivity and redundant array of independent disks (RAID)-protected primary data storage in a shared or dedicated configuration.

• Network Attached Storage (NAS) – provides shared hard disk storage, including multi-disk RAID systems and software for configuring and mapping file locations to customer servers.

The Storage Services are available in dedicated or multi-tenant environments, which are described below:

• Dedicated – provides the customer with an exclusive use of all necessary components

• Multi-tenant – provides the customer with access to a shared storage infrastructure

Managed Cloud Services

TierPoint’s Cloud Services provide secure and flexible IT computing by allocating resources based on each customer’s requirements.

• Multi-tenant Public Cloud Services - shared compute, memory, storage and network

• Multi-tenant Private Cloud Services – dedicated or private compute and memory; shared storage and network

• Single-tenant Cloud Services - dedicated compute, memory, storage and network

• Hybrid Cloud Services - inter-operation of TierPoint Cloud Services with existing customer’s colocation, managed hosting or off-premise servers

TierPoint’s Public Cloud Service is a highly available, managed cloud server infrastructure collocated in multiple TierPoint data center facilities. The cloud infrastructure is partitioned into self-contained virtual environments, each with its own operating systems and sets of applications to meet customer needs. The Public Cloud Services package includes monitoring and backups, and each virtualized server is available with operating system, patch and application management options. TierPoint’s Private Cloud Service consists of dedicated, managed servers, monitoring services and management of the hypervisor residing on the physical hosts, collocated in a TierPoint data center facility. TierPoint’s Cloud Virtual Data Center Service provides a Web-based cloud portal, which allows customers to perform the following activities:

• Virtual machine (VM) provisioning

• Power VM on / off

• View and adjust system resources on a per-VM basis

• Ability to upload VM images and media files

• Remote console access for Kernel-based Virtual Machine (KVM) level management of VMs

TierPoint’s Cloud Virtual Data Center Service (TierPoint Generation 3 Cloud) provides the following virtual data center types, which the customers are responsible to select, based on their needs:

• Enterprise Virtual Data Center - provides everything that a customer needs for a standalone cloud services environment, including a TierPoint managed cloud firewall.

• Enterprise Virtual Data Center (Hybrid) - in addition to everything included in the Enterprise Virtual Data Center, the hybrid environment comes with redundant 1 Gigabit Ethernet (GbE) cross-connects, which allow direct access between collocated resources in a TierPoint data center facility and the Public Cloud Service.

• Enterprise Hybrid Compute Only - provides the redundant 1 GbE cross-connects, but excludes the managed cloud firewall and Internet data transfer.

TierPoint’s Compliant Cloud Environment Service consists of a secure edge infrastructure and virtualized environment up to the hypervisor level in a secured shared segmented cloud and includes the following:

• An environment that is compliance focused (PCI DSS, HIPAA, GLBA)


• Compliance tools (patching, antivirus (AV), scanner, file integrity, centralized logging, two-factor authentication)

• Management and maintenance of VM environment (patching, hardening)

• Auditing (scanning, penetration testing)

• Monitoring (logging, alerting, intrusion detection system (IDS))

• Secured backups


Diagram 2: Public Cloud Infrastructure and Connectivity


System Boundaries

As outlined in 2016 TSP section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy, a system is designed, implemented, and operated to achieve specific business objectives (for example, delivery of services, production of goods) in accordance with management-specified requirements. The purpose of the system description is to delineate the boundaries of the system, which includes the services outlined above and the five components described below: infrastructure, software, people, procedures and data. The scope of this report includes the Data Center Services provided to TierPoint’s customers at the TierPoint data center facilities noted in the tables below.

Table 1: In-Scope TierPoint Data Center Facilities

Metro Area | Site ID | Address | City | State | Zip
Allentown | TEK | 9999 Hamilton Blvd. | Breinigsville | PA | 18031
Baltimore | BAL | 1401 Russell Street | Baltimore | MD | 21230
Bethlehem | LVQ | 3949 Schelden Circle | Bethlehem | PA | 18017
Bethlehem | BET | 3864 Courtney Street, Suite 130 | Bethlehem | PA | 18017
Boston | AND | 15 Shattuck Road | Andover | MA | 01810
Boston | BOS | 500 Rutherford Avenue | Charlestown | MA | 02129
Boston | MRL | 34 St. Martin Drive | Marlborough | MA | 01752
Charlotte | CL1 | 4021 Rose Lake Drive, Suite 200-201 | Charlotte | NC | 28217
Charlotte | CL2 | 125 North Myers Street, Suite 300 & 400 | Charlotte | NC | 28202
Charlotte | CL4 | 1805 Center Park Drive | Charlotte | NC | 28217
Chicago | CHI | 9333 Grand Avenue, Suite 120 | Franklin Park | IL | 60131
Chicago | POL | 601 W. Polk Street | Chicago | IL | 60607
Dallas | DAL | 3004 Irving Blvd. | Dallas | TX | 75247
Jacksonville | JAX | 8324 Baymeadows Way | Jacksonville | FL | 32256
Kansas City | KCM | 10801 N. Amity Avenue | Kansas City | MO | 64153
Kansas City | LEN | 14500 West 105th Street | Lenexa | KS | 66215
Little Rock | LIT | 15707 Chenal Parkway | Little Rock | AR | 72223
Milwaukee | MKE | 3701 W. Burnham Street, Suite A | Milwaukee | WI | 53215
Nashville | NSH | 311 Eddy Lane, Suite 100 | Franklin | TN | 37064
New York | HWT | 11 Skyline Drive | Hawthorne | NY | 10532
Oklahoma City | OK1 | 4121 Perimeter Center Place | Oklahoma City | OK | 73112
Oklahoma City | OK2 | 4114 Perimeter Center Place | Oklahoma City | OK | 73112
Omaha | MID | 11425 South 84th Street | Papillion | NE | 68046
Omaha | BEL | 1001 North Fort Crook Road | Bellevue | NE | 68005
Philadelphia | CON | 1100 East Hector Street, Suite 500 | Conshohocken | PA | 19428
Philadelphia | PHI | 4775 League Island Blvd. | Philadelphia | PA | 19112
Raleigh | RAL | 5301 Departure Drive, Suite 111 | Raleigh | NC | 27616
Raleigh | CRY | 111 Corning Road, Suite 150 | Cary | NC | 27518
Raleigh | RTP | 99 TW Alexander Drive | Durham | NC | 27709
Seattle | SEA | 140 4th Avenue N., Suite 360 | Seattle | WA | 98109
Sioux Falls | SFE | 700 East 54th Street N., Suite 200 | Sioux Falls | SD | 57104
Sioux Falls | SFW | 5300 North La Mesa Drive | Sioux Falls | SD | 57107
Spokane | SPO | 23403 E. Mission Avenue, Suite 121W | Liberty Lake | WA | 99019
Spokane | SP3 | 23017 E. Mission Avenue | Liberty Lake | WA | 99019
St. Louis | SLO | 1111 Olive Street | St. Louis | MO | 63101
St. Louis | SLW | 900 Walnut Street | St. Louis | MO | 63102
Tulsa | TUL | 322 E. Archer Street | Tulsa | OK | 74120
Valley Forge | VFO | 1000 Adams Avenue | Norristown | PA | 19403
Waterbury | WAT | 108 Bank Street, 5th Floor | Waterbury | CT | 06702

Table 2: Physical Location of the Infrastructure that Supports the Data Center Services

Site ID | Colocation Services | Monitoring Services | Managed Network Services | Managed Backup Services | Managed Off-Site Data Storage Services | Managed Storage Services | Managed Cloud Services
AND | N/A
BAL | N/A N/A N/A
BEL | N/A N/A
BET | N/A N/A
BOS | N/A N/A
CHI |
CL1 | N/A
CL3 | N/A N/A N/A
CL4 | N/A N/A N/A
CON | N/A N/A
CRY | N/A
DAL | N/A N/A N/A
HWT | N/A N/A
JAX | N/A N/A N/A
KCM | N/A N/A N/A
LEN | N/A
LIT | N/A
LVQ | N/A N/A
MID | N/A N/A N/A
MKE | N/A N/A
MRL | N/A
NSH | N/A N/A
OK1 | N/A N/A
OK2 | N/A N/A N/A
PHI | N/A N/A N/A
POL | N/A N/A N/A
RAL |
RTP |
SEA | N/A
SFE | N/A N/A N/A
SFW | N/A N/A N/A
SLO | N/A N/A
SLW | N/A N/A N/A
SP3 | N/A N/A N/A N/A
SPO | N/A N/A N/A
TEK | N/A N/A
TUL | N/A N/A N/A
VFO | N/A

WAT | N/A N/A N/A

Infrastructure and Software

TierPoint has a system architecture based on open standards. The architecture is highly available and supports data protection using industry standards to eliminate single points of failure and support system and data reliability. Redundancy is built into the system infrastructure supporting the Data Center Services so that there is no single point of failure among components including firewalls, routers, and servers. In the event that a primary system fails, the redundant hardware is configured to take its place. Authentication to the Data Center Services environment, supported by either the Windows or Linux operating systems, is restricted via Cisco Access Control Server (ACS), which requires systems administration personnel to authenticate with their user account and password. Once authenticated, systems administration personnel connect to the relevant environments via a secure shell (SSH) connection. Each of the data center facilities and systems utilizes the following security features:

• Authentication of all core equipment against Windows Active Directory through the Terminal Access Controller Access-Control System (TACACS) protocol

• Password expiration every 90 days

• Strong password policy for servers and workstations

• Group Policy Object (GPO) policies in place on all Windows servers


• Deep packet inspection firewalls

• Encryption for network access using virtual private networks (VPN) and site-to-site tunnels

TierPoint infrastructure supporting the Data Center Services consists of multiple applications, operating system platforms and databases, as shown in the table below.

Table 3: TierPoint Infrastructure Supporting the Data Center Services

System Function | Primary Application(s) or Device(s) | Operating System (Linux / Windows)
Firewall | Cisco ASA, Fortigate | N/A N/A
Network Authentication | Cisco ACS | N/A N/A
Single-Sign-On (SSO) Authentication | Active Directory Federation Services (ADFS) | N/A
Cloud Infrastructure (Gen 3) | vCloud Director / vCenter | N/A
Compliant Cloud Environment | vCloud Director / vCenter | N/A
Monitoring | Enterprise Manager 7 (EM7) | N/A
Storage Management | Unisphere, Virtual Desktop Infrastructure |
Backup Systems | Backup Executive, CommVault, Avamar, EVault | N/A
Intrusion Detection System (IDS) | Cisco ASA, Fortigate, Alert Logic | N/A N/A

The primary in-scope applications and devices supporting TierPoint’s Data Center Services include the following:

• Cisco ASA and Fortigate Firewalls – The Cisco ASA and Fortigate firewalls are utilized to restrict traffic into the TierPoint Data Center Services network.

• Cisco ACS – The Cisco ACS is utilized for managed network device administration to include access control policies for authentication of administrators, commands, and audit logging of device administration activity. Cisco ACS is also utilized for enforcing access policies related to VPN and remote access of these devices.

• ADFS – ADFS provides SSO technology to authenticate TierPoint users to the in-scope applications. ADFS accomplishes this by securely sharing digital identity and entitlement rights, or "claims", across security and enterprise boundaries.

• vCloud Director / vCenter – vCloud Director / vCenter are utilized to partition physical server(s) into multiple self-contained virtual machines, each with its own operating system and set of applications, to meet the customer’s needs for the physical server(s) colocated in a TierPoint data center facility.

• EM7 – The EM7 monitoring application provides monitoring, alert and notification services for the TierPoint dedicated hosting equipment and customer-owned equipment colocated in a TierPoint data center facility. The monitoring application is deployed as a multi-site distributed monitoring and management system designed to be resilient in case of disaster.

• Unisphere – Unisphere is utilized for managing both shared storage systems and customer-specific storage systems to meet specific customer requirements. TierPoint offers both EMC- and NetApp-branded storage platforms for SAN and NAS. TierPoint assumes responsibility for installation and break-fix on the customer’s behalf.

• Virtual Desktop Infrastructure (VDI) – VDI is utilized to connect to storage platforms for storage system management.


• Backup Executive / CommVault / Avamar / EVault – Backup Executive, CommVault, Avamar, and EVault are utilized to perform backups of customer data according to the requirements defined by the customer. As such, the directories and file inclusions to be backed up are defined and documented on an ongoing basis and are the responsibility of the customer.

• Cisco ASA, Fortigate, and Alert Logic IDSs – The Cisco ASA, Fortigate, and Alert Logic IDSs are utilized to monitor the networks for malicious activity or policy violations.

Physical Security Infrastructure

Each data center facility utilizes an array of security equipment, techniques, and procedures to control, monitor, and record access to the facility, including the customer dedicated areas. The data center facility exteriors may incorporate additional security measures such as masonry and steel construction, ballistics-resistant walls, doors, and windows, and hurricane wind-rated roofs. All areas of the data center facilities, including cages, are controlled, monitored and recorded using closed circuit television (CCTV) cameras. The CCTV subsystem provides the display, control, digital video recording (DVR), and playback of live video from cameras throughout the facilities. Each camera is capable of accelerating digital recording during alarm conditions for better resolution. The data center facilities, other than SFW, are staffed on a 24 hour per day basis by either third party professional security staff or TierPoint personnel, who monitor access points and the electronic security systems. The door entrances to the data center facilities require two-factor authentication, consisting of a biometric finger / hand scanner and a security code. The biometric finger / hand scanners verify unique geometry images and heat signatures before allowing authorized users access into the facilities and through various doors within the facilities. Through a combination of finger / hand scan and security code, users identify themselves to the system and obtain access into certain areas of the data center facilities based upon the predefined user permissions.

Facility and Environmental Protection Infrastructure

Control and Monitoring Systems

A building monitoring system (BMS) is in place at the data center facilities. The BMS is a control, monitoring and reporting system used to monitor and control the environmental systems and alert operations personnel to potential issues. Engineers routinely use it to review operating conditions that include, but are not limited to, temperatures, flows, pressures, electrical and mechanical loads, and alarms, looking for abnormal conditions. The BMS also provides long-term data storage to assist in troubleshooting, if needed. The facility environmental systems are monitored and managed by EOC personnel. The BMS monitors and / or controls the following:

• Power systems, including critical electrical components, generators, transfer switches, main switchgears, power distribution units (PDU), automatic transfer switches (ATS), and uninterruptible power supply (UPS) systems.

• The HVAC systems, which controls and / or monitors space temperature and humidity within the data center facilities, space pressurization, HVAC equipment status and performance, and outside air conditions.

• Fire detection and suppression equipment, such as very early smoke detection apparatus (VESDA), double interlock pre-action and detection systems, and zoned gaseous-based fire extinguishing system.

• Leak detection systems

Site personnel perform and log visual checks of power, environmental, and other system controls, including battery and fuel monitoring systems, per defined schedules.

Fire Detection and Suppression

TierPoint data center facilities are constructed with fire detection and suppression systems that limit potential damage in the event of a fire. Key features of the fire detection and suppression system vary by data center facility location and include a combination of any of the following:


• Dry-pipe double interlock pre-action fire suppression system

• Wet pipe water sprinkler fire suppression system

• Laser-based VESDA

• Dual alarms (heat and / or smoke) activation

• Zoned gaseous-based fire extinguishing system

Sprinkler systems in the data center facilities are implemented with double interlock pre-action and detection systems. Pre-action detection using intelligent heat detectors is installed in the ceiling of mission critical areas of the data center facilities. Upon activation of any of these heat detectors, audio-visual alarms (horns and / or strobes) activate throughout the space, and a signal is sent to the pre-action valve for the affected fire zone. If the temperature in the at-risk area also reaches a level that melts any of the sprinkler head fusible links, water is released into the sprinkler pipes for the affected areas of the data center facility. Fire extinguishers are provided throughout each data center facility. Dry chemical or clean agent extinguishers are installed in the mission critical space or adjacent areas where one might reasonably expect a person to carry them into the affected areas during an emergency. The fire suppression system is monitored on a 24 hour per day basis by an external alarm monitoring company, which dispatches the city fire department upon receipt of an alarm. Inside the data center facilities, software is used for fire detection and monitoring, combined with customized floor plan graphics that illustrate detection devices and fire zones to aid TierPoint personnel and the fire department in responding to and coordinating fire control activities.

Power Management, Utility and Backup Power

Each data center facility is supplied with high-voltage electrical power from the local utility company. The incoming power is fed into a power system providing diverse power distribution to the cabinet areas. The incoming service is connected to switchgear, which is also connected to redundant standby diesel power generators. Electrical loads are automatically transferred to the standby generators whenever the utility source is lost. The data center facilities provide a minimum of N+1 redundancy for every power system to help ensure uptime availability to the customers. The mission critical electrical loads at each data center facility are sourced by redundant static or rotary UPS systems, which are configured with automatic static bypass and manually operated full maintenance bypass circuits. The primary UPS systems operate as an online power supply. The UPS systems provide conditioned, uninterruptible power to critical electrical loads. The UPS systems prevent power spikes, surges, and brownouts, while the redundant backup diesel power generators provide power to the data center facilities in the event that the public utility fails. The electrical system has built-in redundancy to help ensure continuous operation. TierPoint has diesel power generators in place at each data center facility to provide emergency power. Generators may be located indoors or outdoors depending on site-specific conditions. The on-site main fuel tanks provide a source of fuel to the engine generators sufficient to maintain at least 24 hours of design load operation. Generator tests and generator maintenance are performed at regular intervals. Fuel is checked annually for contaminants, bacteria and potency.

HVAC

Each data center facility is designed with an HVAC system to provide stable airflow for the proper control of temperature and humidity. Air handling is provided by means of several different cooling technologies and deployed as a homogeneous design at the data center facilities. To minimize downtime due to equipment failure, major equipment in the HVAC system is designed with a minimum of N+1 redundancy.


A representative HVAC system at a TierPoint data center facility includes a combination of any of the following:

• Condenser pumps

• Centrifugal chillers

• Cooling towers

• Primary chilled water pumps or air cooled condensers

• Computer room air handlers (CRAH) units

• Computer room air conditioner (CRAC) units

Each data center facility is built with zoned temperature control systems. TierPoint maintains multiple air handling units at each data center facility to maintain correct temperature and humidity in critical areas. The air handling units, in conjunction with a central HVAC plant, work to maintain temperature and humidity levels. If the temperature or humidity varies outside preset limits, an alarm is generated and facilities personnel are notified. Refer to the organization’s Data Center Briefs published to the TierPoint public website for infrastructure details specific to each facility.

People

The staff of TierPoint’s data center facilities provide support for the above services in each of the following functional areas:

• Data Center Operations – responsible for the completion of day to day activities within the local data center facility including EOC personnel. The daily site activities are broken into functional areas of responsibility to help ensure focus and operational proficiency. These functional areas include guard duties (physical security and site integrity), installation (service turn-up and turn-down), remote hands / eyes (monitoring, notification, administration), spares and asset management, and onsite facilities maintenance (daily checks, testing, and vendor-management);

• EOC – provides frontline technical support for TierPoint’s customers and is responsible for event monitoring, ticket handling, and issue escalation;

• Information Technology (IT) Engineering – designs and builds computing infrastructure that support internal and external customers;

• Managed Services Operations – provides post-sales service and support to all TierPoint’s managed services customers via a centralized group of senior technical resources providing systems administration, database and storage support, network and security service support (firewall, IDS, load balancing), and enterprise application support;

• Client Implementation Management – provides post-sales project management for the delivery of new customer services;

• Security – provides comprehensive security management to TierPoint’s operations, including security of the facilities, network and systems;

• Audit and Compliance – develops standards, performs regularly scheduled audits relative to defined standards, and measures and provides continuous improvement feedback, as well as assesses legal and regulatory requirements to remain in step with changing requirements;

• Solutions Engineering – provides pre-sales technical support and solutions engineering for both existing and new customers; and

• Sales – provides pre / post-sales service to TierPoint’s customers by understanding the customer’s requirements and presenting a customized package of services options that best meet the customer’s needs. Further, facilitates customer quotations and sales contracting, serving as a customer advocate.


Procedures

TierPoint’s security policies and processes are designed to maintain the security and availability of its systems and of its customers’ data. Corporate security policies have been established that detail the procedures for restricting logical and physical access to internal and customer data from unauthorized entities. TierPoint management is responsible for directing operations and establishing, communicating, and monitoring control policies and procedures. Importance is placed on the integrity and ethical values of all TierPoint personnel, as well as on maintaining sound internal controls. Organizational values and behavioral standards are communicated to all personnel through the organization’s employee handbook and training programs such as the Information Security Policy Awareness Training. TierPoint assigns responsibility and delegates authority to key personnel to effectively manage the operating functions necessary to meet organizational goals and objectives. TierPoint management helps ensure that adequate staffing is maintained and that personnel possess the requisite expertise and skills based on the nature and complexity of the responsibilities and activities they perform.

Information Security

TierPoint management has developed and documented formal policies and procedures, in accordance with the ISO/IEC 27001:2013 international standard, to guide personnel in security and incident handling and escalation procedures. The ISO/IEC 27001:2013 international standard consists of a comprehensive set of controls that includes information security best practices, and provides a solid security framework. TierPoint employs full-time, experienced information security professionals who direct the company's information security program. They are responsible for developing, documenting, and implementing security policies and standards and reviewing all system related security plans throughout TierPoint’s internal and production networks. As part of its security program, the security staff has established a computer security incident response program so TierPoint personnel can recognize, analyze, and handle information security incidents and threats.

Human Resources (HR) Security

TierPoint has implemented formal HR security policies that include, but are not limited to, the following:

• Applicants are required to complete a pre-employment background check (including Social Security number verification) and 5 panel non-DOT drug screen.

• Confidentiality and non-disclosure agreements are required to be completed by all new employees at the time of hire.

• New employees are required to review the TierPoint employee handbook and acknowledge in writing that they have read and understand the policies described within the Employee Handbook and Corporate Security Policy documents at time of hire and annually thereafter.

• Completion of the Information Security Policy Awareness Training is required for each employee at time of hire and annually thereafter.

Managers are responsible for following and enforcing policies related to job responsibilities and levels of access.

Access Requests and Access Revocation

Requests for new user accounts or changes in access levels on an existing user account must be submitted as a written request via a change request ticket from management. In the event of employee terminations, the terminated employees’ user accounts are deactivated by IT and security personnel prior to termination, based on notifications from HR and the employee’s manager. The TierPoint access review standards document the requirements and procedures for periodic system user access reviews, which include the following:

• User access list generation, inspection, and reconciliation processes.

• Access reviews of elevated privileges to network and system devices, including operating system and applicable database(s) supporting the managed infrastructure.


• Access revocations of user accounts identified during reconciliation, following a user access review, are managed by the department responsible for system administration as a direct output of the investigation.
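The periodic review described above (list generation, inspection, reconciliation, elevated-privilege review, and revocation as an output) can be scripted. The following is an added example, not TierPoint's or the service auditor's code: it reconciles a system's account listing against the HR roster and an approved-privilege matrix per role, and flags accounts whose owner is no longer active, whose group memberships exceed what the role allows, or that have not logged on within a threshold. The roster, the privilege matrix, the account listing, all field names and the 90-day stale threshold are constructed assumptions for illustration.

```python
"""Added example of a user access review reconciliation (not TierPoint's code).

All inputs below are constructed sample data; the field names and the
90-day stale threshold are assumptions, not values from the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # HR employee ID the account is mapped to
    groups: FrozenSet[str]      # group memberships pulled from the system
    last_logon: Optional[date]  # None if the account has never logged on


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    action: str


STALE_AFTER = timedelta(days=90)  # assumed threshold for an unused account


def review_access(accounts: Iterable[Account],
                  hr_roster: Dict[str, Dict[str, str]],
                  approved_privs: Dict[str, FrozenSet[str]],
                  review_date: date,
                  stale_after: timedelta = STALE_AFTER) -> List[Finding]:
    """Inspect each account against HR and the role matrix; return findings.

    Owner missing from HR or not active -> revoke outright.
    Groups outside the owner's approved role matrix -> excess privilege.
    No logon within stale_after -> disable pending owner confirmation.
    """
    findings: List[Finding] = []
    for acct in accounts:
        emp = hr_roster.get(acct.owner)
        if emp is None or emp["status"] != "active":
            findings.append(Finding(acct.username,
                                    "owner is not an active employee in the HR roster",
                                    "revoke"))
            continue  # nothing else matters once the account must go
        allowed = approved_privs.get(emp["role"], frozenset())
        excess = acct.groups - allowed
        if excess:
            findings.append(Finding(acct.username,
                                    f"groups not approved for role {emp['role']}: {sorted(excess)}",
                                    "remove groups or obtain management approval"))
        if acct.last_logon is None or review_date - acct.last_logon > stale_after:
            findings.append(Finding(acct.username,
                                    "no logon within the stale threshold",
                                    "disable pending owner confirmation"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group the required actions by account for the review record."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        summary.setdefault(f.username, []).append(f.action)
    return summary


# Constructed sample inputs (not real TierPoint data).
REVIEW_DATE = date(2017, 10, 31)
HR_ROSTER = {
    "E100": {"status": "active", "role": "sysadmin"},
    "E200": {"status": "terminated", "role": "sysadmin"},
    "E300": {"status": "active", "role": "eoc"},
}
APPROVED_PRIVS = {
    "sysadmin": frozenset({"Domain Users", "Server Admins"}),
    "eoc": frozenset({"Domain Users", "Monitoring Operators"}),
}
ACCOUNTS = [
    Account("alice", "E100", frozenset({"Domain Users", "Server Admins"}), REVIEW_DATE - timedelta(days=2)),
    Account("bob", "E200", frozenset({"Domain Users", "Server Admins"}), REVIEW_DATE - timedelta(days=40)),
    Account("carol", "E300", frozenset({"Domain Users", "Server Admins"}), REVIEW_DATE - timedelta(days=5)),
    Account("dave", "E300", frozenset({"Domain Users"}), REVIEW_DATE - timedelta(days=120)),
    Account("svc_backup", "E999", frozenset({"Backup Operators"}), None),
]


def run_sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample and return actions per account."""
    return summarize(review_access(ACCOUNTS, HR_ROSTER, APPROVED_PRIVS, REVIEW_DATE))


if __name__ == "__main__":
    for user, actions in run_sample_review().items():
        print(user, "->", "; ".join(actions))
```

In the sample, alice produces no finding, bob (terminated owner) and svc_backup (owner unknown to HR) are revoked, carol holds a group outside her role, and dave is stale. The same reconciliation applies to the physical access system's user listing reviewed later in this section, with the badge system's cardholder list in place of the account listing.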

TierPoint’s information security officer (ISO) regularly conducts internal security audits and vulnerability testing against the product network and systems to identify and correct areas of potential risk. TierPoint has designed its security policies and procedures to protect the confidentiality of its customers’ sensitive information. Management approves requests for remote access to customer systems hosted by TierPoint. TierPoint designed the network in a manner that further segregates TierPoint’s corporate network Internet Protocol (IP) address space from the specific customer IP address space.

Access Authentication and Authorization

TierPoint grants access in accordance with the least privilege necessary to successfully accomplish assigned duties. TierPoint IT resources and the TierPoint customer and infrastructure environments are managed by separate IT groups, who assign all passwords for their respective networked systems. Remote and local access to the customer and infrastructure environments is authenticated so that access is provided only to authorized personnel with a valid user account and password. TierPoint administrators of these systems are required to authenticate to the TierPoint internal network domain using a separate user account and password before they can access them, as the customer and infrastructure environments have been configured to logically restrict access to authorized users from within the TierPoint internal network domain only. TierPoint enforces password complexity requirements and requires users to change their passwords in accordance with TierPoint password policies, which follow industry best practice including password complexity, minimum length, and expiration. Employees who have access to the TierPoint authentication database must have a unique application user account and password assigned by a member of the information security team. These user accounts are used to restrict system privileges based on job duties, project responsibilities, or assigned business activities. Employees are responsible for maintaining the confidentiality of their passwords.

Systems Design

TierPoint controls and verifies product, service and design to help ensure that specified requirements are met. This process helps ensure that service or product design documentation agrees with the requestor documentation, that designs are planned, controlled, verified, and validated prior to deployment, and that design requirements are documented. Design reviews are held as appropriate, and design changes are made and approved in accordance with documented procedures. Engineering and architecture personnel define responsibilities for design and development activities, and plan and execute those activities via project management. A plan for each design and development project is required. Plans are updated as the design evolves, but each plan addresses the following, as appropriate:

• Organizational and technical interfaces between groups that provide input to the design and development processes

• Required design inputs and how they are identified, documented, and reviewed for adequacy

• Required design outputs and how they are reviewed and approved prior to implementation

• Required design reviews and resulting quality records

• Required design verification approaches and resulting quality records

• Required design validation approaches

• The method for review and approval of design changes and modifications prior to implementation

Upon completion of the system, operational teams evaluate the system as part of user acceptance testing.


Management of the Configuration Process

Change management policies and procedures are documented that outline the change management separation of duties, such that authorization, development, testing and implementation are segmented functions within the process. Further, policies and procedures are in place that address the emergency change process, including documenting and authorizing emergency changes on a timely basis. The change control process is designed to manage changes to internal and shared customer systems with minimal disruption, risk, and complexity, while maintaining agreed-upon service levels. This includes identifying the business reason behind each change and the specific configurations and services affected by it, planning the change, testing the change where necessary, and having a documented back-out plan, all as part of the formal method of procedure (MOP), should the change leave the customer infrastructure in an unexpected state. Customers submit change requests via the TierPoint web portal, an e-mail submission to the help desk e-mail address, or an e-mail submission to TierPoint sales and support personnel. Requests submitted through the TierPoint web portal and to the help desk e-mail account result in an automated change request ticket. TierPoint sales and support personnel manually generate change request tickets for requests received via e-mail. Attributes documented in the change request tickets include, but are not limited to, the following:

• Customer name and customer representative requesting the change

• Change description

• Priority level

• Change status

• Change history

A change management system is in place to centrally maintain, manage and monitor change control activities. The ability to request infrastructure software or hardware changes is restricted to pre-authorized customer representatives. The authorized customer representatives are established at the time the customers sign their initial service contracts with TierPoint. Customers approve infrastructure software or hardware changes via a signed service order form or via a workflow-enabled electronic ticketing system prior to implementation; however, for certain changes the customer’s approval is inherent in the initial request. The TierPoint change control board (CCB) meets weekly to review changes for relevance, prioritization, technical accuracy, risk assessment, and appropriate notification timelines. MOPs require senior management sign-off and approval prior to execution. A change management calendar is utilized to schedule and manage approved MOPs. For certain infrastructure change requests, EOC personnel perform an impact assessment and develop a back-out plan that is documented within the change management system. MOPs require post-implementation approval from the change owners. The ability to implement changes to customer infrastructure software or hardware is restricted to user accounts accessible by authorized personnel.

Maintenance and Administration

There are three levels of maintenance events that may occur, which are noted below.

Planned maintenance activities that may or may not disrupt service, in which the following procedures are followed:

• The customer is notified nine days in advance of the maintenance activity.

• The maintenance activity is performed during a standard maintenance window on Wednesdays from 12:00 am to 6:00 am and on Sundays from 12:00 am to 8:00 am, local time of the TierPoint data center facility. Notice of planned maintenance is provided to the customer's designated point of contact by a method elected by TierPoint (telephone or e-mail). An exception to the standard window may be made if it is determined that conducting the maintenance at an alternate time would decrease the risk or operational impact of the maintenance. An example of this exception would be maintenance to the managed backup infrastructure, which traditionally has its highest usage period during the 12:00 am to 6:00 am timeframe.


Planned emergency maintenance required to prevent a degradation or loss of service, in which the following procedures are followed:

• The customer is notified 24 hours in advance of the maintenance activity if conditions permit.

• The maintenance activity is performed during a maintenance window any day from 12:00 am to 6:00 am local time of the TierPoint data center facility. Notice of planned emergency maintenance is provided to the customer's designated point of contact by a method elected by TierPoint (telephone, e-mail, or customer dashboard via the TierPoint web portal).

Unplanned emergency maintenance required to prevent a degradation or loss of service, in which the following procedure is followed:

• TierPoint will utilize its best efforts to notify the customer in advance of the maintenance activity if conditions permit.

Patch Management

TierPoint has implemented a patch management process to help ensure that contracted customer and infrastructure systems are patched in accordance with vendor-recommended operating system patches. Customers and TierPoint system owners review proposed operating system patches to determine whether the patches are applied. Customers and TierPoint system owners are responsible for determining the risk of applying or not applying patches based upon the security and availability impact on those systems and any critical applications hosted on them. TierPoint staff validate that all approved patches have been installed and, if applicable, that reboots have been completed.

Physical Security

Policies and procedures are in place that govern physical security practices, to protect assets, workers, facilities, and visitors against acts such as theft, violence, and vandalism, by controlling access to the facilities. Physical access requests are documented on a standardized access request form and require the approval of the department manager. When an employee is terminated, an access revocation request ticket is completed and physical access is revoked as a component of the employee termination process. Data center operations management reviews the multi-factor authentication mechanisms' user listings for stale or unauthorized accounts on at least an annual basis. Security personnel require visitors (off-site employees, customers, vendors, and contractors) to present government-issued photo identification before they are allowed access to the data center facilities, and issue them temporary visitor badges. Additionally, visitors are required to sign a visitor log upon entering and exiting the data center facilities. When their visit is complete, visitors are required to surrender their visitor badges upon exiting the data center facilities; the badges are disabled when returned. The SFW data center facility is unmanned; therefore visitors to that facility are not issued a visitor badge or required to sign a visitor log upon entering and exiting. Physical access to each data center facility is controlled via multi-factor authentication mechanisms inclusive of secure-card access doors and biometric scanner(s). The multi-factor authentication mechanisms are configured to log successful and failed access attempts to the data center facilities. Predefined physical security zones are utilized to define role-based access privileges to and throughout the data center facilities.
Administrator access within the multi-factor authentication mechanisms is restricted to user accounts accessible by authorized data center operations and security personnel. Surveillance cameras are in place to monitor and record activity to and throughout the data center facilities. The surveillance camera systems maintain surveillance footage for a minimum of 90 days. TierPoint security and EOC personnel monitor surveillance cameras in real-time on a 24 hour per day basis. The data center facilities have continuous walls from floor to ceiling to prevent unauthorized access. Locked cabinets and / or cages are in place to prevent unauthorized access to the defined customer spaces within the data center facilities. Each customer environment is physically self-contained (as contracted) and logically separated from all other customers.
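The controls above give a reviewer three inputs: an approved roster with role-based zones, a termination process that is supposed to revoke access, and a log of successful and failed attempts. The following is an added example, not from the report or from TierPoint's systems, of the annual user-listing review those inputs allow. The roster, the log lines and their field layout are constructed for illustration (the report states only that successful and failed attempts are logged, not their format), and the thresholds and function names are this example's own.

```python
from datetime import datetime, timedelta

# Constructed roster for the example. user -> (role, zones the role may enter, account active?)
ROSTER = {
    "jdoe":   ("dc_ops",   {"lobby", "raised_floor", "mech"}, True),
    "asmith": ("customer", {"lobby", "raised_floor"},         True),
    "bjones": ("dc_ops",   {"lobby", "raised_floor", "mech"}, False),  # terminated
    "cwu":    ("security", {"lobby", "raised_floor"},         True),
}

# Constructed log lines (assumed layout): timestamp(UTC) user zone factors result
ACCESS_LOG = """\
2017-10-01T02:14:05Z jdoe   raised_floor badge+bio SUCCESS
2017-10-01T02:15:40Z asmith mech         badge+bio FAIL
2017-10-01T02:16:02Z asmith mech         badge+bio FAIL
2017-10-01T02:16:30Z asmith mech         badge+bio FAIL
2017-10-02T11:00:00Z bjones lobby        badge+bio SUCCESS
2017-10-03T09:30:00Z ghost  lobby        badge+bio SUCCESS
2017-10-04T08:00:00Z jdoe   mech         badge+bio SUCCESS
"""


def parse_log(text):
    """Parse the whitespace-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, zone, factors, result = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "zone": zone, "factors": factors,
                        "ok": result == "SUCCESS"})
    return records


def review(roster, records, review_end, stale_days=365, fail_threshold=3):
    """Review the access-control user listing against the log.

    review_end is an ISO date (YYYY-MM-DD). An active account with no successful
    entry in the stale_days before that date is reported as stale.
    """
    end = datetime.strptime(review_end, "%Y-%m-%d")
    cutoff = end - timedelta(days=stale_days)
    findings = {"unknown_accounts": set(), "terminated_access": set(),
                "out_of_zone_success": [], "repeated_failures": [],
                "stale_accounts": []}
    last_success, fail_counts = {}, {}
    for r in records:
        entry = roster.get(r["user"])
        if entry is None:                       # badge not on the approved roster
            findings["unknown_accounts"].add(r["user"])
            continue
        _role, zones, active = entry
        if r["ok"]:
            last_success[r["user"]] = max(r["ts"], last_success.get(r["user"], r["ts"]))
            if not active:                      # revocation did not take effect
                findings["terminated_access"].add(r["user"])
            if r["zone"] not in zones:          # zone outside the role's privileges
                findings["out_of_zone_success"].append((r["user"], r["zone"]))
        else:
            key = (r["user"], r["zone"])
            fail_counts[key] = fail_counts.get(key, 0) + 1
    for (user, zone), n in sorted(fail_counts.items()):
        if n >= fail_threshold:
            findings["repeated_failures"].append((user, zone, n))
    for user, (_role, _zones, active) in sorted(roster.items()):
        # Failed attempts are not use; an active account that never succeeded is stale.
        if active and last_success.get(user, cutoff - timedelta(days=1)) < cutoff:
            findings["stale_accounts"].append(user)
    findings["unknown_accounts"] = sorted(findings["unknown_accounts"])
    findings["terminated_access"] = sorted(findings["terminated_access"])
    return findings


if __name__ == "__main__":
    for kind, items in review(ROSTER, parse_log(ACCESS_LOG), "2017-10-31").items():
        print(kind, items)
```

On the constructed data the review surfaces a badge that is not on the roster at all (ghost), a terminated account that still opens doors (bjones), repeated denied attempts by a customer against the mechanical zone (asmith), and two active accounts with no successful entry in the period (asmith, cwu). The "out of zone" check is empty because the access system itself denied those attempts; it would only fire if the door controller's zone configuration disagreed with the roster.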


Environmental Security

TierPoint’s environmental operating standards establish the baseline requirements for environmental operating control activities related to facilities, mechanical and electrical infrastructure, and computer equipment within the data center facilities. The environmental operating control activities are carried out by the TierPoint business unit that supports system availability requirements commensurate with business need, and they help attain the full performance of the installed infrastructure. The standards' requirements are categorized under the following six topics:

• Personnel staffing and qualifications;

• Documentation – policies and procedures, and reference library;

• Operating conditions - operating set points, optimization, equipment rotation, and safety;

• Monitoring, testing and inspection - temperature and humidity monitoring, walkthrough inspections, generator testing and fuel storage, and fire suppression systems;

• Maintenance - preventative maintenance program, preventative maintenance frequency, maintenance management system, vendor support, and failure analysis program; and

• Planning - capacity management, life cycle and financial management.

The data center facilities are designed with redundancy for key systems including UPS systems, PDUs / power panels, and cabinet power feeds. Additionally, redundant power access for customer equipment is available upon subscription via A and B power feeds, allowing for multiple power supplies. Preventative maintenance programs on environmental systems are performed at regular intervals, no later than 12 months from the commissioning period, following manufacturer recommendations and organizational environmental operating standards. Site documentation covering facility infrastructure and maintenance activities is maintained at each data center facility. Refer to Table 4 below for the preventative maintenance intervals per data center facility.

Table 4: Testing and Preventative Maintenance Intervals Per Data Center Facility

Columns: Gen Run = diesel power generator run testing; Gen Load = diesel power generator load testing; Gen PM = diesel power generator preventative maintenance; HVAC PM = HVAC system preventative maintenance; UPS PM = UPS system preventative maintenance; Fire PM = fire detection and suppression system preventative maintenance.

Site ID | Gen Run | Gen Load | Gen PM | HVAC PM | UPS PM | Fire PM
AND | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
BAL | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
BEL | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
BET | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
BOS | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
CHI | Weekly | Quarterly | Semi-Annually | Quarterly | Annually | Annually
CL1 | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
CL2 | Monthly | Quarterly | Quarterly | Quarterly | Annually | Annually
CL4 | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
CON | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
CRY | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
DAL | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
HWT | Semi-Monthly | Semi-Monthly | Quarterly | Quarterly | Annually | Annually
JAX | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
KCM | Weekly | Annually | Quarterly | Quarterly | Annually | Annually
LEN | Weekly | Annually | Quarterly | Quarterly | Annually | Annually
LIT | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
LVQ | Semi-Monthly | Quarterly | Quarterly | Quarterly | Annually | Annually
MID | Weekly | Quarterly | Semi-Annually | Quarterly | Annually | Annually
MKE | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
MRL | Monthly | Quarterly | Quarterly | Quarterly | Annually | Annually
NSH | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
OK1 | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
OK2 | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
PHI | Quarterly | Quarterly | Quarterly | Quarterly | Annually | Annually
POL | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
RAL | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
RTP | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
SEA | Weekly | Semi-Annually | Annually | Semi-Annually | Annually | Annually
SFE | Monthly | Quarterly | Semi-Annually | Quarterly | Annually | Annually
SFW | Monthly | Semi-Annually | Quarterly | Quarterly | Annually | Annually
SLO | Monthly | Annually | Semi-Annually | Quarterly | Annually | Annually
SLW | Monthly | Annually | Semi-Annually | Quarterly | Annually | Annually
SPO | Weekly | Annually | Quarterly | Quarterly | Annually | Annually
SP2 | Weekly | Annually | Quarterly | Quarterly | Annually | Annually
TEK | Semi-Monthly | Quarterly | Semi-Annually | Quarterly | Annually | Annually
TUL | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually
VFO | Monthly | Quarterly | Semi-Annually | Quarterly | Annually | Annually
WAT | Weekly | Quarterly | Quarterly | Quarterly | Annually | Annually

The following environmental systems, including facility loads, are monitored by EOC personnel 24 hours per day via an environmental monitoring tool: CRAC / CRAH units, air monitoring (temperature, humidity), water leak detectors, UPS systems, and diesel power generators. Additionally, physical walkthrough inspections of the environmental equipment are performed once per scheduled shift daily to observe the component-level status indicators for normal operations and to detect any inconsistencies or issues in the supporting infrastructure space. A facility walkthrough checklist is utilized during the inspections, and in the event that an issue is detected, data center support personnel are responsible for escalating the issue per the TierPoint facility escalation procedures until the issue has been resolved.


Diesel power generators are in place to provide power to the data center facilities in the event of a power outage. The diesel power generators can provide a minimum of 24 hours of runtime before additional fuel delivery is mandated; the generators can be refueled while in operation. Internal generator run tests and generator load transfer and ATS unit / switch gear testing are conducted at regular intervals to verify that generators and switching are in proper working order while under electrical load. Management ensures that the diesel power generators are inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the diesel power generators are in proper working order. UPS systems are in place to provide battery backup power to help ensure ample time to transfer to on-site generator power in the event of a utility failure. Management ensures that UPS systems are inspected on at least an annual basis following manufacturer’s recommendations and organizational standards to verify that the UPS systems are in proper working order. Multiple HVAC systems are configured in a minimum N+1 design to provide redundancy in the event of a unit failure or maintenance. Management ensures that HVAC systems are inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the HVAC systems are in proper working order. Data center facility equipment is protected from water damage through the combination of elevated racks, water detection sensors, and / or elevated anti-static floors. The data center facilities are protected by multi-level fire detection and suppression systems that include the following:

• Clean agent gaseous fire suppression system (FM-200, ECARO-25 or CO2), pre-action dry-pipe water sprinkler fire suppression systems, and / or wet pipe water sprinkler fire suppression systems

• Smoke and heat detection sensors

• Carbon sensing equipment

• Hand-held fire extinguishers

Management ensures that fire detection and suppression systems are inspected on at least an annual basis following manufacturer’s recommendations and organizational standards to verify that the fire detection and suppression systems are in proper working order. The fire suppression systems are monitored on a 24 hour per day basis by a remote third party vendor.

Backup and Restoration

Backups are performed to provide the capability to restore data and software in the event of system failure or corruption. Documented work instructions for backup and restoration of contracted customer data are in place to guide EOC personnel in the backup and restoration process. Contracted customer data is backed up at intervals based on customer requirements and is monitored by EOC personnel for completion and exceptions. In the event of an exception, EOC personnel perform troubleshooting to identify the root cause and then re-run the backup job immediately or as part of the next scheduled backup job, depending on customer indicated preference within the documented work instructions. The backup infrastructure resides on private networks that are logically segregated from other networks. This includes limiting the communications between any two nodes on the management network. The management network is only used for backups and monitoring of systems, and not production communications. To help ensure that physical access to the backup infrastructure is secured, the backup infrastructure is maintained in locked cabinets and / or caged environments. Contracted customer backup media are securely stored at a location that is physically separate from the production environment. Third party vendor off-site backup media storage contracts are in place to define responsibility and accountability for system and removable media security. Contracted customer backup media is secured in a tamper resistant case prior to being transferred to the third party vendor storage location. Contracted customer off-site tape rotations are logged and maintained within an enterprise ticket management system. The ability to recall contracted customer backup media from the third party vendor off-site storage facility is restricted to user accounts accessible by authorized TierPoint personnel.


Business Continuity / Disaster Recovery

TierPoint’s business continuity plans are maintained by TierPoint management and include all scenarios that may occur in the geographic and political-economic areas in which TierPoint operates, including if TierPoint must vacate any or all places of business for extended periods. The business continuity plans are reviewed annually and TierPoint makes updates to accommodate issues, acquisitions, and new situations that arise. The business continuity readiness is reported to the company’s executive management annually. TierPoint’s disaster recovery plans enable a rapid response to, and successful recovery from, a disruption of operations at one of TierPoint’s data center facilities. Implementation of these plans would minimize disruption to service, mitigate financial losses, and allow a timely resumption of operations. These plans are written for a worst-case scenario and may be adapted to any situation in which operations are disrupted; such scenarios may include, but are not limited to, the following:

• Physical damage to the facility such as fire, smoke, water, or structural damage

• Lack or restriction of access to the facility due to an emergency building evacuation or during a natural disaster or other hazardous situation

• Technical failure such as a power outage, loss of telecommunications service, or hardware or software failure

• Human interference, accidental or deliberate, including sabotage, theft, and strikes

TierPoint conducts quarterly file restore tests to help guide recovery personnel in restoration procedures and to validate the recovery plan, hardware, off-site software, and off-site data backups.

Information Security and Incident Management

TierPoint maintains a security incident response policy that guides personnel in responding to security events and in the appropriate manner of reporting them. The policy corresponds with TierPoint’s overall incident management framework. TierPoint’s security incident response policy defines the standard methods for identifying, tracking, and responding to logical security incidents, which are noted below.

• Any suspected or confirmed information security event affecting a TierPoint asset must be reported to the direct supervisor or manager of the person making the discovery and to the TierPoint ISO.

• Any suspected or real information security event affecting a TierPoint asset is classified and prioritized according to TierPoint incident management procedures.

• All security incidents the TierPoint ISO is made aware of are recorded in an incident log.

• Any information security event affecting a TierPoint asset classified as a severity 2 or higher will have an incident report created to document the incident.

TierPoint security incident management procedures document guidelines on initial event prioritization by designating a severity level for appropriate incident response, escalation, and notification. Categories of security incidents documented include, but are not limited to, the following:

• Denial of service

• Compromised asset (critical)

• Internal hacking (active)

• Sustained external hacking / port scanning and mapping (active)

• External hacking / port scanning and mapping (active) causing a service degradation

• Virus / worm (outbreak)

• Destruction of property (critical)

• Espionage / fraud / theft


• Warning / hoaxes

• Breach of personally identifiable information (PII), PCI, or protected health information (PHI)

Customer notification and communication occurs following defined standards, and in all cases, customers are notified via telephone and / or e-mail during the initial response window of 0-15 minutes. If TierPoint’s staff or systems are unable to reach the designated customer contact, TierPoint will escalate according to instructions outlined in the pre-determined alert and notification procedures. All monitor alarms for monitored devices can be viewed from the TierPoint web portal, allowing customers to identify usage trends, diagnose bottlenecks, and plan for long-term systems changes and upgrades. All incident reports are documented within the enterprise incident management systems and incident status reports are available to customers through the TierPoint web portal.

Network Vulnerability Management

Network vulnerability scans are conducted in accordance with TierPoint’s network security audit policy on management infrastructure to verify that only required network ports are in use, that patching is up to date, and to identify vulnerabilities. External and internal IP scanning is conducted on at least a semi-annual basis. Vulnerabilities are categorized, reported, and tracked for remediation. Updates to systems, including code or patch updates, are managed through the change management process. TierPoint does not scan the customer-assigned IP space. All customers are provisioned with dedicated IP space behind a firewall, which marks the TierPoint security boundary. Customers may scan their own IP space and are requested to notify the TierPoint ISO for verification of the appropriate IP subnets. Scanning outside of the assigned subnets is prohibited and is a violation of the master service agreement (MSA).

Network Security
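The two rules in the paragraph above, scan only the management infrastructure and never the customer-assigned space, and verify that only required ports are in use, are the kind of thing that should be enforced before and after every scan rather than by convention. The following is an added example of both checks; it is not from the report and not TierPoint's tooling. The subnets (RFC 5737 and RFC 1918 addresses), the per-host port baseline and the scan lines are constructed for illustration, the scan lines follow nmap's grepable (-oG) layout, and the severity labels are this example's own policy, not the report's categorization scheme.

```python
import ipaddress

# Constructed scope definitions (hypothetical addresses, not TierPoint's).
MANAGEMENT_SCOPE = [ipaddress.ip_network(n) for n in ("10.250.0.0/24", "198.51.100.0/26")]
CUSTOMER_SCOPE = [ipaddress.ip_network(n) for n in ("198.51.100.64/26", "203.0.113.0/24")]

# Required (approved) listening ports per management host; anything else is a finding.
PORT_BASELINE = {
    "10.250.0.10": {22, 443},   # backup / monitoring management node
    "10.250.0.20": {22, 161},   # network device management address (SSH, SNMP)
    "198.51.100.5": {443},      # external management portal
}

# Constructed scan output in nmap -oG layout; not real scan data.
SCAN_OUTPUT = """\
Host: 10.250.0.10 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 10.250.0.20 ()  Ports: 22/open/tcp//ssh///, 161/open/udp//snmp///, 23/open/tcp//telnet///
Host: 198.51.100.5 ()  Ports: 443/open/tcp//https///
Host: 198.51.100.70 ()  Ports: 80/open/tcp//http///
"""

# Services that carry credentials in the clear; an unapproved one of these is rated high.
CLEARTEXT_ADMIN = {"telnet", "ftp", "rlogin", "rsh"}


def classify_target(ip):
    """Return 'customer', 'management' or 'unknown' for an address. Customer
    space is tested first so an overlap can never be mistaken for management."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in CUSTOMER_SCOPE):
        return "customer"
    if any(addr in n for n in MANAGEMENT_SCOPE):
        return "management"
    return "unknown"


def approve_targets(targets):
    """Split a proposed target list into (approved, rejected) before scanning.
    Only management infrastructure is approved; customer and unknown space is refused."""
    approved, rejected = [], []
    for t in targets:
        (approved if classify_target(t) == "management" else rejected).append(t)
    return approved, rejected


def parse_grepable(text):
    """Parse nmap -oG 'Host:' lines into {host: {(port, proto, service), ...}} for open ports."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        head, ports = line.split("Ports:", 1)
        host = head.split()[1]
        open_ports = set()
        for entry in ports.split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(fields) >= 5 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2], fields[4]))
        results[host] = open_ports
    return results


def port_findings(results, baseline=PORT_BASELINE):
    """Compare open ports with the baseline. Returns (host, port, proto, finding, severity)."""
    findings = []
    for host, open_ports in sorted(results.items()):
        if classify_target(host) != "management":
            # A result for a non-management host means scope control failed; that is
            # a process finding regardless of what the scan saw.
            findings.append((host, None, None, "out_of_scope_host", "process"))
            continue
        allowed = baseline.get(host, set())
        for port, proto, service in sorted(open_ports):
            if port not in allowed:
                sev = "high" if service in CLEARTEXT_ADMIN else "medium"
                findings.append((host, port, proto, "unapproved_port:" + service, sev))
    return findings


if __name__ == "__main__":
    print(approve_targets(["10.250.0.10", "198.51.100.70", "192.0.2.9"]))
    for f in port_findings(parse_grepable(SCAN_OUTPUT)):
        print(f)
```

Two design points: the customer scope is tested before the management scope so a mis-typed overlapping prefix fails closed, and a host that appears in the results but is outside management scope is reported as a process failure even when its ports are unremarkable, because the point of that finding is that the scan reached space the policy (and the MSA) says it must not.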

Firewall systems are in place to handle data flow between external parties and the TierPoint network. External traffic originating from the Internet is required to pass through a firewall system to communicate with production servers. No connections originating from the Internet pass directly through to the internal management network. The firewall systems are configured to log all modifications, including malicious activity, to the firewall system software. Logs are available for ad hoc review by security personnel. IDSs and manual reviews are utilized to monitor and analyze the in-scope systems for possible or actual security breaches. The IDSs are configured to alert IT personnel via e-mail notifications when certain defined thresholds have been reached. To protect data while in transit, web servers utilize transport layer security (TLS) encryption for web communication sessions. Further, encrypted VPNs are required for remote access, for the security and integrity of the data passing over the public network.

Network Availability

Network bandwidth and peak utilization are monitored and tracked by EOC personnel to allow for projected growth curves and to help ensure compliance with corporate standards for maximum network utilization. TierPoint has designed its network infrastructure using industry best practices. The network architecture is comprised of three distinct layers: (1) an edge layer provides connectivity to geographically diverse internet backbone provider connections; (2) a core layer allows interconnectivity of all TierPoint’s facilities and resources; and (3) a distribution layer provides connectivity for customer cabinets and cages. At the edge layer, TierPoint uses many different upstream service providers and relies upon the Border Gateway Protocol (BGP) to select the optimal routes from customer networks to the destination of the traffic leaving those networks, and vice versa. This connectivity is designed such that if connectivity is lost to any single upstream service provider, traffic can automatically be rerouted to different providers so that minimal, if any, impact is experienced.


The core layer is powered by routing and switching platforms. This layer is responsible for providing connectivity between the various data center facilities and for providing connectivity between the border and distribution layers within the network. The distribution layer is powered by various classes of switching platforms. This is the closest layer to the customer infrastructure and, as such, is responsible for providing connectivity between TierPoint customers’ environments and the TierPoint core / border layers. Customer implementations are connected to TierPoint’s distribution layer network with one or more uplinks (as contracted) to provide diversity and redundancy. All layers provide redundancy via multiple platforms, providing physical redundancy at the hardware layer. Incremental redundancy is provided via multiple gigabit connections to Tier 1 internet backbone providers. Bandwidth in all facilities is accessible from any one facility because the core network design provides interconnectivity of all network and data center resources. Load balancing is available as a contracted service to enhance redundancy and distribute volume, if required. Access control technologies, such as demilitarized zones (DMZ), encryption techniques, internal firewalls, VPNs, and Virtual Local Area Networks (VLAN), along with unique user account verification, access lists, and passwords, restrict unauthorized access to customer hosts and data.

Capacity (Availability) Management

TierPoint monitors the capacity utilization of physical and computing infrastructure for both internal and customers to help ensure that service delivery matches service level agreements (SLA). TierPoint evaluates the need for additional infrastructure capacity in response to growth of existing customers and / or the addition of new customers. Infrastructure capacity monitoring includes, but is not limited to, the following infrastructure:

• Data center space, power and cooling

• Disk storage

• Tape storage

• Network bandwidth

• Cloud environment

EOC personnel are on call 24 hours per day for server and network performance monitoring. Enterprise monitoring systems are utilized to proactively and reactively monitor individual system health. The enterprise monitoring systems are configured to monitor customer network connections for availability and operating functionality via SNMP or TCP system health checks. The enterprise monitoring systems are configured to send alert notifications to EOC personnel when predefined metrics are exceeded on monitored network devices. Documented incident management policies and procedures are in place to guide EOC personnel in responding to customer inquiries and incidents. Customer notification and communication occurs following defined standards. Customers are required to be notified via telephone and / or e-mail during the initial response window of 0-15 minutes. If TierPoint EOC personnel are unable to reach the designated customer contact, TierPoint EOC personnel escalate the incident according to instructions outlined in the predetermined escalation procedures. EOC personnel monitor user entity inquiries and incidents on a 24 hour per day basis. Enterprise incident management systems are utilized to track incidents from initiation through resolution. Customer contact lists are available to customers and support personnel in order to provide a vehicle for authorization and escalation if applicable.

Data

Customers can manage and monitor their services, submit new requests, and view the status of open requests by logging into the TierPoint web portal. Data available to customer users is based on the supporting applications that feed into the TierPoint web portal.


Internal data is captured, which is utilized by TierPoint in delivering its Data Center Services. Such data includes, but is not limited to, the following:

• Alert notifications and monitoring reports generated from the commercial monitoring applications, including device / server monitoring applications and the BMS

• Alert notifications received from automated backup systems

• Vulnerability or security alerts received from various sources including security subscriptions, scanning tools, IDS alerts, or automated patching systems

• Incident / issue reports documented via the ticketing systems

Significant Changes During the Review Period

No relevant changes to the Data Center Services system occurred during the review period.

Subservice Organizations

No subservice organizations were included in the scope of this assessment. Therefore, the description does not address the criteria in Section 2, items (a)(i)(4), (a)(i)(5)(b) and (a)(i)(6).

CONTROL ENVIRONMENT

The control environment sets the tone of an organization, influencing the control consciousness of its employees. It is the foundation for other components of internal control, providing discipline and structure.

Integrity and Ethical Values

The effectiveness of controls is greatly influenced by the level of integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of TierPoint’s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of TierPoint’s ethical and behavioral standards, how they are communicated, and how they are reinforced in daily practice. These standards include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements, shared values, and by personal example. Specific control activities that TierPoint has implemented in this area are described below.

• The employee handbook contains organizational policy statements, codes of conduct, and benefits and practices to which all employees are required to adhere.

• Codes of conduct, organizational policy statements, and disciplinary policies are documented and communicate entity values and behavioral standards to personnel.

• Policies and procedures require that new employees sign an employee handbook acknowledgment form indicating that they have been given access to it, and understand their responsibility for adhering to the standards, policies, and procedures contained within the handbook. The signed form is kept in the employee personnel file.

• Employees must sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including customer information, to unauthorized parties.


• Comprehensive background checks are performed by an independent third party for all employees as a component of the hiring process. These background checks include, but are not limited to, a national criminal database check. The reports are maintained by TierPoint’s third party HR services provider.

• Management personnel routinely perform reference and employment checks on all candidates being considered for positions within TierPoint.

• Periodic meetings with staff are conducted whereby the core values and mission of TierPoint are discussed as well as ways to reinforce and improve the components of TierPoint’s related core functions.

Board of Investors and Executive Committee Oversight

TierPoint’s control consciousness is influenced significantly by its board, executive committee, and external auditors. Attributes include the degree to which difficult questions are raised and pursued with management, and its interaction with external auditors. Specific control activities that TierPoint has implemented in this area are described below.

• An executive committee is in place to oversee management activities and company operations.

• The executive committee holds quarterly management meetings to discuss management activities, operational issues, and forward looking objectives.

• The executive committee communicates state of operations and company strategy to the board during formal board meetings.

• An external audit is performed on an annual basis to monitor financial statement reporting practices and management’s compliance with the entity’s objectives.

Organizational Structure and Assignment of Authority and Responsibility

TierPoint’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. TierPoint’s management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. TierPoint has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities. TierPoint’s assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. Specific control activities that TierPoint has implemented in this area are described below.

• Organizational charts are in place to communicate key areas of authority, responsibility, and appropriate lines of reporting to personnel. These charts are kept on a public folder accessible to all employees, and are updated as needed.

• TierPoint’s operating goals and objectives are communicated to the entire organization during regular staff meetings, employee performance reviews, and other written communications.

• TierPoint has established a segregation of duties, which is based upon changes and recommendations from management and, at times, independent consultants.


Commitment to Competence

TierPoint’s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees’ roles and responsibilities. TierPoint’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge. Specific control activities that TierPoint has implemented in this area are described below.

• Management has considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements for most positions.

• Management encourages ongoing training and development to maintain and enhance the skill level of personnel.

• Employees undergo a performance review annually. During these reviews, management reinforces and updates professional development plans for each employee.

• Each new employee undergoes an initial review to evaluate performance. For employees with sub-standard performance, a performance plan form is completed, documenting the results of the performance review competency assessment and an action plan. The action plan may include a training program to address any deficiencies or to improve knowledge and skills necessary for advancement.

Accountability

TierPoint’s management philosophy and operating style encompasses a broad range of characteristics. Such characteristics include management’s approach to taking and monitoring business risks and management’s attitudes toward the colocation, managed security, and cloud computing services, information processing, accounting functions, and personnel. Management is periodically briefed on regulatory and industry changes affecting services provided. Management meetings are held on a periodic basis to discuss and monitor operational issues. Specific control activities that TierPoint has implemented in this area are described below.

• Management regularly attends trade shows and conferences, and subscribes to industry and regulatory publications to stay current on any regulatory compliance or operational trends affecting the services provided.

• Management meetings are held on a regular basis and as needed to discuss operational and customer related issues.

• Management is involved in the operational planning and budgeting process.

• Management is involved in the HR planning and hiring process.

TierPoint’s HR policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities. Specific control activities that TierPoint has implemented in this area are described below.

• TierPoint’s management has established an employee handbook that guides the hiring process to help ensure that specific elements of the hiring process are consistently executed.

• The employee handbook has been developed to communicate HR policies and practices to TierPoint personnel.

• Comprehensive background checks are performed by an independent third party for all employees as a component of the hiring process.

• Management personnel routinely perform reference and employment checks on all candidates being considered for positions within TierPoint.


• Management conducts performance evaluations and career development discussions with each employee on an annual basis.

RISK ASSESSMENT

Risk Identification

TierPoint’s risk assessment process is directed by the ISO. TierPoint has implemented and maintains a security program consisting of a security policy and a risk assessment process for safeguarding information assets and systems. The corporate security policy identifies the physical, technical, and administrative controls used by TierPoint to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle information assets and systems. The risk assessment program considers, and mitigates as appropriate, information security risks or vulnerabilities within critical company operations. TierPoint establishes objectives so that management can identify potential events affecting their achievement. TierPoint has placed into operation a risk management process to help ensure that the chosen control activities support and align with the organization’s mission and are consistent with its risk framework. Objective setting enables management to identify measurement criteria for performance, with a focus on success factors. Broad objectives that TierPoint has established in this area are described below.

• Strategic Objectives – these pertain to the high level organizational goals and the alignment of those goals to support the overall mission

• Operations Objectives – these pertain to effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding of resources against loss

• Reporting Objectives – these pertain to the preparation of reliable reporting

• Compliance Objectives – these pertain to adherence to laws and regulations to which the entity is subject

As a part of the risk assessment process, TierPoint performs annual risk assessments to determine the minimum set of controls required to reduce and maintain risk at an acceptable level. Additional evaluations are completed when significant changes occur that potentially introduce risk.

Risk Factors

Management considers risks that can arise from both external and internal factors, including the following:

External Factors

• Technological developments

• Changing customer needs or expectations

• Competition that could alter marketing or service activities

• New legislation and regulation that could force changes in policies and strategies

• Changes of accounting pronouncements

• Estimations used in financial reporting

• Complexity of financial reporting

• Natural catastrophes that could lead to changes in operations or information systems

• Economic changes that could have an impact on management decisions


Internal Factors

• Significant changes in policies, processes, or personnel

• Acquisition and integration activities

• Types of fraud

• Fraud incentives and pressures for employees

• Fraud opportunities

• Employee attitudes and rationalizations for fraud

• A disruption in information systems processing

• The quality of personnel hired and methods of training utilized

• Changes in operating environment

• Changes in management responsibilities

Risk Analysis

Management is responsible for identifying the risks that threaten achievement of the control activities stated in management’s description of the services and systems. Management has implemented a process for identifying relevant risks. This process includes estimating the significance of identified risks, assessing the likelihood of their occurrence, and deciding on actions to address them.

TRUST SERVICES CRITERIA AND RELATED CONTROL ACTIVITIES

Integration with Risk Assessment

Along with assessing risks, management has identified and put into effect actions needed to address those risks. In order to address risks, control activities have been placed into operation to help ensure that the actions are carried out properly and efficiently. Control activities serve as mechanisms for managing the achievement of the security and availability principles.

Selection and Development of Control Activities

The applicable trust criteria and related control activities are included in Section 4 of this report to eliminate the redundancy that would result from listing the items in this section and repeating them in Section 4. Although the applicable trust criteria and related control activities are included in Section 4, they are, nevertheless, an integral part of TierPoint’s description of the system. The description of the service auditor’s tests of operating effectiveness and the results of those tests are also presented in Section 4, the Testing Matrices, adjacent to the service organization’s description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.

Trust Services Criteria Not Applicable to the In-Scope System

All criteria within the security and availability principles are applicable to the Data Center Services. Therefore, the description does not address the (a)(i)(7) criteria in Section 2.


INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

Management has implemented mechanisms to track financial and operational data to make strategic decisions and help ensure financial, operational, and compliance objectives are consistently achieved. Information gathered from its network, data center facilities, customer service interactions, and financial systems enables the company to understand business trends, maximize value, and provide customers excellent service.

Communication Systems

Management is involved with day-to-day operations and provides personnel with an understanding of their individual roles and responsibilities and the relation of individual functions to the overall support of services. TierPoint’s management believes that open communication throughout the organization helps ensure that deviations from standards are identified, reported, and appropriately addressed. TierPoint’s organizational structure helps facilitate communication flow by grouping service offerings. Each individual group has a preferred method of communication (e.g., sales portals, bulletins, etc.). Company-wide communications are facilitated using e-mails, the intranet, and portals. The structure facilitates the flow of information upstream, downstream, and across all business activities. Corporate communications is responsible for providing employees information that is pertinent to their jobs, including company news, product information, technological developments, training opportunities, and general business information. The primary instrument for communicating with employees is TierPoint’s intranet. Corporate communications’ responsibility for external communications includes releasing information or company news to the public, including quarterly and annual earnings announcements, compiling the annual report, and preparing and coordinating executive and local management interviews with media outlets. TierPoint periodically may retain public relations firms to assist the company with certain announcements.

MONITORING

Monitoring of the internal control system is a process that assesses the quality of the internal control system’s performance over time. This is primarily accomplished by ongoing monitoring activities conducted by management. Ongoing monitoring occurs during operations and includes regular management and supervisory activities, and other actions personnel take in performing their duties. Examples of TierPoint’s ongoing monitoring activities are described below.

• In carrying out its regular management activities, operating management obtains evidence that the system of internal control continues to function.

• Communications from external parties and customers corroborate internally generated information or indicate problems.

• Organization structure and supervisory activities provide oversight of control functions and identification of deficiencies.

• Training, planning sessions, and other meetings provide important feedback to management on whether controls are effective.

• Management conducts annual employee reviews to evaluate performance and determine future training needs.


Management is proactive in monitoring and responding to customer complaints. Customer complaints and other issues are handled immediately via designated personnel assigned to each customer. Major customer-facing issues are immediately reported to management for discussion and action.

Internal Auditing

Internal audits on internal controls are performed on an annual basis, with quarterly follow-ups with management on any previously identified audit findings. This process helps ensure management is proactively managing identified risks. Often evaluations take the form of self-assessments, where persons responsible for a particular unit or function determine the effectiveness of controls for their activities. Management considers these assessments, along with any other internal control evaluations. The findings of these efforts are utilized to ensure follow-up actions are taken and subsequent evaluations are modified as necessary.

External Auditing

TierPoint supports many user entities in their efforts to meet the regulatory demands of their industry or governing agency. TierPoint has assisted user entities in successfully meeting the requirements of many certifications and regulatory demands, including PCI DSS, SSAE No. 16, SOC 2, HIPAA, NIST 800-53, LEED, NERC, and GLBA.

Incident Management

The TierPoint EOCs located at the MRL, RAL, SLO, and VFO data center facilities and the supporting local data center operations teams provide immediate, proactive first-level monitoring and escalation for issues related to system availability. All alerts, customer-submitted tickets, and customer-updated tickets are responded to and escalated within 15 minutes (in accordance with the SLA). The EOC maintains and provides a comprehensive standard operating procedure (SOP) guide, which details methods and procedures used by all personnel for each aspect of their interaction with respect to the data center facility. Details provided within the SOP address the following:

• Responding to customer requests and validation of such requests

• Procedures on documenting issues and requests

• Emergency response procedures

• Procedures for escalation of issues

• Understanding of systems used to track and monitor the integrity of the data center facility

TierPoint utilizes automated monitoring platforms that perform active checks on a pre-configured list of network segments, hosts, devices, and services, and that include robust functionality for resolving identified incidents. Monitored attributes include availability of the network, host services and ports, IP packet transmission and loss, bandwidth utilization and performance, CPU and hard disk utilization, temperature and cooling systems, and power supply and redundancy. Proactive monitoring for changes in the environment outside of normal operating conditions helps prevent incidents that could lead to a service outage or impairment for a user organization because operational personnel were not aware of the change in time to respond. TierPoint utilizes enterprise incident management systems for tracking incidents from initiation through resolution. Defined incident guidelines are in place to prioritize incidents by severity to facilitate timely resolution of identified issues. The enterprise incident management systems provide the ability to perform event correlation to identify repeated incidents and help ensure long-term resolution of issues. Incident status reports based on input into the enterprise incident management systems are made available to customers through TierPoint’s online portal, allowing customers immediate access to updates relevant to issues specific to a user organization. TierPoint’s enterprise incident management systems also provide the functionality for the end user to report a trouble through the online portal. The EOCs validate customer inquiries and requests against a pre-approved customer contact list. EOCs will only support those members on the authorized access list documented for the customer’s company and will not accept calls, provide troubleshooting assistance, or interface, in any manner, with parties other than the customer, regardless of whether such parties have purchased services from the customer. It is the customer’s responsibility to update or verify any changes in the authorized access list. Customer requests are prioritized by EOC management in accordance with documented severity classification procedures, based on severity and customer impact significance. Managed services operations consist of multiple teams with separate roles. Managed services operations provide technical support to TierPoint customers and consist of support engineers, systems engineers, team leaders, and managers. Support engineers initiate the problem response and identify, describe, prioritize, and work to immediately provide resolution. If issue escalation is required, they direct issues to the systems engineering team that can provide resolution. Systems engineers receive and resolve issues regarding software, networks, and devices, including internal issues around their specific technology specialties.

Issues can be routed to facility employees for infrastructure maintenance resolution. The final receiver of the incident ticket closes the ticket upon resolution.

Evaluating and Communicating Deficiencies

Deficiencies in management’s internal control system surface from many sources, including TierPoint’s ongoing monitoring procedures, separate evaluations of the internal control system, and external parties. Management has developed protocols to help ensure findings of internal control deficiencies are reported not only to the individual responsible for the function or activity involved, who is in the position to take corrective action, but also to at least one level of management above the directly responsible individual. This process enables responsible individuals to provide needed support or oversight for taking corrective action and to communicate with others in the organization whose activities may be affected. Management evaluates the specific facts and circumstances related to deficiencies in internal control procedures and makes the decision for addressing deficiencies based on whether the incident was isolated or requires a change in TierPoint’s procedures or personnel.
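The EOC handling described in the Incident Management subsection above (the 15-minute response and escalation target, prioritization by severity, validation of requesters against the customer’s authorized contact list, and correlation of repeated incidents) is the kind of control a reviewer re-performs over a ticket export rather than by inquiry alone. The script below is an added example written for this page; it is not TierPoint’s tooling or any system described in the report. The export format, field names, customer contact lists, severity scale, the three-alerts-in-seven-days repeat threshold and the review timestamp are all assumptions, and the ticket records are constructed inline.

```python
"""Added example (not TierPoint's code): re-performing the EOC ticket-handling
checks described above over a constructed ticket export.  Export format, contact
lists, severity scale, repeat thresholds and review time are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

RESPONSE_SLA = timedelta(minutes=15)   # response/escalation target stated in the report
REPEAT_THRESHOLD = 3                   # assumed: this many alerts on one asset ...
REPEAT_WINDOW = timedelta(days=7)      # ... within this window count as a repeated incident
REVIEW_TIME = datetime(2017, 3, 6)     # assumed time the export was pulled


@dataclass
class Ticket:
    ticket_id: str
    customer: str
    requester: str                      # person or system that opened/updated the ticket
    opened: datetime
    first_response: Optional[datetime]  # None = still unanswered
    severity: int                       # 1 = most severe (assumed scale)
    asset: str                          # host or service the ticket concerns
    source: str                         # "alert" (monitoring) or "customer" (portal/phone)


# Assumed pre-approved contact list per customer, maintained by the customer.
AUTHORIZED_CONTACTS: Dict[str, Set[str]] = {
    "acme": {"ops@acme.example", "noc@acme.example"},
    "globex": {"it@globex.example"},
}

# Constructed export: id | customer | requester | opened | first response | sev | asset | source
SAMPLE_EXPORT = """
T-1001 | acme   | monitor@tierpoint.example | 2017-03-01T08:00:00 | 2017-03-01T08:07:00 | 2 | web01.acme  | alert
T-1002 | acme   | ops@acme.example          | 2017-03-01T09:00:00 | 2017-03-01T09:20:00 | 3 | db01.acme   | customer
T-1003 | acme   | contractor@other.example  | 2017-03-01T10:00:00 | 2017-03-01T10:05:00 | 1 | db01.acme   | customer
T-1004 | acme   | monitor@tierpoint.example | 2017-03-03T02:00:00 | 2017-03-03T02:04:00 | 2 | web01.acme  | alert
T-1005 | globex | monitor@tierpoint.example | 2017-03-04T12:00:00 | -                   | 1 | fw01.globex | alert
T-1006 | acme   | monitor@tierpoint.example | 2017-03-05T17:30:00 | 2017-03-05T17:31:00 | 2 | web01.acme  | alert
"""


def parse_export(text: str) -> List[Ticket]:
    """Parse the pipe-delimited export into Ticket records."""
    tickets = []
    for line in text.strip().splitlines():
        f = [x.strip() for x in line.split("|")]
        tickets.append(Ticket(
            ticket_id=f[0], customer=f[1], requester=f[2],
            opened=datetime.fromisoformat(f[3]),
            first_response=None if f[4] == "-" else datetime.fromisoformat(f[4]),
            severity=int(f[5]), asset=f[6], source=f[7]))
    return tickets


def sla_breaches(tickets: List[Ticket], now: datetime, sla=RESPONSE_SLA) -> List[str]:
    """Tickets not responded to within the SLA; unanswered ones are measured against now."""
    return [t.ticket_id for t in tickets if (t.first_response or now) - t.opened > sla]


def unauthorized_requests(tickets: List[Ticket], contacts=AUTHORIZED_CONTACTS) -> List[str]:
    """Customer-originated requests whose requester is not on that customer's list."""
    return [t.ticket_id for t in tickets
            if t.source == "customer" and t.requester not in contacts.get(t.customer, set())]


def repeated_incidents(tickets: List[Ticket], threshold=REPEAT_THRESHOLD,
                       window=REPEAT_WINDOW) -> Dict[str, int]:
    """Event correlation: assets with >= threshold alert tickets inside one sliding window.
    Returns {asset: most alerts seen in any window} for assets crossing the threshold."""
    by_asset = defaultdict(list)
    for t in tickets:
        if t.source == "alert":
            by_asset[t.asset].append(t.opened)
    chronic = {}
    for asset, times in by_asset.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for x in times[i:] if x - start <= window))
        if best >= threshold:
            chronic[asset] = best
    return chronic


def triage_order(tickets: List[Ticket]) -> List[str]:
    """Work queue: highest severity first, oldest first within a severity."""
    return [t.ticket_id for t in sorted(tickets, key=lambda t: (t.severity, t.opened))]


if __name__ == "__main__":
    ts = parse_export(SAMPLE_EXPORT)
    print("Response SLA breaches:", sla_breaches(ts, REVIEW_TIME))
    print("Requests from unauthorized contacts:", unauthorized_requests(ts))
    print("Repeated incidents:", repeated_incidents(ts))
    print("Triage order:", triage_order(ts))
```

On the constructed data the script flags T-1002 (responded after 20 minutes) and T-1005 (still unanswered at the review time) as SLA breaches, T-1003 as a request from a contact not on acme’s authorized list, and web01.acme as a repeated incident (three alerts inside a week). A reviewer would run the same checks against the full system-generated ticket population rather than a sample, since the population is available and completeness is what the 15-minute assertion depends on.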

COMPLEMENTARY CONTROLS AT USER ENTITIES Complementary user entity controls are not required, or significant, to achieve the applicable trust services criteria. Therefore, the description does not address the (a)(i)(5)(a) criteria in Section 2.


SECTION 4

TESTING MATRICES


TESTS OF OPERATING EFFECTIVENESS AND RESULTS OF TESTS

Scope of Testing

This report on the controls relates to the Data Center Services system provided by TierPoint. The scope of the testing was restricted to the Data Center Services system and its boundaries as defined in Section 3. Schellman conducted the examination testing over the period November 1, 2016, to October 31, 2017.

Tests of Operating Effectiveness

The tests applied to test the operating effectiveness of controls are listed alongside each of the respective control activities within the Testing Matrices. Such tests were considered necessary to evaluate whether the controls were sufficient to provide reasonable, but not absolute, assurance that the applicable trust services criteria were achieved during the review period. In selecting the tests of controls, Schellman considered various factors including, but not limited to, the following:

• The nature of the control and the frequency with which it operates;

• The control risk mitigated by the control;

• The effectiveness of entity-level controls, especially controls that monitor other controls;

• The degree to which the control relies on the effectiveness of other controls; and

• Whether the control is manually performed or automated.

The types of tests performed with respect to the operational effectiveness of the control activities detailed in this section are briefly described below:

Test Approach – Description

Inquiry – Inquired of relevant personnel with the requisite knowledge and experience regarding the performance and application of the related control activity. This included in-person interviews, telephone calls, e-mails, web-based conferences, or a combination of the preceding.

Observation – Observed the relevant processes or procedures during fieldwork. This included, but was not limited to, witnessing the performance of controls or evidence of control performance with relevant personnel, systems, or locations relevant to the performance of control policies and procedures.

Inspection – Inspected the relevant audit records. This included, but was not limited to, documents, system configurations and settings, or the existence of sampling attributes, such as signatures, approvals, or logged events. In some cases, inspection testing involved tracing events forward to consequent system documentation or processes (e.g., resolution, detailed documentation, alarms, etc.) or vouching backwards for prerequisite events (e.g., approvals, authorizations, etc.).

Sampling

Consistent with American Institute of Certified Public Accountants (AICPA) authoritative literature, Schellman utilizes professional judgment to consider the tolerable deviation rate, the expected deviation rate, the audit risk, the characteristics of the population, and other factors, in order to determine the number of items to be selected in a sample for a particular test. Schellman, in accordance with AICPA authoritative literature, selected samples in such a way that the samples were expected to be representative of the population. This included judgmental selection methods, where applicable, to ensure representative samples were obtained.


System-generated population listings were obtained whenever possible to ensure completeness prior to selecting samples. In some instances, full populations were tested, in cases including but not limited to the uniqueness of the event or low overall population size.

Test Results

The results of each test applied are listed alongside each respective test applied within the Testing Matrices. Test results not deemed as control deviations are noted by the phrase “No exceptions noted.” in the test result column of the Testing Matrices. Any phrase other than the aforementioned constitutes either a test result that is the result of non-occurrence, a change in the application of the control activity, or a deficiency in the operating effectiveness of the control activity. Testing deviations identified within the Testing Matrices are not necessarily weaknesses in the total system of controls, as this determination can only be made after consideration of controls in place at user entities and subservice organizations, if applicable, and other factors.

SECURITY PRINCIPLE AND CRITERIA TABLE

Control # | Control Activity Specified by the Service Organization | Test Applied by the Service Auditor | Test Results

CC1.0: Common Criteria Related to Organization and Management

CC1.1: The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security and availability.

CC1.1.1 Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees via a centralized repository and updated as needed.

Inquired of the senior director of compliance regarding organizational management to determine that organizational charts were in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system and that the organizational charts were communicated to employees via a centralized repository and updated as needed.

No exceptions noted.

Inspected the company organizational charts to determine that organizational charts were in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system.

No exceptions noted.


Inspected the organizational charts within the company intranet to determine that organizational charts were communicated to employees via a centralized repository.

No exceptions noted.

CC1.1.2 Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for job functions within TierPoint’s organization.

Inspected the documented position descriptions for a sample of employment positions to determine that documented position descriptions were in place to define the skills, responsibilities, and knowledge levels required for job functions within TierPoint’s organization for each employment position sampled.

No exceptions noted.

CC1.2: Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity’s system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity’s commitments and system requirements as they relate to security and availability.

CC1.2.1 Organizational charts are in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system. These charts are communicated to employees via a centralized repository and updated as needed.

Inquired of the senior director of compliance regarding organizational management to determine that organizational charts were in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system and that the organizational charts were communicated to employees via a centralized repository and updated as needed.

No exceptions noted.

Inspected the company organizational charts to determine that organizational charts were in place to communicate the defined key areas of authority, responsibility and lines of reporting to personnel related to the design, development, implementation, operation, maintenance, and monitoring of the system.

No exceptions noted.

Inspected the organizational charts within the company intranet to determine that organizational charts were communicated to employees via a centralized repository.

No exceptions noted.


CC1.2.2 Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for job functions within TierPoint’s organization.

Inspected the documented position descriptions for a sample of employment positions to determine that documented position descriptions were in place to define the skills, responsibilities, and knowledge levels required for job functions within TierPoint’s organization for each employment position sampled.

No exceptions noted.

CC1.3: The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security or availability, and provides resources necessary for personnel to fulfill their responsibilities.

CC1.3.1 Documented position descriptions are in place to define the skills, responsibilities, and knowledge levels required for job functions within TierPoint’s organization.

Inspected the documented position descriptions for a sample of employment positions to determine that documented position descriptions were in place to define the skills, responsibilities, and knowledge levels required for job functions within TierPoint’s organization for each employment position sampled.

No exceptions noted.

CC1.3.2 New employee hiring procedures are in place to guide the hiring process and include verification that candidates possess the required qualifications to perform the duties as outlined in the job description.

Inspected the new employee hiring policies and procedures to determine that new employee hiring procedures were in place to guide the hiring process and included verification that candidates possessed the required qualifications to perform the duties as outlined in the job description.

No exceptions noted.

CC1.3.3 Employees are required to complete security awareness training at the time of hire and on an annual basis thereafter to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

Inquired of the senior director of compliance regarding security awareness training to determine that employees were required to complete security awareness training at the time of hire and on an annual basis thereafter to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

No exceptions noted.

Inspected the training program materials and evidence of security awareness training completion for a sample of employees hired during the review period to determine that each employee sampled completed security awareness training at the time of hire.

No exceptions noted.


Inspected the training program materials and evidence of security awareness training completion for a sample of current employees to determine that each employee sampled completed security awareness training during the review period.

No exceptions noted.

CC1.3.4 Managers are required to complete employee performance evaluation reviews on an annual basis to review performance in alignment with the organization's core values.

Inquired of the senior director of compliance regarding employee performance evaluation reviews to determine that managers were required to complete employee performance evaluation reviews on an annual basis to review performance in alignment with the organization's core values.

No exceptions noted.

Inspected the performance evaluation reviews for a sample of current employees to determine that managers completed employee performance evaluation reviews for each employee sampled during the review period.

No exceptions noted.

CC1.4: The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security and availability.

CC1.4.1 New employee hiring procedures are in place to guide the hiring process and include verification that candidates possess the required qualifications to perform the duties as outlined in the job description.

Inspected the new employee hiring policies and procedures to determine that new employee hiring procedures were in place to guide the hiring process and included verification that candidates possessed the required qualifications to perform the duties as outlined in the job description.

No exceptions noted.

CC1.4.2 An employee handbook is in place and contains organizational policy statements, codes of conduct, and benefits and practices to which all employees are required to adhere.

Inquired of the senior director of compliance regarding the employee handbook to determine that an employee handbook was in place and contained organizational policy statements, codes of conduct, and benefits and practices to which all employees were required to adhere.

No exceptions noted.

Inspected the TierPoint employee handbook to determine that an employee handbook was in place and contained organizational policy statements, codes of conduct, and benefits and practices.

No exceptions noted.

CC1.4.3 Codes of conduct, organizational policy statements, and disciplinary policies are documented and communicate entity values and behavioral standards to personnel.

Inspected the TierPoint corporate information security policy and employee handbook to determine that codes of conduct, organizational policy statements, and disciplinary policies were documented and communicated entity values and behavioral standards to personnel.

No exceptions noted.

CC1.4.4 Policies and procedures require that new employees sign an employee handbook acknowledgment form indicating that they have been given access to it and understand their responsibility for adhering to the standards, policies and procedures contained within the handbook. The signed employee handbook acknowledgment form is kept in the employee personnel file.

Inquired of the senior director of compliance regarding the new employee onboarding procedures to determine that policies and procedures required that new employees signed an employee handbook acknowledgment form indicating that they had been given access to it and understood their responsibility for adhering to the standards, policies, and procedures contained within the handbook, and that the signed employee handbook acknowledgment form was kept in the employee personnel file.

No exceptions noted.

Inspected the TierPoint employee handbook and the employee handbook acknowledgment forms for a sample of employees hired during the review period to determine that policies and procedures required that new employees signed an employee handbook acknowledgment form and that each employee sampled signed the employee handbook acknowledgment form.

No exceptions noted.

CC1.4.5 Employees are required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

Inquired of the senior director of compliance regarding the new employee onboarding procedures to determine that employees were required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

No exceptions noted.

Inspected the signed confidentiality and non-disclosure agreements for a sample of employees hired during the review period to determine that each employee sampled signed a confidentiality and non-disclosure agreement.

No exceptions noted.

CC1.4.6 Comprehensive background checks are performed by an independent third party for all employees as a component of the hiring process. The background checks include, but are not limited to, a national criminal database check.

Inquired of the senior director of compliance regarding the new employee onboarding procedures to determine that comprehensive background checks were performed by an independent third party for all employees as a component of the hiring process and that the background checks included a national criminal database check.

No exceptions noted.

Inspected evidence of the comprehensive background checks for a sample of employees hired during the review period to determine that comprehensive background checks were completed by an independent third party for each employee sampled.

No exceptions noted.

CC1.4.7 TierPoint makes available to all employees a mechanism to submit reports relating to violations stated in the code of business conduct and ethics.

Inspected the internal support portal configurations to determine that TierPoint made available to all employees a mechanism to submit reports relating to violations stated in the code of business conduct and ethics.

No exceptions noted.

CC2.0: Common Criteria Related to Communications

CC2.1: Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.

CC2.1.1 A system description is documented that includes the services provided, data, people, software, infrastructure, procedures, control environment, risk assessment, monitoring, and information and communication systems. The system description is communicated to authorized internal and external users.

Inquired of the senior director of compliance regarding the system description to determine that a system description was documented that included the services provided, control environment, risk assessment, monitoring, and information and communication systems and that it was communicated to authorized internal and external users.

No exceptions noted.

Inspected the product description via the TierPoint external website and the internal system description to determine that a system description was documented that included the services provided, data, people, software, infrastructure, procedures, control environment, risk assessment, monitoring, and information and communication systems.

No exceptions noted.

CC2.1.2 A service level agreement is in place to define the system and its boundaries to customers.

Inspected an example customer contract and service level agreement to determine that a service level agreement was in place to define the system and its boundaries to customers.

No exceptions noted.

CC2.2: The entity's security and availability commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.

CC2.2.1 The entity's security and availability commitments and the associated system requirements are documented in customer service level agreements.

Inspected an example customer contract and service level agreement to determine that the entity's security and availability commitments and the associated system requirements were documented in customer service level agreements.

No exceptions noted.

CC2.2.2 Documented policies and procedures are in place to guide personnel in the entity’s security and availability commitments and the associated system requirements. The policies and procedures are communicated to internal personnel via a centralized repository.

Inspected the TierPoint corporate information security policy and the centralized repository for policies and procedures to determine that documented policies and procedures were in place to guide personnel in the entity’s security and availability commitments and the associated system requirements and that the policies and procedures were communicated to internal personnel via a centralized repository.

No exceptions noted.

CC2.2.3 Employees are required to complete security awareness training at time of hire and on an annual basis thereafter to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

Inquired of the senior director of compliance regarding security awareness training to determine that employees were required to complete security training on an annual basis to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

No exceptions noted.

Inspected the training program materials and evidence of security awareness training completion for a sample of current employees to determine that each employee sampled completed security awareness training during the review period.

No exceptions noted.

Inspected the training program materials and evidence of security awareness training completion for a sample of employees hired during the review period to determine that each employee sampled completed security awareness training at the time of hire.

No exceptions noted.

CC2.2.4 Employees are required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

Inquired of the senior director of compliance regarding the new employee onboarding procedures to determine that employees were required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

No exceptions noted.

Inspected the signed confidentiality and non-disclosure agreements for a sample of employees hired during the review period to determine that each employee sampled signed a confidentiality and non-disclosure agreement.

No exceptions noted.

CC2.3: The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.

CC2.3.1 The entity's security and availability commitments and the associated system requirements are documented in customer service level agreements.

Inspected an example customer contract and service level agreement to determine that the entity's security and availability commitments and the associated system requirements were documented in customer service level agreements.

No exceptions noted.

CC2.3.2 Documented policies and procedures are in place to guide personnel in the entity’s security and availability commitments and the associated system requirements. The policies and procedures are communicated to internal personnel via a centralized repository.

Inspected the TierPoint corporate information security policy and the centralized repository for policies and procedures to determine that documented policies and procedures were in place to guide personnel in the entity’s security and availability commitments and the associated system requirements and that the policies and procedures were communicated to internal personnel via a centralized repository.

No exceptions noted.

CC2.3.3 Employees are required to complete security awareness training at time of hire and on an annual basis thereafter to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

Inquired of the senior director of compliance regarding security awareness training to determine that employees were required to complete security training on an annual basis to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

No exceptions noted.

Inspected the training program materials and evidence of security awareness training completion for a sample of current employees to determine that each employee sampled completed security awareness training during the review period.

No exceptions noted.

Inspected the training program materials and evidence of security awareness training completion for a sample of employees hired during the review period to determine that each employee sampled completed security awareness training at the time of hire.

No exceptions noted.

CC2.3.4 Employees are required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

Inquired of the senior director of compliance regarding the new employee onboarding procedures to determine that employees were required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

No exceptions noted.

Inspected the signed confidentiality and non-disclosure agreements for a sample of employees hired during the review period to determine that each employee sampled signed a confidentiality and non-disclosure agreement.

No exceptions noted.

CC2.4: Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security and availability of the system, is provided to personnel to carry out their responsibilities.

CC2.4.1 Documented policies and procedures are in place to guide personnel in the entity’s security and availability commitments and the associated system requirements. The policies and procedures are communicated to internal personnel via a centralized repository.

Inspected the TierPoint corporate information security policy and the centralized repository for policies and procedures to determine that documented policies and procedures were in place to guide personnel in the entity’s security and availability commitments and the associated system requirements and that the policies and procedures were communicated to internal personnel via a centralized repository.

No exceptions noted.

CC2.4.2 Employees are required to complete security awareness training at time of hire and on an annual basis thereafter to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

Inquired of the senior director of compliance regarding security awareness training to determine that employees were required to complete security training on an annual basis to understand their obligations and responsibilities to comply with the corporate and business unit security policies.

No exceptions noted.

Inspected the training program materials and evidence of security awareness training completion for a sample of current employees to determine that each employee sampled completed security awareness training during the review period.

No exceptions noted.

Inspected the training program materials and evidence of security awareness training completion for a sample of employees hired during the review period to determine that each employee sampled completed security awareness training at the time of hire.

No exceptions noted.

CC2.4.3 Employees are required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

Inquired of the senior director of compliance regarding the new employee onboarding procedures to determine that employees were required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

No exceptions noted.

Inspected the signed confidentiality and non-disclosure agreements for a sample of employees hired during the review period to determine that each employee sampled signed a confidentiality and non-disclosure agreement.

No exceptions noted.

CC2.5: Internal and external users have been provided with information on how to report security and availability failures, incidents, concerns, and other complaints to appropriate personnel.

CC2.5.1 Documented escalation procedures for reporting security or availability incidents are provided to internal and external users to guide users in identifying and reporting failures, incidents, concerns, and other complaints. These procedures are communicated to internal users via a centralized repository and to external users via the TierPoint website.

Inspected the escalation procedures to determine that documented escalation procedures for reporting security or availability incidents were in place to guide users in identifying and reporting failures, incidents, concerns, and other complaints.

No exceptions noted.

Inspected the escalation procedures on the company intranet and the TierPoint website to determine that escalation procedures were communicated to internal users via a centralized repository and to external users via the TierPoint website.

No exceptions noted.

CC2.5.2 EOC personnel monitor server and network performance on a 24 hour per day basis.

Inquired of the senior director of compliance regarding network monitoring to determine that EOC personnel were on call 24 hours per day for server and network performance monitoring.

No exceptions noted.

Inspected the EOC staffing schedule for a sample of months during the review period to determine that EOC personnel were on call 24 hours per day for each month sampled.

No exceptions noted.

CC2.5.3 A ticketing system with a customer portal is utilized to manage system infrastructure issues such as system security breaches and other incidents. Tickets are assigned to support personnel based on the nature of the ticket.

Inquired of the senior director of compliance regarding escalation procedures to determine that a ticketing system with a customer portal was utilized to manage system infrastructure issues such as system security breaches and other incidents and that tickets were assigned to support personnel based on the nature of the ticket.

No exceptions noted.

Inspected the internal and customer portal ticketing system configurations and example incident tickets closed during the review period to determine that a ticketing system with a customer portal was utilized.

No exceptions noted.

CC2.6: System changes that affect internal and external users’ responsibilities or the entity's commitments and system requirements relevant to security and availability are communicated to those users in a timely manner.

CC2.6.1 A change management meeting is held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affect the system.

Inquired of the senior director of compliance regarding change management meetings to determine that a change management meeting was held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affected the system.

No exceptions noted.

Inspected the change management meeting invitations for a sample of weeks during the review period to determine that a change management meeting was held for each week sampled.

No exceptions noted.

CC2.6.2 Internal TierPoint personnel and customers are alerted via e-mail notification regarding changes that may affect system security and availability.

Inquired of the senior director of compliance regarding change management procedures to determine that internal TierPoint personnel and customers were alerted via e-mail notification regarding changes that may affect system security and availability.

No exceptions noted.

Inspected the e-mail notifications and change descriptions for a sample of internal and shared customer infrastructure changes implemented during the review period to determine that internal TierPoint personnel and customers were alerted via e-mail notification for each change sampled.

No exceptions noted.

CC3.0: Common Criteria Related to Risk Management and Design and Implementation of Controls

CC3.1: The entity (1) identifies potential threats that could impair system security and availability commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies), (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control, and (5) reassesses, and revises, as necessary, risk assessments and mitigation strategies based on the identified changes.

CC3.1.1 Vulnerability assessments are performed by information technology personnel utilizing a vulnerability scanning application. External and internal IP scanning is completed on a semi-annual basis. The ISO analyzes results from vulnerability scans and communicates critical vulnerabilities to system owners for remediation.

Inquired of the senior director of compliance regarding the vulnerability assessment program to determine that vulnerability assessments were performed by information technology personnel utilizing a vulnerability scanning application, that external and internal IP scanning was completed on a semi-annual basis, and that the ISO analyzed results from vulnerability scans and communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

Inspected the most recently completed external and internal vulnerability assessment reports and example e-mail notifications noting critical vulnerabilities to determine that vulnerability assessments were performed utilizing a vulnerability scanning application, that external and internal IP scanning was completed during the review period, and that the ISO communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

CC3.1.2 Documented policies and procedures are in place to guide personnel when performing the risk assessment process.

Inspected the risk assessment policies and procedures to determine that documented policies and procedures were in place to guide personnel when performing the risk assessment process.

No exceptions noted.

CC3.1.3 A formal risk assessment is performed on an annual basis. Risks that are identified are rated using a risk evaluation process and are formally documented, along with mitigation strategies, for management review.

Inquired of the senior director of compliance regarding the risk assessment process to determine that a formal risk assessment was performed on an annual basis and that risks that were identified were rated using a risk evaluation process and were formally documented, along with mitigation strategies, for management review.

No exceptions noted.

Inspected the most recently completed risk assessment to determine that a formal risk assessment was performed during the review period and that identified risks were formally documented for management review.

No exceptions noted.

CC3.1.4 An inventory listing of all hardware and software within the scope of services is maintained and reviewed on at least an annual basis during the risk assessment process.

Inquired of the senior director of compliance regarding the risk assessment process to determine that an inventory listing of all hardware and software within the scope of services was maintained and reviewed on at least an annual basis during the risk assessment process.

No exceptions noted.

Inspected the inventory listing of all hardware and software within the scope of services and the most recently completed risk assessment to determine that an inventory listing of all hardware and software within the scope of services was maintained and reviewed as part of the risk assessment process during the review period.

No exceptions noted.

CC3.1.5 The entity's IT security group monitors the security impact of emerging technologies, and the impact of applicable laws or regulations is considered by senior management.

Inquired of the senior director of compliance regarding the monitoring of emerging technologies, laws, and regulations to determine that the entity's IT security group monitored the security impact of emerging technologies and that the impact of applicable laws or regulations was considered by senior management.

No exceptions noted.

Inspected example security updates and notifications generated during the review period to determine that the entity’s IT security group monitored the security impact of emerging technologies.

No exceptions noted.

CC3.1.6 Developments in technology and the impact of applicable laws or regulations are considered by senior management as part of the annual risk assessment and IT security planning process.

Inquired of the senior director of compliance regarding the monitoring and review of emerging technologies, laws, and regulations to determine that developments in technology and the impact of applicable laws or regulations were considered by senior management as part of the annual risk assessment and IT security planning process.

No exceptions noted.

Inspected the most recently completed risk assessment to determine that developments in technology and the impact of applicable laws or regulations were considered by senior management as part of the annual risk assessment.

No exceptions noted.

CC3.1.7 TierPoint manages vendor relationships utilizing risk and quality management methodologies that include the following activities:

• Procurement process, including a due diligence review
• Security Assessment
• Binding documentation

Inspected the vendor compliance audit and risk summary for a sample of third party vendors contracted with TierPoint to determine that TierPoint managed vendor relationships utilizing risk and quality management methodologies that included the following activities for each third party vendor sampled:

• Procurement process, including a due diligence review
• Security Assessment
• Binding documentation

No exceptions noted.

CC3.2: The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy; reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities; and updates the controls, as necessary.

CC3.2.1 Vulnerability assessments are performed by information technology personnel utilizing a vulnerability scanning application. External and internal IP scanning is completed on a semi-annual basis. The ISO analyzes results from vulnerability scans and communicates critical vulnerabilities to system owners for remediation.

Inquired of the senior director of compliance regarding the vulnerability assessment program to determine that vulnerability assessments were performed by information technology personnel utilizing a vulnerability scanning application, that external and internal IP scanning was completed on a semi-annual basis, and that the ISO analyzed results from vulnerability scans and communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

Inspected the most recently completed external and internal vulnerability assessment reports and example e-mail notifications noting critical vulnerabilities to determine that vulnerability assessments were performed utilizing a vulnerability scanning application, that external and internal IP scanning was completed during the review period, and that the ISO communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

CC3.2.2 IDS and manual reviews are utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

Inquired of the senior director of compliance regarding the IDSs and the manual review process to determine that IDSs and manual reviews were utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

No exceptions noted.

Inspected the IDS configurations and example security headlines generated during the review period to determine that IDSs were utilized to monitor and analyze the in-scope systems.

No exceptions noted.


CC3.2.3 Firewall systems are in place to handle data flow between external parties and the TierPoint network. External traffic originating from the Internet is required to pass through a firewall system to communicate with production servers. No direct conversations originating from the Internet pass directly through to the internal management network.

Inquired of the senior director of compliance regarding the firewall systems to determine that firewall systems were in place to handle data flow between external parties and the TierPoint network, that external traffic originating from the Internet was required to pass through a firewall system to communicate with production servers, and that no direct conversations originating from the Internet pass directly through to the internal management network.

No exceptions noted.

Inspected the network diagrams and the firewall system configurations for a sample of firewalls to determine that each firewall sampled handled data flow between external parties and the TierPoint network, that external traffic originating from the Internet was required to pass through a firewall system to communicate with production servers, and that no direct conversations originating from the Internet pass directly through to the internal management network.

No exceptions noted.

CC3.2.4 Documented policies and procedures are in place to guide personnel when performing the risk assessment process.

Inspected the risk assessment policies and procedures to determine that documented policies and procedures were in place to guide personnel when performing the risk assessment process.

No exceptions noted.

CC3.2.5 A formal risk assessment is performed on an annual basis. Risks that are identified are rated using a risk evaluation process and are formally documented, along with mitigation strategies, for management review.

Inquired of the senior director of compliance regarding the risk assessment process to determine that a formal risk assessment was performed on an annual basis and that risks that were identified were rated using a risk evaluation process and were formally documented, along with mitigation strategies, for management review.

No exceptions noted.

Inspected the most recently completed risk assessment to determine that a formal risk assessment was performed during the review period and that identified risks were formally documented for management review.

No exceptions noted.


CC3.2.6 An inventory listing of all hardware and software within the scope of services is maintained and reviewed on at least an annual basis during the risk assessment process.

Inquired of the senior director of compliance regarding the risk assessment process to determine that an inventory listing of all hardware and software within the scope of services was maintained and reviewed on at least an annual basis during the risk assessment process.

No exceptions noted.

Inspected the inventory listing of all hardware and software within the scope of services and the most recently completed risk assessment to determine that an inventory listing of all hardware and software within the scope of services was maintained and reviewed during the review period during the risk assessment process.

No exceptions noted.

CC3.2.7 Management maintains insurance coverage including but not limited to cybersecurity insurance to protect against dishonest acts that may be committed by personnel.

Inspected the certificate of liability to determine that management maintained insurance coverage during the review period to protect against dishonest acts by personnel.

No exceptions noted.

CC4.0: Common Criteria Related to Monitoring Controls

CC4.1: The design and operating effectiveness of controls are periodically evaluated against the entity’s commitments and system requirements as they relate to security and availability, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

CC4.1.1 Vulnerability assessments are performed by information technology personnel utilizing a vulnerability scanning application. External and internal IP scanning is completed on a semi-annual basis. The ISO analyzes results from vulnerability scans and communicates critical vulnerabilities to system owners for remediation.

Inquired of the senior director of compliance regarding the vulnerability assessment program to determine that vulnerability assessments were performed by information technology personnel utilizing a vulnerability scanning application, that external and internal IP scanning was completed on a semi-annual basis, and that the ISO analyzed results from vulnerability scans and communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.


Inspected the most recently completed external and internal vulnerability assessment reports and example e-mail notifications noting critical vulnerabilities to determine that vulnerability assessments were performed utilizing a vulnerability scanning application, that external and internal IP scanning was completed during the review period, and that the ISO communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

CC4.1.2 The vulnerability scanning application is configured to notify security personnel in the event of a scan failure.

Inspected the vulnerability scanning application notification configurations and an example alert notification generated during the review period to determine that the scanning application was configured to notify security personnel in the event of a scan failure.

No exceptions noted.

CC4.1.3 IDS and manual reviews are utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

Inquired of the senior director of compliance regarding the IDSs and the manual review process to determine that IDSs and manual reviews were utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

No exceptions noted.

Inspected the IDS configurations and example security headlines generated during the review period to determine that IDSs were utilized to monitor and analyze the in-scope systems.

No exceptions noted.

CC4.1.4 The IDSs are configured to alert IT personnel via e-mail notifications when certain defined thresholds have been reached.

Inspected the IDS alert notification configurations and example e-mail alert notifications generated during the review period to determine that the IDSs were configured to alert IT personnel via e-mail notifications when certain defined thresholds had been reached.

No exceptions noted.

CC4.1.5 Documented policies and procedures are in place to guide personnel when performing the risk assessment process.

Inspected the risk assessment policies and procedures to determine that documented policies and procedures were in place to guide personnel when performing the risk assessment process.

No exceptions noted.


CC4.1.6 A formal risk assessment is performed on an annual basis. Risks that are identified are rated using a risk evaluation process and are formally documented, along with mitigation strategies, for management review.

Inquired of the senior director of compliance regarding the risk assessment process to determine that a formal risk assessment was performed on an annual basis and that risks that were identified were rated using a risk evaluation process and were formally documented, along with mitigation strategies, for management review.

No exceptions noted.

Inspected the most recently completed risk assessment to determine that a formal risk assessment was performed during the review period and that identified risks were formally documented for management review.

No exceptions noted.

CC4.1.7 An inventory listing of all hardware and software within the scope of services is maintained and reviewed on at least an annual basis during the risk assessment process.

Inquired of the senior director of compliance regarding the risk assessment process to determine that an inventory listing of all hardware and software within the scope of services was maintained and reviewed on at least an annual basis during the risk assessment process.

No exceptions noted.

Inspected the inventory listing of all hardware and software within the scope of services and the most recently completed risk assessment to determine that an inventory listing of all hardware and software within the scope of services was maintained and reviewed during the review period during the risk assessment process.

No exceptions noted.

CC5.0: Common Criteria Related to Logical and Physical Access Controls

CC5.1: Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security and availability.

CC5.1.1 Documented standard build procedures are utilized for installation and maintenance of production servers and include use of an access control system to control access to authorized users.

Inspected the standard build procedures to determine that documented standard build procedures were utilized for installation and maintenance of production servers and included use of an access control system to control access to authorized users.

No exceptions noted.


CC5.1.2 User access requests are documented on a standard access request ticket and require the approval of a manager.

Inquired of the senior director of compliance regarding the user access request process to determine that user access requests were documented on a standard access request ticket and required the approval of a manager.

No exceptions noted.

Inspected the user access request tickets for a sample of production user access requests processed during the review period to determine that user access requests were documented on a standard access request ticket and included approval from a manager for each user access request sampled.

No exceptions noted.

CC5.1.3 The in-scope systems are configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

Inquired of the senior director of compliance regarding logical access authentication requirements to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

No exceptions noted.

Inspected the user access listings and the password configurations for the in-scope systems to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements.

No exceptions noted.

CC5.1.4 Encrypted VPNs are required for remote access for the security and integrity of the data passing over the public network.

Inquired of the senior director of compliance regarding remote access to determine that encrypted VPNs were required for remote access for the security and integrity of the data passing over the public network.

No exceptions noted.

Inspected the VPN encryption configurations to determine that encrypted VPNs were utilized.

No exceptions noted.

CC5.1.5 VPN remote access requires a minimum of a valid user ID and password for authentication and two factors where available.

Inquired of the senior director of compliance regarding remote access to determine that VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.


Inspected the VPN authentication configurations to determine that the VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.

CC5.1.6 VPN passwords are required to conform to minimum complexity, minimum length and expiration requirements.

Inquired of the senior director of compliance regarding remote access to determine that VPN passwords were required to conform to minimum complexity, minimum length and expiration requirements.

No exceptions noted.

Inspected the authentication configurations to determine that VPN passwords conformed to minimum complexity, minimum length and expiration requirements.

No exceptions noted.

CC5.1.7 Predefined security groups are utilized to assign role-based access privileges and segregate access to data to the in-scope systems.

Inquired of the senior director of compliance regarding the predefined security groups to determine that predefined security groups were utilized to assign role-based access privileges and segregate access to data to the in-scope systems.

No exceptions noted.

Inspected the user access listings for the in-scope systems to determine that predefined security groups were utilized.

No exceptions noted.

CC5.1.8 User access reviews are performed on an annual basis to help ensure that access to data is restricted and provided for appropriate segregation of duties.

Inquired of the senior director of compliance regarding user access reviews to determine that user access reviews were performed on an annual basis to help ensure that access to data was restricted and provided for appropriate segregation of duties.

No exceptions noted.

Inspected the most recently completed user access reviews to determine that user access reviews were performed during the review period.

No exceptions noted.

CC5.1.9 Administrator access within the in-scope systems is restricted to user accounts accessible by authorized personnel.

Inspected the administrator user access listings for the in-scope systems with the assistance of the senior director of compliance to determine that administrator access within the in-scope systems was restricted to user accounts accessible by authorized personnel.

No exceptions noted.


CC5.1.10 Privileged user access reviews are performed on an annual basis to help ensure that access to data is restricted and authorized.

Inquired of the senior director of compliance regarding user access reviews to determine that privileged user access reviews were performed on an annual basis to help ensure that access to data was restricted and authorized.

No exceptions noted.

Inspected the most recently completed user access reviews to determine that privileged user access reviews were performed during the review period.

No exceptions noted.

CC5.1.11 The in-scope network domains are configured to log access-related events and send e-mail notifications to EOC personnel including, but not limited to, the following events:

• Group / account creation
• Group / account modification
• Policy updates
• Failed logins
• Account lockouts
• Administrator user access

Inquired of the senior director of compliance regarding the logging and monitoring of network domain user activity to determine that the in-scope network domains were configured to log access-related events and send e-mail notifications to EOC personnel that included the following events:

• Group / account creation
• Group / account modification
• Policy updates
• Failed logins
• Account lockouts
• Administrator user access

No exceptions noted.

Inspected example e-mail notifications generated during the review period for the in-scope network domains to determine that the in-scope network domains logged access-related events and sent e-mail notifications to EOC personnel that included the following events:

• Group / account creation
• Group / account modification
• Policy updates
• Failed logins
• Account lockouts
• Administrator user access

No exceptions noted.

CC5.2: New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity’s commitments and system requirements as they relate to security and availability. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC5.2.1 Application users are authenticated via an authorized user account and password before being granted access to the application.

Inquired of the senior director of compliance regarding the user access request process to determine that user access requests were documented on a standard access request ticket and required the approval of a manager.

No exceptions noted.


Inspected the user access request tickets for a sample of production user access requests processed during the review period to determine that user access requests were documented on a standard access request ticket and included approval from a manager for each user access request sampled.

No exceptions noted.

CC5.2.2 A termination ticket is completed and management revokes user access privileges for terminated employees as a component of the employee termination process.

Inquired of the senior director of compliance regarding the employee termination process to determine that a termination ticket was completed and management revoked user access privileges for terminated employees as a component of the employee termination process.

No exceptions noted.

Inspected the employee termination tickets for a sample of employees terminated during the review period and the user listings for the in-scope systems to determine that a termination ticket was completed and management revoked user access privileges for each terminated employee sampled.

No exceptions noted.

CC5.2.3 The in-scope systems are configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

Inquired of the senior director of compliance regarding logical access authentication requirements to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

No exceptions noted.

Inspected the user access listings and the password configurations for the in-scope systems to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements.

No exceptions noted.

CC5.2.4 Encrypted VPNs are required for remote access for the security and integrity of the data passing over the public network.

Inquired of the senior director of compliance regarding remote access to determine that encrypted VPNs were required for remote access for the security and integrity of the data passing over the public network.

No exceptions noted.


Inspected the VPN encryption configurations to determine that encrypted VPNs were utilized.

No exceptions noted.

CC5.2.5 VPN remote access requires a minimum of a valid user ID and password for authentication and two factors where available.

Inquired of the senior director of compliance regarding remote access to determine that VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.

Inspected the VPN authentication configurations to determine that the VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.

CC5.2.6 VPN passwords are required to conform to minimum complexity, minimum length and expiration requirements.

Inquired of the senior director of compliance regarding remote access to determine that VPN passwords were required to conform to minimum complexity, minimum length and expiration requirements.

No exceptions noted.

Inspected the authentication configurations to determine that VPN passwords conformed to minimum complexity, minimum length and expiration requirements.

No exceptions noted.

CC5.2.7 Predefined security groups are utilized to assign role-based access privileges and segregate access to data to the in-scope systems.

Inquired of the senior director of compliance regarding the predefined security groups to determine that predefined security groups were utilized to assign role-based access privileges and segregate access to data to the in-scope systems.

No exceptions noted.

Inspected the user access listings for the in-scope systems to determine that predefined security groups were utilized.

No exceptions noted.

CC5.2.8 User access reviews are performed on an annual basis to help ensure that access to data is restricted and provided for appropriate segregation of duties.

Inquired of the senior director of compliance regarding user access reviews to determine that user access reviews were performed on an annual basis to help ensure that access to data was restricted and provided for appropriate segregation of duties.

No exceptions noted.

Inspected the most recently completed user access reviews to determine that user access reviews were performed during the review period.

No exceptions noted.


CC5.3: Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity’s commitments and system requirements as they relate to security and availability.

CC5.3.1 The in-scope systems are configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

Inquired of the senior director of compliance regarding logical access authentication requirements to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

No exceptions noted.

Inspected the user access listings and the password configurations for the in-scope systems to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements.

No exceptions noted.

CC5.3.2 Encrypted VPNs are required for remote access for the security and integrity of the data passing over the public network.

Inquired of the senior director of compliance regarding remote access to determine that encrypted VPNs were required for remote access for the security and integrity of the data passing over the public network.

No exceptions noted.

Inspected the VPN encryption configurations to determine that encrypted VPNs were utilized.

No exceptions noted.

CC5.3.3 VPN remote access requires a minimum of a valid user ID and password for authentication and two factors where available.

Inquired of the senior director of compliance regarding remote access to determine that VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.

Inspected the VPN authentication configurations to determine that the VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.

CC5.3.4 VPN passwords are required to conform to minimum complexity, minimum length and expiration requirements.

Inquired of the senior director of compliance regarding remote access to determine that VPN passwords were required to conform to minimum complexity, minimum length and expiration requirements.

No exceptions noted.


Inspected the authentication configurations to determine that VPN passwords conformed to minimum complexity, minimum length and expiration requirements.

No exceptions noted.

CC5.3.5 Firewall systems are in place to handle data flow between external parties and the TierPoint network. External traffic originating from the Internet is required to pass through a firewall system to communicate with production servers. No direct conversations originating from the Internet pass directly through to the internal management network.

Inquired of the senior director of compliance regarding the firewall systems to determine that firewall systems were in place to handle data flow between external parties and the TierPoint network, that external traffic originating from the Internet was required to pass through a firewall system to communicate with production servers, and that no direct conversations originating from the Internet pass directly through to the internal management network.

No exceptions noted.

Inspected the network diagrams and the firewall system configurations for a sample of firewalls to determine that each firewall sampled handled data flow between external parties and the TierPoint network, that external traffic originating from the Internet was required to pass through a firewall system to communicate with production servers, and that no direct conversations originating from the Internet pass directly through to the internal management network.

No exceptions noted.

CC5.4: Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to meet the entity’s commitments and system requirements as they relate to security and availability.

CC5.4.1 User access requests are documented on a standard access request ticket and require the approval of a manager.

Inquired of the senior director of compliance regarding the user access request process to determine that user access requests were documented on a standard access request ticket and required the approval of a manager.

No exceptions noted.

Inspected the user access request tickets for a sample of production user access requests processed during the review period to determine that user access requests were documented on a standard access request ticket and included approval from a manager for each user access request sampled.

No exceptions noted.


CC5.4.2 A termination ticket is completed and management revokes user access privileges for terminated employees as a component of the employee termination process.

Inquired of the senior director of compliance regarding the employee termination process to determine that a termination ticket was completed and management revoked user access privileges for terminated employees as a component of the employee termination process.

No exceptions noted.

Inspected the employee termination tickets for a sample of employees terminated during the review period and the user listings for the in-scope systems to determine that a termination ticket was completed and management revoked user access privileges for each terminated employee sampled.

No exceptions noted.

CC5.4.3 The in-scope systems are configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

Inquired of the senior director of compliance regarding logical access authentication requirements to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements to conform to password requirements in the corporate security policy.

No exceptions noted.

Inspected the user access listings and the password configurations for the in-scope systems to determine that the in-scope systems were configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements.

No exceptions noted.

CC5.4.4 Encrypted VPNs are required for remote access for the security and integrity of the data passing over the public network.

Inquired of the senior director of compliance regarding remote access to determine that encrypted VPNs were required for remote access for the security and integrity of the data passing over the public network. Inspected the VPN encryption configurations to determine that encrypted VPNs were utilized.

No exceptions noted.

CC5.4.5 VPN remote access requires a minimum of a valid user ID and password for authentication and two factors where available.

Inquired of the senior director of compliance regarding remote access to determine that VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.

Inspected the VPN authentication configurations to determine that the VPN remote access required a minimum of a valid user ID and password for authentication and two factors where available.

No exceptions noted.

CC5.4.6 VPN passwords are required to conform to minimum complexity, minimum length and expiration requirements.

Inquired of the senior director of compliance regarding remote access to determine that VPN passwords were required to conform to minimum complexity, minimum length and expiration requirements.

No exceptions noted.

Inspected the authentication configurations to determine that VPN passwords conformed to minimum complexity, minimum length and expiration requirements.

No exceptions noted.

CC5.4.7 Predefined security groups are utilized to assign role-based access privileges and segregate access to data to the in-scope systems.

Inquired of the senior director of compliance regarding the predefined security groups to determine that predefined security groups were utilized to assign role-based access privileges and segregate access to data to the in-scope systems.

No exceptions noted.

Inspected the user access listings for the in-scope systems to determine that predefined security groups were utilized.

No exceptions noted.

CC5.4.8 User access reviews are performed on an annual basis to help ensure that access to data is restricted and provided for appropriate segregation of duties.

Inquired of the senior director of compliance regarding user access reviews to determine that user access reviews were performed on an annual basis to help ensure that access to data was restricted and provided for appropriate segregation of duties.

No exceptions noted.

Inspected the most recently completed user access reviews to determine that user access reviews were performed during the review period.

No exceptions noted.

CC5.5: Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity’s commitments and system requirements as they relate to security and availability.

CC5.5.1 Policies and procedures are in place that govern physical security practices, to protect assets, workers, facilities, and visitors against acts such as theft, violence, and vandalism, by controlling access to the facilities.

Inspected the physical security policies and procedures to determine that policies and procedures were in place that governed physical security practices, to protect assets, workers, facilities, and visitors against acts such as theft, violence, and vandalism, by controlling access to the facilities.

No exceptions noted.

CC5.5.2 Physical access requests are documented on a standardized access request form and require the approval of the department manager.

Inquired of the senior director of compliance regarding the badge access request process to determine that physical access requests were documented on a standardized access request form and required the approval of the department manager.

No exceptions noted.

Inspected the user access request forms for a sample of physical security access requests processed during the review period to determine that physical access requests were documented on a standardized access request form and were approved by a department manager for each user access request sampled.

No exceptions noted.

CC5.5.3 An access revocation request ticket is completed and physical access is revoked for terminated employees as a component of the employee termination process.

Inquired of the senior director of compliance regarding the employee termination process to determine that an access revocation request ticket was completed and physical access was revoked for terminated employees as a component of the employee termination process.

No exceptions noted.

Inspected the access revocation request tickets and the secure-card access and biometric scanner user listings for a sample of employees terminated during the review period to determine that an access revocation request ticket was completed and physical access was revoked for each terminated employee sampled.

No exceptions noted.

CC5.5.4 Security personnel require visitors to present government issued photo identification prior to allowing access to the data center facilities, other than SFW, for off-site employees, customers, vendors, and contractors, and issue temporary visitor badges.

Inquired of the senior director of compliance regarding the physical security access procedures to determine that security personnel required visitors to present government issued photo identification prior to allowing access to the data center facilities, other than SFW, for off-site employees, customers, vendors, and contractors, and issued temporary visitor badges.

No exceptions noted.

Observed the physical security access procedures to determine that security personnel required visitors to present government issued photo identification prior to allowing access to the data center facilities, other than SFW, and issued temporary visitor badges.

No exceptions noted.

CC5.5.5 Visitors are required to sign a visitor log upon entering and exiting the data center facilities, other than SFW.

Inquired of the senior director of compliance regarding the physical security access procedures to determine that visitors were required to sign a visitor log upon entering and exiting the data center facilities, other than SFW.

No exceptions noted.

Observed the physical security access procedures to determine that visitors were required to sign a visitor log upon entering and exiting the data center facilities, other than SFW.

No exceptions noted.

CC5.5.6 Visitor logs are retained for a minimum of 12 months.

Inspected the historical visitor logs to determine that visitor logs were retained for a minimum of 12 months.

No exceptions noted.

CC5.5.7 Visitors are required to surrender their badges upon exiting the data center facilities, other than SFW. The badges are disabled when returned.

Inquired of the senior director of compliance regarding the physical security access procedures to determine that visitors were required to surrender their badges upon exiting the data center facilities, other than SFW, and that the badges were disabled when returned.

No exceptions noted.

Observed the physical security access procedures to determine that visitors were required to surrender their badges upon exiting the data center facilities, other than SFW.

No exceptions noted.

Inspected the secure-card access and biometric scanner user listings to determine that visitor badges were disabled.

No exceptions noted.

CC5.5.8 Physical access to each data center facility is controlled via multi-factor authentication mechanisms inclusive of secure-card access doors and biometrics scanner(s).

Observed the multi-factor authentication mechanisms at the data center facilities to determine that physical access to each data center facility was controlled via multi-factor authentication mechanisms inclusive of secure-card access doors and biometrics scanner(s).

No exceptions noted.

Inspected the secure-card access and biometric scanner user listings to determine that physical access to each data center facility was controlled via multi-factor authentication mechanisms inclusive of secure-card access doors and biometrics scanner(s).

No exceptions noted.

CC5.5.9 The multi-factor authentication mechanisms are configured to log successful and failed access attempts to the data center facilities.

Inspected the secure-card access and biometric scanner logs for a sample of months during the review period to determine that the multi-factor authentication mechanisms were configured to log successful and failed access attempts to the data center facilities for each month sampled.

No exceptions noted.

CC5.5.10 Door access logs are retained for a minimum of 90 days.

Inspected the historical secure-card access and biometric scanner logs to determine that door access logs were maintained for a minimum of 90 days.

No exceptions noted.

CC5.5.11 Predefined physical security zones are utilized to define role-based access privileges to and throughout the data center facilities.

Inspected the predefined physical security zones and the secure-card access and biometric scanner user listings to determine that predefined physical security zones were utilized to define role-based access privileges to and throughout the data center facilities.

No exceptions noted.

CC5.5.12 Administrator access within the multi-factor authentication mechanisms is restricted to user accounts accessible by authorized data center operations and security personnel.

Inspected the secure-card access and biometric scanner administrator user access listings with the assistance of the senior director of compliance to determine that administrator access within the multi-factor authentication mechanisms was restricted to user accounts accessible by authorized data center operations and security personnel.

No exceptions noted.

CC5.5.13 Data center operations management reviews the multi-factor authentication mechanisms’ user listings for stale or unauthorized accounts on at least an annual basis.

Inquired of the senior director of compliance regarding the physical security access review process to determine that data center operations management reviewed the multi-factor authentication mechanisms’ user listings for stale or unauthorized accounts on at least an annual basis.

No exceptions noted.

Inspected the most recently completed physical security access reviews to determine that data center operations management reviewed the multi-factor authentication mechanisms’ user listings during the review period.

No exceptions noted.
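The termination and access-review tests above (CC5.4.2 and CC5.4.8 for logical access, CC5.5.3 and CC5.5.13 for the badge and biometric systems) all reduce to one reconciliation: HR termination records and the current roster on one side, the user listing of each in-scope system on the other. The following Python script is an added illustration of that reconciliation and is not TierPoint's or the service auditor's tooling; the record layout, the one-day revocation grace period, the 90-day staleness threshold and the sample records are assumptions constructed for the example.

```python
"""Reconcile HR termination records against in-scope system user listings.

Added illustration for the access-revocation and access-review controls; it is
not TierPoint's or the service auditor's tooling. Record layouts, thresholds
and the sample data below are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set

GRACE_DAYS = 1     # assumption: revocation is expected by the day after the last day
STALE_DAYS = 90    # assumption: no login inside this window flags a stale account


@dataclass(frozen=True)
class Termination:
    employee_id: str
    last_day: date
    ticket: Optional[str]        # revocation ticket number; None if none was filed


@dataclass(frozen=True)
class Account:
    system: str                  # e.g. "ad" (logical access) or "badge" (physical access)
    employee_id: str
    enabled: bool
    last_login: Optional[date]   # last successful authentication; None if never


@dataclass(frozen=True)
class Finding:
    employee_id: str
    system: str
    reason: str


def reconcile(terminations: Iterable[Termination], accounts: Iterable[Account],
              roster: Set[str], as_of: date) -> List[Finding]:
    """Return the exceptions an access review would raise as of a given date.

    Four conditions are checked:
      - a terminated employee with no revocation ticket (CC5.4.2 / CC5.5.3);
      - an enabled account for a terminated employee past the grace period
        (CC5.4.2 / CC5.5.3);
      - an enabled account for someone neither on the roster nor terminated,
        i.e. an unauthorized account (CC5.5.13);
      - an enabled account with no login inside STALE_DAYS (CC5.4.8 / CC5.5.13).
    """
    findings: List[Finding] = []
    term_by_emp: Dict[str, Termination] = {t.employee_id: t for t in terminations}

    for t in term_by_emp.values():
        if t.ticket is None:
            findings.append(Finding(t.employee_id, "hr", "no access revocation ticket"))

    for a in accounts:
        if not a.enabled:
            continue                      # disabled accounts are the expected end state
        t = term_by_emp.get(a.employee_id)
        if t is not None:
            if as_of > t.last_day + timedelta(days=GRACE_DAYS):
                days = (as_of - t.last_day).days
                findings.append(Finding(a.employee_id, a.system,
                                        f"still enabled {days} days after termination"))
        elif a.employee_id not in roster:
            findings.append(Finding(a.employee_id, a.system,
                                    "not on HR roster or termination list"))
        elif a.last_login is None or (as_of - a.last_login).days > STALE_DAYS:
            findings.append(Finding(a.employee_id, a.system, f"no login in {STALE_DAYS} days"))
    return findings


# Constructed sample data; the as-of date is the end of the report's review period.
AS_OF = date(2017, 10, 31)
SAMPLE_ROSTER = {"E100", "E101", "E102"}
SAMPLE_TERMINATIONS = [
    Termination("E200", date(2017, 3, 15), "TKT-4411"),   # ticket filed, access removed
    Termination("E201", date(2017, 9, 1), "TKT-4587"),    # ticket filed, badge never disabled
    Termination("E202", date(2017, 10, 30), None),        # no ticket yet, still inside grace period
]
SAMPLE_ACCOUNTS = [
    Account("ad", "E100", True, date(2017, 10, 30)),
    Account("ad", "E101", True, date(2017, 5, 2)),        # no login for months
    Account("badge", "E102", True, date(2017, 10, 29)),
    Account("ad", "E200", False, date(2017, 3, 14)),
    Account("badge", "E201", True, date(2017, 8, 31)),
    Account("ad", "E202", True, date(2017, 10, 30)),
    Account("badge", "E999", True, None),                 # nobody in HR knows this badge
]


def run_sample() -> List[Finding]:
    return reconcile(SAMPLE_TERMINATIONS, SAMPLE_ACCOUNTS, SAMPLE_ROSTER, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.system:6} {f.employee_id:5} {f.reason}")
```

Run against the sample it reports four exceptions: E202 has no revocation ticket, E101's directory account has had no login for months, E201's badge is still enabled 60 days after the last day, and badge E999 belongs to nobody HR knows about. E202's still-enabled directory account is not reported because the as-of date is inside the grace period, which is the distinction between an in-flight ticket and a control failure that a sample-based test also has to make.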

CC5.5.14 The data center facilities have continuous walls from floor to ceiling to prevent unauthorized access.

Inquired of the senior director of compliance regarding the perimeter of the data center facilities to determine that the data center facilities had continuous walls from floor to ceiling to prevent unauthorized access.

No exceptions noted.

Observed the perimeters of the data center facilities to determine that the data center facilities had continuous walls from floor to ceiling.

No exceptions noted.

CC5.5.15 Locked cabinets and / or cages are in place to prevent unauthorized access to the defined customer spaces within the data center facilities.

Inquired of the senior director of compliance regarding the defined customer spaces within the data center facilities to determine that locked cabinets and / or cages were in place to prevent unauthorized access to the defined customer spaces within the data center facilities.

No exceptions noted.

Observed the defined customer spaces within the data center facilities to determine that locked cabinets and / or cages were in place.

No exceptions noted.

CC5.5.16 Surveillance cameras are in place to monitor and record activity to and throughout the data center facilities.

Observed the surveillance cameras to and throughout the data center facilities to determine that surveillance cameras were in place to monitor and record activity to and throughout the data center facilities.

No exceptions noted.

CC5.5.17 The surveillance camera systems maintain surveillance footage for a minimum of 90 days.

Inspected the historical images from the surveillance camera systems to determine that the surveillance camera systems maintained surveillance footage for a minimum of 90 days.

No exceptions noted.

CC5.5.18 TierPoint security and EOC personnel monitor surveillance cameras in real-time on a 24 hour per day basis.

Inquired of the senior director of compliance regarding the monitoring procedures for the data center facilities to determine that TierPoint security and EOC personnel monitored surveillance cameras in real-time on a 24 hour per day basis.

No exceptions noted.

Inspected the TierPoint security and EOC staffing schedules for a sample of months during the review period to determine that TierPoint security and EOC personnel were scheduled on a 24 hour per day basis for each month sampled.

No exceptions noted.

CC5.6: Logical access security measures have been implemented to protect against security and availability threats from sources outside the boundaries of the system to meet the entity’s commitments and system requirements.

CC5.6.1 Firewall systems are in place to handle data flow between external parties and the TierPoint network. External traffic originating from the Internet is required to pass through a firewall system to communicate with production servers. No direct conversations originating from the Internet pass directly through to the internal management network.

Inquired of the senior director of compliance regarding the firewall systems to determine that firewall systems were in place to handle data flow between external parties and the TierPoint network, that external traffic originating from the Internet was required to pass through a firewall system to communicate with production servers, and that no direct conversations originating from the Internet passed directly through to the internal management network.

No exceptions noted.

Inspected the network diagrams and the firewall system configurations for a sample of firewalls to determine that each firewall sampled handled data flow between external parties and the TierPoint network, that external traffic originating from the Internet was required to pass through a firewall system to communicate with production servers, and that no direct conversations originating from the Internet passed directly through to the internal management network.

No exceptions noted.
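The inspection for CC5.6.1 is a ruleset review: on a first-match firewall, the question is whether any allow rule admits Internet-origin traffic to the management network, and whether a rule that looks dangerous is in fact dead because an earlier deny covers it. The Python script below is an added illustration of that review and is not TierPoint's firewall configuration or the service auditor's procedure; the rule format, the management and internal prefixes, implicit deny at the end of the ruleset, and the sample rules (which deliberately include one bad rule to exercise the check) are assumptions constructed for the example.

```python
"""Audit a first-match firewall ruleset for Internet-to-management exposure.

Added illustration for control CC5.6.1; it is not TierPoint's firewall
configuration or the service auditor's procedure. The rule format, the
management and internal prefixes, implicit deny and the sample rules are
assumptions constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MGMT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumption: internal management network
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR prefix
    dst: str               # CIDR prefix
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None for any


def internet_facing(net: ipaddress.IPv4Network) -> bool:
    """A source prefix is Internet-facing unless it lies wholly inside internal space.

    An explicit allow-list is used instead of ipaddress.is_private because the
    answer is_private gives for wide prefixes such as 0.0.0.0/0 has differed
    between Python versions (older releases returned True for it).
    """
    return not any(net.subnet_of(p) for p in INTERNAL_PREFIXES)


def covers(deny: Rule, allow: Rule) -> bool:
    """True when the deny rule matches every packet the allow rule would match."""
    return (ipaddress.ip_network(allow.src).subnet_of(ipaddress.ip_network(deny.src))
            and ipaddress.ip_network(allow.dst).subnet_of(ipaddress.ip_network(deny.dst))
            and deny.proto in ("any", allow.proto)
            and (deny.dport is None or deny.dport == allow.dport))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str,
                proto: str, dport: int) -> Optional[Rule]:
    """Return the first rule matching a packet, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and (r.dport is None or r.dport == dport)):
            return r
    return None


def management_exposures(rules: List[Rule]) -> List[Tuple[str, str]]:
    """List allow rules that admit Internet-origin traffic into MGMT_NET.

    Each is reported as "exposed", or "shadowed" when an earlier deny rule fully
    covers it (a dead rule: harmless today, but a reorder would re-open it).
    """
    out = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if not internet_facing(src) or not dst.overlaps(MGMT_NET):
            continue
        shadowed = any(d.action == "deny" and covers(d, r) for d in rules[:i])
        out.append((r.name, "shadowed" if shadowed else "exposed"))
    return out


# Constructed sample ruleset, evaluated top to bottom, first match wins.
SAMPLE_RULES = [
    Rule("deny-inet-mgmt-http", "deny",  "0.0.0.0/0",    "10.10.0.0/16",   "tcp", 80),
    Rule("allow-web",           "allow", "0.0.0.0/0",    "203.0.113.0/24", "tcp", 443),
    Rule("allow-vpn-to-mgmt",   "allow", "10.50.0.0/24", "10.10.0.0/16",   "tcp", 22),
    Rule("legacy-ssh",          "allow", "0.0.0.0/0",    "10.10.5.0/24",   "tcp", 22),   # the bad rule
    Rule("mgmt-http-old",       "allow", "0.0.0.0/0",    "10.10.0.0/16",   "tcp", 80),   # dead: covered above
    Rule("deny-all",            "deny",  "0.0.0.0/0",    "0.0.0.0/0",      "any", None),
]


def run_sample() -> List[Tuple[str, str]]:
    return management_exposures(SAMPLE_RULES)


if __name__ == "__main__":
    for name, status in run_sample():
        print(f"{status:9} {name}")
```

The static pass flags `legacy-ssh` as exposed and `mgmt-http-old` as shadowed; `allow-web` is ignored because its destination is a production prefix rather than the management network, and `allow-vpn-to-mgmt` because its source is internal address space (the VPN pool, which CC5.4.4 and CC5.4.5 govern separately). `first_match` then confirms the finding with a concrete packet, which is the form of evidence an auditor or a change reviewer can reproduce.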

CC5.6.2 All firewall system administrator user accounts have been changed from their default IDs.

Inspected the firewall system administrator user access listings for a sample of firewalls with the assistance of the senior director of compliance to determine that all firewall system administrator user accounts had been changed from their default IDs for each firewall sampled.

No exceptions noted.

CC5.6.3 The ability to modify the firewall system software, configurations, or rulesets is restricted to user accounts accessible by authorized personnel.

Inspected the firewall system administrator user access listings for a sample of firewalls with the assistance of the senior director of compliance to determine that the ability to modify the firewall system software, configurations, or rulesets was restricted to user accounts accessible by authorized personnel for each firewall sampled.

No exceptions noted.

CC5.6.4 The firewall systems are configured to log all modifications, including malicious activity, to the firewall system software. Logs are available for ad hoc review by security personnel.

Inquired of the senior director of compliance regarding the firewall system logs to determine that the firewall systems were configured to log all modifications, including malicious activity, to the firewall system software and that logs were available for ad hoc review by security personnel.

No exceptions noted.

Inspected the firewall system logging configurations and example firewall logs generated during the review period for a sample of firewalls to determine that the firewall systems were configured to log all modifications, including malicious activity, to the firewall system software and that logs were available for ad hoc review during the review period.

No exceptions noted.

CC5.6.5 IDS and manual reviews are utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

Inquired of the senior director of compliance regarding the IDS and the manual review process to determine that IDSs and manual reviews were utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

No exceptions noted.

Inspected the IDS configurations and example security headlines generated during the review period to determine that IDSs were utilized to monitor and analyze the in-scope systems.

No exceptions noted.

CC5.6.6 Web servers utilize TLS encryption for web communication sessions.

Inspected TLS encryption configurations to determine that web servers utilized TLS encryption for web communication sessions.

No exceptions noted.

CC5.6.7 Encrypted VPNs are required for remote access for the security and integrity of the data passing over the public network.

Inquired of the senior director of compliance regarding remote access to determine that encrypted VPNs were required for remote access for the security and integrity of the data passing over the public network.

No exceptions noted.

Inspected the VPN encryption configurations to determine that encrypted VPNs were utilized.

No exceptions noted.

CC5.6.8 Vulnerability assessments are performed by information technology personnel utilizing a vulnerability scanning application. External and internal IP scanning is completed on a semi-annual basis. The ISO analyzes results from vulnerability scans and communicates critical vulnerabilities to system owners for remediation.

Inquired of the senior director of compliance regarding the vulnerability assessment program to determine that vulnerability assessments were performed by information technology personnel utilizing a vulnerability scanning application, that external and internal IP scanning was completed on a semi-annual basis, and that the ISO analyzed results from vulnerability scans and communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

Inspected the most recently completed external and internal vulnerability assessment reports and example e-mail notifications noting critical vulnerabilities to determine that vulnerability assessments were performed utilizing a vulnerability scanning application, that external and internal IP scanning was completed during the review period, and that the ISO communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

CC5.7: The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to security and availability.

CC5.7.1 Policies are in place that prohibit the transmission of sensitive information over the Internet or other public communications paths unless it is encrypted.

Inspected the data encryption policies to determine that policies were in place that prohibited the transmission of sensitive information over the Internet or other public communications paths unless it was encrypted.

No exceptions noted.

CC5.7.2 Web servers utilize TLS encryption for web communication sessions.

Inspected TLS encryption configurations to determine that web servers utilized TLS encryption for web communication sessions.

No exceptions noted.

CC5.7.3 Encrypted VPNs are required for remote access for the security and integrity of the data passing over the public network.

Inquired of the senior director of compliance regarding remote access to determine that encrypted VPNs were required for remote access for the security and integrity of the data passing over the public network.

No exceptions noted.

Inspected the VPN encryption configurations to determine that encrypted VPNs were utilized.

No exceptions noted.

CC5.7.4 The backup infrastructure is physically secured in locked cabinets and / or caged environments.

Observed the backup infrastructure within the data center facilities to determine that the backup infrastructure was physically secured in locked cabinets and / or caged environments.

No exceptions noted.

CC5.7.5 Contracted customer backup media are securely stored at a location that is physically separate from the production environment.

Inspected the third party vendor off-site backup media storage service agreements to determine that contracted customer backup media were securely stored at a location that was physically separate from the production environment.

No exceptions noted.

CC5.7.6 Third party vendor off-site backup media storage contracts are in place to define responsibility and accountability for system and removable media security.

Inspected the third party vendor off-site backup media storage service agreements to determine that third party vendor off-site backup media storage contracts were in place to define responsibility and accountability for system and removable media security.

No exceptions noted.

CC5.7.7 Contracted customer backup media are secured in a tamper resistant case prior to being transferred to the third party vendor storage location.

Inquired of the senior director of compliance regarding the off-site tape rotation procedures for contracted customer backup media to determine that contracted customer backup media were secured in a tamper resistant case prior to being transferred to the third party vendor storage location.

No exceptions noted.

Observed the backup media tamper resistant case for an example customer contracted for off-site tape rotation to determine that contracted customer backup media was secured in a tamper resistant case.

No exceptions noted.

CC5.7.8 Contracted customer off-site tape rotations are logged and maintained within an enterprise ticket management system.

Inspected the example off-site tape rotation tickets generated during the review period to determine that contracted customer off-site tape rotations were logged and maintained within an enterprise ticket management system.

No exceptions noted.

CC5.7.9 The ability to recall contracted customer backup media from the third party vendor off-site storage facility is restricted to user accounts accessible by authorized TierPoint personnel.

Inspected the third party vendor off-site storage customer authorization listings with the assistance of the senior director of compliance to determine that the ability to recall contracted customer backup media from the third party vendor off-site storage facility was restricted to user accounts accessible by authorized TierPoint personnel.

No exceptions noted.

CC5.8: Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s commitments and system requirements as they relate to security and availability.

CC5.8.1 Policies and procedures are in place to protect against infection by computer viruses, malicious code, and unauthorized software.

Inspected the antivirus policies and procedures to determine that policies and procedures were in place to protect against infection by computer viruses, malicious code, and unauthorized software.

No exceptions noted.

CC5.8.2 Enterprise antivirus software is installed to protect registered workstations, the internal network domain controller, and production Windows servers against infection by computer viruses, malicious code, and unauthorized software.

Inquired of the senior director of compliance regarding the enterprise antivirus software to determine that enterprise antivirus software was installed to protect registered workstations, the internal network domain controller, and production Windows servers against infection by computer viruses, malicious code, and unauthorized software.

No exceptions noted.

Inspected the enterprise antivirus software configurations for the workstations and domain controllers and a sample of storage, backup, SSO, and cloud production Windows servers to determine that enterprise antivirus software was installed on the workstations, domain controllers, and each production Windows server sampled.

No exceptions noted.

CC5.8.3 Network administrators utilize security issue monitoring services and receive alerts for critical issues that are required to be addressed immediately.

Inquired of the senior director of compliance regarding the monitoring of security related vulnerabilities to determine that network administrators utilized security issue monitoring services and received alerts for critical issues that were required to be addressed immediately.

No exceptions noted.

Inspected example security related alerts generated during the review period to determine that network administrators received alerts for critical issues.

No exceptions noted.

CC6.0: Common Criteria Related to System Operations

CC6.1: Vulnerabilities of system components to security and availability breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet the entity’s commitments and system requirements as they relate to security and availability.

CC6.1.1 Vulnerability assessments are performed by information technology personnel utilizing a vulnerability scanning application. External and internal IP scanning is completed on a semi-annual basis. The ISO analyzes results from vulnerability scans and communicates critical vulnerabilities to system owners for remediation.

Inquired of the senior director of compliance regarding the vulnerability assessment program to determine that vulnerability assessments were performed by information technology personnel utilizing a vulnerability scanning application, that external and internal IP scanning was completed on a semi-annual basis, and that the ISO analyzed results from vulnerability scans and communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

Inspected the most recently completed external and internal vulnerability assessment reports and example e-mail notifications noting critical vulnerabilities to determine that vulnerability assessments were performed utilizing a vulnerability scanning application, that external and internal IP scanning was completed during the review period, and that the ISO communicated critical vulnerabilities to system owners for remediation.

No exceptions noted.

CC6.1.2 The vulnerability scanning application is configured to notify security personnel in the event of a scan failure.

Inspected the vulnerability scanning application notification configurations and an example alert notification generated during the review period to determine that the scanning application was configured to notify security personnel in the event of a scan failure.

No exceptions noted.

CC6.1.3 IDS and manual reviews are utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

Inquired of the senior director of compliance regarding the IDS and the manual review process to determine that IDS and manual reviews were utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

No exceptions noted.

Inspected the IDS configurations and example security headlines generated during the review period to determine that IDSs were utilized to monitor and analyze the in-scope systems.

No exceptions noted.

CC6.1.4 The IDS’ are configured to alert IT personnel via e-mail notifications when certain defined thresholds have been reached.

Inspected the IDS alert notification configurations and example e-mail alert notifications generated during the review period to determine that the IDS’ were configured to alert IT personnel via e-mail notifications when certain defined thresholds had been reached.

No exceptions noted.

CC6.1.5 Contracted customer data is backed up at intervals based on customer requirements.

Inquired of the senior director of compliance regarding customer backup procedures to determine that contracted customer data was backed up at intervals based on customer requirements.

No exceptions noted.

Inspected the backup system interval configurations for a sample of customers subscribed to backup services to determine that contracted customer data was backed up at intervals for each customer sampled.

No exceptions noted.

CC6.2: Security and availability incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s commitments and system requirements.

CC6.2.1 Documented escalation procedures are in place to guide employees in reporting, acting upon, and resolving reported events.

Inspected the escalation procedures to determine that documented escalation procedures were in place to guide employees in reporting, acting upon, and resolving reported events.

No exceptions noted.

CC6.2.2 A security incident testing exercise is performed on an annual basis to reinforce situational awareness of security incidents, identification, and response.

Inquired of the senior director of compliance regarding the security incident testing exercise to determine that a security incident testing exercise was performed on an annual basis to reinforce situational awareness of security incidents, identification, and response.

No exceptions noted.

Inspected the results from the most recently completed security incident testing exercise to determine that a security incident testing exercise was performed.

No exceptions noted.

CC6.2.3 A ticketing system is utilized to document security violations, responses, and resolution.

Inspected the internal ticketing system configurations and example incident tickets closed during the review period to determine that a ticketing system was utilized to document security violations, responses, and resolution.

No exceptions noted.


CC6.2.4 A change management meeting is held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affect the system.

Inquired of the senior director of compliance regarding change management meetings to determine that a change management meeting was held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affected the system.

No exceptions noted.

Inspected the change management meeting invitations for a sample of weeks during the review period to determine that a change management meeting was held for each week sampled.

No exceptions noted.

CC6.2.5 Incidents requiring a change to the in-scope systems follow the standard change control process.

Inspected the change tickets for a sample of incidents requiring a change implemented during the review period to determine that incidents requiring a change to the in-scope systems followed the standard change control process for each incident sampled.

No exceptions noted.

CC6.2.6 Policies are in place that address remedial actions for lack of compliance with policies and procedures.

Inspected the TierPoint corporate information security policy and employee handbook to determine that policies were in place that addressed remedial actions for lack of compliance with policies and procedures.

No exceptions noted.

CC6.2.7 Employees are required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

Inquired of the senior director of compliance regarding the new employee onboarding procedures to determine that employees were required to sign a confidentiality and non-disclosure agreement to not disclose proprietary or confidential information, including client information, to unauthorized parties.

No exceptions noted.

Inspected the signed confidentiality and non-disclosure agreements for a sample of employees hired during the review period to determine that each employee sampled signed a confidentiality and non-disclosure agreement.

No exceptions noted.


CC7.0: Common Criteria Related to Change Management

CC7.1: The entity’s commitments and system requirements, as they relate to security and availability are addressed during the system development lifecycle, including the authorization, design, acquisition, implementation, configuration, testing, modification, approval, and maintenance of system components.

CC7.1.1 Policies and procedures are in place to help ensure that design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security and availability policies.

Inquired of the senior director of compliance regarding the change management policies and procedures to determine that policies and procedures were in place to help ensure that design, acquisition, implementation, configuration, modification, and management of infrastructure and software were consistent with defined system security and availability policies.

No exceptions noted.

Inspected the change management policies and procedures to determine that policies and procedures were in place that addressed the design, acquisition, implementation, configuration, modification, and management of infrastructure and software.

No exceptions noted.

CC7.1.2 Policies and procedures are in place that address the emergency change process, including documenting and authorizing emergency changes on a timely basis.

Inspected the emergency change management policies and procedures to determine that policies and procedures were in place that addressed the emergency change process, including documenting and authorizing emergency changes on a timely basis.

No exceptions noted.

CC7.1.3 A change management meeting is held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affect the system.

Inquired of the senior director of compliance regarding change management meetings to determine that a change management meeting was held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affected the system.

No exceptions noted.

Inspected the change management meeting invitations for a sample of weeks during the review period to determine that a change management meeting was held for each week sampled.

No exceptions noted.

CC7.1.4 Changes made to the in-scope systems are authorized, tested, and approved prior to implementation.

Inspected the MOPs for a sample of internal and shared customer infrastructure changes implemented during the review period to determine that each change sampled was authorized, tested, and approved prior to implementation.

No exceptions noted.


CC7.1.5 Emergency changes are tracked utilizing a change management system and are given a unique ticket number and an assigned priority level in accordance with company policy. All issues that cannot be addressed within appropriate time intervals are escalated to management to assure timely resolution.

Inquired of the senior director of compliance regarding emergency changes to determine that emergency changes were tracked utilizing a change management system and were given a unique ticket number and an assigned priority level in accordance with company policy and that all issues that could not be addressed within appropriate time intervals were escalated to management to assure timely resolution.

No exceptions noted.

Inspected the MOPs for a sample of internal and shared customer infrastructure emergency changes implemented during the review period to determine that each change sampled was tracked utilizing a change management system and was given a unique ticket number and an assigned priority level.

No exceptions noted.

CC7.1.6 Back out procedures are documented for each change implementation to allow for rollback of changes when changes impair system operation.

Inquired of the senior director of compliance regarding back out procedures to determine that back out procedures were documented for each change implementation to allow for rollback of changes when changes impaired system operation.

No exceptions noted.

Inspected the MOPs for a sample of internal and shared customer infrastructure changes implemented during the review period to determine that back out procedures were documented for each change sampled.

No exceptions noted.

CC7.1.7 The ability to implement internal and shared customer infrastructure changes within the data center services production environments is restricted to user accounts accessible by authorized personnel.

Inspected the in-scope systems’ administrator user access listings with the assistance of the senior director of compliance to determine that the ability to implement internal and shared customer infrastructure changes within the data center services production environments was restricted to user accounts accessible by authorized personnel.

No exceptions noted.


CC7.2: Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity’s commitments and system requirements as they relate to security and availability.

CC7.2.1 A formal risk assessment is performed on an annual basis. Risks that are identified are rated using a risk evaluation process and are formally documented, along with mitigation strategies, for management review.

Inquired of the senior director of compliance regarding the risk assessment process to determine that a formal risk assessment was performed on an annual basis and that risks that were identified were rated using a risk evaluation process and were formally documented, along with mitigation strategies, for management review.

No exceptions noted.

Inspected the most recently completed risk assessment to determine that a formal risk assessment was performed during the review period and that identified risks were formally documented for management review.

No exceptions noted.

CC7.2.2 A change management meeting is held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affect the system.

Inquired of the senior director of compliance regarding change management meetings to determine that a change management meeting was held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affected the system.

No exceptions noted.

Inspected the change management meeting invitations for a sample of weeks during the review period to determine that a change management meeting was held for each week sampled.

No exceptions noted.

CC7.2.3 A patch management methodology is in place to guide personnel in the review and deployment of patches to the production infrastructure.

Inspected the patch management methodology to determine that a patch management methodology was in place to guide personnel in the review and deployment of patches to the production infrastructure.

No exceptions noted.

CC7.2.4 An automated patch management tool is utilized to monitor patch releases, distribute patches, and apply the patches to the production infrastructure.

Inspected the automated patch management tool configurations and example patch management history logs generated during the review period to determine that an automated patch management application was utilized to monitor patch releases, distribute patches, and apply the patches to the production infrastructure.

No exceptions noted.


CC7.3: Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to security and availability.

CC7.3.1 A change management meeting is held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affect the system.

Inquired of the senior director of compliance regarding change management meetings to determine that a change management meeting was held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affected the system.

No exceptions noted.

Inspected the change management meeting invitations for a sample of weeks during the review period to determine that a change management meeting was held for each week sampled.

No exceptions noted.

CC7.3.2 Incidents requiring a change to the in-scope systems follow the standard change control process.

Inspected the MOPs for a sample of incidents requiring a change implemented during the review period to determine that incidents requiring a change to the in-scope systems followed the standard change control process for each incident sampled.

No exceptions noted.

CC7.4: Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s security and availability commitments and system requirements.

CC7.4.1 Policies and procedures are in place to help ensure that design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security and availability policies.

Inquired of the senior director of compliance regarding the change management policies and procedures to determine that policies and procedures were in place to help ensure that design, acquisition, implementation, configuration, modification, and management of infrastructure and software were consistent with defined system security and availability policies.

No exceptions noted.

Inspected the change management policies and procedures to determine that policies and procedures were in place that addressed the design, acquisition, implementation, configuration, modification, and management of infrastructure and software.

No exceptions noted.

CC7.4.2 Policies and procedures are in place that address the emergency change process, including documenting and authorizing emergency changes on a timely basis.

Inspected the emergency change management policies and procedures to determine that policies and procedures were in place that addressed the emergency change process, including documenting and authorizing emergency changes on a timely basis.

No exceptions noted.


CC7.4.3 A change management meeting is held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affect the system.

Inquired of the senior director of compliance regarding change management meetings to determine that a change management meeting was held on a weekly basis to discuss and communicate the ongoing and upcoming projects that affected the system.

No exceptions noted.

Inspected the change management meeting invitations for a sample of weeks during the review period to determine that a change management meeting was held for each week sampled.

No exceptions noted.

CC7.4.4 Changes made to the in-scope systems are authorized, tested, and approved prior to implementation.

Inspected the MOPs for a sample of internal and shared customer infrastructure changes implemented during the review period to determine that each change sampled was authorized, tested, and approved prior to implementation.

No exceptions noted.

CC7.4.5 Emergency changes are tracked utilizing a change management system and are given a unique ticket number and an assigned priority level in accordance with company policy. All issues that cannot be addressed within appropriate time intervals are escalated to management to assure timely resolution.

Inquired of the senior director of compliance regarding emergency changes to determine that emergency changes were tracked utilizing a change management system and were given a unique ticket number and an assigned priority level in accordance with company policy and that all issues that could not be addressed within appropriate time intervals were escalated to management to assure timely resolution.

No exceptions noted.

Inspected the MOPs for a sample of internal and shared customer infrastructure emergency changes implemented during the review period to determine that each change sampled was tracked utilizing a change management system and was given a unique ticket number and an assigned priority level.

No exceptions noted.

CC7.4.6 Back out procedures are documented for each change implementation to allow for rollback of changes when changes impair system operation.

Inquired of the senior director of compliance regarding back out procedures to determine that back out procedures were documented for each change implementation to allow for rollback of changes when changes impaired system operation.

No exceptions noted.


Inspected the MOPs for a sample of internal and shared customer infrastructure changes implemented during the review period to determine that back out procedures were documented for each change sampled.

No exceptions noted.

CC7.4.7 The ability to implement internal and shared customer infrastructure changes within the data center services production environments is restricted to user accounts accessible by authorized personnel.

Inspected the in-scope systems’ administrator user access listings with the assistance of the senior director of compliance to determine that the ability to implement internal and shared customer infrastructure changes within the data center services production environments was restricted to user accounts accessible by authorized personnel.

No exceptions noted.

AVAILABILITY PRINCIPLE AND CRITERIA TABLE

Control # Control Activity Specified by the Service Organization

Test Applied by the Service Auditor Test Results

A1.1: Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity’s availability commitments and system requirements.

A1.1.1 Management has developed TierPoint’s definition of system downtime and determined acceptance level criteria.

Inquired of the senior director of compliance regarding system downtime and acceptance level criteria to determine that management had developed TierPoint’s definition of system downtime and determined acceptance level criteria.

No exceptions noted.

Inspected the service level agreements for the in-scope services to determine that TierPoint’s definition of system downtime and acceptance level criteria had been developed.

No exceptions noted.

A1.1.2 Redundant Internet connections are in place through multiple providers with physically diverse paths, including separate fiber entrances into the physical buildings, and redundant routers and switches are utilized to minimize system downtime.

Inquired of the senior director of compliance regarding the redundant network infrastructure to determine that redundant Internet connections were in place through multiple providers with physically diverse paths, including separate fiber entrances into the physical buildings, and that redundant routers and switches were utilized to minimize system downtime.

No exceptions noted.


Observed the redundant fiber entrances, routers, and switches to determine that redundant Internet connections were in place through multiple providers with physically diverse paths, including separate fiber entrances into the physical buildings, and that redundant routers and switches were utilized.

No exceptions noted.

Inspected the network diagrams and an inventory listing of routers and switches to determine that redundant routers and switches were utilized.

No exceptions noted.

A1.1.3 The multiple Internet connections provide failover redundancy for the Internet connections. In the event of a failover, the enterprise monitoring systems generate an alert.

Inspected the Internet connection failover configurations, the enterprise monitoring system configurations, and example alert notifications generated during the review period to determine that multiple Internet connections provided failover redundancy for the Internet connections and that, in the event of a failover, the enterprise monitoring systems generated an alert.

No exceptions noted.

A1.1.4 A BGP confederacy is utilized to allow connections to customer systems within the TierPoint network to select the best available path across multiple network providers.

Inquired of the senior director of compliance regarding the BGP within the TierPoint network to determine that a BGP confederacy was utilized to allow connections to customer systems within the TierPoint network to select the best available path across multiple network providers.

No exceptions noted.

Inspected the BGP configurations to determine that a BGP confederacy was utilized.

No exceptions noted.

A1.1.5 EOC personnel monitor server and network performance on a 24 hour per day basis.

Inquired of the senior director of compliance regarding network monitoring to determine that EOC personnel were on call 24 hours per day for server and network performance monitoring.

No exceptions noted.

Inspected the EOC staffing schedule for a sample of months during the review period to determine that EOC personnel were on call 24 hours per day for each month sampled.

No exceptions noted.


A1.1.6 Network bandwidth and peak utilization are monitored and tracked by EOC personnel to allow for projected growth curves and to help ensure compliance with corporate standards for maximum network utilization.

Inquired of the senior director of compliance regarding the network bandwidth and utilization monitoring procedures to determine that network bandwidth and peak utilization were monitored and tracked by EOC personnel to allow for projected growth curves and to help ensure compliance with corporate standards for maximum network utilization.

No exceptions noted.

Inspected the weather map and network capacity tool configurations to determine that network bandwidth and peak utilization were monitored and tracked.

No exceptions noted.

A1.1.7 Enterprise monitoring systems are utilized to proactively and reactively monitor individual system health.

Inquired of the senior director of compliance regarding the enterprise monitoring systems to determine that enterprise monitoring systems were utilized to proactively and reactively monitor individual system health.

No exceptions noted.

Inspected the enterprise monitoring system configurations to determine that enterprise monitoring systems were utilized to proactively monitor individual system health.

No exceptions noted.

A1.1.8 The enterprise monitoring systems are configured to monitor customer network connections for availability and operating functionality.

Inspected the enterprise monitoring system configurations for a sample of customers subscribed to availability monitoring services to determine that the enterprise monitoring system was configured to monitor customer network connections for availability and operating functionality for each customer sampled.

No exceptions noted.

A1.1.9 The enterprise monitoring systems are configured to validate system availability via SNMP or TCP for customer system health checks.

Inspected the enterprise monitoring system configurations for a sample of customers subscribed to availability monitoring services to determine that the enterprise monitoring system was configured to validate system availability via SNMP or TCP for customer system health checks for each customer sampled.

No exceptions noted.
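As an added illustration of the TCP-based availability check named in A1.1.9, the following is example code written for this page; it is not TierPoint's or the service auditor's tooling. It starts a loopback listener as a constructed stand-in for a monitored customer service, probes one open and one closed port with a bounded timeout, and classifies each outcome so a monitor can distinguish "nothing listening" from "path down". The hostnames, ports and the 1000 ms latency threshold are assumptions for the demo.

```python
"""TCP availability check in the spirit of control A1.1.9 (added example).

Assumptions: targets are reached over loopback; the latency threshold and the
classification labels are illustrative, not the report's own values.
"""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckResult:
    host: str
    port: int
    state: str          # "up", "refused", "timeout" or "error"
    latency_ms: float


def tcp_check(host: str, port: int, timeout: float = 2.0) -> CheckResult:
    """Attempt a TCP connect and classify the outcome.

    A completed handshake proves only that something is listening; it does not
    prove the service behind the port is healthy, which is why a monitor pairs
    this with an application-level or SNMP check.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "up"
    except ConnectionRefusedError:
        state = "refused"        # host reachable, nothing listening on the port
    except socket.timeout:
        state = "timeout"        # filtered, or host / path down
    except OSError:
        state = "error"          # e.g. no route, name resolution failure
    latency = (time.monotonic() - start) * 1000
    return CheckResult(host, port, state, round(latency, 2))


def evaluate(results, max_latency_ms: float = 1000.0):
    """Return the subset of results that should raise an alert (assumed threshold)."""
    return [r for r in results if r.state != "up" or r.latency_ms > max_latency_ms]


def _start_local_listener():
    """Constructed stand-in for a monitored customer service, bound to loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by demo(); exit the thread
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Probe one open and one closed loopback port; return (results, alerts)."""
    srv = _start_local_listener()
    open_port = srv.getsockname()[1]
    # Obtain a port that is currently closed by binding one and releasing it.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    results = [tcp_check("127.0.0.1", open_port), tcp_check("127.0.0.1", closed_port)]
    alerts = evaluate(results)
    srv.close()
    return results, alerts


if __name__ == "__main__":
    for r in demo()[0]:
        print(f"{r.host}:{r.port} {r.state} ({r.latency_ms} ms)")
```

The classification matters operationally: a "refused" result means the host and path are fine and the service itself is down, whereas a "timeout" is consistent with a firewall change, a routing failure or a dead host, so the two should page different owners.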


A1.1.10 The enterprise monitoring systems are configured to send alert notifications to EOC personnel when predefined metrics are exceeded on monitored network devices.

Inspected the enterprise monitoring system alert notification configurations and an example alert generated during the review period to determine that the enterprise monitoring systems were configured to send alert notifications to EOC personnel when predefined metrics were exceeded on monitored network devices.

No exceptions noted.

A1.2: Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements.

A1.2.1 Business continuity and disaster recovery plans are in place to guide personnel in procedures to protect against disruptions caused by an unexpected event.

Inspected the business continuity and disaster recovery plans to determine that business continuity and disaster recovery plans were in place to guide personnel in procedures to protect against disruptions caused by an unexpected event.

No exceptions noted.

A1.2.2 System file restore tests are performed on a quarterly basis as part of the organization’s BCP testing.

Inspected evidence of the completed system file restore testing for a sample of quarters during the review period to determine that system file restore tests were performed for each quarter sampled as part of the organization’s BCP testing.

No exceptions noted.

A1.2.3 Contracted customer data is backed up at intervals based on customer requirements.

Inquired of the senior director of compliance regarding customer backup procedures to determine that contracted customer data was backed up at intervals based on customer requirements.

No exceptions noted.

Inspected the backup system interval configurations for a sample of customers subscribed to backup services to determine that contracted customer data was backed up at intervals for each customer sampled.

No exceptions noted.

A1.2.4 EOC personnel monitor contracted customer backups for completion and exceptions.

Inquired of the senior director of compliance regarding customer backup procedures to determine that EOC personnel monitored contracted customer backups for completion and exceptions.

No exceptions noted.

Inspected example backup system job logs generated during the review period for a sample of customers subscribed to backup services to determine that contracted customer backups were logged for completion and exceptions for each customer sampled.

No exceptions noted.


A1.2.5 The backup infrastructure resides on private networks that are logically segregated from other networks.

Inspected the backup infrastructure diagrams and the backup server IP address inventory to determine that the backup infrastructure resided on private networks that were logically segregated from other networks.

No exceptions noted.

A1.2.6 Contracted customer backup media are securely stored at a location that is physically separate from the production environment.

Inspected the third party vendor off-site backup media storage service agreements to determine that contracted customer backup media were securely stored at a location that was physically separate from the production environment.

No exceptions noted.

A1.2.7 Documented environmental operating standards are in place to guide personnel in controls related to facilities, mechanical and electrical infrastructure, and supporting system availability requirements.

Inspected the data center environmental operating standards to determine that documented environmental operating standards were in place to guide personnel in controls related to facilities, mechanical and electrical infrastructure, and supporting system availability requirements.

No exceptions noted.

A1.2.8 Site documentation covering facility infrastructure and maintenance activities is maintained at each data center facility.

Inspected the facility maintenance dashboard and maintenance calendars to determine that site documentation covering facility infrastructure and maintenance activities was maintained at each data center facility.

No exceptions noted.

A1.2.9 The following environmental systems, including facility loads, are monitored via an environmental monitoring tool and / or physical walkthrough inspections of the data center facilities:
• CRAH / CRAC units
• Air monitoring (temperature, humidity)
• Water leak detectors
• UPS systems
• Diesel power generators

Inspected the environmental monitoring tool configurations or the physical walkthrough inspection checklists for a sample of dates during the review period to determine that the following environmental systems, including facility loads, were monitored via an environmental monitoring tool and / or physical walkthrough inspections of the data center facilities for each date sampled:
• CRAH / CRAC units
• Air monitoring (temperature, humidity)
• Water leak detectors
• UPS systems
• Diesel power generators

No exceptions noted.


A1.2.10 Physical walkthrough inspections of the environmental equipment are performed one time per scheduled shift daily to observe the component level status indicators for normal operations and to detect any inconsistencies or issues in the supporting infrastructure space.

Inquired of the senior director of compliance regarding the physical walkthrough inspections of the environmental equipment to determine that physical walkthrough inspections of the environmental equipment were performed one time per scheduled shift daily to observe the component level status indicators for normal operations and to detect any inconsistencies or issues in the supporting infrastructure space.

No exceptions noted.

Inspected the physical walkthrough inspection checklists for a sample of dates during the review period to determine that physical walkthrough inspections of the environmental equipment were performed for each date sampled.

No exceptions noted.

A1.2.11 Multiple redundant infrastructure components are in place that include, but are not limited to, the following:
• UPS systems
• PDUs / power panels
• Cabinet power feeds

Observed the data center facilities’ environmental equipment to determine that multiple redundant infrastructure components were in place that included the following:
• UPS systems
• PDUs / power panels
• Cabinet power feeds

No exceptions noted.

Inspected the data center redundancy diagrams to determine that multiple redundant infrastructure components were in place that included the following:
• UPS systems
• PDUs / power panels
• Cabinet power feeds

No exceptions noted.

A1.2.12 Redundant power access for customer equipment is available upon subscription via A and B power feeds, allowing for multiple power supplies.

Inquired of the senior director of compliance regarding redundant power feeds to determine that redundant power access for customer equipment was available upon subscription via A and B power feeds, allowing for multiple power supplies.

No exceptions noted.

Observed the cabinet power feeds for a sample of customers subscribed for redundant power feeds to determine that redundant power access via A and B power feeds was in place for each customer sampled.

No exceptions noted.


A1.2.13 Diesel power generators are in place to provide power to the data center facilities in the event of a power outage.

Inquired of the senior director of compliance regarding the diesel power generators to determine that diesel power generators were in place to provide power to the data center facilities in the event of a power outage.

No exceptions noted.

Observed the data center facilities’ environmental equipment to determine that diesel power generators were in place.

No exceptions noted.

A1.2.14 The diesel power generators provide a minimum of 24 hours of runtime before additional fuel delivery is mandated. The generators can be refueled while in operation.

Inquired of the senior director of compliance regarding the diesel power generators to determine that the diesel power generators provided a minimum of 24 hours of runtime before additional fuel delivery was mandated and that the generators could be refueled while in operation.

No exceptions noted.

Inspected the data center energy consumption reports, the diesel power generator fuel consumption specifications, and the backup power fuel tank registration certificates to determine that the diesel power generators provided a minimum of 24 hours of runtime before additional fuel delivery was mandated.

No exceptions noted.

A1.2.15 Generator run testing is conducted at regular intervals to verify that the generators are in proper working order.

Inquired of the senior director of compliance regarding the generator run tests to determine that generator run tests were conducted at regular intervals to verify that the generators were in proper working order.

No exceptions noted.

Inspected the preventative maintenance inspection reports for a sample of periods during the review period based on the specified intervals to determine that generator run tests were conducted at the specified intervals for each period sampled.

No exceptions noted.


A1.2.16 Management ensures that the diesel power generators are inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the diesel power generators are in proper working order.

Inquired of the senior director of compliance regarding the preventative maintenance performed on the environmental equipment to determine that management ensured that the diesel power generators were inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the diesel power generators were in proper working order.

No exceptions noted.

Inspected the preventative maintenance inspection reports for a sample of periods during the review period based on the specified intervals to determine that the diesel power generators were inspected at the specified intervals for each period sampled.

No exceptions noted.

A1.2.17 UPS systems are in place to provide battery backup power to help ensure ample time to transfer to on-site generator power in the event of a utility failure.

Inquired of the senior director of compliance regarding the UPS systems to determine that UPS systems were in place to provide battery backup power to help ensure ample time to transfer to on-site generator power in the event of a utility failure.

No exceptions noted.

Observed the data center facilities’ environmental equipment to determine that UPS systems were in place.

No exceptions noted.

A1.2.18 Management ensures that UPS systems are inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the UPS systems are in proper working order.

Inquired of the senior director of compliance regarding the preventative maintenance performed on the environmental equipment to determine that management ensured that UPS systems were inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the UPS systems were in proper working order.

No exceptions noted.

Inspected the preventative maintenance inspection reports for a sample of periods during the review period based on the specified intervals to determine that UPS systems were inspected at the specified intervals for each period sampled.

No exceptions noted.


A1.2.19 Multiple HVAC systems are configured in a minimum N+1 design to provide redundancy in the event of a unit failure or maintenance.

Inquired of the senior director of compliance regarding the redundancy of the environmental equipment to determine that multiple HVAC systems were configured in a minimum N+1 design to provide redundancy in the event of a unit failure or maintenance.

No exceptions noted.

Observed the data center facilities’ environmental equipment to determine that multiple HVAC systems were configured in a minimum N+1 design.

No exceptions noted.

A1.2.20 Management ensures that HVAC systems are inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the HVAC systems are in proper working order.

Inquired of the senior director of compliance regarding the preventative maintenance performed on the environmental equipment to determine that management ensured that HVAC systems were inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the HVAC systems were in proper working order.

No exceptions noted.

Inspected the preventative maintenance inspection reports for a sample of periods during the review period based on the specified intervals to determine that the HVAC systems were inspected at the specified intervals for each period sampled.

No exceptions noted.

A1.2.21 Data center facility equipment is protected from water damage through the combination of elevated racks, water detection sensors, and / or elevated anti-static floors.

Observed the data center facilities’ environmental equipment to determine that data center facility equipment was protected from water damage through the combination of elevated racks, water detection sensors, and / or elevated anti-static floors.

No exceptions noted.


A1.2.22 The data center facilities, other than CON, are protected by multi-level fire detection and suppression systems that include, but are not limited to, the following:
• Clean agent gaseous fire suppression system (FM-200, ECARO-25 or CO2) and / or pre-action dry-pipe water sprinkler fire suppression systems
• Smoke and heat detection sensors
• Carbon sensing equipment
• Hand-held fire extinguishers

Observed the data center facilities’ environmental equipment to determine that the data center facilities, other than CON, were protected by multi-level fire detection and suppression systems that included the following:
• Clean agent gaseous fire suppression system (FM-200, ECARO-25 or CO2) and / or pre-action dry-pipe water sprinkler fire suppression systems
• Smoke and heat detection sensors
• Carbon sensing equipment
• Hand-held fire extinguishers

No exceptions noted.

A1.2.23 The CON data center facility is protected by multi-level fire detection and suppression systems that include, but are not limited to, the following:
• Wet pipe water sprinkler fire suppression systems
• Smoke and heat detection sensors
• Carbon sensing equipment
• Hand-held fire extinguishers

Observed the data center facility’s environmental equipment to determine that the CON data center facility was protected by multi-level fire detection and suppression systems that included the following:
• Wet pipe water sprinkler fire suppression systems
• Smoke and heat detection sensors
• Carbon sensing equipment
• Hand-held fire extinguishers

No exceptions noted.

A1.2.24 Management ensures that fire detection and suppression systems are inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the fire detection and suppression systems are in proper working order.

Inquired of the senior audit and compliance consultant regarding the preventative maintenance performed on the environmental equipment to determine that management ensured that fire detection and suppression systems were inspected at regular intervals following manufacturer’s recommendations and organizational standards to verify that the fire detection and suppression systems were in proper working order.

No exceptions noted.

Inspected the preventative maintenance inspection reports for a sample of periods during the review period based on the specified intervals to determine that fire detection and suppression systems were inspected at the specified intervals for each period sampled.

No exceptions noted.


A1.2.25 The fire suppression systems are monitored on a 24 hour per day basis by a remote third party vendor.

Inspected the third party vendor fire suppression system monitoring agreements to determine that the fire suppression systems were monitored on a 24 hour per day basis by a remote third party vendor.

No exceptions noted.

A1.3: Recovery plan procedures supporting system recovery are tested to help meet the entity’s availability commitments and system requirements.

A1.3.1 Business continuity and disaster recovery plans are in place to guide personnel in procedures to protect against disruptions caused by an unexpected event.

Inspected the business continuity and disaster recovery plans to determine that business continuity and disaster recovery plans were in place to guide personnel in procedures to protect against disruptions caused by an unexpected event.

No exceptions noted.

A1.3.2 System file restore tests are performed on a quarterly basis as part of the organization’s BCP testing.

Inspected evidence of the completed system file restore testing for a sample of quarters during the review period to determine that system file restore tests were performed for each quarter sampled as part of the organization’s BCP testing.

No exceptions noted.

A1.3.3 Business continuity and disaster recovery plans are tested on at least an annual basis.

Inspected the results of the most recently completed business continuity and disaster recovery test to determine that business continuity and disaster recovery plans were tested during the review period.

No exceptions noted.


SECTION 5

OTHER INFORMATION PROVIDED BY MANAGEMENT


SERVICE LEVEL AVAILABILITY
