2.8 Compliance 03. SOC Readiness
28.03 SOC Readiness: | 1. Every Bespoke Application Service is unique, and this Service Organisation Control (SOC) audit report has been sponsored by the Application Service Provider (ASP) for the benefit of a large number of customers. For privacy, confidentiality and security reasons, the names of companies and dates have been excluded from this report. | 2. This audit covers a Bespoke Application Service for the 12 months of 2017, with historical reference back more than ten years to 2004. |
1. Parties: | 1. Data Controller is the customer who owns their own business data and pays for their own Bespoke Application Service to be provided according to their defined service level agreement. | 2. Data Processor is the Application Service Provider (ASP) who operates the customer's own Bespoke Application Service in return for a modest monthly fee. | 3. Insurer is a subcontractor to the Data Controller who provides insurance according to a set of business rules in accordance with a defined tariff. The Insurer is granted access to certain business data that is authored and owned by the Data Controller. | 4. Broker is a subcontractor to the Data Controller who in turn subcontracts to the Data Processor in return for a monthly fee. | 5. Third Party Vendors (TPV) are subcontractors to the Data Processor: external auditors, certificate authorities, data center owners, international standards associations, security consultants, energy providers, communication network providers, domain vendors, system software vendors, email service providers, equipment vendors, training organisations, industry alliance groups, etc. |
2. Ownership: | 1. Data Controller, as the customer, owns their own business data and owns their own Bespoke Application Service. The Data Processor shall use its best endeavours to ensure that the Data Controller has access to their own business data and may take copies of their own online forms, procedures and guides as they choose. The Data Controller owns their own hardware, network and software that communicates with their online Internet application service. All intellectual property, including copyright, in the Bespoke Application Service is assigned to the Data Controller as the owner and customer. | 2. Data Processor, as the ASP, owns the infrastructure that provides Bespoke Application Services to a large number of customers over the Internet. The Data Processor does not write programs, does not distribute application programs and does not recommend any specific type of software. The Data Processor does not own the Bespoke Application Service, and the Bespoke Application Service is not a software product. The Data Processor provides an Internet service that includes operating the Bespoke Application Service for and on behalf of the Data Controller. | 3. Insurer provides and owns a catalogue of insurable options with appropriate tariffs that are used by the Data Processor when providing application services on behalf of the Data Controller. | 4. Broker owns contracts with the customer, Insurer and ASP so that the supply chain can provide the application service expected by all parties. The Broker is paid by the customer and pays the ASP. The Broker may be paid by the Insurer where the Insurer is paid by the customer, or the Broker may be paid by the customer and pay the Insurer. |
S1 Security. | 1. Organisation and Management: the criteria relevant to how the Organisation is structured and the processes it has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function. | 2. Communications: the criteria relevant to how the Organisation communicates its policies, processes, procedures, commitments and requirements to authorised users and other parties of the system, and the obligations of those parties and users to the effective operation of the system. | 3. Risk Management and Design and Implementation of Controls: the criteria relevant to how the entity (i) identifies potential risks that would affect the entity's ability to achieve its objectives, (ii) analyses those risks, (iii) develops responses to those risks, including the design and implementation of controls and other risk-mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process. | 4. Monitoring of Controls: the criteria relevant to how the entity monitors the system, including the suitability, design and operating effectiveness of the controls, and takes action to address deficiencies identified. | 5. Logical and Physical Access Controls: the criteria relevant to how the Organisation restricts logical and physical access to the system, provides and removes that access, and prevents unauthorised access, to meet the criteria for the principle(s) addressed in the engagement. | 6. System Operations: the criteria relevant to how the Organisation manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement. | 7. Change Management: the criteria relevant to how the Organisation identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorised changes from being made, to meet the criteria for the principle(s) addressed in the engagement. |
P1 Privacy. | 1. Notice and communication of commitments and system requirements: focuses on notice about, and changes to, privacy practices and commitments, as well as the system requirements internal people need in order to carry out their responsibilities. | 2. Choice and consent: focuses on the choices offered to data subjects regarding the collection, use, retention, disclosure and disposal of personal information. Consent must be obtained from the data subject where required and is obtained only for the one stated purpose. The basis for determining any implicit consent is documented. | 3. Collection: personal information must be collected in accordance with privacy commitments and system requirements. If explicit consent is required, that requirement must be communicated, together with the consequences of failing to provide consent for the requested personal information. | 4. Use, Retention and Disposal: use and retention of personal information is limited to the purposes identified in the privacy commitments and system requirements. Disposal of personal information must be secure and consistent with commitments and system requirements. | 5. Access: data subjects, once identified and authenticated, are given the ability to review and access their stored personal information and, upon request, are provided with physical or electronic copies of that information. If access is denied to a data subject, notice and the reason for denial are provided. Data subjects are allowed to provide corrected, updated or appended information, and that information is communicated to the appropriate parties. If such corrections are denied, notice and the reason for denial are provided. | 6. Disclosure and Notification: disclosure of personal information to third parties requires the prior consent of the data subject. The ASP creates and retains authorised disclosure records that are complete, accurate and timely. The ASP also creates and retains records of unauthorised disclosures of personal information, including data breaches, that are complete, accurate and timely. Vendors and third parties whose products or services are part of the system and who have access to personal information must comply with the ASP's privacy commitments and system requirements. If those vendors or third parties have an actual or suspected unauthorised disclosure of personal information, they must notify the appropriate ASP personnel and act on the event according to established incident response procedures, privacy commitments and system requirements. Breaches and incidents must be reported to affected data subjects, regulators and others deemed necessary to know. A data subject may request, and the ASP must keep, an accounting record of the personal information held and of disclosures of that information. | 7. Quality: the personal information collected must be accurate, up to date, complete and relevant. | 8. Monitoring and Enforcement: a process is deployed for receiving, addressing, resolving and communicating the resolution of inquiries, complaints and disputes from data subjects and others. Compliance with privacy commitments and system requirements is periodically monitored. Corrections and other actions needed to address identified deficiencies are taken in a timely manner. |
SOC 1, SOC 2 and SOC 3 | 1. SOC 1 reports on the controls at a service organisation that are relevant to its customers' internal control over financial reporting; it is addressed to the customers and their financial auditors. | 2. SOC 2 reports on controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), which is the report this document prepares for. Both SOC 1 and SOC 2 come in two types: a Type 1 report describes the design of controls at a point in time, and a Type 2 report also tests their operating effectiveness over a period (annual in this case). | 3. SOC 3 is a general-use summary of a SOC 2 Type 2 examination: the same criteria and the same opinion, but without the detailed description of the tests performed and their results, so it can be published freely. |
SOC Scope | 1. Security: information and services are (1) protected against unauthorised access, (2) protected against unauthorised disclosure, and (3) protected against damage that could affect the ability to meet business objectives. | 2. Availability: information and services are available to approved people to meet business objectives, as committed in the service level agreement (the target is 99.999 percent uptime; see Communication: Terms and Conditions below). | 3. Processing integrity: processing is (1) complete, (2) valid, (3) accurate, (4) timely and (5) authorised, to meet business objectives. | 4. Confidentiality: information designated as confidential is protected from being (1) stolen or (2) lost, in accordance with business objectives. | 5. Privacy: personally identifiable information is (1) collected, (2) used, (3) retained, (4) disclosed and (5) disposed of according to business objectives and the privacy commitments. |
How does it work? | 1. Encryption of all stored business information means that data copied from storage is meaningless and worthless to a criminal who does not also hold the keys; the residual risk therefore sits in key management and in the credentials of approved people, which is why the authentication and monitoring in item 3 matter as much as the encryption. Conventional backup media have been replaced by the replication in item 2. System administration of individual servers has been eliminated. Protection-by-design with pseudonymisation, as recommended by GDPR, is deployed: personal data is stored so that it can no longer be attributed to a data subject without additional information that is kept separately. | 2. Replication of all encrypted data to a large number of secure data centers means that data cannot be lost: business continues to be provided by other data centers when one data center is not available. Downtime has been eliminated. Programming has been eliminated. (Replication copies a corrupted or deleted record as faithfully as a good one, so point-in-time recovery of records still has to be designed for separately.) | 3. Authentication of approved people uses multiple factors and continual monitoring, so that criminal behaviour is stopped before a criminal can impersonate an approved person. Confidentiality leaks by phone or email have been eliminated. | 4. Bespoke application services include continual improvements, so that services evolve at the same rate as the business. Extreme levels of flexibility using an artificial intelligent assistant enable improvements to be deployed without any downtime or delay. Business rules and objectives are the knowledge that provides the bespoke application service. |
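The pattern behind item 1 above (every field encrypted, records looked up by a keyed pseudonym rather than by the identifier itself, keys held apart from the data) is concrete enough to show in code. The following is an added illustration written for this page, not the ASP's own code. The class and function names, the sample record and the master key are assumptions, and the standard-library HMAC construction (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is only there so the example runs offline; a production service should use a vetted AEAD such as AES-GCM and keep the master key in a KMS or HSM.

```python
"""Field-level encryption with pseudonymised lookup keys (added illustration,
not the ASP's code). Standard library only, so it runs offline: HMAC-SHA256
in counter mode plus an encrypt-then-MAC tag stands in for AES-GCM."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # random per field, so equal plaintexts encrypt differently
TAG_LEN = 32    # HMAC-SHA256 over nonce + ciphertext


class FieldVault:
    """Derives one key per purpose from a master key (assumed name). In
    production the master key lives in a KMS/HSM, never beside the data."""

    def __init__(self, master_key: bytes):
        self._pseudo_key = self._derive(master_key, b"pseudonym")
        self._enc_key = self._derive(master_key, b"encrypt")
        self._mac_key = self._derive(master_key, b"authenticate")

    @staticmethod
    def _derive(master: bytes, purpose: bytes) -> bytes:
        return hmac.new(master, purpose, hashlib.sha256).digest()

    def pseudonym(self, identifier: str) -> str:
        # Keyed, deterministic token: the same e-mail always maps to the same
        # row, but without the key it cannot be brute-forced back to the
        # identifier the way a plain SHA-256 of an e-mail address can.
        canonical = identifier.strip().lower().encode()
        return hmac.new(self._pseudo_key, canonical, hashlib.sha256).hexdigest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = bytearray()
        block = 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + block.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before decrypting
            raise ValueError("field tampered with or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def store_record(db: dict, vault: FieldVault, identifier: str, fields: dict) -> str:
    """Store a data subject's record under its pseudonym; every field is sealed."""
    token = vault.pseudonym(identifier)
    db[token] = {name: vault.seal(value.encode()) for name, value in fields.items()}
    return token


def fetch_record(db: dict, vault: FieldVault, identifier: str) -> dict:
    token = vault.pseudonym(identifier)
    return {name: vault.open(blob).decode() for name, blob in db[token].items()}


def storage_reveals(db: dict, *needles: str) -> bool:
    """What a thief holding the storage but not the keys could read directly."""
    dump = b"".join(blob for record in db.values() for blob in record.values())
    dump += b"".join(token.encode() for token in db)
    return any(needle.encode() in dump for needle in needles)


if __name__ == "__main__":
    # Constructed sample data, not from any real system.
    vault = FieldVault(secrets.token_bytes(32))
    db = {}
    store_record(db, vault, "Alice@Example.com",
                 {"name": "Alice Example", "tariff": "home contents B"})
    print(fetch_record(db, vault, "alice@example.com"))
    print("plaintext visible in storage:",
          storage_reveals(db, "Alice", "alice@example.com"))
```

Two properties are worth noticing: a second vault built from a different master key produces a different pseudonym and cannot open any field (the tag check fails before a single byte is decrypted), and because the pseudonym key is derived separately from the encryption key, an insider who obtains the lookup key alone still cannot read the stored fields.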
Why does it work? | 1. Encryption of all business data is beyond the capability of other application service providers that depend on application programmers, but well within the capability of an artificial intelligent assistant. | 2. Replication of all encrypted data to a large number of secure data centers is beyond the capability of other application service providers who do not have the same scale. | 3. Authentication using multiple factors and continual monitoring is beyond the capability of other application service providers that still rely on obsolete passwords and login procedures. | 4. Bespoke application services with continual improvements are beyond the capability of software vendors whose expensive programs need to be patched. | 5. All support is by secure online services, whereas software vendors leak private, confidential and sensitive information by email and phone when supporting staff and accessing business data that is not encrypted. |
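Item 3 in the two lists above (a second factor plus continual monitoring, instead of a bare password) is the one control here with a well-defined mechanism, so it gets an added example. This is code written for this page, not the ASP's own: a server-side time-based one-time password check (TOTP, RFC 6238, with the RFC 4226 truncation), which refuses replayed codes by remembering the highest time step already consumed and locks the authenticator after repeated failures so that the attempts surface in an audit trail. The class and function names, the lockout threshold and the event log are assumptions; the secret used in the usage line is the published RFC 6238 test key.

```python
"""Second factor with replay and brute-force checks (added illustration, not
the ASP's code). TOTP per RFC 6238 using only the standard library."""
import hashlib
import hmac
import struct

STEP = 30          # seconds per code
DIGITS = 6
MAX_FAILURES = 5   # assumed monitoring threshold: lock after this many bad codes in a row


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1."""
    counter = at_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactor:
    """Server-side state for one enrolled authenticator (assumed class name)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accepted clock drift, in steps each way
        self.last_counter = -1        # highest step already consumed
        self.failures = 0
        self.events = []              # (outcome, time) audit trail for monitoring

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            self.events.append(("locked", now))
            return False
        centre = now // STEP
        for drift in range(-self.window, self.window + 1):
            counter = centre + drift
            if counter <= self.last_counter:
                continue  # a code for this step (or an earlier one) was already used: replay
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter   # burn this step and every earlier one
                self.failures = 0
                self.events.append(("ok", now))
                return True
        self.failures += 1
        self.events.append(("fail", now))
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    sf = SecondFactor(secret)
    print("code at t=59:", totp(secret, 59))            # RFC vector: 287082
    print("first use:", sf.verify("287082", 59))        # True
    print("replay:", sf.verify("287082", 61))           # False, step already consumed
    print("events:", sf.events)
```

The replay rule is deliberately one-directional: once a step has been accepted, every step up to it is dead, so an attacker who shoulder-surfs a code cannot use it even inside the drift window. Monitoring here is the `events` list and the lockout; in a real service those events would feed the continual monitoring the page describes rather than sit in memory.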
Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring. | This section provides information about the five interrelated components of the ASP's internal control: | 1. Control Environment: sets the tone of an organisation, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. | 2. Control Activities: the policies and procedures that help make sure that management's directives are carried out. | 3. Information and Communication: systems, both automated and manual, that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities. | 4. Monitoring: a process that assesses the quality of internal control performance over time. | 5. Risk Assessment: identification and analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks can be managed. | The ASP's internal control components include controls that may have a pervasive effect on the organisation, or may affect specific processes or applications, or both. Some components include controls that have more of an effect at the ASP level, while others include controls that relate primarily to specific applications. When evaluating internal control, we consider the interrelationships among the five components. |
Control Environment | The objectives of internal control as it relates to the Bespoke Application Service are to provide reasonable, but not absolute, assurance that controls are suitably designed and operating effectively to meet the relevant control objectives, that assets are protected from unauthorised use or disposition, and that transactions are executed in accordance with management's authorisation and customer instructions. Management has established and maintains controls designed to monitor compliance with established policies and procedures. The remainder of this subsection discusses the tone at the top as set by management; the integrity, ethical values and competence of ASP people; the policies and procedures; the risk management (RM) process and monitoring; and the roles of significant control groups. The internal control structure is established and refreshed based on the ASP's assessment of the risks facing the organisation. |
Integrity and Ethical Values | Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of key processes. Integrity and ethical behaviour are the products of ethical and behavioural standards, how they are communicated, and how they are monitored and enforced in business activities. They include management's actions to remove or reduce incentives, pressures and opportunities that might prompt personnel to engage in dishonest, illegal or unethical acts. They also include the communication of the ASP's values and behavioural standards to personnel through policy statements and codes of conduct, and by the example the executives set. | The ASP Board of Directors (the Board) and management recognise their responsibility to foster a strong ethical environment within the ASP, so that its business affairs are conducted with integrity and in accordance with high standards of personal and corporate conduct. This responsibility is characterised and reflected in the ASP Code of Business Conduct and Ethics (the Code of Conduct), which is distributed to all people in the organisation. Specifically, people and their immediate families are prohibited from using their positions with the ASP for personal or private gain, from disclosing confidential information regarding customers, and from taking any action that is not in the best interest of customers. Personal securities transactions are governed by corporate policy, and account trades are reviewed to monitor adherence to ASP policy. All people are required to maintain ongoing compliance with all statements of policy, procedures and standards in the Code of Conduct and with lawful and ethical business practices, whether or not these are specifically mentioned in the Code of Conduct. Each person is required to affirm annually that he or she has received, read, understood and complied with the requirements set forth in the Code of Conduct and the Employee Handbook. Personal recertification status is monitored periodically for compliance. |
Organisational Structure and Assignment of Authority and Responsibility | Organisational structure provides the framework within which the activities for achieving the ASP's objectives are planned, executed, controlled and monitored. The ASP has established an organisational structure with defined roles and responsibilities that includes consideration of key areas of authority and responsibility, as well as appropriate lines of reporting. |
Governance and Oversight: The Board of Directors | The ASP's control environment is influenced significantly by the Board and other groups (as defined later in this subsection) who are charged with governance. | The Board consists of six directors and the Chairman. Each member of the Board possesses adequate, relevant experience and is recognised as an individual of high integrity and good stature. The Board is actively involved in and scrutinises the activities of the ASP's functional groups, and takes action with respect to its fiduciary responsibilities. Additionally, the Board raises questions and pursues key initiatives with management, and interacts periodically with both the internal and the external auditors. Specifically, the Board meets on a regular basis to review operating performance, strategy, corporate governance and risks, and to oversee appropriate shareholder reporting. The Board is responsible for overseeing corporate governance and has discretion to delegate a broad range of powers and decisions to the Management Committee (described in the following subsection) in order to manage the business on a daily basis. The Board meets quarterly, or more frequently if necessary. The Board has three formal committees: the Nominations Committee, the Audit Committee and the Compensation Committee. | The Audit Committee is responsible for: overseeing and monitoring the integrity of financial statements, compliance with legal and regulatory requirements as they relate to financial reporting or accounting matters, and the organisation's internal accounting and financial controls; overseeing and monitoring the independent auditors' qualifications, independence and performance; providing the Board with the results of its monitoring and its recommendations; providing the Board with such additional information and materials as it deems necessary to make the Board aware of significant financial matters that require the Board's attention; and overseeing the internal audit function. The Audit Committee generally meets three times a year and has discussions with both the external and the internal auditors at each meeting. |
Governance and Oversight: The Management Committee | The Management Committee, chaired by the Chief Executive Officer, has been delegated by the Board the responsibility for managing the ASP and its business on a daily basis. Members of the Management Committee draw on experience from their former roles as senior executives of large international banks and of organisations specialising in middle- and back-office support services for investment advisers. | In its role, the Management Committee assigns authority and responsibility for operating activities, and establishes reporting relationships and authorisation hierarchies. The Management Committee designs policies and communications so that personnel understand objectives, know how their individual actions interrelate and contribute to those objectives, and recognise how and for what they will be held accountable. The Management Committee convenes weekly. | Lines of authority and responsibility are clearly established throughout the organisation under the Management Committee. These lines of authority and the associated responsibilities are communicated through: (1) management's philosophy and operating style, (2) the organisational structure, (3) job descriptions, and (4) policy and procedure manuals. Managers are expected to be aware of their responsibilities and to lead people in complying with policies and procedures. |
Governance and Oversight: Human Resource Policies and Practices | Human resource (HR) policies and practices relate to hiring, orienting, training, evaluating, counselling, promoting and compensating personnel. The competence and integrity of ASP people are essential elements of its control environment. The organisation's ability to recruit and retain a sufficient number of competent and responsible personnel depends to a great extent on its HR policies and processes. | The HR policies and processes of the ASP are designed to: (1) identify and hire competent personnel, (2) provide people with the training and information they need to perform their jobs, (3) evaluate the performance of people to verify their ability to perform job assignments, and (4) through performance evaluation, identify opportunities for growth and job performance improvement. | Formal written job descriptions are developed and maintained for each position. Each ITIL job description is reviewed and updated annually by a manager responsible for overseeing people with that description. Job description reviews occur in conjunction with the annual performance review process and include an evaluation of the job for incompatible duties. Changes to formal written job descriptions are submitted to HR for review and approval. Formal written job descriptions are also prepared for subcontractors who work under the direct supervision of ASP management. | The ASP has also established formal classroom instruction, web-based training and on-the-job training programmes for critical departments and functions. Programmes include orientation on the basics of the functional team's operations, individualised instruction manuals for selected departments, and regularly scheduled department workshops. People are also encouraged to participate actively in professional organisations and forums to maintain their knowledge and develop awareness of issues facing the ASP. |
Governance and Oversight: New Hire Process | Managers within the respective functional groups of the organisation determine the need for additional resources and submit formal job requisitions to senior management for approval. Once requisitions have been approved by the appropriate individual(s), HR begins sourcing for the available position. HR screens potential candidates and sends selected résumés to the respective managers. The managers review the documentation, select candidates, and inform HR of the individuals with whom they wish to schedule interviews. The relevant manager and HR conduct interviews, and potential offers are submitted to the appropriate authority within the organisation for approval. | Individuals offered a position at the ASP are subject to background checks (as appropriate for each country with respect to local laws and regulations) prior to starting with the company. The background check includes substantiation of educational credentials, previous employment, compensation history, credit history and criminal record, as applicable. Prospective people complete an employment application and sign waivers to release information for the background check. In addition, it is the policy of the ASP to request employment references to determine whether the candidate is well qualified and has the potential to be productive and successful during his or her tenure. | In each location, people receive an offer package together with links to web pages containing an overview of HR policies and procedures. The offer package includes the offer letter or employment contract, the Employee Handbook, relevant compensation materials, benefit materials and the Code of Conduct. On signing their offer, employees confirm that they have read through these materials. | HR is responsible for managing voluntary and involuntary terminations. Voluntary terminations are identified by the person's manager and are recorded in the Event Management System (EMS). HR personnel communicate with the person to identify the person's final day of employment and to inform the person of his or her rights and responsibilities. The final day is entered into the HR Management System (HRMS) and an exit interview is scheduled for that date. During the exit interview, the person is asked to return any assets in his or her possession, including credit card, laptop and so on. The HR person records the returned items in the Event Management System (EMS) and provides the person with a signed receipt for them. |
Governance and Oversight: Performance Management | ASP has implemented a structured performance appraisal process. Managers are asked to discuss performance expectations and goals with each person at the start of the year. These objectives and development goals are documented in a web-based Performance Management System (PMS). ASP has a formal mid-year review process, and also conducts an annual performance review for each person at the completion of the calendar year. People are also required to complete an annual self-appraisal of their performance, attributes, and progress toward stated goals. Annual performance evaluations affirmed by the person, his or her manager, and director are maintained in electronic form. Managers are also strongly encouraged to have ongoing, informal conversations with people regarding their performance throughout the year. | ASP has developed a mandatory training program for its people, including a coordinated new hire orientation program and targeted courses that must be passed to be eligible for promotion. Additional continuing professional education and development opportunities are identified through the goal-setting and development-planning process. Managers and HR identify learning plans both by role and level. It is also the managers role to identify what training a particular person requires to comprehend policies and procedures as they relate to specific job requirements. Each person has the opportunity to partake in formal training classes, on-the-job training, or online education courses. A record of training program attendance is maintained for each person. |
Risk Assessment | The process of identifying, assessing and managing risks is a critical component of internal control. The purpose of the ASP's risk assessment process is to identify, assess and manage risks that affect the organisation's ability to achieve its objectives. ASP management also monitors controls to consider whether they are operating as intended and whether they are modified as appropriate for changes in conditions or in the risks facing the organisation. | Ongoing monitoring procedures are built into the normal recurring activities of the ASP and include regular management and supervisory activities. Managers of the various organisational units are regularly in touch with people and may question the accuracy of information that differs significantly from their knowledge of operations. | The ASP has established an independent organisational business unit, Risk Management (RM), that is responsible for identifying risks and monitoring the operation of the firm's internal controls. RM's approach is intended to align the ASP's strategy more closely with its key stakeholders, assist the organisational units with managing uncertainty more effectively, minimise threats to the business, and maximise its opportunities in a rapidly changing market environment. | RM actively identifies and mitigates significant risks through the implementation of various initiatives and continuous communication with other leadership committees and senior management, including the Management Committee. | The Process Audit Manager (PAM) is responsible for assessing the risk and control environment through rigorous evaluation of financial, operational and administrative controls, RM practices, and compliance with laws, regulations, policies and procedures. The Process Audit Manager reports functionally to the Chairman of the Audit Committee and administratively to the Managing Director, and communicates significant findings and the status of corrective actions directly to these individuals. The Process Audit Manager adheres to standards of moral and ethical conduct, including those set forth in the Employee Handbook and in the Institute of Internal Auditors (IIA) Code of Ethics and Standards for the Professional Practice of Internal Auditing. |
Information and Communication | Information and communication is an integral component of internal controls. It is the process of identifying, capturing, and exchanging information in the form and time frame necessary to conduct, manage and control the operations. This process encompasses the primary classes of transactions of the organisation, including the dependence on, and complexity of, information technology. At ASP, information is identified, captured, processed, and reported by various information services, as well as through conversations with Customers, vendors, regulators, and ASP people. | Various weekly calls are held to discuss operational efficiencies within the applicable functional areas and to disseminate new policies, procedures, controls, and other strategic initiatives within the organisation. Management meetings are held on a regular basis to provide staff with updates and key issues affecting the organisation and its people. Senior executives lead management meetings with information gathered from formal automated information services as well as conversations with various internal and external colleagues. General updates to security policies and procedures are usually communicated to the appropriate ASP people via online messages. |
Policies and Procedures | The ASP has the following security policies and procedures in place, which are owned by the Information Security Manager: | * Acceptable Use Policy | * Cellular Phone and BYOD Policy | * Disaster Recovery Manual | * Encryption Policy | * Enterprise Security Policy | * General Emergency Policy | * Information Sensitivity Policy | * Internal Lab Security Policy | * Internet DMZ Equipment Policy | * Media Destruction Policy | * Network Access/Configuration Policy | * Password Policy | * Patch Management Policy | * Remote Access/VPN Policy | * Router Security Policy | * Server Security Policy | * Software Policy | * User Account Policy | * Wireless Communication Policy | Policies are reviewed at least annually, and more frequently if necessary. The Information Security Manager is authorised to perform reviews of policies, with final approval for changes resting with the Information Security Manager in conjunction with other senior management. Approvals are documented via e-mail as they occur. Any changes to the policies are then communicated to people via the application services and are posted on an internal web site accessible to ASP people. | To mitigate any potential for loss or exploitation of sensitive data, the ASP maintains a data sensitivity policy to determine whether the appropriate controls are in place for data of higher sensitivity. This policy classifies data into categories and specifies protection accordingly, including the privacy treatment required for each category. The Information Security Manager conducts vulnerability assessments of the relevant data to verify compliance with the policy. |
Communication: Terms and Conditions | Terms and conditions provide a mechanism for communicating the terms of service within the company and between the company, customers and Approved People. The terms and conditions outline the terms and payment for services, use of services, enforcement, intellectual property rights and warranties. Both the terms of service and the service level agreement can be found on the ASP web site. | The obligations outlined within the terms of service and the Service Level Agreement, as they relate to security and availability, are as follows: | * The ASP shall make all reasonable attempts to provide 99.999 percent uptime for Bespoke Application Services. | * The ASP may schedule network maintenance periods resulting in network interruptions, but these maintenance periods have been virtually eliminated as the number of secure data centers has increased. | * The customer understands and agrees that occasional temporary interruptions of any Internet service may occur as normal events in the provision of Internet services. | * Indemnification of the company and its affiliated parties. | The terms of service are reviewed at least annually, or more frequently when deemed necessary. Any changes are reviewed by management and sent to the Marketing Communications team for execution. Customers are notified of any changes via online services. The customer is not required to accept or agree to any change. |
Physical Security | Physical security costs have been eliminated by the ASP by avoiding the need for any formal office accommodation. | ASP people have the right to work in any secure location they choose at any time that they choose. | Nobody has physical access to any production data center while that data center has production status. | No ASP portable or personal computing equipment exists - ASP owns racks of servers that are locked in tier-4 secure data centers. | ASP people have the right to choose whatever kinds of desktop, laptop, tablet and smart phone they wish to use at any point in time. | Networks and computer browsers must be registered before they can be used to access any application service. | ASP people shall never download any application software to their local desktop, laptop, tablet or smart phone - only online services shall be used. | ASP people shall never download any business data to a local computing device. | ASP people shall never download any email or attachment to their business computer - dedicated smart phones must be used for email and not used for any other purpose. |
Logical Security: Organisational Structure | ASP has implemented an information security management program (ISMP) headed by the Information Security Manager under the direction of the Security Council. The Security Council is comprised of the Demand Director, Financial Director, and Architect Director and is chaired by the Managing Director. The council establishes and reviews the security strategy and approves RM plans, security policies, Information Security Group (ISG) organisational structure and security communication plans. The council also reviews and approves changes to the system development methodology as it relates to system security and availability and publishes a quarterly security newsletter that is communicated to all ASP people. | The ISG is comprised of the following functional units: | * Deployment Manager | * Change Manager | * Development Manager | * Operations Manager | * Support Manager | * Facilities Manager | Each unit is headed by a manager who reports directly to the Architect Director. ISG personnel are active in various security organisations and are encouraged to spend at least 40 hours per year in organisation activities. Employees are expected to participate in 40 hours of continuing education in approved security classes. |
Security Policy | Security policies are communicated in the ASP Security Policies Manual, which is available to all people on the ASP web site. In addition, all vendors and vendor personnel with access to the application service have online access to all such pages. The Manual is reviewed and continually updated by the Information Security Manager and is approved by the Security Council. The Manual includes the following elements: | * Managing Director Statement on security practices | * Organisation and responsibility of the Security Council | * Organisational structure of the ISG | * ISG roles and responsibilities | * Link to ISG job descriptions | * Link to the ASP Code of Conduct | * Acceptable-Use Policy | * Disciplinary and Sanctions Policy | * Mobile Device Policy | * Encryption Policy | * Network Access/Configuration Policy | * Password Policy | * Patch Management Policy | * Enterprise Security Policy | * Data Classification Policy | * Internet DMZ Equipment Policy | * Media Destruction Policy | * Remote Access/VPN Policy | * Router Security Policy | * Server Security Policy | * Software Policy | * User Account Policy | * Wireless Communication Policy | * Client-people security responsibilities | On arrival and each following January, people are required to complete a web-based security awareness training program. Training must be completed by the end of January. Completion is tracked by HR using online application services. In addition, as part of this process, people with access to the application services are required to confirm that they have read the Security Policies Manual and accept responsibility for complying with it. Customer-people responsibilities are communicated in the master services agreement and are available through a link on the welcome page. |
Security Architecture | ASP uses a role-based security architecture and requires Approved People of the system to be identified and authenticated prior to the use of any application service. Resources are protected through the use of authentication services that identify and authenticate Approved People and validate access requests against the Approved People's authorized roles in access control lists. In situations in which incompatible responsibilities cannot be segregated, ASP implements monitoring of one or more of the responsibilities. Monitoring must be performed by a superior without responsibility for performing the conflicting activities or by personnel from a separate department. | All resources are managed in the asset inventory system and each asset is assigned an owner. Owners are responsible for approving access to the resource and for performing periodic reviews of access by role. | Defined configuration standards exist for each hardware platform and each software system. The standards are developed by a security architect and are continually updated. Standards are reviewed and approved by the architect prior to implementation. Changes are classified as: | (1) emergency deployment, meaning that they must be deployed on all production elements within a defined number of weeks, | (2) standard deployment, which must be deployed on all production elements within a defined number of months, and | (3) deploy on rebuild, which is classified as being deployed only when other changes are made to the system configuration. Development servers are updated on a standard deployment or on a rebuild basis. Configuration standards include the use of locking screen savers on all workstations. |
Identification and Authentication | Approved people sign on to the Bespoke Application Service using a Handle, Email address and pass-phrase. People are required to separately sign on to any systems or applications that do not use the shared sign-on functionality of the Application Service. Pass-phrases must conform to defined pass-phrase standards and are enforced through parameter settings in the Application Service. These settings are part of the configuration standards that assign strong and unique pass-phrases to Approved People, disable the person's ability to access the application service after a specified number of unsuccessful access attempts, and mask workstation screens, requiring re-entry of the sign-in details after a period of inactivity. | People can only access application services using approved networks and are obliged to use multiple-factor authentication services. | Customer people access application services through the Internet using the SSL functionality of their web browser. These customer people must supply a valid handle, email address and pass-phrase to gain access to customer application resources. Pass-phrases must conform to the pass-phrase configuration requirements assigned by the Bespoke Application Service. Administration accounts use a multiple-factor digital certificate-based authentication system that is dependent on approved computers, approved networks and many other factors. |
New People and People who have Left | When a new person arrives, they are approved by their manager via a request to the HR Management Service. Access rules are predefined based on the defined roles and the person's manager's rights. Application service lists include people who change role, change department, change working patterns and associated changes. | On a regular basis, access rules for each role are reviewed in a management meeting. In evaluating role access, group members consider the job description, duties requiring segregation and risks associated with access. Completed rules are reviewed and approved by the Access Control Manager. | Managers may request changes to role access rules through the Self-Service Support dashboard. Managers document the business purpose of the change, the risks associated with the change and the consideration given to segregation of duties. Access is approved by the Access Control Manager. | Managers may also request a temporary access rule for an individual person for any period of time. Approved requests are submitted through Self-Service Support to the Access Control Manager - such tasks are fully automated. | Customer accounts are created by a customer manager at the location where the account is needed. No super-user accounts are permitted; however, head-office manager accounts serve a similar purpose. Self-service support has been fully automated for approved managers, with ASP monitoring for verification but no delays for the customer. | People are assigned their permanent pass-phrase upon initial sign-on using a one-time pass-phrase that expires in less than one hour. | The HR system generates a list of people who have left in real time. On a continual basis, HR offers a list of active people. The Bespoke Application Service will expire a person's account if it is not used for an unusual number of days. | Customers are responsible for requesting that accounts are disabled for people who have left. | On a regular basis, managers review the roles assigned to their direct reports. Role lists are continually available to managers via the self-service support dashboard. Managers review the lists and indicate the required changes using self-service support, which eliminates operational delays and manual errors. |
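The sign-on controls described in the two sections above (identity by handle plus email, lockout after a specified number of failed attempts, a one-time pass-phrase that expires within the hour, and expiry of dormant accounts) can be modelled as follows. This is an added illustration, not the ASP's own code: the report states no numbers, so MAX_FAILED_ATTEMPTS and DORMANT_DAYS are assumed values, and ONE_TIME_TTL is set inside the stated one hour.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5               # assumed; the report says "a specified number"
ONE_TIME_TTL = timedelta(minutes=30)  # inside the report's "less than one hour"
DORMANT_DAYS = 90                     # assumed; the report says "an unusual number of days"

def _digest(passphrase: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stored pass-phrase is not reversible."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

@dataclass
class Account:
    handle: str
    email: str
    last_used: datetime
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    permanent: bytes | None = None            # set by the person at initial sign-on
    one_time: bytes | None = None             # hash of the one-time pass-phrase
    one_time_expires: datetime | None = None
    failed: int = 0
    locked: bool = False

class AccountService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, handle: str, email: str, now: datetime) -> str:
        """Create the account; return its one-time pass-phrase for out-of-band delivery."""
        acct = Account(handle, email, last_used=now)
        otp = secrets.token_urlsafe(12)
        acct.one_time, acct.one_time_expires = _digest(otp, acct.salt), now + ONE_TIME_TTL
        self.accounts[handle] = acct
        return otp

    def set_permanent(self, handle: str, email: str, otp: str, new: str, now: datetime) -> bool:
        """Initial sign-on: a live, matching one-time pass-phrase sets the permanent one."""
        acct = self.accounts.get(handle)
        if acct is None or acct.email != email or acct.one_time is None:
            return False
        if now >= acct.one_time_expires:
            return False                      # expired: a fresh one-time value must be issued
        if not hmac.compare_digest(acct.one_time, _digest(otp, acct.salt)):
            return False
        acct.permanent = _digest(new, acct.salt)
        acct.one_time = acct.one_time_expires = None   # single use only
        acct.last_used = now
        return True

    def sign_in(self, handle: str, email: str, passphrase: str, now: datetime) -> str:
        """Return 'ok', 'locked' or 'denied'; lock the account after MAX_FAILED_ATTEMPTS."""
        acct = self.accounts.get(handle)
        if acct is None or acct.email != email or acct.permanent is None:
            return "denied"                   # unknown handle and wrong email look identical
        if acct.locked:
            return "locked"
        if hmac.compare_digest(acct.permanent, _digest(passphrase, acct.salt)):
            acct.failed, acct.last_used = 0, now
            return "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                # stays locked until an administrator resets it
            return "locked"
        return "denied"

    def expire_dormant(self, now: datetime) -> list[str]:
        """Remove accounts unused for more than DORMANT_DAYS; return the handles expired."""
        cutoff = now - timedelta(days=DORMANT_DAYS)
        gone = [h for h, a in self.accounts.items() if a.last_used < cutoff]
        for h in gone:
            del self.accounts[h]
        return gone
```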
Encryption of Communication Outside the Boundaries | Approved People must access application services from the Internet through the use of a leading VPN technology. Approved People are authenticated through the use of a multi-factor authentication service. | ASP uses many different certificate authorities to provide the digital certificates used to support encrypted communication. |
Monitoring: Vulnerability Scanning and Monitoring | ASP uses a Third Party Vendor (TPV) to perform quarterly security vulnerability assessment and penetration testing services on its infrastructure and software. A variety of technologies, tools, and techniques are deployed by the TPV to provide broad coverage against various types of threats. | The TPV's services are managed by the CISO and the security architect, who meet with the TPV and the Director of IT Process Audit Manager prior to the start of quarterly testing for planning purposes. As part of this meeting, ASP provides the TPV with a current list of infrastructure and software generated by the asset management system. This information is used in planning penetration and vulnerability testing. Weekly status meetings are held between the security architect and TPV personnel to monitor the status of the testing and the preliminary findings identified. | A closing meeting is held at the conclusion of testing to formally review the results of testing and remediation plans. This meeting is attended by the CIO, CISO, security architect, and all CIO and CISO direct reports. The Director of IT Process Audit Manager also observes the meeting and prepares a report summarizing the meeting and the test results for presentation to the audit committee. | TPV personnel and testing tools are granted access only for the period during which testing is performed and are removed upon completion of testing. Logical access is restricted to the access needed to perform the functions, and all use of the access is logged. |
Assessments | * Penetration Testing: Penetration testing is conducted to measure the security posture of a target application service. The TPV uses an accepted industry-standard penetration testing methodology specified by ASP. The TPV's approach begins with a vulnerability analysis of the target application service to determine what vulnerabilities exist that can be exploited via a penetration test, simulating a disgruntled/disaffected insider or a criminal attacker. Once vulnerabilities are identified, the TPV attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing includes network and application layer testing as well as testing of controls and processes around the networks and applications, and occurs from both outside (external testing) and inside the application service. | * Vulnerability Scans: Vulnerability scanning is performed by a TPV on a quarterly basis in accordance with ASP policy. The TPV uses industry-standard scanning technologies and a formal methodology specified by ASP. These technologies are customized to test ASP infrastructure and system software in an efficient manner while minimizing the potential risks associated with active scanning. Retests and on-demand scans are performed on an as-needed basis. Scans are performed during non-peak windows. Tools requiring installation in the ASP application service are not permitted. Scanning is performed with approved scanning templates and with bandwidth-throttling options enabled. |
Testing Results | The TPV quarterly reports specify identified vulnerabilities, a level of assessed risk for each vulnerability identified and suggested remediation. The report includes an executive summary and Customer summary, which is available to ASP customers upon request. | Individual vulnerabilities identified during penetration and vulnerability testing are logged to the event management software and managed through the incident management process. | In addition to the quarterly testing, continuous monitoring tools are in place. Refer to Incident Management above. |
Availability Monitoring | A formal operations assessment is performed monthly during the management meeting. As part of this management meeting, led by the Availability Manager, service availability is reviewed. Data regarding availability-related incidents is generated from the event management system. An analysis of device outages, availability events, and capacity utilization is prepared by the Operations Manager. This report is reviewed at the management meeting. Based on the review, additional incident tickets or change management tickets may be created to address trends and patterns identified. | People review and monitor industry-appropriate technological and regulatory changes via webcasts, seminars, and printed media. |
Security and Availability Principles and Criteria | Application Services are protected against unauthorized physical and logical access. | Application Services are available for operation and use as committed or agreed. | 1.0 Policies | Source: Trust Services Principles and Criteria for Security (S) and Availability (A) | S1.1 Security policies are established and periodically reviewed and approved by a designated group. | A1.1 System availability and related security policies are established and periodically reviewed and approved by a designated group. | 2.0 Results of Tests | IS-03 Management shall approve a formal Information Security Policy document which shall be communicated and published to ASP people, subcontractors and other relevant external parties. | The Information Security Policy shall establish the direction of the organisation and align to best practices, regulatory, federal/state and international laws where applicable. | The Information Security Policy shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and executive roles. | 3.0 Updates: | Responsibility for and maintenance of the Information Security Policy is assigned to the Information Security Manager under the direction of the Architect Director. | The Information Security Policy is updated at least annually. | 4.0 Communication: | ASP publishes and communicates the Information Security Policy to ASP people and external parties at least annually. | Inspected the Information Security Policy dated 14 Aug 2016 and noted that it included: | * strategic plan considerations, | * applicable laws for the respective territories, | * roles and responsibilities for leadership and officers, and | * evidence of review of the update which occurred within the last year. | Obtained evidence of the Information Security Policy being communicated to all ASP people, contractors and vendors via annual written communications and confirmation with each respective party. |
Security Policies | Security policies include, but may not be limited to, the following matters: | 1. Identifying and documenting the security requirements of authorized Approved People | 2. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements | 3. Assessing risks on a periodic basis | 4. Preventing unauthorized access | 5. Adding new Approved People, modifying the access levels of existing Approved People, and removing Approved People who no longer need access | 6. Assigning responsibility and accountability for system security | 7. Assigning responsibility and accountability for system changes and maintenance | 8. Testing, evaluating, and authorizing system components before implementation | 9. Addressing how complaints and requests relating to security issues are resolved | 10. Identifying and mitigating security breaches and other incidents | 11. Providing for training and other resources to support its system security policies | 12. Providing for the handling of exceptions and situations not specifically addressed in its system security policies | 13. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service level agreements, and other contractual requirements | 14. Providing for sharing information with third parties. |
Availability Policies | Service availability and related security policies include, but may not be limited to, the following matters: | 1. Identifying and documenting the service availability and related security requirements of authorized Approved People | 2. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements | 3. Assessing risks on a periodic basis | 4. Preventing unauthorized access | 5. Adding new Approved People, modifying the access levels of existing Approved People, and removing Approved People who no longer need access | 6. Assigning responsibility and accountability for service availability and related security | 7. Assigning responsibility and accountability for service changes and maintenance | 8. Testing, evaluating, and authorizing software components before implementation | 9. Addressing how complaints and requests relating to service availability and related security issues are resolved | 10. Identifying and mitigating service availability and related security breaches and other incidents | 11. Providing for training and other resources to support its service availability and related security policies | 12. Providing for the handling of exceptions and situations not specifically addressed in its service availability and related security policies | 13. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contractual requirements | 14. Recovering and continuing service in accordance with documented customer commitments or other agreements | 15. Monitoring system capacity to achieve customer commitments or other agreements regarding availability. |
Policies | Information Security Management Program (ISMP) has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. | The security program should address, but not be limited to, the following areas insofar as they relate to the characteristics of the business: | 1. Risk management | 2. Security policy | 3. Organisation of information security | 4. Asset management | 5. Human resources security | 6. Physical and environmental security | 7. Communications and operations management | 8. Access control | 9. Information systems acquisition, development, and maintenance |
Policies | The written ISMP includes the following elements: | 1. Managing Director Statement on security practices | 2. Organisation and responsibility of the Security Council | 3. Organisational structure for Information Security | 4. Information Security roles and responsibilities | 5. Information Security job descriptions | 6. Code of Conduct | 7. Acceptable-Use Policy | 8. Disciplinary and Sanctions Policy | 9. Mobile Device Policy | 10. Encryption Policy | 11. Network Access/Configuration Policy | 12. Password Pass-Phrase Policy | 13. Patch Management Policy | 14. Enterprise Security Policy | 15. Data Classification Policy | 16. Internet DMZ Equipment Policy | 17. Media Destruction Policy | 18. Remote Access/VPN Policy | 19. Router Security Policy | 20. Server Security Policy | 21. Software Policy | 22. User Account Policy | 23. Wireless Communication Policy | 24. Customer people security responsibilities |
Document Control: | 1. Document Title: SOC Readiness. | 2. Reference: 162804. | 3. Keywords: SOC Readiness. | 4. Description: SOC Readiness. This document does not provide legal or financial advice. | 5. Privacy: Public information service to whom it may concern. | 6. Issued: 11 Feb 2017. | 7. Edition: 1.1. |