[CLIENT] DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM SERVICE ORGANIZATION CONTROLS (“SOC”) REPORT – SOC 2 RELEVANT TO SECURITY, AVAILABILITY, PROCESSING INTEGRITY, AND CONFIDENTIALITY FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012

Sample - Corporate Report


Page 2: Sample - Corporate Report

Table of Contents

Section / Page

1 Independent Service Auditors’ Report ... 2

2 Management of [CLIENT]’s Assertion Regarding Its Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012 ... 6

3 Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012 ... 10

   Background and Overview of Services ... 10

   Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and Communication
      Control Environment ... 11
      Risk Assessment ... 11
      Monitoring ... 11
      Information and Communication ... 11

   Document Management, Data Capture, and Print Output Services System Components
      Infrastructure ... 12
      Software ... 12
      People ... 13
      Procedures ... 14
      Data ... 19

   Subservice Organizations ... 20

   Applicable Criteria and Related Controls ... 20

   User-Entity Control Considerations ... 21

4 Independent Service Auditors’ Description of Tests of Controls and Results ... 23

SECTION 1
INDEPENDENT SERVICE AUDITORS’ REPORT

Independent Service Auditors’ Report

To [CLIENT]

Scope

We have examined the attached description titled “Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the description”) included in Section 3 of this report and the suitability of the design and operating effectiveness of controls to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”), throughout the period January 1, 2012 to September 30, 2012. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of [CLIENT]’s (“[CLIENT]”) controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

[CLIENT] uses service organizations (subservice organizations) to provide data capture and data entry services for certain clients who elect such processing services. The description indicates that certain applicable trust service criteria can only be met if controls at the subservice organizations are suitably designed and operating effectively. The description presents [CLIENT]’s Document Management, Data Capture, and Print Output Services System; its controls relevant to the applicable trust service criteria; and the types of controls that the service organization expects to be implemented, suitably designed, and operating effectively at the subservice organizations to meet certain applicable trust service criteria. The description does not include any of the controls implemented at the subservice organizations. Our examination did not extend to the services provided by the subservice organizations.

Service Organization’s Responsibilities

[CLIENT] has provided the attached assertion titled “Management of Diversified Information Technology Inc.’s Assertion Regarding its Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012,” included in Section 2 of this report, which is based on the criteria identified in management’s assertion. [CLIENT] is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of both the description and assertion; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria.

Page | 1


Service Auditors’ Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in [CLIENT]’s assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable trust services criteria throughout the period January 1, 2012 to September 30, 2012.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, based on the description criteria identified in [CLIENT]’s assertion and the applicable trust services criteria, in all material respects:

a. The description fairly presents the system that was designed and implemented throughout the period January 1, 2012 to September 30, 2012.


b. The controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period January 1, 2012 to September 30, 2012, and user entities applied the complementary user-entity controls contemplated in the design of [CLIENT]’s controls throughout the period January 1, 2012 to September 30, 2012, and the subservice organizations applied, throughout the period January 1, 2012 to September 30, 2012, the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system.

c. The controls tested, which together with the complementary user-entity controls referred to in the scope paragraph of this report, and together with the types of controls expected to be implemented at the subservice organizations and incorporated in the design of the system and, if operating effectively, were those necessary to provide reasonable assurance that the applicable trust services criteria were met, operated effectively throughout the period January 1, 2012 to September 30, 2012.

Description of Tests of Controls

The specific controls we tested and the nature, timing, and results of our tests are presented in Section 4 of this report titled “Independent Service Auditors’ Description of Tests of Controls and Results”.

Intended Use

This report and the description of tests of controls and results thereof are intended solely for the information and use of [CLIENT]; user entities of [CLIENT]’s Document Management, Data Capture, and Print Output Services System during some or all of the period January 1, 2012 to September 30, 2012; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

• The nature of the service provided by the service organization
• How the service organization’s system interacts with user entities, subservice organizations, and other parties
• Internal control and its limitations
• Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria
• The applicable trust services criteria
• The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.


<insert firm signature>

October XX, 2012
Philadelphia, Pennsylvania

SECTION 2
MANAGEMENT OF DIVERSIFIED INFORMATION TECHNOLOGY, INC’S ASSERTION REGARDING ITS DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012

October xx, 2012

We have prepared the attached description titled “Description of [CLIENT]’s Document Management, Data Capture, and Print Output Services System for the Period January 1, 2012 to September 30, 2012” (“the description”), included in Section 3 of this report, based on the criteria identified below under the heading “Description Criteria”. The description is intended to provide users with information about our Document Management, Data Capture, and Print Output Services System, particularly system controls intended to meet the criteria for the security, availability, processing integrity, and confidentiality principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”). We confirm, to the best of our knowledge and belief, that:

• The description fairly presents the Document Management, Data Capture, and Print Output Services System throughout the period January 1, 2012 to September 30, 2012, based on the description criteria identified below under the heading “Description Criteria”.

• The controls stated in the description were suitably designed throughout the period from January 1, 2012 to September 30, 2012 to meet the applicable trust services criteria.

• The controls were operating effectively throughout the period January 1, 2012 to September 30, 2012 to meet the related criteria as described in Section 4 of this report.

Description Criteria

In preparing our description and making our assertion regarding the fairness of the presentation of the description, we used the criteria below, which are the criteria for a description of a service organization’s system included in paragraph 1.33 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

a. The description contains the following information:

i. The types of services provided.


ii. The components of the system used to provide the services, which are the following:

Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks)

Software. The programs and operating software of a system (systems, applications, and utilities).

People. The personnel involved in the operation and use of a system (developers, operators, users, and managers).

Procedures. The automated and manual procedures involved in the operation of a system.

Data. The information used and supported by a system (transactions streams, files, databases, and tables).

iii. The boundaries or aspects of the system covered by the description.

iv. How the system captures and addresses significant events and conditions.

v. The process used to prepare and deliver reports and other information to user entities and other parties.

vi. If information is provided to, or received from, subservice organizations or other parties, how such information is provided or received; the role of the subservice organization and other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.

vii. For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the Document Management, Data Capture, and Print Output Services System.

viii. For the subservice organizations presented using the carve-out method, the nature of the services provided by the subservice organizations; each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organizations, and the type of controls expected to be implemented at the carved-out subservice organizations to meet those criteria.

ix. Any applicable trust services criteria that are not addressed by a control at [CLIENT] or a subservice organization and the reasons therefor.

x. Other aspects of [CLIENT]’s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria.

xi. Relevant details of changes to [CLIENT]’s Document Management, Data Capture, and Print Output Services System during the period January 1, 2012 to September 30, 2012.


b. The description does not omit or distort information relevant to [CLIENT]’s Document Management, Data Capture, and Print Output Services System. The description was prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the Document Management, Data Capture, and Print Output Services System that each individual user may consider important to his or her own particular needs.

Scott A. Byers
President & Chief Executive Officer
[CLIENT]

October XX, 2012

Michael Malkemes
Director, Compliance & Risk Management
[CLIENT]

October XX, 2012

SECTION 3
DESCRIPTION OF [CLIENT]’S DOCUMENT MANAGEMENT, DATA CAPTURE, AND PRINT OUTPUT SERVICES SYSTEM FOR THE PERIOD JANUARY 1, 2012 TO SEPTEMBER 30, 2012

Background and Overview of Services

Headquartered in Scranton, PA, [CLIENT] has successfully served its clients since 1982 through business process outsourcing and information management solutions. With over 650 customers, [CLIENT] has firmly established itself as an industry-leader. [CLIENT] serves the Fortune 500 in healthcare, insurance and finance as well as government agencies.

[CLIENT]’s clients include seven of the top twelve United States financial services firms, three of the top ten United States life insurance companies, four of the top ten electronic health record providers serving over 170 hospitals and 10,000 physicians, and key federal agencies including the Department of Homeland Security – United States Customs, the International Trade Commission, and the United States Environmental Protection Agency.

[CLIENT]’s end-to-end document management system is a combination of systems that work together to provide secure, confidential processing and retention of documents and the critical data they contain. The components of the system include:

Communication/Distributed Output System – This system entails receiving client data and merging this data into print templates to produce correspondence, statements and printed material. Once documents are produced they are sent via mail or electronic delivery.

Image Conversion and Data Capture System – This document conversion system begins at the receipt of documents in hard copy or electronic form. Documents enter a processing stream at the wireless mailroom and are converted to images on high-speed scanners; data is captured either through automatic recognition software or human data entry; image and data are spot-reviewed for quality and then exported to NetView or client-specific systems.

Document Management and Preservation System – This system tracks location and movement of hard copy records stored in multiple secure facilities throughout the US.

The overarching framework of the system is overseen and managed by a security team consisting of the Director of Compliance and Risk Management and Director of IT Infrastructure. The Data Center and Facility Monitoring System are based at the company headquarters in Scranton, PA.

[CLIENT] has designed the systems with boundaries ensuring data security, confidentiality, processing integrity, and availability. The system comprises the following five components:

• Infrastructure (facilities, equipment, and networks)
• Software (systems, applications, and utilities)
• People (developers, operators, users, and managers)
• Procedures (automated and manual)
• Data (transaction streams, files, databases, and tables)

The following sections of this description define each of these five components comprising [CLIENT]’s system and other relevant aspects of [CLIENT]’s control environment, risk assessment processes, monitoring processes, and information and communication.

Other Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and Communication

Control Environment

[CLIENT]’s control environment reflects the overall attitude, awareness, and actions of management and others concerning the importance of controls and their emphasis within the organization and the execution of [CLIENT]’s mission. [CLIENT] provides corporate compliance and ethics training to all employees as well as physical and logical security training. At various corporate functions, executive management communicates [CLIENT]’s top 5 priorities including compliance. Periodically, the Corporate Compliance Manager provides awareness communications covering compliance, ethics, and security information.

Risk Assessment

[CLIENT] has a risk assessment process to identify and manage risks that could affect its ability to provide secure, reliable transaction processing for user entities. This process requires management to conduct an internal security audit twice per year to identify vulnerabilities and threats. Remediation steps are put in place as a result of these audits if necessary. Items that are considered during risk assessment audits include:

• Changes in operating systems
• New information systems
• New security threats
• Operational location moves
• New technology
• Personnel changes

Monitoring

[CLIENT]’s management and supervisory personnel monitor the quality of internal control performance as a routine part of their activities. Oversight of job completion is the responsibility of supervisors and is monitored by batch monitoring and job ticket documentation. Quality assurance procedures are in place for each client and monitored based on predetermined thresholds to ensure reconciliation and processing integrity.

Information and Communication

[CLIENT] gathers information on the processing of work using reporting tools. Reports are customized for each client to track documents from entry into the system to the final reconciliation of completion. Clients are provided access to the reporting system through client specific access.

Clients are assigned a client solution executive, responsible for account relationship management activities, setting strategy for account support, and developing new solutions to promote client growth as well as profitability, and a client relationship executive, responsible for interacting with key client contacts and managing day-to-day operations. [CLIENT] client relationship executives act as the voice of the clients within [CLIENT] and provide a key function in managing customer expectations and established Service Level Agreement metrics. To review activities, a formal report and presentation is made to [CLIENT]’s client service and operations group summarizing the previous month’s activity.

Document Management, Data Capture, and Print Output Services System Components

Infrastructure

Distributed, world-wide operations are maintained and managed to provide confidentiality, security, availability, processing integrity and safeguard against compromise or breach. The following facilities are included in the scope of the Document Management, Data Capture, and Print Output Services System.

Metro Area – Facility Function

Raleigh, North Carolina; Millville, New Jersey – Communication/Distributed Output

Scranton, Pennsylvania (Headquarters) – Document Management/Preservation, Document Processing, and Data Center

Binghamton, New York – Disaster Recovery

Moosic, Pennsylvania – Document Management/Preservation and Document Processing

Delano, Pennsylvania; Gordonsville, Virginia; Exeter, Pennsylvania; Houston, Texas; Louisville, Kentucky; Los Angeles, California; Columbia, South Carolina; Hartford, Connecticut; Minneapolis, Minnesota – Document Management/Preservation

The systems are designed similarly regardless of location to provide for consistent organizational policies and procedures.

Software

[CLIENT] utilizes a mix of commercial off-the-shelf products and internally developed programs for day-to-day processing of client information. The list noted below includes the systems, applications and utilities used to produce scanned images, index data and printed invoices and statements.


Technology – Function

IBML Image Trac3 – IBML is a companywide, high speed/high volume scanner platform.

Docnetics – IBML document typing and recognition software.

EMC | Captiva and AnyDoc – Data capture forms and processing workflow platform.

Virtual Mailroom – Automates the tracking of all inbound mail from receipt through scanning through export.

E-Fax – Receives faxes digitally and processes them directly into the data capture and imaging platform.

E-Sort – Data capture application program.

NetView & NetVault© – Web-based application used for exception processing.

WebCIRM – Web-based computer integrated records management and imaging system utilizing bar code technology and radio frequency scanners.

Emtex VIP – Centralized queue and Print File Output Management System.

Objectif Lune PlanetPress – Variable data print composition software.

BARR Channel Server – Print stream blocking tool.

Production Insight – Output management tracking & reporting tool.

Kodak EX300 MICR Printers – Check production printers.

OCE 6250 Printers – High speed black/white production printers.

Ricoh 720 Color – High speed color printer.

Canon IR-150 – Monochrome and MICR printer.

Pitney Bowes FPS auto-inserter – High speed document to envelope inserter.

Bell & Howell 4000 auto-inserter – High speed document to envelope inserter.


People

[CLIENT] has a staff of approximately 600 employees across 25 U.S. locations. Scranton, Pennsylvania is [CLIENT]’s headquarters and the Scranton Facility is the main location for outsourced document processing and workflow solutions. Morrisville, North Carolina is the main processing facility for output of printed materials.

The organization is overseen by an Executive Team consisting of the following positions and their support staff:

President/Chief Executive Officer – responsible for strategy, business development and overall leadership. The executive team members report to the President.

Chief Financial Officer/Vice President Support Services – responsible for the financial services team, human resources, compliance, risk management, facilities and IT Infrastructure.

IT Infrastructure Team responsible for Network design, log monitoring, assessment and vulnerability testing.

Human Resources Team responsible for the processes of hiring, termination, training and compliance with organizational policies.

Financial Services Team responsible for billing, procurement and payroll.

Compliance & Risk Management Team responsible for facility oversight and support, security, corporate compliance, and risk management.

Chief Relationship Officer/VP Solutions – responsible for solutions, client relationship and customer service

Solutions Executive Team responsible to oversee sales and governance for each service line. It is broken down into teams supporting the Communication/Distributed Output System, Image Conversion and Data Capture System and Document Management and Preservation System.

Client Service and Interaction Team responsible for day-to-day client interaction and support on the Communication/Distributed Output System, Image Conversion and Data Capture System and fulfillment of the Document Management and Preservation System.

Chief Operations Officer/VP Global Operations – responsible for processing, fulfillment, operational functions, project management and IT Development

Communication/Distributed Output Team responsible for fulfilling client contracted actions including printing, fulfillment and output mail.

Image Conversion and Data Capture System Team responsible for the processing of documents from mailroom or electronic receipt, conversion to image, capture of data and delivery to client.

Chief Implementation Officer/VP Integrated Systems – responsible for processing, fulfillment, operational functions, project management and IT Development

Quality and Excellence responsible for development and monitoring of ISO and production procedures and quality.

Project Delivery & Management responsible for the management and delivery of new projects and implementation of production.

IT Systems Development responsible for design, development and maintenance of processing systems.

Procedures

[CLIENT] provides document management for the entire document lifecycle from print to image and data capture to processing, preservation, and storage. [CLIENT] specializes in large, complex, and dynamic projects and operations. [CLIENT] provides redundancy and business continuity of operations with 25 facilities located throughout the U.S. Quality control procedures are tracked and reported at the document level. The hardware and software include IBML production scanners with Captiva AnyDoc advanced capture platforms.

Security, Access and Monitoring Procedures include:

• Visitor and Building Security
• Access Authorization Control
• Confidentiality
• Security Clearance for new hires
• System Monitoring
• Information Security Monitoring
• Incident Response
• Data Classification
• Availability

[CLIENT] protects client information starting with personnel policies, which are documented in [CLIENT]’s Employee Handbook and in the Human Resource Hiring policies. Written job descriptions have been developed and are revised as necessary. Employees undergo comprehensive background/security checks and drug screening prior to employment and are required to sign confidentiality agreements upon hire, which state that no confidential information may be communicated outside of the organization. Mandatory training is completed annually to ensure understanding of and compliance with policies on confidentiality, ethics, and privacy.

[CLIENT]’s Access Control Policy guides access approval, provisioning, removal and monitoring. Access to building areas, the system network and information is granted based on job classifications and responsibilities. Management is responsible for authorizing access. The Director of Risk Management and Compliance monitors and reviews access granted when changes are made to positions.

SolarWinds Orion System Monitoring software is used to monitor system availability and performance and provides current and historical tracking reports of performance factors including processor utilization, memory utilization, network usage, errors and disk utilization. The system monitors Cisco switches, routers, firewalls, and Windows-based servers. This information is used to provide information to user entities, proactively identify concerns and plan for future system requirements. Information security monitoring is the responsibility of the Infrastructure team, who review daily logs to ensure a security breach is not missed.

[CLIENT] designed its Incident Response Policy and Procedure to establish a planned course of action in case of security incidents. The procedure is a stepped process that includes initial assessment to assign a severity level, incident notification, incident containment and response, recovery, and review. Additional testing is completed twice per year to simulate a potential incident and the action taken.

Communication/Distributed Output System Procedures include:

[CLIENT]’s Communication/Distributed Output capabilities include a secure digital print and mail facility capable of producing over 1.4 billion printed images and 220 million mail pieces per year. [CLIENT] offers a suite of document composition and electronic delivery solutions to satisfy user entity needs for multi-channel communications. Examples of the output capabilities include:

• Invoices
• Statements
• Insurance membership materials (identification cards, member guide booklets, rate change notices, and other policy reference materials)
• Payments: checks and vouchers
• Educational materials

Applicable Facility: Raleigh, North Carolina and Millville, New Jersey

Image Conversion and Data Capture System Procedures include:

[CLIENT]’s Image Conversion and Data Capture capabilities include a systematic and analytical way to track mail from initial receipt to image export. From the initial time of receipt, [CLIENT] uses virtual mailroom technology to track the different types of mail received from various Post Office Boxes. Mail is opened, sorted, scanned, indexed and integrated into each client’s workflow system in a seamless manner, keeping process streams separate and retaining receipt and functional information throughout the entire process. [CLIENT] utilizes a combination of internal audits and client audits to measure performance against agreed-upon Service Level Agreements (SLAs). Examples of the conversion and data capture capabilities include:

Virtual mailroom
Conversion by scan to image
Data capture – key from image and verify
Live document handling and return including checks, death certificates, CDs, etc.
Quality audit

Applicable Facilities: Scranton, Pennsylvania and Montage, Pennsylvania

Document Management and Preservation System Procedures include:

[CLIENT] provides a total records management solution that includes the WebCIRM records management tracking and management system and secure storage facilities. The Document Management and Preservation System tracks the location and movement of hard copy records stored in multiple secure facilities throughout the US. Examples of record retention capabilities include:

WebCIRM
Record storage

Applicable Facilities: Scranton, Pennsylvania, Montage, Pennsylvania, Exeter, Pennsylvania, Delano, Pennsylvania, Los Angeles, California, Louisville, Kentucky, Gordonsville, Virginia, Houston, Texas

Systems Development and Maintenance

The two key applications supporting the imaging operations are InputAccel and Captiva FormWare. Both software packages are developed and supported by EMC, a third-party vendor. [CLIENT] programming changes are limited to application settings and customized modules that hook into the application interfaces. If modifications to core source code are needed, [CLIENT] requests modifications from the vendor, who includes them in future product releases.

Data transfer applications that provide interface between imaging applications and file transfer software packages are developed internally.

Program Modification Controls

The following description of program modification controls applies to changes to existing systems and programs:

Requests for Modifications

Requests for enhancements can originate from either external clients or from internal operations departments. Enhancements or modifications requested by external customers are communicated to [CLIENT] personnel, who document the client requests. Changes originating from the internal departments stem from issues identified during day-to-day processing, errors, or a need for additional system controls to minimize the probability of errors and increase the accuracy of data capture.

For all change requests, the internal [CLIENT] employee submits a request via the Web-based Elementool. Any modifications to the issue are maintained in an issue history.

The Elementool issue record contains the following information:

Title
Type (change request, project, request for proposal, status rollup)
Requestor
Requirements
Weekly report/comments
System impacts
Priority
Customer
Customer type
System impacts
Division/location
Status manager
Lead developer
Status

In addition to the fields listed above, if the request originates from a customer, a Customer Change Request Form or statement of work can be attached to the issue. Members of IT senior management review the requests and work with application development teams to determine the technical scope and details for the changes.

Authorization of Changes

Approval of application system change requests is required from [CLIENT] operations management. If the change request originated from a customer, the customer must also approve the change before development can begin.

For customer-originating requests, the Customer Change Request Form, signed by [CLIENT] management, is sent to the customer for final approval and sign-off. The final form contains the following information:

Initiator of the change
Overview and benefit
Technical change to be made
Technical implications
Operational implications
Test information relative to the change
Implementation information relative to the change
Back-out plans
Target date

When required approvals and sign-offs are obtained, IT senior management assigns resources to work on the development of changes.

Program Testing

Application system changes are tested by both the IT and client operations groups. The following major phases are typical for application change releases:

IT testing
Operations testing
Identified issues resolution
Approval and sign-off

Though releases differ in scope, complexity and extent of testing, the following sections are the most commonly executed steps.

IT Testing

Unit testing and debugging is conducted by the IT Development Team. The release is deployed into the test environment after unit testing has been performed locally by the IT Development Team. Formal test plans are executed by an Operational Excellence analyst with the assistance of the IT Development Team in order to cover areas of potential impact. The Operational Excellence department notifies client operations management that the new release has been installed in the test environment and is available for testing.

Operations Testing

Scan operators scan a limited number of test batches into the test environment, as determined by operations management and the Operational Excellence department. When the batches reach the completion stages, the production test operators start processing the batches. The Operational Excellence analyst executes the test plans and checks for errors and issues that may arise during testing. If error messages are noted or system results or behavior are deemed to be out of the ordinary, issues are reported to the Operational Excellence department. Noted issues are recorded in the appropriate test results documentation along with applicable error messages, batch names, and error screen printouts. Some releases require integrated testing with the clients. For these types of releases, account management or product management coordinates testing with the corresponding clients and collects feedback covering the observed outcomes, issues, or failures.

Approval and Sign-Off

The operations and the Operational Excellence department managers review the issues observed during each test run and determine if the tests can be considered successful. If the test is considered successful, the team’s management signs off that the release can proceed to the next stage. Results of tests of changes affecting or originated by the clients are reviewed and approved by the affected clients. Approvals are sent via e-mails. If a release is approved for rollout to the production environment, the IT project manager e-mails the release group that the release installation can be executed.

Control Over Production Programs

Depending on the type and complexity of a change, rollout schedules, coordination and cross-department notifications, preparation efforts and potential issues are discussed during ad-hoc pre-production release management meetings.

Rollout of changes to the production environment is the responsibility of the NetAdmin group. The only exceptions are changes to the InputAccel parameter files, which require a developer to insert parameter changes directly into the parameter file. Developers must request this access from the Director of IT Support prior to performing this update. Developers have no access to other production systems or files.

Production release issues and items are discussed during ad-hoc post-production implementation management meetings. In some instances, clients are also present via teleconference to provide their feedback on the results of the upgrades.

Monthly file reviews are performed on the InputAccel parameter files to verify that they have the same process install date documented in the latest approval granted by IT management. In addition, the file shares containing the application updates are reviewed for synchronization on a monthly basis by NetAdmin. If a discrepancy is encountered, the issue is reported in the form of a five-point analysis. This report also lists the corrective action taken along with the business impact.
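The monthly parameter-file review described above, as an added example that is not part of the original report or [CLIENT]’s own tooling: the script hashes each production parameter file and compares the digest, together with the recorded install date, against an approval register, returning every discrepancy so it can be written up. The file names, file contents, dates, and the register layout are constructed assumptions for the example.

```python
"""Added example (hypothetical, not [CLIENT]'s tooling): monthly reconciliation of
parameter files against the latest approval record. File names, contents, hashes and
dates are constructed sample data."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import date


@dataclass
class Approval:
    """One row of the approval register kept by IT management (constructed layout)."""
    path: str
    approved_sha256: str   # digest of the file content as approved
    install_date: date     # install date recorded on the approval


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def reconcile(register, observed_install_dates):
    """Compare each approved file with what is actually deployed.

    observed_install_dates maps path -> date the file was last installed, as taken
    from deployment records. Returns a list of discrepancy dicts; an empty list means
    the production files match their latest approvals."""
    findings = []
    for approval in register:
        if not os.path.exists(approval.path):
            findings.append({"path": approval.path, "issue": "approved file missing"})
            continue
        actual = sha256_of(approval.path)
        if actual != approval.approved_sha256:
            findings.append({"path": approval.path,
                             "issue": "content differs from approved version",
                             "approved": approval.approved_sha256, "actual": actual})
        installed = observed_install_dates.get(approval.path)
        if installed != approval.install_date:
            findings.append({"path": approval.path,
                             "issue": "install date does not match latest approval",
                             "approved": approval.install_date, "actual": installed})
    return findings


def build_sample_environment():
    """Constructed scenario: one file untouched since approval, one edited afterwards."""
    workdir = tempfile.mkdtemp()
    clean = os.path.join(workdir, "batch_profile.ini")
    edited = os.path.join(workdir, "export_settings.ini")
    with open(clean, "w") as f:
        f.write("[batch]\nmax_pages=500\n")
    with open(edited, "w") as f:
        f.write("[export]\ntarget=D:/export\n")
    register = [
        Approval(clean, sha256_of(clean), date(2012, 3, 5)),
        Approval(edited, sha256_of(edited), date(2012, 6, 12)),
    ]
    # Simulate a change made to production after sign-off, without a new approval.
    with open(edited, "a") as f:
        f.write("retry_count=5\n")
    observed = {clean: date(2012, 3, 5), edited: date(2012, 7, 1)}
    return register, observed


def run_monthly_review():
    """Run the reconciliation over the constructed environment and return the findings."""
    register, observed = build_sample_environment()
    return reconcile(register, observed)


if __name__ == "__main__":
    for finding in run_monthly_review():
        print(finding)
```

Comparing a content hash rather than only the install date catches an edit that leaves the recorded date intact; each finding is the input to the five-point analysis the report describes.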

Source and Object Code

The development teams use the CVS version control system to provide secured access to the source code, maintain different versions and history of programs, as well as to facilitate controlled changes and access to the source code. Access permissions are integrated with Microsoft Active Directory.

Documentation

Imaging applications documentation is written, updated and distributed by the [CLIENT] client operations staff and personnel responsible for training of operations staff. Standard documentation related to the operating systems and infrastructure is provided by the corresponding operating system and hardware vendors. Such technical documentation is available only to authorized IT personnel.

Data

[CLIENT]’s records and information management services encompass the following types of data in each of [CLIENT]’s core service offerings:

Print and Output System – Client data in the form of data files is output via print templates to produce correspondence, statements, and other printed material.

Image Conversion and Data Capture System – Client data in hard copy or electronic forms data is captured either through automatic recognition software or human data entry.

Document Management and Preservation System – This system tracks location and movement of hard copy records stored in one of [CLIENT]’s secure facilities throughout the US.

Subservice Organizations

[CLIENT] utilizes several subservice organizations to perform services for its clients. Presented below is a description of the services provided by the subservice organization, the criteria relevant to the services performed by the subservice organization and the types of controls expected at the subservice organizations.

Document Capture and Data Entry Services

[CLIENT] clients with specialized and global processing requirements may request that [CLIENT] utilize one of three subservice organizations with unique capabilities that complement [CLIENT]’s services. These subservice organizations perform capture of data from files imaged by [CLIENT] and return the captured data to [CLIENT] in machine-readable format. The criteria that relate to controls at these subservice organizations include all criteria related to the Trust Services Principles of Security, Confidentiality, Processing Integrity, and Availability for those clients that elect to have [CLIENT] use these subservice organizations, while processing is performed by them. The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at [CLIENT], include:

The system is protected against unauthorized access (both physical and logical).

The system is available for operation and use as committed or agreed.

System processing is complete, accurate, timely, and authorized.

Information designated as confidential is protected as committed or agreed.

Policies and procedures exist related to security, availability, processing integrity, and confidentiality and are implemented and followed.

Communication and monitoring controls are implemented related to security, availability, processing integrity, and confidentiality.

Applicable Criteria and Related Controls

The security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4 of this report, “Independent Service Auditors’ Description of Tests of Controls and Results”. Although the security, availability, processing integrity, and confidentiality trust services criteria and [CLIENT]’s related controls are included in Section 4, they are an integral part of [CLIENT]’s description of its Document Management, Data Capture, and Print Output Services System and are incorporated herein.

User-Entity Control Considerations

Services provided by [CLIENT] to user entities and the controls of [CLIENT] cover only a portion of the overall controls of each user entity. [CLIENT]’s controls were designed with the assumption that certain controls would be implemented by user entities. In certain situations, the application of specific controls at user entities is necessary to achieve the applicable trust services criteria. It is not feasible for the applicable trust services criteria relating to the services outlined in this report to be achieved solely by [CLIENT]. This section highlights those internal control responsibilities that [CLIENT] believes should be present for each user entity and has considered in developing the controls described in the report. This list does not purport to be, and should not be considered, a complete listing of the controls relevant at user entities. Other controls may be required at user entities.

Information provided to [CLIENT] from user entities should be in accordance with provisions in the agreement for services between [CLIENT] and user entities.

User entities are responsible for encrypting and protecting transmissions.

User entities are responsible for maintaining and communicating to [CLIENT] a current list of employees who have authority to access systems and determine action (i.e., destruction).

The security administrators at user entities are responsible for ongoing maintenance and monitoring of their employees’ system access to [CLIENT]’s infrastructure.

User entities are responsible for reporting to [CLIENT] any known or suspected issues with security, processing integrity, confidentiality, and availability.

User entities are responsible for monitoring any processing reports provided or made available by [CLIENT].

User entities are responsible for participating in disaster recovery tests to determine whether [CLIENT]’s disaster recovery procedures meet their disaster recovery needs.

SECTION 4
INDEPENDENT SERVICE AUDITORS’

DESCRIPTION OF TESTS OF CONTROLS AND TEST RESULTS

Introduction

The purpose of this report is to provide management of [CLIENT], user entities, and other specified parties with information about controls at [CLIENT] that are intended to mitigate risks related to security, availability, processing integrity, and confidentiality. The security, availability, processing integrity, and confidentiality principles are outlined in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Description of Types of Testing Performed

The types of tests performed to assess the effectiveness of controls included the following:

Type of Test Description

Inquiry Discussed the controls with operations, administrative personnel, and/or management who are responsible for developing, adhering to, and applying the controls to determine their understanding and compliance.

Inspection Inspected documents and reports indicating performance of the controls.

Observation Observed the application of specific controls.

Reperformance Re-performed application of the controls.

Security Criteria

1.0 Policies: The entity defines and documents its policies for the security of its system.

Criteria 1.1: The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

Controls | Test of Controls | Test Results

A written security policy has been approved by Executive Leadership.

Inquired with the Manager, Corporate Compliance and Security and inspected the Data Security Handbook and Risk Assessment Policy to determine if security policies were established, periodically reviewed and approved by Executive Leadership.

No deviations noted.

Criteria 1.2: The entity's security policies include, but may not be limited to, the following matters:
a. Identifying and documenting the security requirements of authorized users
b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements
c. Assessing risks on a periodic basis
d. Preventing unauthorized access
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access
f. Assigning responsibility and accountability for system security
g. Assigning responsibility and accountability for system changes and maintenance
h. Testing, evaluating, and authorizing system components before implementation
i. Addressing how complaints and requests relating to security issues are resolved
j. Identifying and mitigating security breaches and other incidents
k. Providing for training and other resources to support its system security policies
l. Providing for the handling of exceptions and situations not specifically addressed in its system security policies
m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contractual requirements
n. Providing for sharing information with third parties

Controls | Test of Controls | Test Results

A written Data Security Handbook identifies and documents the noted requirements “a” – “n.”

Inspected the Data Security Handbook and risk assessment policy to determine if the noted elements of “a” – “n” were included.

No deviations noted.

Criteria 1.3: Responsibility and accountability for developing and maintaining the entity's system security policies, and changes and updates to those policies, are assigned.

Controls | Test of Controls | Test Results

Management has assigned responsibility and accountability for the maintenance and enforcement of [CLIENT]’s security and availability policy to the Director of Compliance and Risk Management as well as the Director of IT Infrastructure.

Inspected job descriptions for the Director of IT Infrastructure and the Director of Compliance and Risk Management to determine if accountability for developing and maintaining [CLIENT]’s system security policies, and changes and updates to those policies, was assigned.

No deviations noted.

The Executive Team approves updates to policies.

Inspected meeting minutes to determine if responsibility for maintaining policies and changes or updates to security policies was assigned to the Executive Team.

No deviations noted.

2.0 Communications: The entity communicates its defined system security policies to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Controls | Test of Controls | Test Results

[CLIENT] prepares an objective description of the system and its boundaries and communicates it to user entities.

Inspected the system description to determine if the system and its boundaries were communicated to authorized users.

No deviations noted.

Criteria 2.2: The security obligations of users and the entity's security commitments to users are communicated to authorized users.

Controls | Test of Controls | Test Results

Security obligations are customized to each client and are part of their contract.

Selected a sample of clients and inspected Service Level Agreements to confirm security obligations were communicated.

No deviations noted.

Internal employees are held to HIPAA guidelines and Confidentiality policies. These policies are reviewed upon hire and employees are required to sign documents acknowledging the understanding of these obligations. The policies are also reviewed annually by all personnel.

Inspected acknowledgment forms to determine if the acknowledgements forms identify the security responsibilities of employees.

Selected a sample of new hires and inspected their acknowledgement forms to determine if [CLIENT] received the signed acknowledgement.

No deviations noted.

The Data Security Handbook, Employee Handbook with Confidentiality and HIPAA policy are published on the company intranet.

Observed the company intranet to determine if the Data Security Handbook and Employee Handbook were published.

Inspected the Data Security Handbook and HIPAA policy to determine if security obligations of users and the entity’s security commitments to users were communicated.

No deviations noted.

Criteria 2.3: Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Controls | Test of Controls | Test Results

The Director of Compliance and Risk Management and Director of IT Infrastructure have custody of and are responsible for the day-to-day maintenance of [CLIENT]’s technical security policies and recommend confidentiality, availability and processing integrity changes.

Written job descriptions have been defined and are communicated to the Director of IT Infrastructure and Director of Compliance and Risk Management.

Inquired of the Director of Compliance and Risk Management and inspected job descriptions for the Director of Compliance and Risk Management and Director of IT Infrastructure to determine if responsibilities for system security, confidentiality, availability and processing integrity policies were formally assigned.

No deviations noted.

Written process and procedure manuals for all defined security processes are provided to all IT personnel, management and client facing personnel and included in new hire and annual training and sign-off procedures.

Inspected the Data Security Handbook to determine if defined security processes were provided to all IT personnel, management, and client-facing personnel.

No deviations noted.

If any policy changes are made they are communicated by internal company-wide email by the Vice President of Finance or President.

Inquired of the Manager, Corporate Compliance and Security and determined that no policy changes were performed during the period of January 1, 2012 to September 30, 2012.

The operating effectiveness of this control activity could not be tested as there was no related activity during the period January 1, 2012 to September 30, 2012.

No deviations noted.

Criteria 2.4: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

Controls | Test of Controls | Test Results

IT incidents (security, availability, confidentiality, or processing integrity) including potential breaches are reported to the IT Help Desk for action as defined in the Data Security Handbook.

Inspected the Data Security Handbook incident response procedures, documented escalation process, and 5 Point Process to determine if incidents and system/operational issues were communicated based upon criteria specified in the escalation document.

No deviations noted.

An 800 number and an email address are provided on our website to contact our Customer Service area for any questions or issues. Clients who store data on our systems are assigned a Solutions Executive and Client Advocate who serve as their direct resolution experts.

Selected a sample of clients and inspected supporting documentation to determine if a process existed for authorized users to inform [CLIENT] of breaches and submit complaints.

No deviations noted.

Criteria 2.5: Changes that may affect system security are communicated to management and users who will be affected.

Controls | Test of Controls | Test Results

Planned changes to system components and the scheduling of those changes are reviewed as part of monthly IT/Operations meetings.

For a sample of months, inspected meeting agendas and/or minutes from the monthly IT/Operations meetings to determine that changes that may affect system security, availability, processing integrity, or confidentiality were communicated to management or users who will be affected.

The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no changes occurred during the period which required communication.

Inspected a sample of changes to determine that none required communication.

No deviations noted.

3.0: Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Controls | Test of Controls | Test Results

Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco switch/router configurations, antivirus software, software patches, any changes to local system accounts and generic domain accounts, domain and account groups (monthly), and backup procedures. A report is composed that compiles the results of the previous steps and assigns a grade based on predefined parameters.

A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised. Risks that rate high are given priority during the mitigation phase.

Inspected the Risk Assessment Policy to determine if procedures exist to identify potential threats of disruption and assess risks associated with the threats.

Inspected the internal vulnerability assessment results to determine the following: 1) bi-annual internal security audits were performed to identify potential threats 2) a risk assessment was performed to identify potential threats and assess risks.

No deviations noted.

Criteria 3.2: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Distribution of output restricted to authorized users.
f. Restriction of access to offline storage, backup data, systems, and media.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Controls | Test of Controls | Test Results

a. Logical access to nonpublic information resources is protected through the use of security software and operating system security. Access is defined by job description and manager authorization. Access to resources is granted to an authenticated user based on the user’s identity. Proper authorization must be completed for any access to be granted.

a. Inspected the Data Security Handbook, Windows security access reports, IBML user access list, EMC Captiva user access list, Anydoc access list and Emtex VIP access list (Raleigh) to determine 1) if logical access to nonpublic information was required to be protected through security software or operating system security 2) if authentication with a valid user ID was needed to access resources.

Inquired of the Director of IT Infrastructure and inspected privileged user access listings to determine if access was assigned and defined based on job descriptions.

Inquired of the Director of IT Infrastructure and inspected the Data Security Handbook to determine if users were required to authenticate with a unique ID and password when accessing systems.

Selected a sample of new hires and inspected new user access request forms to determine if manager authorization was obtained prior to granting system access.

Inspected a sample of IBML, Anydoc, EMC, Thunderhead portal and Emtex VIP application users to determine if access was commensurate with their job description. Also inspected all members of the IT Personnel user access group to determine if access was commensurate with their job description.

No deviations noted.

Controls | Test of Controls | Test Results

b. Users must establish their identity to [CLIENT]’s network and application systems when accessing nonpublic resources through the use of a valid user ID that is authenticated by an associated password.

Unique user IDs are assigned to individual users.

Use of group or shared IDs is not permitted.

Passwords must contain at least eight characters, at least three character types, and are not able to repeat within 24 months.

Security configuration parameters force passwords to be changed every 30 days.

Login sessions are terminated after 3 unsuccessful login attempts.
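The password controls listed above for criteria 3.2(b), as an added Python example that is not from the report or [CLIENT]’s systems: it enforces the eight-character minimum, the three-character-type rule, the 30-day expiry, the 24-month reuse window and the lockout after three failed attempts. The function names, the PBKDF2 hashing choice, the calendar-month arithmetic and the sample passwords are assumptions made for the example.

```python
"""Added example (not [CLIENT]'s code): enforcing the password controls described for
Security criteria 3.2(b). All names and sample values are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 8            # at least eight characters
MIN_CHARACTER_TYPES = 3   # at least three of: lowercase, uppercase, digit, other
MAX_AGE_DAYS = 30         # forced change every 30 days
HISTORY_MONTHS = 24       # no reuse within 24 months
MAX_FAILED_ATTEMPTS = 3   # account locked after 3 unsuccessful attempts


def character_types(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    classes = [str.islower, str.isupper, str.isdigit,
               lambda c: not c.isalnum()]
    return sum(any(test(c) for c in password) for test in classes)


def check_complexity(password: str) -> list:
    """Return the list of complexity violations (empty when the password is acceptable)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("at least 8 characters required")
    if character_types(password) < MIN_CHARACTER_TYPES:
        violations.append("at least 3 character types required")
    return violations


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption for the example; the report does not state a hashing scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def months_ago(d: date, months: int) -> date:
    """Calendar-month subtraction; the day is clamped to 28 to avoid month-length issues."""
    total = d.year * 12 + (d.month - 1) - months
    return date(total // 12, total % 12 + 1, min(d.day, 28))


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    changed_on: date
    history: list = field(default_factory=list)  # (date, salt, hash) of past passwords
    failed_attempts: int = 0
    locked: bool = False


def new_account(password: str, today: date) -> Account:
    violations = check_complexity(password)
    if violations:
        raise ValueError(violations)
    salt = os.urandom(16)
    digest = hash_password(password, salt)
    return Account(salt, digest, today, [(today, salt, digest)])


def set_password(account: Account, new_password: str, today: date) -> list:
    """Apply a password change; returns the list of policy violations (empty on success)."""
    violations = check_complexity(new_password)
    cutoff = months_ago(today, HISTORY_MONTHS)
    for changed, salt, digest in account.history:
        # Only passwords set inside the 24-month window count as reuse.
        if changed >= cutoff and hmac.compare_digest(hash_password(new_password, salt), digest):
            violations.append("password reused within 24 months")
            break
    if violations:
        return violations
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.changed_on = today
    account.history.append((today, account.salt, account.password_hash))
    return []


def password_expired(account: Account, today: date) -> bool:
    return (today - account.changed_on).days >= MAX_AGE_DAYS


def attempt_login(account: Account, password: str, today: date) -> str:
    """Returns 'ok', 'expired', 'denied' or 'locked'."""
    if account.locked:
        return "locked"
    if hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        account.failed_attempts = 0
        return "expired" if password_expired(account, today) else "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "denied"
```

The reuse check hashes the candidate password with each stored salt rather than storing old passwords in clear, and a correct password after expiry is reported as "expired" rather than "ok" so the caller can force a change before granting a session.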

b. Inspected the Data Security Handbook to determine if users must be authenticated prior to gaining access to system resources, unique user IDs were assigned, use of group or shared IDs was not permitted, passwords must be changed, must be a minimum of eight characters with complexity in the character set and login sessions must be terminated after three failed attempts.

Inspected password configuration settings to determine if the noted settings were enforced.

Observed a user login to the network to determine if the users were prompted for a unique username and password.

Inspected the IBML Windows Group, Windows domain admin list and Emtex VIP (Raleigh) to determine if unique user IDs were assigned and the use of group or shared IDs was not permitted.

See tests of controls included under Security 3.2(a).

No deviations noted.

Controls | Test of Controls | Test Results

c. Customers must be approved and granted access to [CLIENT]’s Web site (WebCIRM), under a secure session, requiring user ID and password. Privileges are limited to specific system functionality.

The Director of Business Process Operations authorizes access privilege change requests for employees and the Vice President of Operations does so for vendors. Access is limited to specific functionality.

The ability to create or modify users and user access privileges (other than the limited functionality “customer accounts”) is limited to the security administration team.

c. Inspected the SSL certificate issued to WebCIRM by the Network Solutions Certificate Authority to determine if encryption through SSL was enforced.

Inspected the Data Security Handbook to determine if Director level approval was required for changes to access privileges for employees and vendors.

Inspected a list of employees with administrative access privileges on Windows systems, network devices and database servers to determine if access was limited to IT personnel based on job function.

See test results included in Security Criteria 3.2(a).


Controls | Test of Controls | Test Results

d. Changes to customer accounts may be performed by the Director of Client Interaction with authorization documented on user access request forms. Changes are reflected immediately.

Unused WebCIRM customer accounts (no activity for six months) are reviewed by the Director of Client Interaction and if necessary purged from the system.

Changes to other accounts and profiles are made by the security administration team through a request on a Network Access Form and require the written approval of the Director of Business Process or other higher level Management.

d. Selected a sample of users and inspected the related user access request forms to determine if changes to customer accounts were authorized.

Inspected the CIRM User ID Recertification to determine if unused WebCIRM customer accounts were reviewed by the Director of Client Interaction.

Selected a sample of new hires and inspected Network Access Forms to determine if user account additions were approved.

No deviations noted.

e. Access to computer processing output is provided to authorized individuals based on their job description and classification of the information.

Processing output is stored in an area that reflects the classification of the information.

Processing output is distributed in accordance with the security policy based on classification of the information.

e. Inspected badge access listings to determine if access was restricted based on job responsibilities.

Inspected the Data Security handbook to determine if policies exist for the distribution of processing output based on information classification.

No deviations noted.


Controls | Test of Controls | Test Results

f. Access to offline storage, backup data, systems, and media is limited to computer operations staff through the use of restricted physical and logical access.

f. Inspected the Data Security handbook to determine if access to sensitive data was secured through logical and physical security measures.

Inspected the computer room badge access listing to determine if access was restricted based on job responsibilities.

Inspected the list of users with system administrator capabilities on the windows systems and badge access system to determine if access was restricted based on job responsibilities.

No deviations noted.

g. Hardware and operating system configuration tables are restricted to appropriate personnel through physical access controls, native operating system security, and add-on security software.

Application software configuration tables are restricted to authorized users and monitored by the Director of Network.

Utility programs that can read, add, change, or delete data or programs are restricted to authorized technical services staff. Usage is logged and monitored by the Director of Network. A spare listing of all master passwords is stored in an encrypted file.

g. Inspected the list of users with administrative access rights on Windows systems, VPN and databases to determine if access was limited based on job need.

Inspected the Windows event log settings and Cisco access control server (ACS) settings to determine if system configuration activity was logged.

Inspected the Daily Security Log to determine if system configuration usage logs were monitored by members of the network infrastructure group.

Inquired of the Director of IT Infrastructure and observed the master password file to determine if master passwords were stored in an encrypted file.

No deviations noted.


Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Controls | Test of Controls | Test Results

Physical access to the computer rooms, which house [CLIENT]’s IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.

Requests for physical access privileges to [CLIENT]’s computer facilities require the approval of the Director of Compliance and Risk Management.

Documented procedures exist for the identification and escalation of potential physical security breaches.

Offsite backups are stored at a physical Disaster Recovery/Business Continuity site. This facility requires physical access cards and is restricted under the same parameters as the main site.

Inspected the computer room badge access listing, operations access listing and Kirkwood facility access listing to determine if access was restricted based on job responsibilities.

Performed a tour of the data center to determine if video surveillance was in place.

Inspected physical access procedures to determine if requests to access [CLIENT]’s facilities require approval of the Director of Compliance and Risk Management.

Inspected the data security handbook and inspected the documented incident response procedures to determine if identification and escalation of potential physical security breaches were addressed.

No deviations noted.

Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.

Controls | Test of Controls | Test Results


Protective system processes are in place to prevent and monitor unauthorized access to system resources and unauthorized access attempts.

Inspected security logs to determine if failed login attempts and system lockouts are recorded.

Inspected the network diagram, Cisco device list, and security logs to confirm that system firewalls are in use and firewall event logs are reviewed daily.

Inspected the master server list and inquired of IT management to determine that the master server list is maintained and updated by the IT department for any system changes.

Inspected and inquired about the use of IDS Snort software.

Inspected the external vulnerability assessment results to verify security reviews are being performed by external parties.

No deviations noted.

See controls included in Security Criteria 3.2. See test of controls included in Security Criteria 3.2. See test results included in Security Criteria 3.2.
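The behaviour the first test above looks for (every failed logon recorded, and an account lockout following the third failure), checked over a constructed sample of Windows Security log records, as an added example that is not taken from the report or from [CLIENT]'s own log review; the same check is the substance of the daily review of Windows Security Logs under Criteria 4.1. The CSV export layout, the account names, addresses and timestamps, and the 30-minute counting window are assumptions of the example. The event IDs 4625, 4624 and 4740 are the standard Windows Security log identifiers for a failed logon, a successful logon and an account lockout.

```python
# Added example: review of constructed Windows Security log records for the behaviour
# the test of controls looks for. Not [CLIENT]'s log review; the CSV layout, accounts,
# addresses, timestamps and the counting window are invented for the example.
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: a simplified export of Security-log events.
# 4625 = failed logon, 4624 = successful logon, 4740 = account locked out.
SAMPLE_LOG = """\
time,event_id,account,source_ip
2012-03-05 08:01:10,4625,jsmith,10.1.5.20
2012-03-05 08:01:25,4625,jsmith,10.1.5.20
2012-03-05 08:01:40,4625,jsmith,10.1.5.20
2012-03-05 08:01:41,4740,jsmith,10.1.5.20
2012-03-05 09:15:00,4625,svc_backup,192.0.2.77
2012-03-05 09:15:05,4625,svc_backup,192.0.2.77
2012-03-05 09:15:09,4625,svc_backup,192.0.2.77
2012-03-05 09:15:12,4625,svc_backup,192.0.2.77
2012-03-05 09:15:15,4624,svc_backup,192.0.2.77
2012-03-05 10:30:00,4625,mjones,10.1.5.44
2012-03-05 10:30:30,4624,mjones,10.1.5.44
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
ACCOUNT_LOCKED = 4740
LOCKOUT_THRESHOLD = 3                    # the three-attempt rule stated in the control
FAILURE_WINDOW = timedelta(minutes=30)   # assumed window for counting failures


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts with a typed time and event_id, sorted by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "source_ip": row["source_ip"],
        })
    return sorted(rows, key=lambda r: r["time"])


def review_lockouts(events: list, threshold: int = LOCKOUT_THRESHOLD,
                    window: timedelta = FAILURE_WINDOW) -> dict:
    """For each account that reaches the failure threshold, report what happened next.

    status is 'locked' if a 4740 followed, 'succeeded_without_lockout' if a 4624
    followed instead (the lockout control did not fire for that account), or
    'threshold_reached' if neither appears in the sample.
    """
    recent_failures = defaultdict(list)
    findings = {}
    for ev in events:
        acct = ev["account"]
        if ev["event_id"] == FAILED_LOGON:
            cutoff = ev["time"] - window
            recent_failures[acct] = [t for t in recent_failures[acct] if t >= cutoff]
            recent_failures[acct].append(ev["time"])
            if len(recent_failures[acct]) >= threshold and acct not in findings:
                findings[acct] = {"status": "threshold_reached",
                                  "failures": len(recent_failures[acct]),
                                  "at": ev["time"], "source_ip": ev["source_ip"]}
            elif acct in findings:
                findings[acct]["failures"] = len(recent_failures[acct])
        elif acct in findings and findings[acct]["status"] == "threshold_reached":
            if ev["event_id"] == ACCOUNT_LOCKED:
                findings[acct]["status"] = "locked"
            elif ev["event_id"] == SUCCESSFUL_LOGON:
                findings[acct]["status"] = "succeeded_without_lockout"
    return findings


def deviations(findings: dict) -> list:
    """Accounts whose third failure was not followed by a lockout event."""
    return sorted(a for a, f in findings.items() if f["status"] != "locked")


if __name__ == "__main__":
    found = review_lockouts(parse_events(SAMPLE_LOG))
    for account, finding in found.items():
        print(account, finding)
    print("deviations:", deviations(found))
```

An account that reaches the threshold and then logs on successfully is the record a reviewer should pull: either the lockout policy is not applied to that account (service accounts are commonly exempted) or the effective threshold is higher than the documented three. A single failure followed by success, as for the third account in the sample, is ordinary user error and produces no finding.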


Criteria 3.5: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Controls | Test of Controls | Test Results

Antivirus software is in place that prevents computer viruses, malicious code, and unauthorized software, including virus scans of incoming e-mail messages. Virus signatures are reviewed and updated daily.

Inquired of the Director of IT Infrastructure and observed antivirus configuration settings to determine if antivirus software was installed and virus definitions were updated daily.

No deviations noted.

Criteria 3.6: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Controls | Test of Controls | Test Results

[CLIENT] uses encryption technology, VPN software, and other secure communication systems (consistent with its periodic IT risk assessment) for the transmission of private or confidential information over public networks, including user IDs and passwords.

Inspected SSL protocol permissions, SSL certificates, and VPN protocol encryption to determine if encryption technology was in use.

No deviations noted.

Criteria 3.7: Procedures exist to identify, report, and act upon system security breaches and other incidents.

Controls | Test of Controls | Test Results

A Security Incident Response Plan (5-Point Process) is instituted for identification and resolution of potential security breaches to the information security team.

Inspected the Data Security Handbook and Security Log Sign-off Sheet to determine if a) the security incident response plan was defined and documented b) the network staff was responsible for reviewing security logs on a daily basis.

Inspected the 5-Point Analysis Procedures document to determine if a defined escalation process was established and appropriate resolution requires approval by management.

No deviations noted.

When an incident is detected or reported, a defined Security Incident Response Plan (5-Point Process) identifies severity and action to be taken. Corrective actions are implemented in accordance with defined policies and procedures.

Inspected a sample of completed 5-Point Analysis documentation to determine if the 5-Point Analysis procedures were followed.

No deviations noted.


Criteria 3.8: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Controls | Test of Controls | Test Results

Data classifications are used to determine access permissions as well as audit levels. The principle of least privilege is utilized to assign permissions at all levels. Permissions are assigned on Windows groups which map to a specific job function.

Propriety of data is considered during new implementations, upgrades and change order actions.

Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.

No deviations noted.

Criteria 3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Controls | Test of Controls | Test Results

All incidents are tracked by management until resolved through the 5-Point incident response process.

See test of controls included in Security Criteria 3.7. See test results included in Security Criteria 3.7.

Supervisors review and approve the incident response process to help make certain procedures are followed.

See test of controls included in Security Criteria 3.7. See test results included in Security Criteria 3.7.

Criteria 3.10 Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

Controls | Test of Controls | Test Results

[CLIENT] has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology.

Inquired of the Director of IT Development, and inspected the IT Change Control Procedures and Standard Build Documentation to determine if: a) a formal methodology exists that governs the change management and SDLC processes and b) the network administration team was responsible for approving architecture and design specifications for new systems.

Inspected the Data Security Handbook to determine if system changes that cannot meet defined data security standards require approval by senior IT management.

No deviations noted.


Controls | Test of Controls | Test Results

The Network administration team reviews and approves the architecture and design specifications for new systems development and acquisition to help ensure consistency with [CLIENT]’s security objectives, policies, and standards.

Requested a sample of new systems development and acquisition projects to determine if the Network administration team reviewed and approved the architecture and design specifications.

The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no new systems development and acquisition projects occurred during the period.

Inspected a sample of changes to determine that none were related to new systems development and acquisition.

No deviations noted.

Criteria 3.11 Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

Criteria 3.12 Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

Controls | Test of Controls | Test Results

The IT department maintains an up-to-date listing of all software and the respective level, version, and patches that have been applied.

Inspected the software list to determine if an up-to-date list was maintained by IT.

No deviations noted.

Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.

Inquired of the Director of IT Development and inspected IT Change Control Procedures and Standard Build Documentation to determine if a formal methodology exists that governs the change management and SDLC processes.

Inspected a sample of changes to determine if requests for change were standardized and subject to documented change management procedures.

No deviations noted.


Controls | Test of Controls | Test Results

System configurations are tested annually and evaluated against [CLIENT]’s security policies and current service-level agreements. An exception report is prepared and remediation plans are developed and tracked.

Inspected the external Vulnerability Assessment results to determine if an assessment was performed.

Inspected the internal Vulnerability Assessment results to determine if: 1) system configurations were tested, 2) system configurations were evaluated against [CLIENT]’s security policies, 3) an exception report was prepared, and 4) remediation plans were developed/tracked.

No deviations noted.

Criteria 3.13 Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Controls | Test of Controls | Test Results

Changes to system infrastructure and software are developed and tested in a separate development or test environment before implementation into production.

For a sample of environments, observed test systems to determine if a separate environment was in place for the development and testing of software changes prior to promotion of changes into production.

No deviations noted.

As part of the change control policies and procedures, there is a “promotion” process (for example, from “analysis” to “development” to “testing" to "production”).

Promotion to production requires testing and approval from both clients (if a client requests the change) and [CLIENT] supervisors.

Selected a sample of changes to determine if testing and approval was obtained prior to promotion to production.

No deviations noted.

When changes are made to key systems components, "back out" plan procedures are in place for use in the event of major interruption(s).

Inquired of the Director of IT Infrastructure and observed the network backup file folder to determine if backup versions of code were maintained for changes to key systems.

No deviations noted.


Criteria 3.14 Procedures exist to provide that emergency changes are documented and authorized timely.

Controls | Test of Controls | Test Results

Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.

See test of controls included in Security Criteria 3.12. See test results included in Security Criteria 3.12.

Changes are prioritized based on the date assigned in the client requested completion date field. Change requestors are kept informed about the status of their requests.

Emergency changes that require deviations from standard procedures are documented and authorized by the Director of IT.

Inspected a sample of changes to determine if: 1) changes were prioritized based on the date assigned by the client 2) status was documented 3) emergency changes were documented and authorized by the Director of IT.

No deviations noted.


4.0 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.

Criteria 4.1: The entity's system security is periodically reviewed and compared with the defined system security policies.

Controls | Test of Controls | Test Results

The information security team monitors the system and assesses the system vulnerabilities using proprietary and publicly available tools. Potential risks are evaluated and compared to service-level agreements and other obligations of the entity. Remediation plans are proposed and implementations are monitored.

Inspected the Risk Assessment Follow-up Policy and internal vulnerability assessment results to determine if: a) the system was monitored by the internal information security team and b) results of the security reviews were reported to management.

Inquired of the Director of IT Infrastructure to determine if remediation plans were implemented.

No deviations noted.

[CLIENT] contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.

Inspected the Information Security Assessment Executive Summary to determine if a third party was contracted to perform security assessments.

No deviations noted.

Logs are analyzed daily to minimize repetition of issues and maintain [CLIENT]’s ability to achieve its system security objectives.

Inspected the Security Log to determine if Windows Security Logs, Firewall Logs, Cisco ACS Logs, and IDS Logs were monitored daily.

No deviations noted.

Criteria 4.2: There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its defined system security policies.

Controls | Test of Controls | Test Results

Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco switch and router configurations, antivirus software, software patches, changes to local system accounts, generic domain accounts, domain and account groups (monthly), backup procedures, rogue wireless access points and vulnerability scan results. A report is composed that compiles the results of the previous steps and assigns a grade based on predefined parameters.

Selected a sample of internal security audits to determine if the audits were completed in accordance with defined procedures.

No deviations noted.

Risk assessment is performed based on vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability and the estimated value of the asset that would be compromised.

See test of controls included in Security Criteria 3.1. See test results included in Security Criteria 3.1.


Criteria 4.3: Environmental, regulatory, and technological changes are monitored and their effect on system security is assessed on a timely basis and policies are updated for that assessment.

Controls | Test of Controls | Test Results

The Director of Compliance & Risk Management and the Director of IT Infrastructure are required to keep current with regulatory, environmental and technology changes by subscription to newsletters in security and safety. Additionally, Directors in IT and Facilities maintain relevant professional certifications.

Inspected job descriptions for the Director of Compliance & Risk Management and Director of IT Infrastructure to determine if security and safety responsibilities were defined.

Observed that the Director of IT Infrastructure maintains the SANS Institute Global Information Assurance Certification and SANS subscriptions and the Director of Compliance & Risk Management maintains an Associate in Risk Management certificate and reviews disaster recovery and risk related publications.

No deviations noted.

A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised.

See test of controls included in Security Criteria 3.1. See test results included in Security Criteria 3.1.


Availability Criteria

1.0 Policies: The entity defines and documents its policies for the availability of its system.

Criteria 1.1: The entity's system availability and related security policies are established and periodically reviewed and approved by a designated individual or group.

Controls | Test of Controls | Test Results

A written availability policy has been approved by Executive Management and is implemented throughout the company.

Inquired of the Manager, Corporate Compliance and Security and inspected the Availability Policy to determine if policies were written and approved by Executive Management.

No deviations noted.

Criteria 1.2: The entity's system availability and related security policies include, but may not be limited to, the following matters:
a. Identifying and documenting the system availability and related security requirements of authorized users.
b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements.
c. Assessing risks on a periodic basis.
d. Preventing unauthorized access.
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access.
f. Assigning responsibility and accountability for system availability and related security.
g. Assigning responsibility and accountability for system changes and maintenance.
h. Testing, evaluating, and authorizing system components before implementation.
i. Addressing how complaints and requests relating to system availability and related security issues are resolved.
j. Identifying and mitigating system availability and related security breaches and other incidents.
k. Providing for training and other resources to support its system availability and related security policies.
l. Providing for the handling of exceptions and situations not specifically addressed in its system availability and related security policies.
m. Providing for the identification of and consistency with, applicable laws and regulations, defined commitments, service agreements, and other contractual requirements.
n. Recovering and continuing service in accordance with documented customer commitments or other agreements.

Controls | Test of Controls | Test Results

A written Security and Availability policy includes system availability matters “a” – “o”.

Inspected the written Security and Availability Policy to determine if items “a” – “o” were addressed.

No deviations noted.


Criteria 1.3: Responsibility and accountability for developing and maintaining the entity's system availability and related security policies, and changes and updates to those policies, are assigned.

Controls | Test of Controls | Test Results

See controls included in Security Criteria 1.3.

See test of controls included in Security Criteria 1.3. See test results included in Security Criteria 1.3.

2.0 Communications: The entity communicates the defined system availability policies to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Controls | Test of Controls | Test Results

See controls included in Security Criteria 2.1.

See test of controls included in Security Criteria 2.1. See test results included in Security Criteria 2.1.

Criteria 2.2: The availability and related security obligations of users and the entity's availability and related security commitments to users are communicated to authorized users.

Controls | Test of Controls | Test Results

[CLIENT]’s system availability and related security commitments and required system availability and related security obligations of its customers and other external users are part of [CLIENT]’s standard services agreement.

A governance process provides oversight and communication functions for the critical business processing of insurance claims to capture clients.

Selected sample clients and inspected service level agreements to determine if system availability service level agreements were documented.

Selected a sample of clients and inspected supporting documentation to determine if a process exists to provide oversight and communication functions for the critical business processing of insurance claims.

No deviations noted.

For its internal users (employees and contractors), [CLIENT]’s policies relating to system security are reviewed with new employees and contractors as part of their orientation. New employees must sign a statement signifying that they have read, understand, and will follow these policies.

Selected a sample of personnel and inspected acknowledgment forms to determine if 1) security obligations were communicated to users and acknowledged and 2) annual refresher training was received and acknowledged.

No deviations noted.


The Data Security Handbook, Employee Handbook with Confidentiality, and HIPAA policy are published on the company intranet.

See test of controls included in Security Criteria 2.2. See test results included in Security Criteria 2.2.


Criteria 2.3: Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Controls | Test of Controls | Test Results

The Director of Compliance and Risk Management and Director of IT Infrastructure have custody of and are responsible for the day-to-day maintenance of [CLIENT]’s technical security policies and recommend confidentiality, availability and processing integrity changes.

Written job descriptions have been defined and are communicated to the Director of IT Infrastructure and Director of Compliance and Risk Management.

Inquired of the Director of Compliance and Risk Management and inspected job descriptions for the Director of Compliance and Risk Management and Director of IT Infrastructure to determine if responsibilities for system security, confidentiality, availability and processing integrity policies were formally assigned.

No deviations noted.

Written process and procedure manuals for all defined security processes are provided to all IT personnel, management and client facing personnel and included in new hire and annual training and sign-off procedures.

Inspected the Data Security Handbook to determine if defined security processes were provided to all IT personnel, management, and client-facing personnel.

No deviations noted.

If any policy changes are made they are communicated by internal company-wide email by the Vice President of Finance or President.

Inquired of the Manager, Corporate Compliance and Security and determined that no policy changes were performed during the period of January 1, 2012 to September 30, 2012.

The operating effectiveness of this control activity could not be tested as there was no related activity during the period January 1, 2012 to September 30, 2012.

No deviations noted.


Criteria 2.4: The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

Controls | Test of Controls | Test Results

IT incidents (security, availability, confidentiality, or processing integrity) including potential breaches are reported to the IT Help Desk for action as defined in the Data Security Handbook.

Inspected the Data Security Handbook incident response procedures, documented escalation process, and 5 Point Process to determine if incidents and system/operational issues were communicated based upon criteria specified in the escalation document.

No deviations noted.

An 800 number and an email address are provided on our website to contact our Customer Service area for any questions or issues. Clients who store data on our systems are assigned a Solutions Executive and Client Advocate who serve as their direct resolution experts.

Selected a sample of clients and inspected supporting documentation to determine if a process existed for authorized users to inform [CLIENT] of breaches and submit complaints.

No deviations noted.

Criteria 2.5: Changes that may affect system security are communicated to management and users who will be affected.

Controls / Test of Controls / Test Results

Planned changes to system components and the scheduling of those changes are reviewed as part of monthly IT/Operations meetings.

For a sample of months, inspected meeting agendas and/or minutes from the monthly IT/Operations meetings to determine that changes that may affect system security, availability, processing integrity, or confidentiality were communicated to management or users who will be affected.

The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no changes occurred during the period which required communication.

Inspected a sample of changes to determine that none required communication.

No deviations noted.


3.0: Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Controls / Test of Controls / Test Results

Bi-annual internal security audits are performed that review firewall rules, IDS configurations, VPN systems, Cisco switch/router configurations, antivirus software, software patches, any changes to local system accounts and generic domain accounts, domain and account groups (monthly), and backup procedures. A report is composed that compiles the results of the previous steps and assigns a grade based on predefined parameters.

A risk assessment is performed based on the vulnerabilities uncovered, the probability of a threat that would exploit that vulnerability, and the estimated value of the asset that would be compromised. Risks that rate high are given priority during the mitigation phase.

Inspected the Risk Assessment Policy to determine if procedures exist to identify potential threats of disruption and assess risks associated with the threats.

Inspected the internal vulnerability assessment results to determine the following: 1) bi-annual internal security audits were performed to identify potential threats, and 2) a risk assessment was performed to identify potential threats and assess risks.

No deviations noted.


Criteria 3.2: Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:

a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Distribution of output restricted to authorized users.
f. Restriction of access to offline storage, backup data, systems, and media.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Controls / Test of Controls / Test Results

a. Logical access to nonpublic information resources is protected through the use of security software and operating system security.

Access is defined by job description and manager authorization.

Access to resources is granted to an authenticated user based on the user’s identity.

Proper authorization must be completed for any access to be granted.

a. Inspected the Data Security Handbook, Windows security access reports, IBML user access list, EMC Captiva user access list, Anydoc access list, and Emtex VIP access list (Raleigh) to determine 1) if logical access to nonpublic information was required to be protected through security software or operating system security, and 2) if authentication with a valid user ID was needed to access resources.

Inquired of the Director of IT Infrastructure and inspected privileged user access listings to determine if access was assigned and defined based on job descriptions.

Inquired of the Director of IT Infrastructure and inspected the Data Security Handbook to determine if users were required to authenticate with a unique ID and password when accessing systems.

Selected a sample of new hires and inspected new user access request forms to determine if manager authorization was obtained prior to granting system access.

Inspected a sample of IBML, Anydoc, EMC, Thunderhead portal and Emtex VIP application users to determine if access was commensurate with their job description. Also inspected all members of the IT Personnel user access group to determine if access was commensurate with

No deviations noted.


Controls / Test of Controls / Test Results

b. Users must establish their identity to [CLIENT]’s network and application systems when accessing nonpublic resources through the use of a valid user ID that is authenticated by an associated password.

Unique user IDs are assigned to individual users.

Use of group or shared IDs is not permitted.

Passwords must contain at least eight characters, at least three character types, and are not able to repeat within 24 months.

Security configuration parameters force passwords to be changed every 30 days.

Login sessions are terminated after 3 unsuccessful login attempts.

b. Inspected the Data Security Handbook to determine if users must be authenticated prior to gaining access to system resources, unique user IDs were assigned, use of group or shared IDs was not permitted, passwords must be changed and must be a minimum of eight characters with complexity in the character set, and login sessions must be terminated after three failed attempts.

Inspected password configuration settings to determine if the noted settings were enforced.

Observed a user login to the network to determine if the users were prompted for a unique username and password.

Inspected the IBML Windows Group, Windows domain admin list, and Emtex VIP (Raleigh) to determine if unique user IDs were assigned and the use of group or shared IDs was not permitted.

See tests of controls included under Security Criteria 3.2(a).

No deviations noted.


Controls / Test of Controls / Test Results

c. Customers must be approved and granted access to [CLIENT]’s Web site (WebCIRM) under a secure session requiring a user ID and password. Privileges are limited to specific system functionality.

The Director of Business Process Operations authorizes access privilege change requests for employees and the Vice President of Operations does so for vendors. Access is limited to specific functionality.

The ability to create or modify users and user access privileges (other than the limited functionality “customer accounts”) is limited to the security administration team.

c. Inspected the Network Solutions Certificate Authority issued to WebCIRM to determine if encryption through SSL was enforced.

Inspected the Data Security Handbook to determine if Director level approval was required for changes to access privileges for employees and vendors.

Inspected a list of employees with administrative access privileges on Windows systems, network devices and database servers to determine if access was limited to IT personnel based on job function.

See test results included in Security Criteria 3.2(a).


Controls / Test of Controls / Test Results

d. Changes to customer accounts may be performed by the Director of Client Interaction, with authorization documented on user access request forms. Changes are reflected immediately.

Unused WebCIRM customer accounts (no activity for six months) are reviewed by the Director of Client Interaction and if necessary purged from the system.

Changes to other accounts and profiles are made by the security administration team through a request on a Network Access Form and require the written approval of the Director of Business Process or other higher level Management.

d. Selected a sample of users and inspected the related user access request forms to determine if changes to customer accounts were authorized.

Inspected the CIRM User ID Recertification to determine if unused WebCIRM customer accounts were reviewed by the Director of Client Interaction.

Selected a sample of new hires and inspected Network Access Forms to determine if user account additions were approved.

No deviations noted.


Controls / Test of Controls / Test Results

e. Access to computer processing output is provided to authorized individuals based on their job description and the classification of the information.

Processing output is stored in an area that reflects the classification of the information.

Processing output is distributed in accordance with the security policy based on classification of the information.

e. Inspected badge access listings to determine if access was restricted based on job responsibilities.

Inspected the Data Security Handbook to determine if policies exist for the distribution of processing output based on information classification.

No deviations noted.

f. Access to offline storage, backup data, systems, and media is limited to computer operations staff through the use of restricted physical and logical access.

f. Inspected the Data Security Handbook to determine if access to sensitive data was secured through logical and physical security measures.

Inspected the computer room badge access listing to determine if access was restricted based on job responsibilities.

Inspected the list of users with system administrator capabilities on the Windows systems and the badge access system to determine if access was restricted based on job responsibilities.

No deviations noted.


Controls / Test of Controls / Test Results

g. Hardware and operating system configuration tables are restricted to appropriate personnel through physical access controls, native operating system security, and add-on security software.

Application software configuration tables are restricted to authorized users and monitored by the Director of Network.

Utility programs that can read, add, change, or delete data or programs are restricted to authorized technical services staff. Usage is logged and monitored by the Director of Network. A spare listing of all master passwords is stored in an encrypted file.

g. Inspected the list of users with administrative access rights on Windows systems, VPN, and databases to determine if access was limited based on job need.

Inspected the Windows event log settings and Cisco access control server (ACS) settings to determine if system configuration activity was logged.

Inspected the Daily Security Log to determine if system configuration usage logs were monitored by members of the network infrastructure group.

Inquired of the Director of IT Infrastructure and observed the master password file to determine if master passwords were stored in an encrypted file.

No deviations noted.


Criteria 3.3: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

Controls / Test of Controls / Test Results

Physical access to the computer rooms, which house [CLIENT]’s IT resources, servers, and related hardware such as firewalls and routers, is restricted to authorized individuals by card key systems and monitored by video surveillance.

Requests for physical access privileges to [CLIENT]’s computer facilities require the approval of the Director of Compliance and Risk Management.

Documented procedures exist for the identification and escalation of potential physical security breaches.

Offsite backups are stored at a physical Disaster Recovery/Business Continuity site. This facility requires physical access cards, and access is restricted under the same parameters as at the main site.

Inspected the computer room badge access listing, operations access listing, and Kirkwood facility access listing to determine if access was restricted based on job responsibilities.

Performed a tour of the data center to determine if video surveillance was in place.

Inspected physical access procedures to determine if requests to access [CLIENT]’s facilities require approval of the Director of Compliance and Risk Management.

Inspected the Data Security Handbook and the documented incident response procedures to determine if identification and escalation of potential physical security breaches were addressed.

No deviations noted.


Criteria 3.4: Procedures exist to protect against unauthorized access to system resources.

Controls / Test of Controls / Test Results

Protective system processes are in place to prevent and monitor unauthorized access to system resources and unauthorized access attempts.

Inspected security logs to determine if failed login attempts and system lockouts were recorded.

Inspected the network diagram, Cisco device list, and security logs to confirm that system firewalls were in use and firewall event logs were reviewed daily.

Inspected the master server list and inquired of IT management to determine that the master server list is maintained and updated by the IT department for any system changes.

Inspected the Snort intrusion detection system (IDS) software and inquired about its use.

Inspected the external vulnerability assessment results to verify that security reviews were performed by external parties.

No deviations noted.

See controls included in Security Criteria 3.2.

See test of controls included in Security Criteria 3.2.

See test results included in Security Criteria 3.2.


Criteria 3.5: Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Controls / Test of Controls / Test Results

Antivirus software is in place that protects against computer viruses, malicious code, and unauthorized software, including virus scans of incoming e-mail messages. Virus signatures are reviewed and updated daily.

Inquired of the Director of IT Infrastructure and observed antivirus configuration settings to determine if antivirus software was installed and virus definitions were updated daily.

No deviations noted.

Criteria 3.6: Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Controls / Test of Controls / Test Results

[CLIENT] uses encryption technology, VPN software, and other secure communication systems (consistent with its periodic IT risk assessment) for the transmission of private or confidential information over public networks, including user IDs and passwords.

Inspected SSL protocol permissions, SSL certificates, and VPN protocol encryption to determine if encryption technology was in use.

No deviations noted.


Criteria 3.7: Procedures exist to identify, report, and act upon system security breaches and other incidents.

Controls / Test of Controls / Test Results

A Security Incident Response Plan (5-Point Process) is instituted for the identification and resolution of potential security breaches reported to the information security team.

Inspected the Data Security Handbook and Security Log Sign-off Sheet to determine if a) the security incident response plan was defined and documented, and b) the network staff was responsible for reviewing security logs on a daily basis.

Inspected the 5-Point Analysis Procedures document to determine if a defined escalation process was established and if appropriate resolution requires approval by management.

No deviations noted.

When an incident is detected or reported, a defined Security Incident Response Plan (5-Point Process) identifies severity and action to be taken. Corrective actions are implemented in accordance with defined policies and procedures.

Inspected a sample of completed 5-Point Analysis documentation to determine if the 5-Point Analysis procedures were followed.

No deviations noted.

Criteria 3.8: Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

Controls / Test of Controls / Test Results

Data classifications are used to determine access permissions as well as audit levels. The principle of least privilege is utilized to assign permissions at all levels. Permissions are assigned to Windows groups, which map to a specific job function.

Propriety of data is considered during new implementations, upgrades, and change order actions.

Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.

No deviations noted.


Criteria 3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

Controls / Test of Controls / Test Results

All incidents are tracked by management until resolved through the 5-Point incident response process.

See test of controls included in Security Criteria 3.7.

See test results included in Security Criteria 3.7.

Supervisors review and approve the incident response process to help ensure that procedures are followed.

See test of controls included in Security Criteria 3.7.

See test results included in Security Criteria 3.7.

Criteria 3.10: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

Controls / Test of Controls / Test Results

[CLIENT] has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology.

Inquired of the Director of IT Development and inspected the IT Change Control Procedures and Standard Build Documentation to determine if: a) a formal methodology exists that governs the change management and SDLC processes, and b) the network administration team was responsible for approving architecture and design specifications for new systems.

Inspected the Data Security Handbook to determine if system changes that cannot meet defined data security standards require approval by senior IT management.

No deviations noted.


Controls / Test of Controls / Test Results

The Network administration team reviews and approves the architecture and design specifications for new systems development and acquisition to help ensure consistency with [CLIENT]’s security objectives, policies, and standards.

Requested a sample of new systems development and acquisition projects to determine if the Network administration team reviewed and approved the architecture and design specifications.

The operating effectiveness of this control activity could not be tested as there was no related activity during the examination period. Inquired with management at [CLIENT] to determine that no new systems development and acquisition projects occurred during the period.

Inspected a sample of changes to determine that none were related to new systems development and acquisition.

No deviations noted.

Criteria 3.11: Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

Controls / Test of Controls / Test Results

[CLIENT] has written job descriptions specifying the responsibilities and academic and professional requirements for key job positions.

Inspected job descriptions for key IT positions (i.e., Director of IT Support; Director of IT Development; Director of Risk Management and Compliance) to determine if job responsibilities and academic and professional requirements were documented.

No deviations noted.

Hiring procedures include a comprehensive screening of candidates for key positions and consideration of whether the verified credentials are commensurate with the proposed position. New personnel are offered employment subject to background checks and reference validation.

Inquired of the HR Specialist and inspected supporting documentation for a sample of new hires to determine if hiring procedures included an educational background check and a review of employment history prior to hiring.

No deviations noted.


Criteria 3.12: Procedures exist to maintain system components, including configurations, consistent with the defined system security policies.

Controls / Test of Controls / Test Results

The IT department maintains an up-to-date listing of all software and the respective level, version, and patches that have been applied.

Inspected the software list to determine if an up-to-date list was maintained by IT.

No deviations noted.

Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.

Inquired of the Director of IT Development and inspected IT Change Control Procedures and Standard Build Documentation to determine if a formal methodology exists that governs the change management and SDLC processes.

Inspected a sample of changes to determine if requests for change were standardized and subject to documented change management procedures.

No deviations noted.

System configurations are tested annually and evaluated against [CLIENT]’s security policies and current service-level agreements. An exception report is prepared and remediation plans are developed and tracked.

Inspected the external Vulnerability Assessment results to determine if an assessment was performed.

Inspected the internal Vulnerability Assessment results to determine if: 1) system configurations were tested, 2) system configurations were evaluated against [CLIENT]’s security policies, 3) an exception report was prepared, and 4) remediation plans were developed/tracked.

No deviations noted.


Criteria 3.13: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Controls / Test of Controls / Test Results

Changes to system infrastructure and software are developed and tested in a separate development or test environment before implementation into production.

For a sample of environments, observed test systems to determine if a separate environment was in place for the development and testing of software changes prior to promotion of changes into production.

No deviations noted.

As part of the change control policies and procedures, there is a “promotion” process (for example, from “analysis” to “development” to “testing” to “production”).

Promotion to production requires testing and approval from both clients (if a client requests the change) and [CLIENT] supervisors.

Selected a sample of changes to determine if testing and approval were obtained prior to promotion to production.

No deviations noted.

When changes are made to key system components, “back out” plan procedures are in place for use in the event of major interruption(s).

Inquired of the Director of IT Infrastructure and observed the network backup file folder to determine if backup versions of code were maintained for changes to key systems.

No deviations noted.

Criteria 3.14: Procedures exist to provide that emergency changes are documented and authorized timely.

Controls / Test of Controls / Test Results

Requests for changes, system maintenance, and supplier maintenance are standardized and subject to documented change management procedures.

See test of controls included in Security Criteria 3.12.

See test results included in Security Criteria 3.12.


Changes are prioritized based on the date assigned in the client requested completion date field. Change requestors are kept informed about the status of their requests.

Emergency changes that require deviations from standard procedures are documented and authorized by the Director of IT.

Inspected a sample of changes to determine if: 1) changes were prioritized based on the date assigned by the client, 2) status was documented, and 3) emergency changes were documented and authorized by the Director of IT.

No deviations noted.


4.0 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.

Criteria 4.1: System processing integrity and security performance are periodically reviewed and compared with the defined system processing integrity and related security policies.

Controls / Test of Controls / Test Results

See controls included in Security Criteria 4.1.

See test of controls included in Security Criteria 4.1.

See test results included in Security Criteria 4.1.

Criteria 4.2: There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its defined system processing integrity and related security policies.

Controls / Test of Controls / Test Results

See controls included in Security Criteria 4.2.

See test of controls included in Security Criteria 4.2.

See test results included in Security Criteria 4.2.

Criteria 4.3: Environmental, regulatory, and technological changes are monitored, their impact on system processing integrity and security is assessed on a timely basis, and policies are updated for that assessment.

Controls / Test of Controls / Test Results

See controls included in Security Criteria 4.3.

See test of controls included in Security Criteria 4.3.

See test results included in Security Criteria 4.3.


Confidentiality Criteria

1.0 Policies: The entity defines and documents its policies related to the system protecting confidential information, as committed or agreed.

Criteria 1.1: The entity's system confidentiality and related security policies are established and periodically reviewed and approved by a designated individual or group.

Controls / Test of Controls / Test Results

Confidentiality and security policies, addressing both IT and physical security, have been approved by the Executive Team and are implemented throughout the company.

Inspected the Data Security Handbook and standard Confidentiality Agreement to determine if logical and physical security policies were addressed, implemented, and approved by the Executive Team.

No deviations noted.

Changes to the IT security policy are approved by the IT Management team prior to implementation.

Inspected executive meeting minutes to determine if changes to the IT Security Policy were approved by the IT Management team prior to implementation.

No deviations noted.

Client confidentiality requirements are documented in service-level agreements, nondisclosure agreements, or other documents.

Employees are required to sign confidentiality agreements.

Inspected standard employee Confidentiality Agreements and Vendor Nondisclosure Agreements to determine if confidentiality requirements were documented.

Selected a sample of new hires to determine if employees were required to sign confidentiality agreements upon hire.

No deviations noted.


Criteria 1.2: The entity's policies related to the system's protection of confidential information and security include, but are not limited to, the following matters:

a. Identifying and documenting the confidentiality and related security requirements of authorized users.
b. Classifying data based on its criticality and sensitivity that is used to define protection requirements, access rights and access restrictions, and retention and destruction requirements.
c. Assessing risk on a periodic basis.
d. Preventing unauthorized access.
e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access.
f. Assigning responsibility and accountability for confidentiality and related security.
g. Assigning responsibility and accountability for system changes and maintenance.
h. Testing, evaluating, and authorizing system components before implementation.
i. Addressing how complaints and requests relating to confidentiality and related security issues are resolved.
j. Handling confidentiality and related security breaches and other incidents.
k. Providing for training and other resources to support its system confidentiality and related security policies.
l. Providing for the handling of exceptions and situations not specifically addressed in its system confidentiality and related security policies.
m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contractual requirements.
n. Sharing information with third parties.

Controls: See controls included in Confidentiality Criteria 1.1.
Test of Controls: Inspected to determine if the policies included matters “a” – “n”. See test of controls included in Confidentiality Criteria 1.1.
Test Results: See test results included in Confidentiality Criteria 1.1.

Criteria 1.3: Responsibility and accountability for developing and maintaining the entity's system confidentiality and related security policies, and changes and updates to those polices, are assigned.

Controls: See controls included in Confidentiality Criteria 1.1.
Test of Controls: See test of controls included in Confidentiality Criteria 1.1.
Test Results: See test results included in Confidentiality Criteria 1.1.


2.0 Communications: The entity communicates its defined policies related to the system's protection of confidential information to responsible parties and authorized users.

Criteria 2.1: The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

Controls: See controls included in Security Criteria 2.1.
Test of Controls: See test of controls included in Security Criteria 2.1.
Test Results: See test results included in Security Criteria 2.1.

Criteria 2.2: The system confidentiality and related security obligations of users and the entity's confidentiality and related security commitments to users are communicated to authorized users before the confidential information is provided. This communication includes, but is not limited to, the following matters:
a. How information is designated as confidential and ceases to be confidential. The handling, destruction, maintenance, storage, backup, and distribution or transmission of confidential information.
b. How access to confidential information is authorized and how such authorization is rescinded.
c. How confidential information is used.
d. How confidential information is shared.
e. If information is provided to third parties, disclosures include any limitations on reliance on the third party's confidentiality practices and controls. Lack of such disclosure indicates that the entity is relying on the third party's confidentiality practices and controls that meet or exceed those of the entity.
f. Practices to comply with applicable laws and regulations addressing confidentiality.

Controls: [CLIENT]’s confidentiality and related security commitments and required confidentiality obligations are part of the Employee Handbook and Data Security Handbook.
Test of Controls: Inspected the Data Security Handbook and Confidentiality Agreement to determine if confidentiality and security commitments were communicated to employees and included the matters “a” – “e” above as well as procedures for reporting breaches, complaints, and related incidents.
Selected a sample of personnel and inspected signed confidentiality and employee handbook acknowledgement forms or refresher training acknowledgements to determine if employees receive training on security and confidentiality practices/policies.
Test Results: No deviations noted.

Controls: Client specific confidentiality policies/practices are detailed in customer contracts, service-level agreements, vendor contract terms and conditions, and a standard nondisclosure agreement. Employees assigned to clients are trained on any client specific policies.
Test of Controls: Inspected standard non-disclosure and master agreements to determine if user requirements were documented.
Test Results: No deviations noted.

Controls: [CLIENT] publishes its confidentiality and related security policies on its corporate intranet.
Test of Controls: See test of controls included in Security Criteria 2.2.
Test Results: See test results included in Security Criteria 2.2.


Criteria 2.3: Responsibility and accountability for the entity's system confidentiality and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

Controls: Responsibility and accountability for establishing and updating [CLIENT]’s confidentiality and security policies have been documented in written job descriptions and communicated to the responsible personnel.
Test of Controls: See test of controls included in Security Criteria 2.3.
Test Results: See test results included in Security Criteria 2.3.

Criteria 2.4 The process for informing the entity about breaches of confidentiality and system security and for submitting complaints is communicated to authorized users.

Controls: The process for employees to inform [CLIENT] of possible confidentiality or security breaches and other incidents is defined in the Data Security Handbook, posted on the company’s intranet, and reviewed during employee orientation.
Test of Controls: See test of controls included in Confidentiality Criteria 2.2.
Test Results: See test results included in Confidentiality Criteria 2.2.

Controls: A process for customers to inform [CLIENT] of possible breaches is defined in each contract and includes a feedback mechanism to ensure the issue has been resolved.
Test of Controls: See test of controls included in Confidentiality Criteria 2.2.
Test Results: See test results included in Confidentiality Criteria 2.2.

Controls: Documented procedures exist for the identification and escalation of possible confidentiality or security breaches and other incidents.
Test of Controls: See test of controls included in Confidentiality Criteria 2.2.
Test Results: See test results included in Confidentiality Criteria 2.2.

Criteria 2.5: Changes that may affect confidentiality and system security are communicated to management and users who will be affected.

Controls: See controls included in Security Criteria 2.5.
Test of Controls: See test of controls included in Security Criteria 2.5.
Test Results: See test results included in Security Criteria 2.5.


3.0 Procedures: The entity placed in operation procedures to achieve its documented system confidentiality objectives in accordance with its defined policies.

Criteria 3.1: Procedures exist to (1) identify potential threats of disruptions to systems operations that would impair system confidentiality commitments and (2) assess the risks associated with the identified threats.

Controls: See controls included in Security Criteria 3.1.
Test of Controls: See test of controls included in Security Criteria 3.1.
Test Results: See test results included in Security Criteria 3.1.

Criteria 3.2: The system procedures related to confidentiality of inputs are consistent with the documented confidentiality policies.

Controls: Confidentiality processes exist to restrict the capability to input information to only authorized individuals. This includes limitations of physical access based on specific operational or project roles and responsibilities.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Criteria 3.3: The system procedures related to confidentiality of data processing are consistent with the documented confidentiality policies.

Controls: Confidentiality processes exist to monitor, in a timely manner, unauthorized attempts to access data for any purposes, or for purposes beyond the authorization level of the person accessing the data, including inappropriate or unusual actions, overrides, or bypasses applied to data and transaction processing.
Test of Controls: Inspected Information Security Monitoring Procedures to determine if procedures to monitor unauthorized attempts to access data were documented.
Inspected the Security Log to determine if Windows Security Logs, Firewall Logs, Cisco ACS Logs, and IDS Logs were monitored daily.
Test Results: No deviations noted.
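What a daily review of the four log sources named in this control actually has to compute, as an added example that is not part of the report and not [CLIENT]'s monitoring tooling: the script below reduces one day of Windows security events, firewall denies, Cisco ACS authentication results and IDS alerts to the findings a reviewer must follow up. The log lines, the key=value layout, the thresholds and the ADMIN_ACCOUNTS set are constructed assumptions; only the Windows event IDs (4625 failed logon, 4624 successful logon, 4672 special privileges assigned) are real.

```python
"""Daily review of the log sources named in the control above: Windows
security events, firewall denies, Cisco ACS authentication results and IDS
alerts, reduced to the findings a reviewer must follow up.

Added example, not code from the report or from [CLIENT]: the log lines, the
key=value layout, the thresholds and ADMIN_ACCOUNTS are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample lines for one day, one assumed layout per source.
# Windows event IDs: 4625 failed logon, 4624 successful logon,
# 4672 special privileges assigned at logon.
SAMPLE_LOGS = [
    "2012-05-14T02:11:03 windows host=DMS01 event=4625 user=jsmith src=10.0.5.21",
    "2012-05-14T02:11:09 windows host=DMS01 event=4625 user=jsmith src=10.0.5.21",
    "2012-05-14T02:11:15 windows host=DMS01 event=4625 user=jsmith src=10.0.5.21",
    "2012-05-14T02:12:40 windows host=DMS01 event=4624 user=jsmith src=10.0.5.21",
    "2012-05-14T08:30:01 windows host=DMS01 event=4672 user=svc_print src=10.0.5.40",
    "2012-05-14T08:30:05 windows host=DMS01 event=4672 user=adm_ops src=10.0.5.40",
    "2012-05-14T09:02:11 firewall action=deny src=10.0.5.21 dst=10.0.9.8 dport=1433",
    "2012-05-14T09:02:12 firewall action=deny src=10.0.5.21 dst=10.0.9.8 dport=445",
    "2012-05-14T09:05:00 firewall action=allow src=10.0.5.30 dst=10.0.9.8 dport=1433",
    "2012-05-14T10:15:22 acs result=fail user=jsmith device=core-sw1",
    "2012-05-14T10:15:30 acs result=fail user=jsmith device=core-sw1",
    "2012-05-14T10:15:41 acs result=fail user=jsmith device=core-sw1",
    "2012-05-14T11:40:09 ids sig=SQL_INJECTION_ATTEMPT src=203.0.113.7 dst=10.0.9.8",
]

ADMIN_ACCOUNTS = {"adm_ops"}     # accounts expected to hold special privileges (assumed)
AUTH_FAILURE_THRESHOLD = 3       # failed logons per user per day before escalation (assumed)
FIREWALL_DENY_THRESHOLD = 2      # denied connections per internal source per day (assumed)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<rest>.*)$")


def parse_line(line):
    """Split '<timestamp> <source> k=v k=v ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "source": m.group("source")}
    for field in m.group("rest").split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review_day(lines, admins=ADMIN_ACCOUNTS):
    """Return the sorted findings for one day's worth of lines."""
    failed_logons = defaultdict(int)   # user -> failed Windows logons so far
    acs_failures = defaultdict(int)    # user -> failed network-device logins
    fw_denies = defaultdict(int)       # source IP -> denied connections
    findings = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.add(f"unparsed line: {line}")   # never drop evidence silently
            continue
        source = rec["source"]
        if source == "windows":
            user = rec.get("user", "?")
            if rec.get("event") == "4625":
                failed_logons[user] += 1
            elif rec.get("event") == "4624" and failed_logons[user] >= AUTH_FAILURE_THRESHOLD:
                # a success right after a burst of failures is the case worth a human look
                findings.add(f"successful logon for {user} after {failed_logons[user]} failed attempts")
            elif rec.get("event") == "4672" and user not in admins:
                findings.add(f"special privileges used by non-admin account {user} on {rec.get('host')}")
        elif source == "firewall" and rec.get("action") == "deny":
            fw_denies[rec.get("src", "?")] += 1
        elif source == "acs" and rec.get("result") == "fail":
            acs_failures[rec.get("user", "?")] += 1
        elif source == "ids":
            findings.add(f"IDS alert {rec.get('sig')} from {rec.get('src')} to {rec.get('dst')}")
    for user, n in failed_logons.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            findings.add(f"{n} failed Windows logons for {user}")
    for user, n in acs_failures.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            findings.add(f"{n} failed ACS device logins for {user}")
    for src, n in fw_denies.items():
        if n >= FIREWALL_DENY_THRESHOLD:
            findings.add(f"{n} firewall denies from {src}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_day(SAMPLE_LOGS):
        print(finding)
```

The per-source counters are what turn a "log was looked at" control into evidence of what was looked for: the script keeps unparsed lines as findings rather than discarding them, and it flags the success-after-failures sequence, which a simple failed-logon count would miss.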


Criteria 3.4 The system procedures related to confidentiality of outputs are consistent with the documented confidentiality policies.

Controls: Management has developed and adheres to strict guidelines on appropriateness of user access to output data.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Controls: User access to output data is appropriately aligned with the user’s role and the confidentiality of the information.
Access to reports is restricted to those users with a legitimate business need for the information.
Test of Controls: Selected a sample of employees and inspected their badge access to determine if access to operational areas was limited based on job function.
Test Results: No deviations noted.

Criteria 3.5: The system procedures provide that confidential information is disclosed to parties only in accordance with the entity's defined confidentiality and related security policies.

Controls: Employees are required to sign a confidentiality agreement as a routine part of their employment. This agreement prohibits any disclosure of information and other data to which the employee has been granted access.
Test of Controls: See test of controls included in Security Criteria 2.2.
Test Results: See test results included in Security Criteria 2.2.

Controls: Access is provided based on job function and need. Requests for access privileges to confidential data require the approval of management.
Test of Controls: Selected a sample of new hires and inspected their Network Access authorization form to determine if approvals were obtained before system access was granted.
Test Results: No deviations noted.


Criteria 3.6: The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity's defined system confidentiality and related security policies and that the third party is in compliance with its policies.

Controls: Annually, management reviews representations or assurance reports from any organizations to which [CLIENT] provides confidential information to assess conformity of the service provider’s confidentiality provisions with [CLIENT]’s confidentiality policies.
Test of Controls: Selected a sample of third-party providers and inspected their contracts to determine if confidentiality requirements were documented and representations or assurance reports were reviewed.
Test Results: No deviations noted.

Criteria 3.7: In the event that a disclosed confidentiality practice is discontinued or changed to be less restrictive, the entity has procedures to protect confidential information in accordance with the system confidentiality practices in place when such information was received, or obtains customer consent to follow the new confidentiality practice with respect to the customer's confidential information.

Controls: Changes to confidentiality provisions in business partner contracts are renegotiated with the business partner.
When changes resulting in less restrictive procedures are made, [CLIENT] attempts to obtain the agreement of its customers to the new procedures. Confidential information for those customers who do not agree to the new policy is either removed from the system and destroyed or isolated to receive continued protection under the old policy.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security to determine if: 1) changes to confidentiality provisions in business partner contracts were renegotiated with any business partner and 2) any changes resulting in less restrictive procedures were made at [CLIENT] during the period January 1, 2012 to September 30, 2012.
Test Results: The operating effectiveness of this control activity could not be tested, as there was no related activity during the period January 1, 2012 to September 30, 2012.
No deviations noted.


Criteria 3.8: Procedures exist to restrict logical access to the system and the confidential information resources maintained in the system including, but not limited to, the following matters:
a. Logical access security measures to restrict access to information resources not deemed to be public.
b. Identification and authentication of all users.
c. Registration and authorization of new users.
d. The process to make changes and updates to user profiles.
e. Procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own.
f. Procedures to limit access to confidential information to only authorized employees based upon their assigned roles and responsibilities.
g. Distribution of output containing confidential information restricted to authorized users.
h. Restriction of access to offline storage, backup data, systems, and media.
i. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

Controls: a. See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2 (a).
Test Results: See test results included in Security Criteria 3.2 (a).

Controls: b. See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2 (b).
Test Results: See test results included in Security Criteria 3.2 (b).

Controls: c. See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2 (c).
Test Results: See test results included in Security Criteria 3.2 (c).

Controls: d. See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2 (d).
Test Results: See test results included in Security Criteria 3.2 (d).

Controls: e. Corporate customers are assigned a unique company identifier that is required as part of the login process. Access software is used to restrict user access based on the company identifier used at login.
Individual customers have their access restricted to their own confidential information resources based on their unique user IDs.
Test of Controls: Inspected the WebCirm user IDs and cost center codes to determine if corporate customers were assigned a unique company identifier and if access was restricted based on the company identifier used at login.
Test Results: No deviations noted.
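The scoping described in control (e), as an added example that is neither the report's nor [CLIENT]'s code: the user directory, document store, token scheme and all names below are constructed assumptions. The point it shows is that the company identifier is bound to the account on the server side and verified at login rather than trusted from the client, and that every read and every listing is filtered by the session's scope, so a corporate user asking for another company's document ID fails the same way as asking for a document that does not exist, and an individual customer is confined to records owned by their own user ID.

```python
"""Tenant scoping of document access keyed on the company identifier
presented at login (corporate users) or on the user ID (individual users).

Added example, not [CLIENT]'s code: the directory, the document store, the
token format and every name below are constructed assumptions.
"""
import hmac
import secrets

# Constructed user directory. The company identifier is bound to the account
# server-side, so it is verified at login rather than trusted from the client.
# A real directory stores a password hash; plaintext here keeps the example short.
USER_DIRECTORY = {
    "alice": {"password": "pw-alice", "company_id": "ACME"},
    "bob":   {"password": "pw-bob",   "company_id": "GLOBEX"},
    "carol": {"password": "pw-carol", "company_id": None},   # individual customer
}

# Constructed document store: corporate documents carry a company_id,
# individual customers' documents carry an owner.
DOCUMENTS = {
    "D-1001": {"company_id": "ACME",   "owner": None,    "title": "ACME invoices Q1"},
    "D-2001": {"company_id": "GLOBEX", "owner": None,    "title": "GLOBEX payroll run"},
    "D-9001": {"company_id": None,     "owner": "carol", "title": "carol statement"},
}

SESSIONS = {}   # token -> {"user": ..., "company_id": ...}


class Forbidden(Exception):
    """Raised for 'not yours' and 'does not exist' alike, so document IDs cannot be enumerated."""


def login(username, password, company_id):
    """Return a session token, or None. The company identifier presented at login
    must match the one bound to the account; a correct password with another
    company's identifier is rejected, so the identifier cannot be used to hop tenants."""
    entry = USER_DIRECTORY.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None
    if entry["company_id"] != company_id:
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": username, "company_id": company_id}
    return token


def _authorized(session, doc):
    """Corporate sessions are scoped by company; individual sessions by owner."""
    if session["company_id"] is not None:
        return doc["company_id"] == session["company_id"]
    return doc["owner"] == session["user"]


def get_document(token, doc_id):
    """Fetch one document; scope comes from the session, never from the request."""
    session = SESSIONS.get(token)
    if session is None:
        raise Forbidden("no session")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not _authorized(session, doc):
        raise Forbidden(doc_id)
    return doc


def can_read(token, doc_id):
    """Boolean wrapper around get_document for callers that only need a yes/no."""
    try:
        get_document(token, doc_id)
        return True
    except Forbidden:
        return False


def list_documents(token):
    """Listing is filtered by the same predicate as reads, so the ID space of
    other tenants is never exposed even as metadata."""
    session = SESSIONS.get(token)
    if session is None:
        raise Forbidden("no session")
    return sorted(doc_id for doc_id, doc in DOCUMENTS.items() if _authorized(session, doc))


if __name__ == "__main__":
    tok = login("alice", "pw-alice", "ACME")
    print(list_documents(tok))              # only ACME documents
    print(can_read(tok, "D-2001"))          # False: GLOBEX document
```

The check an auditor (or a penetration tester) would run against such a system is the cross-tenant request: authenticate as one company's user and request a document ID that belongs to another. In this design the answer is indistinguishable from a nonexistent ID.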


Controls: f. Requests for privileges to access confidential customer information resources require the approval of management.
Simulated customer data are used for system development and testing purposes. Confidential customer information is not used for this purpose.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security and inspected the Data Security Handbook to determine if managers were required to authorize data access requests, including requests for access to confidential customer information.
Inquired of the Manager, Corporate Compliance and Security and the Director, IT Development to determine if customer data was not used for system development or testing purposes.
See test of controls included in Security Criteria 3.2.
Test Results: No deviations noted.


Controls: g. Access to computer processing output is provided to authorized individuals based on the classification of the information.
Access to computer processing output is authorized by job description and client specific assignments.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Controls: h. See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2 (f).
Test Results: See test results included in Security Criteria 3.2 (f).

Controls: i. See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2 (g).
Test Results: See test results included in Security Criteria 3.2 (g).

Criteria 3.9: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.


Controls: See controls included in Security Criteria 3.3.
Test of Controls: See test of controls included in Security Criteria 3.3.
Test Results: See test results included in Security Criteria 3.3.


Criteria 3.10 Procedures exist to protect against unauthorized access to system resources.

Controls: See controls included in Security Criteria 3.2.
Test of Controls: See test of controls included in Security Criteria 3.2.
Test Results: See test results included in Security Criteria 3.2.

Criteria 3.11 Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Controls: See controls included in Security Criteria 3.5.
Test of Controls: See test of controls included in Security Criteria 3.5.
Test Results: See test results included in Security Criteria 3.5.

Criteria 3.12 Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

Controls: See controls included in Security Criteria 3.6.
Test of Controls: See test of controls included in Security Criteria 3.6.
Test Results: See test results included in Security Criteria 3.6.

Criteria 3.13 Procedures exist to identify, report, and act upon system confidentiality and security breaches and other incidents.

Controls: See controls included in Security Criteria 3.7.
Test of Controls: See test of controls included in Security Criteria 3.7.
Test Results: See test results included in Security Criteria 3.7.

Criteria 3.14 Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.

Controls: See controls included in Security Criteria 3.8.
Test of Controls: See test of controls included in Security Criteria 3.8.
Test Results: See test results included in Security Criteria 3.8.

Criteria 3.15 Procedures exist to provide that issues of noncompliance with defined confidentiality and related security policies are promptly addressed and that corrective measures are taken on a timely basis.


Controls: See controls included in Security Criteria 3.9.
Test of Controls: See test of controls included in Security Criteria 3.9.
Test Results: See test results included in Security Criteria 3.9.

Criteria 3.16 Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined confidentiality and related security policies.

Controls: See controls included in Security Criteria 3.10.
Test of Controls: See test of controls included in Security Criteria 3.10.
Test Results: See test results included in Security Criteria 3.10.

Criteria 3.17 Procedures exist to help ensure that personnel responsible for the design, development, implementation, and operation of systems affecting confidentiality and security have the qualifications and resources to fulfill their responsibilities.

Controls: See controls included in Security Criteria 3.11.
Test of Controls: See test of controls included in Security Criteria 3.11.
Test Results: See test results included in Security Criteria 3.11.

Criteria 3.18 Procedures exist to maintain system components, including configurations consistent with the defined system confidentiality and related security policies.

Controls: See controls included in Security Criteria 3.12.
Test of Controls: See test of controls included in Security Criteria 3.12.
Test Results: See test results included in Security Criteria 3.12.

Criteria 3.19 Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Controls: See controls included in Security Criteria 3.13.
Test of Controls: See test of controls included in Security Criteria 3.13.
Test Results: See test results included in Security Criteria 3.13.

Criteria 3.20 Procedures exist to provide that emergency changes are documented and authorized (including after-the-fact approval).

Controls: See controls included in Security Criteria 3.14.
Test of Controls: See test of controls included in Security Criteria 3.14.
Test Results: See test results included in Security Criteria 3.14.


Criteria 3.21 Procedures exist to provide that confidential information is protected during the system development, testing, and change processes in accordance with defined system confidentiality and related security policies.

Controls: Information designated as confidential is not stored, processed, or maintained in test or development systems and environments.
Test of Controls: Inquired of the Manager, Corporate Compliance and Security and the Director, IT Development to determine if customer data was not stored, processed, or maintained in test or development environments.
Test Results: No deviations noted.

Controls: [CLIENT] classifies confidential information in accordance with [CLIENT]’s data classification policies, and access is granted only to individuals with a business need.
Test of Controls: Inspected the detailed data classification assignments tracking spreadsheet used to assign and track access rights.
Test Results: No deviations noted.


4.0 Monitoring: The entity monitors the system and takes action to maintain compliance with its defined confidentiality policies.

Criteria 4.1 The entity's system confidentiality and security performance is periodically reviewed and compared with the defined system confidentiality and related security policies.

Controls: See controls included in Security Criteria 4.1.
Test of Controls: See test of controls included in Security Criteria 4.1.
Test Results: See test results included in Security Criteria 4.1.

Criteria 4.2 There is a process to identify and address potential impairments to the entity's ongoing ability to achieve its objectives in accordance with its system confidentiality and related security policies.

Controls: See controls included in Security Criteria 4.2.
Test of Controls: See test of controls included in Security Criteria 4.2.
Test Results: See test results included in Security Criteria 4.2.

Criteria 4.3: Environmental, regulatory, and technological changes are monitored, and their impact on system confidentiality and security is assessed on a timely basis. System confidentiality policies and procedures are updated for such changes as required.

Controls: See controls included in Security Criteria 4.3.
Test of Controls: See test of controls included in Security Criteria 4.3.
Test Results: See test results included in Security Criteria 4.3.
