
FAQs

ACL GRC: IT & CLOUD SECURITY FREQUENTLY ASKED QUESTIONS

ADVANTAGES OF ADOPTING THE CLOUD

ACL GRC is designed to take advantage of the efficiency and accessibility of a cloud-based, software-as-a-service (SaaS) delivery model. Our SaaS solution provides organizations with independence and agility along with a low and predictable total cost of ownership (TCO). This model offers a number of benefits:

Deployment decreases from months to days. ACL GRC is designed with the philosophy of “convention over customization,” enabling our customers to immediately leverage configurable “out of the box” functionality vs. relying on heavy customization, complexity, and the overhead costs it brings.

Time to value with a SaaS delivery model is significantly lower than with on-premise solutions. This means that implementation times are typically measured in days vs. weeks or months for other solutions.

Powerful and continuously improving functionality. ACL GRC is enhanced with robust, best practices functionality, and product improvements are delivered on a continuous delivery basis so you don’t need to wait for long release cycles or internal IT resources to use the latest product version. This ensures that the user interface and product features remain modern and up-to-date with business demands.

Low TCO and predictable costs. The SaaS delivery model takes away large upfront capital or implementation costs, making the ongoing costs much lower and more predictable than legacy on-premise alternatives.

No dependence on IT resources and in-house IT service costs. ACL GRC does not require new hardware, software, or IT support for initial implementation or ongoing maintenance. Our customers can self-manage and focus on using the application for their business function, leaving the complexities of administrative management, application operation, and maintenance of the infrastructure to our global operations team.

Beautiful and easy-to-use interface. ACL GRC was designed with usability as our number one priority. Its elegant, interactive, web-based interface means that organizations can start using it quickly.

Integrated risk and control analytics and monitoring. ACL GRC integrates seamlessly with ACL on-premise desktop (ACL Analytics) and server-based risk and control analytics and monitoring solutions (ACL Analytics Exchange), providing an end-to-end technology solution for audit, risk, and compliance from a single vendor.

Accessible anywhere and from any device. ACL GRC is easily and immediately accessible to employees spread across multiple locations worldwide from their PC, smartphone, or tablet.


DATA SECURITY & CONTROLS

What type of security and controls are in place for data centers and sub service organizations that ACL utilizes? ACL uses industry advanced and mature infrastructure-as-a-service (IaaS) providers to host our SaaS offering from four data center locations globally (United States, Canada, Europe, and Asia). The data centers provide many physical and logical security controls and are compliant with various certifications and third-party attestations, including but not limited to: ISO 27001, PCI DSS Level 1, SSAE-16/ISAE 3402 SOC 1 (previously SAS 70 Type II), SOC 2 & 3, and HIPAA. Below are examples of these controls:

■ User Access
■ Logical Security
■ Data Handling
■ Physical Security
■ Change Management
■ Data Integrity, Availability, and Redundancy
■ Incident Handling

These controls ensure facility and equipment safeguards for areas such as multi-factor access controls, electronic surveillance, intrusion detection systems, and environmental safeguards. ACL reviews the certifications and third-party attestations provided by our sub service providers on an ongoing basis to attest the services being provided and to supplement complementary elements to ACL controls.

Is an SSAE 16 (SOC) audit report available for ACL GRC? Yes, ACL has a current SSAE 16 (Service Organization Control) report prepared by a third-party auditor. This report is a comprehensive assessment of the internal controls and information security related to the ACL GRC service. Upon request, and subject to the customer’s execution of ACL’s standard non-disclosure agreement, ACL will provide a copy of its then-current SSAE 16 report.

What type of security and controls does ACL have in place for ACL GRC? The ACL GRC control environment is designed to provide confidentiality, availability, and integrity for our SaaS offering. Controls that are annually audited under SSAE-16 include:

■ Change Management
■ Logical Access
■ Data Security
■ Backup and Recovery
■ Problem Management

These controls and their supporting policies provide ACL and our customers with operational assurance.

■ All customer data is classified and treated as confidential by ACL.
■ ACL utilizes the “least privilege” principle, which means that account privileges are granted to the lowest level of the user’s essential work requirements, thus greatly minimizing access to the systems and data.
■ All access to ACL GRC is performed through secure encrypted channels.
■ An independent security assessment provider scans ACL GRC systems and certifies its security on a daily basis.


ABOUT ACL

ACL delivers technology solutions that are transforming audit and risk management to give organizations unprecedented control over their business.

Our integrated family of products—including our cloud-based governance, risk and compliance (GRC) solution and flagship data analytics products—are used at all levels of the enterprise to help maximize growth opportunities by identifying and mitigating risk, protecting profits, and accelerating performance.

Thanks to 25 years of experience and our consultative approach, we implement flawlessly so customers realize concrete business results fast at low risk. Our actively engaged community of more than 14,000 customers around the globe—including 89% of the Fortune 500 and hundreds of governments—tells our story best.

© 2014 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.


DATA PRIVACY

Where will my data be stored? ACL GRC is provided from four regions in the United States, Canada, Europe, and Asia in order to provide our customers with options where their data is stored. These options enable our customers to comply with data privacy location requirements.

How do you protect Personally Identifiable Information (PII)? PII is limited by our customer subscription agreements, sub service organization agreements, corresponding controls, and segregation built into our SaaS design. This ensures that any PII is isolated and protected in ACL GRC and each customer has access to its data only.

Who will have ownership of my data? You will continue to retain all rights over your data and ACL will not use your data except for the purpose of providing the service you have subscribed to.

PERFORMANCE, AVAILABILITY & DATA RECOVERY

ACL is committed to delivering a world-class customer experience. Our SaaS solutions are designed using architectural best practices, such as request load balancing, fail safe system design, and job isolation. We actively monitor our solutions for availability and performance to a 99.9%+ average uptime.

All regional equipment is fully redundant and data is replicated or backed up to alternate regional locations in case of failure. In addition to this real-time redundancy, ACL backs up all audit data, including field data and attached documents that are stored in your account within ACL GRC.

To check the real-time performance of ACL GRC, please visit status.aclgrc.com. The table below presents the historical performance data of 2013.

Month       Uptime Availability
Apr-2014    99.9%
Mar-2014    99.9%
Feb-2014    99.9%
Jan-2014    99.9%
Dec-2013    100%
Nov-2013    100%
Oct-2013    99.9%
Sep-2013    99.9%
Aug-2013    100%
Jul-2013    99.9%
Jun-2013    100%
May-2013    100%

FLEXIBILITY & SCALABILITY

ACL GRC is architected to scale exponentially with no impact to our customers and no need for customers’ IT intervention. This provides the flexibility to grow quickly with your business while maintaining high service levels and optimum response times as activity volume increases.