Aternity LLC

System and Organization Controls (SOC) 2 Report

September 1, 2019 through February 29, 2020

TABLE OF CONTENTS

I. ATERNITY LLC’S ASSERTION

II. INDEPENDENT SERVICE AUDITOR’S REPORT

III. DESCRIPTION OF ATERNITY LLC’S SYSTEMS
  A. SYSTEM OVERVIEW
  B. INFRASTRUCTURE
  C. OTHER RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESSES, INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING CONTROLS
  D. CHANGES TO THE CONTROL ENVIRONMENT
  E. APPLICABLE TRUST SERVICES CRITERIA AND RELATED CONTROLS
  F. COMPLEMENTARY SUBSERVICE ORGANIZATION CONTROLS
  G. COMPLEMENTARY USER ENTITY CONTROLS

IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS
  A. INTRODUCTION
  B. APPLICABLE TRUST SERVICES CRITERIA
  C. TESTING OF OPERATING EFFECTIVENESS

V. ADDITIONAL INFORMATION PROVIDED BY ATERNITY LLC
  A. CONTROL EXCEPTIONS AND RIVERBED’S MANAGEMENT RESPONSES
  B. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) CONTROL MAPPING

I. ATERNITY LLC’S ASSERTION

We have prepared the accompanying description of Aternity LLC’s EUEM/APM Software as a Service (SaaS) solution titled “Description of Aternity LLC’s Systems” throughout the period September 1, 2019 to February 29, 2020 (description) based on the criteria for a description of a service organization’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA, Description Criteria) (description criteria). The description is intended to provide report users with information about the system that may be useful when assessing the risks arising from interactions with Aternity LLC’s system, particularly information about system controls that Aternity LLC has designed, implemented, and operated to provide reasonable assurance that its service commitments and system requirements were achieved based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Aternity LLC uses a subservice organization (Amazon Web Services (AWS)) to provide cloud hosting services to support the system. The description indicates that complementary subservice organization controls that are suitably designed and operating effectively are necessary, along with controls at Aternity LLC, to achieve Aternity LLC’s service commitments and system requirements based on the applicable trust services criteria. The description presents Aternity LLC’s controls, the applicable trust services criteria, and the types of complementary subservice organization controls assumed in the design of Aternity LLC’s controls. The description does not disclose the actual controls at the subservice organization (AWS).

The description indicates that complementary user entity controls that are suitably designed and operating effectively are necessary, along with controls at Aternity LLC, to achieve Aternity LLC’s service commitments and system requirements based on the applicable trust services criteria. The description presents Aternity LLC’s controls, the applicable trust services criteria, and the complementary user entity controls assumed in the design of Aternity LLC’s controls.

The description discusses the training requirements for employees, which include the need for employees to be notified of changes to the Employee Handbook. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any updates to the Employee Handbook that would warrant the control for notifying employees of updates to the Employee Handbook to operate for the following trust services criteria: CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

The description discusses that performance reviews are completed on a periodic basis. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not conduct performance reviews that would warrant the control for reviews to operate for the following trust services criteria: CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives, and CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

The description discusses vendor selection procedures, which include the procedures for assessing the risks and controls for new vendors supporting the production environment. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not onboard any new vendors to support the production environment that would warrant the operation of vendor selection controls for the following trust services criteria: CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control, and CC9.2 The entity assesses and manages risks associated with vendors and business partners.

Similarly, the description discusses the need for business associates to sign a business associate agreement if access to electronic protected health information is to be granted. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not onboard any new vendor relationships that would warrant the need for the business associate agreement control for the following trust services criteria: CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Additionally, the description discusses the alerting for weak EUEM configurations. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any alerts generated for the weak configuration of EUEM that would warrant the operation of controls for the following trust services criteria: CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning; CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate; CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives; CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries; and CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Lastly, the description discusses the process for alerting when the backups for DynamoDB fail. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any failed DynamoDB backups that would warrant the operation of alerting controls for the following trust services criteria: CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents, and A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

We confirm, to the best of our knowledge and belief, that:

a. the description presents Aternity LLC’s system that was designed and implemented throughout the period September 1, 2019 to February 29, 2020, in accordance with the description criteria.

b. the controls stated in the description were suitably designed throughout the period September 1, 2019 to February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period, and if the subservice organization and user entities applied the complementary controls assumed in the design of Aternity LLC’s controls throughout that period.

c. the controls stated in the description operated effectively throughout the period September 1, 2019 to February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and system requirements were achieved based on the applicable trust services criteria, if complementary subservice organization controls and complementary user entity controls assumed in the design of Aternity LLC’s controls operated effectively throughout that period.

II. INDEPENDENT SERVICE AUDITOR’S REPORT

To: Aternity LLC

Scope

We have examined Aternity LLC’s accompanying description of its EUEM/APM Software as a Service (SaaS) solution titled “Description of Aternity LLC’s Systems” throughout the period September 1, 2019 to February 29, 2020 (description) based on the criteria for a description of a service organization’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA, Description Criteria) (description criteria), and the suitability of the design and operating effectiveness of controls stated in the description throughout the period September 1, 2019 to February 29, 2020 to provide reasonable assurance that Aternity LLC’s service commitments and system requirements were achieved based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Aternity LLC uses a subservice organization (Amazon Web Services (AWS)) to provide cloud hosting services to support the system. The description indicates that complementary subservice organization controls that are suitably designed and operating effectively are necessary, along with controls at Aternity LLC, to achieve Aternity LLC’s service commitments and system requirements based on the applicable trust services criteria. The description presents Aternity LLC’s controls, the applicable trust services criteria, and the types of complementary subservice organization controls assumed in the design of Aternity LLC’s controls. The description does not disclose the actual controls at the subservice organization (AWS). Our examination did not include the services provided by the subservice organization (AWS), and we have not evaluated the suitability of the design or operating effectiveness of such complementary subservice organization controls.

The description indicates that complementary user entity controls that are suitably designed and operating effectively are necessary, along with controls at Aternity LLC, to achieve Aternity LLC’s service commitments and system requirements based on the applicable trust services criteria. The description presents Aternity LLC’s controls, the applicable trust services criteria, and the complementary user entity controls assumed in the design of Aternity LLC’s controls. Our examination did not include such complementary user entity controls, and we have not evaluated the suitability of the design or operating effectiveness of such controls.

The information included in Section V, “Additional Information Provided by Aternity LLC,” is presented by Aternity LLC’s management to provide additional information and is not a part of the description. Information contained in Section V has not been subjected to the procedures applied in the examination of the description, the suitability of the design of controls, and the operating effectiveness of the controls to achieve Aternity LLC’s service commitments and system requirements based on the applicable trust services criteria, and accordingly, we express no opinion on it.

Service Organization’s Responsibilities

Aternity LLC is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that Aternity LLC’s service commitments and system requirements were achieved. Aternity LLC has provided the accompanying assertion titled “Aternity LLC’s Assertion” (assertion) about the description and the suitability of design and operating effectiveness of controls stated therein. Aternity LLC is also responsible for preparing the description and assertion, including the completeness, accuracy, and method of presentation of the description and assertion; providing the services covered by the description; selecting the applicable trust services criteria and stating the related controls in the description; and identifying the risks that threaten the achievement of the service organization’s service commitments and system requirements.

Service Auditor’s Responsibilities

Our responsibility is to express an opinion on the description and on the suitability of design and operating effectiveness of controls stated in the description based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is presented in accordance with the description criteria and the controls stated therein were suitably designed and operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

An examination of the description of a service organization’s system and the suitability of the design and operating effectiveness of controls involves the following:

Obtaining an understanding of the system and the service organization’s service commitments and system requirements

Assessing the risks that the description is not presented in accordance with the description criteria and that controls were not suitably designed or did not operate effectively

Performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria

Performing procedures to obtain evidence about whether controls stated in the description were suitably designed to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria

Testing the operating effectiveness of controls stated in the description to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria

Evaluating the overall presentation of the description

Our examination also included performing such other procedures as we considered necessary in the circumstances.

Inherent Limitations

The description is prepared to meet the common needs of a broad range of report users and may not, therefore, include every aspect of the system that individual users may consider important to meet their informational needs.

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention of controls.

Because of their nature, controls may not always operate effectively to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved based on the applicable trust services criteria. Also, the projection to the future of any conclusions about the suitability of the design and operating effectiveness of controls is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

Description of Tests of Controls

The specific controls we tested and the nature, timing, and results of those tests are listed in section IV.

Controls Did Not Operate During the Period Covered by the Report

Aternity LLC’s description discusses the training requirements for employees, which include the need for employees to be notified of changes to the Employee Handbook. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any updates to the Employee Handbook that would warrant the control for notifying employees of updates to the Employee Handbook to operate for the following trust services criteria: CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

The description discusses that performance reviews are completed on a periodic basis. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not conduct performance reviews that would warrant the control for reviews to operate for the following trust services criteria: CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives, and CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

The description discusses vendor selection procedures, which include the procedures for assessing the risks and controls for new vendors supporting the production environment. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not onboard any new vendors to support the production environment that would warrant the operation of vendor selection controls for the following trust services criteria: CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control, and CC9.2 The entity assesses and manages risks associated with vendors and business partners.

Similarly, the description discusses the need for business associates to sign a business associate agreement if access to electronic protected health information is to be granted. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not onboard any new vendor relationships that would warrant the need for the business associate agreement control for the following trust services criteria: CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Additionally, the description discusses the alerting for weak EUEM configurations. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any alerts generated for the weak configuration of EUEM that would warrant the operation of controls for the following trust services criteria: CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning; CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate; CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives; CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries; and CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Lastly, the description discusses the process for alerting when the backups for DynamoDB fail. However, during the period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any failed DynamoDB backups that would warrant the operation of alerting controls for the following trust services criteria: CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents, and A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Opinion

In our opinion, in all material respects,

a. the description presents Aternity LLC’s system that was designed and implemented throughout the period September 1, 2019 to February 29, 2020, in accordance with the description criteria.

b. the controls stated in the description were suitably designed throughout the period September 1, 2019 to February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period and if the subservice organization and user entities applied the complementary controls assumed in the design of Aternity LLC’s controls throughout that period.

c. the controls stated in the description operated effectively throughout the period September 1, 2019 to February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and system requirements were achieved based on the applicable trust services criteria, if complementary subservice organization and complementary user entity controls assumed in the design of Aternity LLC’s controls operated effectively throughout that period.

Restricted Use

This report, including the description of tests of controls and results thereof in section IV, is intended solely for the information and use of Aternity LLC, user entities of Aternity LLC’s EUEM/APM SaaS solution during some or all of the period September 1, 2019 to February 29, 2020, business partners of Aternity LLC subject to risks arising from interactions with the system, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators who have sufficient knowledge and understanding of the following:

The nature of the service provided by the service organization

How the service organization’s system interacts with user entities, business partners, subservice organizations, and other parties

Internal control and its limitations

Complementary user entity controls and complementary subservice organization controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements

User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services

The applicable trust services criteria

The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks

This report is not intended to be, and should not be, used by anyone other than these specified parties.

Boston, MA

May 7, 2020

III. DESCRIPTION OF ATERNITY LLC’S SYSTEMS

A. SYSTEM OVERVIEW

Aternity LLC’s (Aternity’s or the Company’s) Aternity solution helps enterprises manage the digital experience of their employees and customers. The solution allows companies to deliver superior digital experiences to all their users, across all applications and devices. Aternity is the only end-to-end solution that blends device-based end user experience, infrastructure, application, and network monitoring to provide a holistic view of the users’ digital experience.

The Aternity End-User Experience Monitoring (EUEM) module provides the ability to see the entire workforce experience on any application running on any device, providing a user-centric vantage point that closes the visibility gap existing with network- and server-centric application performance management tools. By effectively transforming every device (physical, virtual, and mobile) into a self-monitoring platform that is user experience aware, enterprises are empowered with user-centric, proactive IT management capabilities that dramatically reduce business disruptions and increase workforce productivity.

The Aternity Application Performance Monitoring (APM) module (aka AppInternals) helps customers build and deliver high-performing applications, infrastructure, and networks on and off the cloud. It continuously monitors them with minimal overhead to give customers end-to-end visibility and insights around the clock. It allows customers to trace every transaction while capturing system metrics every second in development, test, and production environments. This gives the customer multiple perspectives into end user experience, application, network, and infrastructure performance, along with workflows for root cause analysis and problem discovery.

The Aternity EUEM and APM modules are hosted on separate server environments within the Amazon Web Services (AWS) infrastructure. They are integrated; however, they utilize different architectures as described below.

Introduction to Aternity EUEM Solution Architecture

The architecture of the Aternity EUEM solution covers a wide range of business environments, from small-scale deployments with a few hundred end points to large international enterprises with tens of thousands of end points. This section provides a high-level overview of the platform’s components.

The Aternity EUEM deployment is built from a set of loosely coupled components that are tightly integrated into a highly scalable solution:

End Points

Aggregation Servers (one (1) or more)

Management Server

Analytics Server

Data Warehouse (DW)

Dashboards Server

Database Servers (Vertica, Oracle, and Cassandra)

Docker Server

End Points are any physical or virtual entities via which Aternity monitors end user experience. The end points are client-side components and are not covered by the disaster recovery (DR) process.

Aggregation Servers are deployed in a distributed configuration. Dedicated Aggregation Servers are used for the bi-directional communication between the End Points and the Management Server, and to aggregate measurements from a group of End Points to pass on to the Management Server. The Aggregation Server application (one (1) copy) is saved on a preconfigured Amazon Machine Image (AMI) that is launched as part of the recovery procedure.

The EUEM Management Server is a core component handling core functions, system management, external integration, user interface and reporting. All platform configuration, administration and integration are performed centrally from the management user interface. The Management Server application is saved on a preconfigured AMI that is launched as part of the recovery procedure.

The Data Warehouse (DW) Server is a core component dedicated to handling the data arriving from the Aggregation Servers and populating it into the database according to the specified retention policy. On small deployments, this server may be co-hosted with the Management Server. On medium or larger deployments, it resides on its own dedicated host. The DW Server application is saved on a preconfigured AMI that is launched as part of the recovery procedure.

The Dashboards Server hosts the Tableau Server and the Tableau Gateway instances. The Tableau Server stores and generates the analytical dashboards available on the platform. The Tableau Gateway handles the integration between the Tableau Server and the rest of the platform. The Dashboards Server application is saved on a preconfigured AMI that is launched as part of the recovery procedure.

The Vertica Database Server stores the performance data from the past one (1) to two (2) years in the Vertica format, which is most efficient for displaying in EUEM dashboards.

The Oracle Database Server hosts the Oracle Enterprise database used by the platform for storing all historical, transient, and configuration data. A real-time clone database is used as a standby server. Data is fully backed up twice a week and incremental backups are taken on the other days using Recovery Manager (RMAN). The backups are saved on a separate Elastic Block Store (EBS) volume. At the end of each backup the backup files are copied to Amazon Simple Storage Service (S3). In the event of a disaster, Aternity will use the standby database server or, in a worst-case scenario, will perform a full restore using the then-current backup.

The Cassandra Database Server stores the detailed information and measurements for monitored devices for a maximum of seven (7) days.

The EUEM Docker Server is a component containing a range of containers, which add functionality to EUEM. Additional information on the functionality is listed below:

• EUEM Vertica Scheduler is responsible for creating the time-sensitive rollup aggregations in the Vertica Database Server.
• EUEM Data Source for Portal provides EUEM data to the Aternity Portal™, so you can view end-user experience data in its dashboards.
• EUEM SDA Server allows defining email or ServiceNow alerts on top of EUEM health events.
• EUEM REST API Server allows authorized users to send REST API queries to directly extract and analyze EUEM's data without accessing EUEM's dashboards.
• EUEM DPS is the data processing component, responsible for parsing and aggregating specific measurements.
• EUEM Messaging Broker is built on top of the Kafka infrastructure and serves as the messaging system between the various EUEM components.

Introduction to the Aternity APM Solution Architecture

The central architectural component of the APM solution is the analysis server. The analysis server stores and processes performance data generated by the web pages and agent systems that the customer wants to monitor. The analysis server also provides the web interface for users to manage and analyze the collected data.

Server agents establish a web socket connection in order to transfer monitoring data to the Agent Redirector service via an AWS Elastic Load Balancer service. The redirector service then sends agent configuration, trace and other monitoring data traffic to the appropriate Analysis Server hosted in Docker containers on AWS Elastic Compute Service, with persistent storage in AWS EBS. Network and process monitoring data is routed to AWS S3, where it is then picked up, processed, and persisted in AWS DynamoDB. The AWS Cognito service is used as a user authorization repository. AWS Lambda functions are used for isolated management operations.

The APM collects data from web pages and from systems where an Aternity APM agent is installed:

• Browser instrumentation data: The APM monitors web page performance by collecting data on page loads and (if configured) AJAX requests in users’ web browsers. This “end user experience” data reflects application performance from the perspective of the end user. To collect this data, Aternity APM adds a JavaScript snippet to web pages that sends a beacon with timing data to the Aternity SaaS analysis server.
• Agent systems: Aternity APM agent software is installed on systems that are to be monitored. The agent software collects application and environmental data:
  o Application: Aternity APM monitors Java and .NET application performance by starting with the application and measuring method start and completion times. The JIDA and .NET sub-agents “instrument” specific classes and methods of interest and send performance data to the Aternity SaaS analysis server.
  o Environment: The Operating System (OS) sub-agent monitors key OS resource metrics such as CPU, memory, and networking on systems where agents are installed. This data is sent to the Aternity SaaS analysis server.

Note: Aternity APM web page and agent systems components are external to the APM servers hosted in AWS and outside the scope of the controls described in this report.

B. INFRASTRUCTURE

Aternity delivers the services on-premises, dedicated in the cloud, or as a SaaS to provide services to a variety of customers, including manufacturing, healthcare providers, and financial services institutions. The controls surrounding the on-premises service offering are not addressed within this report.

SaaS solutions rely exclusively on servers residing in the global AWS public cloud infrastructure. Together these servers orchestrate a series of services hosted by Aternity with dependencies that function as a part of the collective Aternity SaaS infrastructure.

Amazon dedicated instances are used in case electronic protected health information (ePHI) is stored. Dedicated instances are Amazon Elastic Compute Cloud (EC2) instances that run in a virtual private cloud (VPC) on hardware that is dedicated to a single customer. The dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.

Servers – Aternity EUEM servers operate exclusively on Windows-based virtual servers within the AWS environment. Aternity APM servers operate exclusively on Linux-based virtual servers within the AWS environment.

Physical & Environmental Controls – The Aternity EUEM and APM solutions are housed exclusively within AWS facilities. AWS issues a third-party SOC 2 report. As part of management’s vendor due diligence and ongoing monitoring process, the Company receives and reviews the AWS SOC 2 report at least annually to ensure that appropriate physical and environmental controls are in place and operating effectively at the subservice organization.

1) Software

Operating System Native Security – Aternity EUEM and APM utilize native security features to control access to information resources residing on production/testing servers. Aternity EUEM utilizes Windows native security features to control access to information resources residing on the production/testing servers. Access to the production Windows domain is controlled through Windows Active Directory (AD) security. User access rights on all platforms are controlled through the use of profiles based on a person’s job responsibilities. These profiles provide access to individuals based on their job function.

Windows security controls are automatically invoked when the operating systems are loaded. All users are authenticated through an ID/password combination before access to network resources is granted. Contractors, under confidentiality and non-disclosure agreements, may be given limited-privilege Windows domain user accounts for software installation, configuration and support. Customer personnel are not given user IDs that have the ability to authenticate on the Windows domain.

Aternity APM utilizes Linux native security features to control access to information resources residing on the production/testing servers. Access to the Linux platform is controlled through native Linux operating system security controls. User access rights on all platforms are controlled through the use of profiles based on a person’s job responsibilities. These profiles provide access to individuals based on their job function.

Linux security controls are automatically invoked when the operating system is loaded. All Aternity operations and support users are authenticated using public/private key pair combinations before access to network resources is granted. Customer personnel are not given the ability to authenticate on the Linux platform.

User Account Controls – Appropriate password practices are utilized and enforced by the Aternity EUEM and APM solutions. These practices include requirements for a password that is complex, meets minimum length requirements, and expires on a defined frequency.

Administrative Access Controls – Logical access to the Aternity EUEM and APM production environments is restricted to authorized personnel who require access to perform their job functions. Administrative access is controlled through the use of individually assigned user IDs and passwords. Minimum password length and configuration requirements are set. Administrator accounts are removed when a person leaves the Company or changes roles. Administrative access to the AWS management console for the Aternity APM system also requires the use of multi-factor authentication (MFA).

Virus Detection and Prevention – Aternity EUEM utilizes McAfee virus scanning applications to examine inbound traffic received from the Internet as well as internal traffic and data. If a virus is detected, IT personnel are notified and will follow the Incident Response procedures if necessary.

Patching – Aternity EUEM servers utilize the Windows Software Update Service (WSUS) to manage the deployment of patches released by Microsoft. Patches are applied within thirty (30) days of release.

All servers in the Aternity APM production environments are rebuilt periodically. All available patches are applied automatically as part of the server build process.

2) Data

Customers use Aternity EUEM and APM to collect and manage system and application performance data. Customer configuration data is input by users, and performance data is collected from end-user devices, browsers, and application agents and stored in customer-specific containers. Customers define their own requirements for monitoring and, as such, the data stored may be sensitive or proprietary if the collection of such data is necessary to satisfy the customer’s monitoring requirements. However, the Aternity EUEM and APM SaaS should not be used to collect, store, or process protected personal information (PPI) or ePHI. Customers who wish to collect PPI and/or ePHI must use an on-premises or dedicated cloud solution.

3) Procedures

The Company maintains documented policies and procedures to guide personnel in classifying system alerts, documenting incidents, monitoring performance and reporting statistics. Regular reporting is used by management to identify deviations from documented policies and procedures and to guide corrective actions. Below are specific procedures as they relate to the operation of the Aternity EUEM and APM dedicated and SaaS solutions.

Vulnerability Assessments – The Company conducts regular vulnerability scanning of APM and regular penetration testing of the Aternity EUEM and APM environments. Vulnerabilities identified as a result of the assessments are classified, and remediation action is taken based on the classification. Product teams utilize multiple commercial vulnerability scanning tools to assess the security of system software prior to deployment into production. Identified vulnerabilities are investigated and resolved prior to deployment.

Aternity’s Information Security team subscribes to multiple threat intelligence sources that provide alerts that rank vulnerabilities from high to low. Alerts from these sources are reviewed as they arrive and distributed to designated representatives of Aternity’s labs, infrastructure, and product teams. Once received by the appropriate teams, vulnerabilities are assessed to determine whether they affect the Aternity EUEM or APM environments and what actions need to be taken. Below are details on potential actions that may be taken based on the classification of threat intelligence information:

1. Changes required to mitigate "high-risk" vulnerabilities will be scheduled as soon as possible and pushed to the environment via off-cycle change requests.
2. Other vulnerabilities are included in the standard build cycle. All servers are fully rebuilt and patched when new product versions are released.
3. Threats and threat sources that may exploit identified or assessed vulnerabilities are monitored immediately and explicitly until the vulnerabilities have been mitigated.
4. Vulnerability mitigation plans will specify, at a minimum, the proposed resolution to address identified vulnerabilities, the tasks necessary to effect the changes, and the assignment of the required tasks to appropriate personnel.
5. Vulnerability exceptions or waivers must be documented and approved by management and the Aternity Information Security team.
6. Appropriate testing and assessment activities are performed after vulnerability mitigation plans have been executed to verify and validate that the vulnerabilities have been successfully addressed.
7. Appropriate notifications are provided after vulnerability mitigation plans have been executed.
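The seven steps above describe one tracking process. As an added example that is not Aternity’s own tooling, the following Python models a vulnerability record and enforces the routing rule (steps 1 and 2), the minimum content of a mitigation plan (step 4), the dual approval a waiver needs (step 5) and the verification and notification required before closure (steps 6 and 7); the role names, status strings and alert identifier are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Severity(Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


@dataclass
class MitigationPlan:
    resolution: str                 # proposed resolution for the vulnerability
    tasks: dict[str, str]           # task description -> assigned person


@dataclass
class VulnRecord:
    alert_id: str                   # constructed identifier, not a real advisory number
    severity: Severity              # as ranked by the threat intelligence source
    affected_envs: set[str]         # subset of {"EUEM", "APM"} after assessment
    plan: MitigationPlan | None = None
    executed: bool = False          # mitigation plan carried out
    verified: bool = False          # post-mitigation testing confirmed the fix
    notified: bool = False          # completion notification sent
    waiver_approvals: set[str] = field(default_factory=set)


def change_path(v: VulnRecord) -> str:
    """Steps 1 and 2: high-risk findings go out as off-cycle change requests;
    everything else waits for the standard build cycle, where servers are
    rebuilt and patched on release. Findings affecting neither environment
    need no change at all."""
    if not v.affected_envs:
        return "no-action"
    if v.severity is Severity.HIGH:
        return "off-cycle-change-request"
    return "standard-build-cycle"


def record_plan(v: VulnRecord, plan: MitigationPlan) -> None:
    """Step 4: a plan must name a resolution and assign every task to someone."""
    if not plan.resolution.strip():
        raise ValueError("mitigation plan lacks a proposed resolution")
    unassigned = [task for task, who in plan.tasks.items() if not who.strip()]
    if not plan.tasks or unassigned:
        raise ValueError(f"tasks without an assignee: {unassigned or 'no tasks defined'}")
    v.plan = plan


def approve_waiver(v: VulnRecord, approver_role: str) -> None:
    """Step 5: record one approval; both roles are needed before it counts."""
    v.waiver_approvals.add(approver_role)


def waiver_is_valid(v: VulnRecord) -> bool:
    return {"management", "infosec"} <= v.waiver_approvals


def close(v: VulnRecord) -> str:
    """Steps 6 and 7: a record closes only when the plan was executed,
    verified and notified, or when a dual-approved waiver documents the
    exception. Returns the basis on which the record was closed."""
    if change_path(v) == "no-action":
        return "closed:not-affected"
    if waiver_is_valid(v):
        return "closed:waiver"
    if v.plan is None:
        raise RuntimeError("no mitigation plan recorded")
    if not v.executed:
        raise RuntimeError("mitigation plan not executed")
    if not v.verified:
        raise RuntimeError("post-mitigation testing has not verified the fix")
    if not v.notified:
        raise RuntimeError("completion notification not sent")
    return "closed:mitigated"


if __name__ == "__main__":
    rec = VulnRecord("ALERT-0001", Severity.HIGH, {"EUEM"})   # constructed sample
    print(rec.alert_id, "->", change_path(rec))
    record_plan(rec, MitigationPlan("apply vendor patch", {"apply patch": "ops"}))
    rec.executed = rec.verified = rec.notified = True
    print(rec.alert_id, "->", close(rec))
```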

Change Management – Aternity teams track historical activities for the Aternity EUEM and APM environments via change management records. The purpose of these records is to provide a historical audit trail of changes applied to the environment that were initiated via customer request, system maintenance activity, incident management, upgrade activity or proactive support. The primary goal and focus of these activities is to ensure system stability and achieve service and performance targets.

Change requests can be initiated by internal personnel through the submission of a change request. All change requests are documented and must include all details required to successfully implement the change, including the reason for the change, a description of how the change is to be implemented, the impact of the change, and, when applicable, a back-out plan to be used in the event that the change is not successful. Software changes undergo multiple automated and manual reviews, when applicable, before they can be approved for deployment.

Monitoring Procedures – The Aternity EUEM and APM production environments are monitored by a combination of log monitoring, analytics, alerting and reporting solutions. These solutions are configured to monitor both core infrastructure components and individual servers and to generate alerts when defined thresholds have been exceeded. Monitoring includes key operational metrics such as CPU, memory, disk usage, accessibility, and performance metrics.

Security Event Monitoring – Security events, including administrator activity and access anomalies, are logged. Logs are reviewed regularly, and anomalous events are investigated and resolved.

System Development Life Cycle (SDLC) – The SDLC addresses business requirements, scoping, design, development, code review, quality assurance, and implementation of system components. The overall process is initiated by a Product Manager (PM) who is responsible for collecting and prioritizing a high-level feature list. Development leads work with the PM and Aternity’s Chief Technology Officer (CTO) to prioritize the list of features and decide on a high-level architecture. The development leads then work with developers to produce detailed designs and epics/stories/tasks. Designs are reviewed by the PM and other stakeholders, and features are targeted for a release based on resource availability and estimated effort.

Development focuses on two (2) release trains:

• A "stable" release train that receives only critical (typically, customer-reported) bug fixes and security fixes. These "stable" releases come out on a monthly schedule.
• A "feature" release train that receives new features. The "feature" releases come out on a six-week cadence.

A major.minor.point versioning scheme is used for the Aternity EUEM and APM solutions. The feature releases increment the major or minor version (typically, the minor version). The stable releases increment just the point version.

Development of features occurs on a regular cadence. The release cadence may be adjusted from time to time, as needed. To ensure the stability of releases, a set time period is established for feature development. If a feature is not complete by the end of this period, it will not be included in a release. Additional time is then allocated for bug fixing before a “lockdown” phase during which only critical fixes may be applied.

To ensure the integrity of released code, Development and Quality Assurance (QA) leads meet regularly to coordinate across the different teams. A strict code management process has also been established. All code is reviewed by a peer or manager before being merged into the mainline, and system-level automated tests are executed on every nightly build by the QA team. The QA team is also responsible for developing and executing manual test plans and verifying that all bugs are properly fixed.

Multiple environments are maintained to facilitate the development and testing of product releases. These environments include development, QA, staging, and production. Releases graduate from one environment to the next as development progresses.

Backup, Recovery, and Business Continuity – The backup and recovery process is based on the following services and features of AWS:

• Locations: Amazon Regions and Availability Zones (AZ)
• Compute: Amazon EC2
• Storage:
  o Amazon S3
  o Amazon EBS
  o Amazon Cognito
  o Amazon DynamoDB
• Replications: Amazon Machine Images (AMI)
• Networking: Amazon Route 53

Amazon Regions – AWS is available in multiple regions around the globe. Regions consist of one (1) or more AZs. AZs are distinct locations that are engineered to be insulated from failures in other AZs. In case of disaster, the system can be duplicated to a different availability zone in the same region (preferably) or to a different region that is not affected by the disaster event.

Amazon EC2 – Amazon EC2 is on-demand computing power (virtual instances) that can be created within minutes from a web-based console.

Amazon EBS – Amazon EBS provides persistent, block-level storage volumes for Amazon EC2 applications within the same availability zone.

Amazon Machine Images (AMIs) – AMIs are preconfigured with operating systems and application stacks. The AMIs are launched as part of the recovery procedure and reduce the time needed to install the software.

Amazon S3 – Amazon S3 is a cloud-based object store available through web services interfaces such as REST and SOAP. It is designed to offer 99.999999999% availability of objects. For disaster recovery (DR), point-in-time snapshots of the Amazon EBS volumes holding database backups are copied and maintained in Amazon S3 storage, limiting any data loss to that which was created since the last recovery point and during the recovery time interruption.

Amazon Cognito – Amazon Cognito is an AWS product that controls user authentication and access for mobile applications on internet-connected devices. The service saves and synchronizes end-user data, which enables an application developer to focus on writing code instead of building and managing the back-end infrastructure. This can accelerate the mobile application development process.

Amazon DynamoDB – Amazon DynamoDB is a fully managed proprietary NoSQL database service.

Amazon Route 53 – Amazon Route 53 is a highly available and scalable domain name system (DNS) web service. Amazon Route 53 gives the ability to fail over between multiple endpoints.

System and Customer Data – For Aternity EUEM, the backup and recovery strategy relies on the creation of AMIs for each server as part of the installation process on AWS and when software upgrades are installed. These images are saved in two (2) different AWS regions to ensure recoverability. Database backups are performed periodically, are saved on separate EBS volume storage, and are copied to S3 at the end of the backup process.

During the recovery process, impacted servers are launched using the pre-configured AMIs, the required networking and security configurations are applied, and databases are restored using backup files. The recovery process is exercised periodically to verify the integrity of backups.

For Aternity APM, automated backups of DynamoDB occur once per day and backups of EBS volumes are taken each hour. EBS volume backups are validated by loading them onto a separate EC2 instance to ensure that they can be successfully used for recovery purposes. The backups are tagged with the results of the validation test. Cognito is backed up as part of a manual process. The backups are retained forever.

Aternity APM servers in the production environment utilize AWS high-availability services to ensure prompt recovery. Backup and restore processes are part of the regular upgrade procedures.
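As an added example that is not Aternity’s own code, the following Python computes the achievable recovery point and data-loss window from a backup catalog shaped like the two descriptions above: the EUEM Oracle RMAN schedule (full backups twice a week, incrementals on the other days, written to an EBS volume and then copied to S3) and the hourly APM EBS backups tagged with their restore-test result. The catalog records, timestamps and tag values are constructed, and the rule that a backup held only on an EBS volume is unavailable once that availability zone is lost is an assumption drawn from the EBS description above.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Backup:
    system: str                 # "euem-oracle" or "apm-ebs" (constructed labels)
    kind: str                   # "full" / "incremental" (RMAN) or "snapshot" (EBS)
    taken_at: datetime
    in_s3: bool                 # copy exists in S3, i.e. outside the EBS volume's AZ
    validated: Optional[bool]   # restore-test tag: True, False, or None if not yet tested


def usable_for_dr(b: Backup, az_lost: bool) -> bool:
    """A backup is usable unless its restore test failed, or the availability
    zone holding the EBS backup volume is lost and no S3 copy exists
    (assumption: EBS volumes are AZ-local, as the EBS description states)."""
    if b.validated is False:
        return False
    if az_lost and not b.in_s3:
        return False
    return True


def restore_chain(b: Backup, backups: list[Backup], az_lost: bool) -> Optional[list[Backup]]:
    """RMAN incrementals apply on top of the most recent full backup, so the
    restore chain for an incremental is that full plus every incremental up
    to b. Returns the chain (oldest first) or None if any link is unusable."""
    if b.kind != "incremental":
        return [b] if usable_for_dr(b, az_lost) else None
    older_first = sorted(
        (x for x in backups if x.system == b.system and x.taken_at <= b.taken_at),
        key=lambda x: x.taken_at,
    )
    chain: list[Backup] = []
    for x in reversed(older_first):
        chain.append(x)
        if x.kind == "full":
            break
    else:
        return None  # no base full backup: the incremental cannot be applied
    chain.reverse()
    return chain if all(usable_for_dr(x, az_lost) for x in chain) else None


def recovery_point(backups: list[Backup], system: str, disaster_at: datetime,
                   az_lost: bool) -> Optional[dict]:
    """Newest backup taken before the disaster whose whole restore chain is
    usable, together with the data-loss window that restoring it implies."""
    for b in sorted(backups, key=lambda x: x.taken_at, reverse=True):
        if b.system != system or b.taken_at > disaster_at:
            continue
        chain = restore_chain(b, backups, az_lost)
        if chain is not None:
            return {
                "recovery_point": b.taken_at,
                "data_loss": disaster_at - b.taken_at,
                "chain": [f"{x.kind}@{x.taken_at:%Y-%m-%d %H:%M}" for x in chain],
            }
    return None


# Constructed catalog (not real Aternity data) mirroring the schedules above.
T = datetime
CATALOG = [
    Backup("euem-oracle", "full",        T(2020, 2, 16, 2, 0), True,  True),
    Backup("euem-oracle", "incremental", T(2020, 2, 17, 2, 0), True,  True),
    Backup("euem-oracle", "incremental", T(2020, 2, 18, 2, 0), True,  None),
    Backup("euem-oracle", "full",        T(2020, 2, 19, 2, 0), False, None),   # S3 copy not yet made
    Backup("apm-ebs",     "snapshot",    T(2020, 2, 20, 8, 0), True,  True),
    Backup("apm-ebs",     "snapshot",    T(2020, 2, 20, 9, 0), True,  False),  # restore test failed
]
DISASTER = T(2020, 2, 20, 10, 0)   # constructed disaster time

if __name__ == "__main__":
    for system, az_lost in (("euem-oracle", True), ("euem-oracle", False), ("apm-ebs", False)):
        print(system, "AZ lost" if az_lost else "AZ intact",
              recovery_point(CATALOG, system, DISASTER, az_lost))
```

With the availability zone lost, the newest full backup is unusable because only its EBS copy exists, so the restore falls back to the older full plus two incrementals and the loss window grows from 32 to 56 hours; for APM, the snapshot tagged as a failed restore test is skipped in favour of the hour before it.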

Security Awareness Training – Aternity conducts security awareness training during the onboarding of new employees and annually thereafter. The training is intended to enhance employees’ understanding of sound security practices. Training covers a wide variety of topics relating to security, including a review of the security policies presently in place at Aternity. All training is conducted by the Information Security Team.

C. OTHER RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESSES, INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING CONTROLS

1) Control Environment

Aternity’s control environment is an integral part of its business activities, strategic planning, and assessment of risks. Relevant control environment factors that affect the services provided to user entities are listed and described below.

Organizational Structure – Aternity’s operations are under the direction of the President and Chief Executive Officer (CEO) and separated into five (5) logical groups.

• Product Management: The product management team is responsible for the planning, forecasting, and production of the product lifecycle.
• Engineering: The responsibilities of this team are to engage in new product research and development, existing product updates, quality checks and innovation.
• Sales: The sales team’s primary duties include identifying and contacting prospects, delivering sales presentations, closing deals, and managing existing customer relationships.
• Marketing: The marketing team has overall responsibility for growing revenue and increasing market share.
• Customer Success: The customer success team is responsible for the overall implementation of the product, client training, ongoing support, along with the overarching goal of cultivating productive client relationships and satisfaction.

Aternity Organizational Structure (organization chart; positions shown): President and CEO; CFO; Finance; HR; IT; CTO and SVP Strategy; VP, Products; VP, Engineering; Chief Revenue Officer (Sales); Chief Customer Success; Chief Marketing Officer.

Organizational Controls

Human Resources Management – Written job descriptions for employees are maintained by the Human Resources (HR) Department. The descriptions are reviewed and updated as needed. References are sought, credit checks are conducted, and background checks are performed for all employees hired. The confidentiality of user entity information is explained during the new-employee orientation via the Security Policy, and all employees are required to sign an acknowledgement of the Security Policy at hire and annually thereafter. Furthermore, the confidentiality of user entity data is explained in the employee handbook, which is issued to each employee on their date of hire. Employees are required to take paid time off (PTO) in accordance with company policy. All employees receive an annual written performance evaluation and salary review. Completed appraisals are reviewed by HR and become a permanent part of the employee’s personnel file.

Policies and Procedures – Aternity utilizes formal policies and procedures to govern major business activities. Policy and procedures manuals include:

• Anti-Bribery Compliance Policy
• Background Check Policy
• Bereavement Leave
• Commitment against Harassment Policy
• EEO Policy
• Employee Referral Program
• Expense Policy
• Maternity or Paternity Leave Policy
• PTO Policy
• Use of Electronic Communications Policy
• Other policies and procedures depending on department

Internal policies and procedures are reviewed and approved by senior management on an annual basis. All policies and procedures are ultimately the responsibility of senior management and the Board of Directors (Board).

Privacy and Confidentiality – Aternity does not disclose confidential internal information or customer-owned data to outside entities. Third parties that perform processing and/or other services that require access to internal or customer-owned data are prohibited from any disclosure of this information. Customer contracts for processing services include data privacy language that requires confidential customer data to be handled and stored in accordance with applicable data protection laws and regulations.

Organizational Oversight

Board of Directors – The Board is comprised of appointed members. The Board’s role is to establish goals and objectives for Aternity, and it schedules quarterly meetings to review operating results. The two (2) subcommittees established by the Board are as follows:

• Compensation Committee - The Compensation Committee oversees the acquisition and retention of highly qualified personnel. This committee is responsible for recommending competitive salary levels, fringe benefit plans, major personnel policies, and for oversight of the employee stock option plan.
• Audit Committee - The Audit Committee is responsible for the review and administration of internal procedures as well as the oversight of financial reporting and risk management activities. It also oversees the hiring, performance and independence of external auditors.

2) Risk Assessment Processes

Aternity has placed into operation a risk assessment process to identify and manage risks that could affect the ability to provide reliable services to user entities. This process requires management to identify risks for systems and major business operations, identify potential impacts to customers, and appropriately manage and mitigate high- and medium-risk areas.

3) Information and Communication Systems

Information Systems – As part of its SaaS, Aternity establishes and maintains a secure and monitored network environment designed to prevent and/or detect unauthorized network access and modifications. The controls specific to these services are listed in the section titled Infrastructure above.

Communication Systems – Aternity has implemented a number of communication processes to ensure that all employees understand their individual roles and responsibilities over controls, and to ensure that significant events are communicated in a timely manner. The communication processes include: new employee orientation programs; the use of electronic mail to communicate time-sensitive messages and information; verbal communications; online department portals with policies and procedures; monthly and quarterly internal product review sessions; and written correspondence to management and staff. Each level of management also holds periodic staff meetings as appropriate. Every employee has a written job description, and all employees are instructed of their responsibility to communicate significant issues and exceptions to an appropriate higher level of authority within Aternity in a timely manner.

Aternity has also implemented various methods of communication to ensure that customers understand the role and responsibilities of Aternity, and to ensure that significant events are communicated to customers in a timely manner. These methods include Aternity’s organization of and participation in customer group meetings and expositions, web-based customer bulletins and newsletters, focus groups, trainings, a dedicated customer website, notifications from Salesforce, direct e-mail, and direct phone contact. Customers are encouraged to communicate questions and problems to the Customer Service departments, where such matters are logged and tracked until resolved.

Personnel in the Customer Service departments provide on-going communication with customers on a day-to-day basis. The Customer Service department also communicates information regarding changes in processing schedules, system enhancements, and other information to customers.

4) Monitoring Controls

Aternity’s management and supervisory personnel monitor the quality of internal control performance as a routine part of their activities. To assist them in this monitoring, Aternity has implemented a variety of reporting and on-line notification tools that measure key activities and performance metrics on critical systems. Notification tools and reports are used to monitor significant and suspicious network activities and system and network availability. All exceptions to normal or scheduled processing related to hardware, software, or procedural problems are logged, reported, and resolved daily. Key indicator reports are reviewed daily and weekly by appropriate levels of management, and action is taken as necessary.

D. CHANGES TO THE CONTROL ENVIRONMENT

Aternity LLC is required to disclose relevant details of changes to the system during the period covered. Aternity LLC did not experience any significant changes related to the system that require disclosure.

E. APPLICABLE TRUST SERVICES CRITERIA AND RELATED CONTROLS

The applicable trust services criteria and Aternity LLC’s controls are included in Section IV of this report, Independent Service Auditor’s Description of Tests of Controls and Results, to eliminate the redundancy that would result from listing them in this section and repeating them in Section IV. Although the applicable trust services criteria and related controls are included in Section IV, they are, nevertheless, an integral part of Aternity LLC’s description of systems.

F. COMPLEMENTARY SUBSERVICE ORGANIZATION CONTROLS

Aternity LLC uses a subservice organization to perform various functions to support the delivery of services to user entities. Aternity LLC has developed and implemented a vendor monitoring process to ensure subservice organizations have necessary internal controls. Monitoring includes the receipt and review of the subservice organization’s SOC 2 reports.

The following is a description of the subservice organization used by Aternity LLC to support the delivery of the system:

Amazon Web Services (AWS): Provides cloud infrastructure for the servers used to store data sets and other information. AWS is responsible for the physical and environmental security of the data centers hosting the cloud infrastructure, including the network equipment at the facilities.

The following applicable trust services criteria are intended to be met in part by complementary subservice organization controls implemented by the subservice organization AWS, including, but not limited to, the following:

Applicable Trust Services Criteria | Complementary Subservice Organization Controls

CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
  Complementary subservice organization control: AWS is responsible for implementing physical security controls to restrict access to the hosted servers and protected information assets to authorized personnel.

CC6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
  Complementary subservice organization control: AWS is responsible for data wiping, destroying, and disposing of assets in their environment that are no longer required or have reached end of life.

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
  Complementary subservice organization control: AWS is responsible for monitoring their environment to maintain security and availability, including having an incident handling process.

A1.2: Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
  Complementary subservice organization control: AWS is responsible for developing, implementing, maintaining, and monitoring environmental protections of the assets hosted in the data centers.

A1.3: The entity tests recovery plan procedures supporting system recovery to meet its objectives.
  Complementary subservice organization control: AWS is responsible for implementing and testing recovery plan procedures to meet availability objectives.

G. COMPLEMENTARY USER ENTITY CONTROLS

Aternity LLC’s operations were designed with the assumption that certain controls would be placed in operation by user entities. This section describes some of the controls that should be in operation at user entities to complement the controls at Aternity LLC. User auditors should determine whether user entities have established controls to provide reasonable assurance over the following:

1. User entities are responsible for enforcing their own internal password policies for their organizations. User entities are encouraged to utilize complex passwords and change their passwords on a periodic basis.

2. User entities are responsible for periodically reviewing user access to APM and EUEM consoles to validate the appropriateness of user access and assigned permissions.

3. User entities’ system administrators are responsible for user provisioning in the Aternity solution. User entities are responsible for implementing an authorization process to ensure the granting, modification, and removal of access to the solution is approved.

4. User entities’ system administrators are responsible for configuring and maintaining strong security settings, such as the inactivity timeout within the APM and EUEM consoles.

5. User entities are responsible for defining their own requirements for monitoring and, as such, for the data stored, including proprietary data, if the collection of such data is necessary to satisfy the customer’s monitoring requirements.

IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS

A. INTRODUCTION

This section presents selected information provided by Wolf & Company, P.C. This information includes:

- A description of tests performed by Wolf & Company, P.C. to determine whether Aternity LLC’s controls were operating with sufficient effectiveness to meet the applicable trust services criteria
- Results of Wolf & Company, P.C.’s tests of operating effectiveness

Also included in this section is information provided by Aternity LLC’s management. This information includes:

- The applicable trust services criteria as set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria)
- Description of controls implemented by Aternity LLC to meet the applicable trust services criteria

B. APPLICABLE TRUST SERVICES CRITERIA

The applicable trust services criteria in scope and controls to meet the applicable trust services criteria were provided by Aternity LLC’s management. While this information is provided by Aternity LLC, it is more beneficial to have it reported in Section IV (Independent Service Auditor’s Description of Tests of Controls and Results) to facilitate the report of tests of controls and results of testing, which is provided by Wolf & Company, P.C. The following trust services criteria were in scope:

Security Criteria – The system is protected against unauthorized access (both physical and logical).

Availability Criteria – The system is available for operation and use as committed or agreed.

C. TESTING OF OPERATING EFFECTIVENESS

CC1.0 – Common Criteria Related to Control Environment

Criteria | Service Organization Controls | Tests | Results

CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

Control: Employees must read and acknowledge the Employee Handbook and Proprietary Information and Inventions Agreement (PIIA) upon hire.
  Test: Inspected documented policies and procedures to ensure employees are required to read and accept the Employee Handbook and PIIA.
  Result: No exceptions noted.
  Test: Inspected acknowledgements to ensure a sample of new hires read and accepted the Employee Handbook and PIIA.
  Result: No exceptions noted.

Control: Employees are notified of changes to the Employee Handbook via email.
  Test: Inquired with management to ensure employees are notified of changes to the Employee Handbook via email.
  Result: No exceptions noted.
  Test: Inquired with management and determined that there were no changes to the Employee Handbook. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

Control: Employees who do not comply with Company policies and standards will be subject to disciplinary actions.
  Test: Inspected policies and procedures to ensure disciplinary actions for misconduct are included.
  Result: No exceptions noted.

Control: The onboarding process includes background checks for all candidates extended a job offer.
  Test: Inspected documented policies and procedures to ensure background checks are completed for all candidates extended a job offer.
  Result: No exceptions noted.
  Test: Inspected the background checks for a sample of new hires to ensure they were completed.
  Result: No exception noted.

CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Control: The Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls. Any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Test: Inquired with management to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls. Any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Result: No exceptions noted.
  Test: Inspected an example email correspondence to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls.
  Result: No exceptions noted.

Control: The Board of Directors is comprised of members from varying backgrounds to allow for objective evaluation and decision making.
  Test: Inspected the composition of the Board of Directors to ensure Board members are from varying backgrounds to allow for objective evaluation and decision making.
  Result: No exceptions noted.

CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Control: Aternity’s organization charts detail reporting lines and authorities of the Company’s employees.
  Test: Inspected Aternity’s organization charts to ensure they detail reporting lines and authorities of the Company’s employees.
  Result: No exceptions noted.

Control: Roles and responsibilities are defined in written job descriptions.
  Test: Inspected written job descriptions for positions responsible for security and availability to ensure roles and responsibilities are defined.
  Result: No exceptions noted.

Control: Job descriptions are created or updated as part of the hiring process. All new hires are required to have a written job description.
  Test: Inspected onboarding procedures to ensure written job descriptions are required to be updated or created for new hires.
  Result: No exceptions noted.

Control: Product Management is responsible for the development and implementation of policies and procedures to oversee the design, development, implementation, operation, maintenance, and monitoring of Aternity’s systems.
  Test: Inquired with management to ensure the Product Management department is assigned the responsibility of developing and implementing policies and procedures to oversee the design, development, implementation, operation, maintenance, and monitoring of Aternity’s systems.
  Result: No exceptions noted.

CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Control: The ability of candidates to meet the requirements documented in job descriptions is evaluated as part of the hiring process.
  Test: Inquired with management to ensure potential new hires’ experience and qualifications are evaluated against the job requirements by the hiring manager.
  Result: No exceptions noted.

Control: Employees are required to complete information security training upon hire and annually thereafter. Employees must complete and pass a quiz after security awareness training.
  Test: Observed training materials to ensure employees are required to be trained on information security topics and that a quiz must be passed after the training.
  Result: No exceptions noted.
  Test: Inspected quiz results for a sample of employees to ensure each sampled employee completed and passed the required quiz.
  Result: No exception noted.
  Test: Inspected quiz results for a sample of new hires to ensure each sampled employee completed and passed the required quiz.
  Result: Exception noted. One (1) of the three (3) sampled new hires did not complete the information security training upon hire. See Section V #1 for management response.

Control: Performance reviews are completed for all employees on an annual basis.
  Test: Inspected the performance reviews completed prior to the start of the audit period for a sample of employees to ensure performance reviews were not completed during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

Control: Employees must read and acknowledge the Employee Handbook and PIIA upon hire.
  Test: Inspected documented policies and procedures to ensure employees are required to read and accept the Employee Handbook and PIIA.
  Result: No exceptions noted.
  Test: Inspected acknowledgements to ensure a sample of new hires read and accepted the Employee Handbook and PIIA.
  Result: No exceptions noted.

Control: The onboarding process includes background checks for all candidates extended a job offer.
  Test: Inspected documented policies and procedures to ensure background checks are completed for all candidates extended a job offer.
  Result: No exceptions noted.
  Test: Inspected the background checks for a sample of new hires to ensure they were completed.
  Result: No exception noted.

CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Control: Employees who do not comply with Company policies and standards will be subject to disciplinary actions.
  Test: Inspected policies and procedures to ensure disciplinary actions for misconduct are included.
  Result: No exceptions noted.

Control: Performance reviews are completed for all employees on an annual basis.
  Test: Inspected the performance reviews completed prior to the start of the audit period for a sample of employees to ensure performance reviews were not completed during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

CC2.0 – Common Criteria Related to Communication and Information

Criteria | Service Organization Controls | Tests | Results

CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

Control: The Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls. Any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Test: Inquired with management to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls. Any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Result: No exceptions noted.
  Test: Inspected an example email correspondence to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls.
  Result: No exceptions noted.

CC2.2 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Control: Security and availability responsibilities are documented in internal policies and procedures. The Company’s internal policies and procedures are available to all employees on the Company intranet.
  Test: Inspected the Company’s intranet to ensure internal policies and procedures are made available to all employees.
  Result: No exceptions noted.
  Test: Inspected policies and procedures to ensure security and availability responsibilities are documented.
  Result: No exceptions noted.

Control: Security reminders are sent as necessary to educate employees on security issues or recommended practices.
  Test: Inspected an example security reminder to ensure employees are educated as necessary on security issues or recommended practices.
  Result: No exceptions noted.

Control: The Password Policy includes procedures for creating, changing, and safeguarding passwords.
  Test: Inspected the Password Policy to ensure it includes procedures for creating, changing, and safeguarding passwords.
  Result: No exceptions noted.

Control: The Incident Response Plan details procedures for internal users to report security and availability incidents.
  Test: Inspected the Incident Response Plan to ensure it details procedures for internal users to report security and availability incidents.
  Result: No exceptions noted.

Control: Employees must read and acknowledge the Employee Handbook and PIIA upon hire.
  Test: Inspected documented policies and procedures to ensure employees are required to read and accept the Employee Handbook and PIIA.
  Result: No exceptions noted.
  Test: Inspected acknowledgements to ensure a sample of new hires read and accepted the Employee Handbook and PIIA.
  Result: No exceptions noted.

Control: Employees are required to complete information security training upon hire and annually thereafter. Employees must complete and pass a quiz after security awareness training.
  Test: Observed training materials to ensure employees are required to be trained on information security topics and that a quiz must be passed after the training.
  Result: No exceptions noted.
  Test: Inspected quiz results for a sample of employees to ensure each sampled employee completed and passed the required quiz.
  Result: No exception noted.
  Test: Inspected quiz results for a sample of new hires to ensure each sampled employee completed and passed the required quiz.
  Result: Exception noted. One (1) of the three (3) sampled new hires did not complete the information security training upon hire. See Section V #1 for management response.

CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Control: Master service agreements between the Company and customers detail responsibilities and commitments related to security. Availability responsibilities and commitments are documented in service level agreements (SLAs).
  Test: Inspected template customer agreements and SLAs to ensure security and availability commitments for the Company and customers are defined.
  Result: No exceptions noted.

Control: The agreement in place between the Company and AWS details responsibilities for security and availability.
  Test: Inspected the agreement between the Company and AWS to ensure it details responsibilities for security and availability.
  Result: No exceptions noted.

Control: Business Associate Agreements (BAAs) are in place with third parties who could potentially access electronic protected health information (ePHI).
  Test: Inspected the Business Associate Policy to ensure it requires BAAs with third parties who could potentially access ePHI.
  Result: No exceptions noted.
  Test: Inquired with management and determined that there are no new third parties who could potentially access ePHI. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

Control: The Customer Service Agreement and Maintenance and Support Services Agreement, along with the Support website, detail the responsibilities of the Company and customers in reporting and remediating failures, incidents, concerns, and complaints.
  Test: Inspected the Customer Service Agreement and Support Services Agreement to ensure the agreements detail the responsibilities of the Company and customers for reporting and remediating failures, incidents, concerns, and complaints.
  Result: No exceptions noted.
  Test: Inspected the Support website to ensure the website provides details on reporting failures, incidents, concerns, and complaints.
  Result: No exceptions noted.

Control: The Business Continuity Plan details procedures for communicating availability incidents to external parties.
  Test: Inspected the Business Continuity Plan to ensure it details procedures for communicating availability incidents to external parties.
  Result: No exceptions noted.

Control: Major and minor releases are communicated to customers through release notes posted on the customer portal.
  Test: Inspected a screenshot of the APM release portal to ensure APM releases are communicated to customers via release notes on the customer portal.
  Result: No exceptions noted.
  Test: Inspected a screenshot of the EUEM release portal to ensure EUEM releases are communicated to customers via release notes on the customer portal.
  Result: No exceptions noted.

Control: The Support website allows customers to submit tickets for issues. The Support team reviews all issues, which are tracked through to remediation.
  Test: Inspected the Support website to ensure it allows customers to submit tickets for issues.
  Result: No exceptions noted.
  Test: Inquired with management to ensure the Support team reviews all issues and tracks them to remediation.
  Result: No exceptions noted.

CC3.0 – Common Criteria Related to Risk Assessment

Criteria | Service Organization Controls | Tests | Results

CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Control: The methodology for the IT risk assessments details the need for identifying potential threats as well as assessing the likelihood and impact of the identified threats.
  Test: Inspected the methodology for the IT risk assessments to ensure it details identifying potential threats and assessing the likelihood and impact of the threats.
  Result: No exceptions noted.

Control: The Risk Assessment Policy describes the Company’s requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Test: Inspected the Risk Assessment Policy to ensure it describes the requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Result: No exceptions noted.

Control: The Vendor Management Policy defines expectations for identifying and risk rating all vendor relationships. The risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Test: Inspected the Vendor Management Policy to ensure it defines expectations for identifying and risk rating all vendor relationships and that risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Result: No exceptions noted.

CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Control: The methodology for the IT risk assessments details the need for identifying potential threats as well as assessing the likelihood and impact of the identified threats.
  Test: Inspected the methodology for the IT risk assessments to ensure it details identifying potential threats and assessing the likelihood and impact of the threats.
  Result: No exceptions noted.

Control: The Risk Assessment Policy describes the Company’s requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Test: Inspected the Risk Assessment Policy to ensure it describes the requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Result: No exceptions noted.

Control: The IT risk assessments identify potential risks to the security and availability of the system and identify mitigating controls for the risks.
  Test: Inspected the IT risk assessments to ensure potential risks and mitigating controls for the risks are identified.
  Result: No exceptions noted.

Control: The Vendor Management Policy defines expectations for identifying and risk rating all vendor relationships. The risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Test: Inspected the Vendor Management Policy to ensure it defines expectations for identifying and risk rating all vendor relationships and that risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Result: No exceptions noted.

Control: The vendor risk assessment rates the inherent risk of a vendor based on the nature of the information that is stored and transmitted, cost, compliance, and quality of work.
  Test: Inspected the vendor risk assessment to ensure it rates the inherent risk of a vendor based on the nature of the information that is stored and transmitted, cost, compliance, and quality of work.
  Result: No exceptions noted.

Control: The IT risk assessments are presented to management for approval.
  Test: Inspected the IT risk assessments to ensure the IT risk assessments are approved by management on an annual basis.
  Result: No exceptions noted.

CC3.3 COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

Control: The IT risk assessments consider fraudulent activities, including the likelihood and impact.
  Test: Inspected the IT risk assessments to ensure the assessment considers fraudulent activities, including the likelihood and impact.
  Result: No exceptions noted.

CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

Control: Management subscribes to threat intelligence resources covering cybersecurity and risks present in the external environment.
  Test: Inspected an example email to ensure management subscribes to sources regarding cybersecurity and risks present in the external environment.
  Result: No exceptions noted.

Control: The vendor selection process includes a review of materials to ensure the risks associated with the vendor relationship are understood.
  Test: Inspected the Vendor Management Policy to ensure it details the requirements for the vendor selection process, including a review of materials to ensure the risks associated with the vendor relationship are understood.
  Result: No exceptions noted.
  Test: Inquired with management and determined that there were no new subservice organizations implemented to support the production environment. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

Control: Vendors that pose an increased risk are reviewed on an annual basis.
  Test: Inspected the Vendor Management Policy to ensure it details the requirements for an annual review of vendors that pose an increased risk.
  Result: No exceptions noted.
  Test: Inspected the vendor review performed for AWS to ensure the review is performed on an annual basis.
  Result: No exceptions noted.

Control: The vendor risk assessment is updated by management on at least an annual basis.
  Test: Inspected the vendor risk assessment to ensure it was updated within the last year.
  Result: No exceptions noted.

CC4.0 – Common Criteria Related to Monitoring Activities

Criteria | Service Organization Controls | Tests | Results

CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
  Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
  Result: No exceptions noted.

Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
  Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
  Result: No exceptions noted.

Control: EUEM Operations personnel review uptime monitors on a weekly basis to ensure the availability of the infrastructure after maintenance activities.
  Test: Inspected the reviews completed for a sample of weeks to ensure the uptime monitors are reviewed on a weekly basis by the Operations team.
  Result: No exceptions noted.

Control: EUEM Operations personnel review the administrative activity and failed login report on a weekly basis.
  Test: Inspected the reviews completed for a sample of weeks to ensure administrator activity and failed logins were reviewed.
  Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
  Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
  Result: No exceptions noted.
  Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
  Result: No exceptions noted.

Control: The EUEM Support team conducts a weekly staff meeting that includes discussion topics such as reviewing upcoming maintenance schedules or outage events to share details and raise awareness.
  Test: Inspected meeting agendas for a sample of weeks to ensure the Support team conducts a weekly staff meeting that includes discussion topics such as reviewing upcoming maintenance schedules or outage events to share details and raise awareness.
  Result: No exceptions noted.

Control: A Hosting Outages Cases (CQ) Report is generated quarterly in Salesforce to show events for EUEM.
  Test: Inspected a sample of quarterly reports to ensure the reports are generated and show events for EUEM.
  Result: No exceptions noted.

Control: A third party is contracted to perform web application penetration testing on an annual basis.
  Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
  Result: No exceptions noted.

Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
  Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
  Result: No exceptions noted.

Control: Web server certificates and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
  Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
  Result: No exceptions noted.
  Test: Inquired with management to ensure no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

Control: Monthly meetings are held for proactive planning for availability and performance metrics.
  Test: Inspected the policies to ensure the monthly meeting process is defined.
  Result: No exceptions noted.
  Test: Inspected the meeting agenda or reports for a sample of months to ensure availability and performance metrics are discussed.
  Result: No exceptions noted.

Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
  Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
  Result: No exceptions noted.
  Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
  Result: No exceptions noted.

CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
  Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
  Result: No exceptions noted.

Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
  Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
  Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
  Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
  Result: No exceptions noted.
  Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
  Result: No exceptions noted.

Control: A third party is contracted to perform web application penetration testing on an annual basis.
  Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
  Result: No exceptions noted.

Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
  Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
  Result: No exceptions noted.

Control: Web server certificates and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
  Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
  Result: No exceptions noted.
  Test: Inquired with management to ensure no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
  Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
  Result: No exceptions noted.
  Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
  Result: No exceptions noted.

CC5.0 – Common Criteria Related to Control Activities

Criteria | Service Organization Controls | Tests | Results

CC5.1 COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Control: The Company applies appropriate controls to lessen the likelihood and/or impact of identified risks.
  Test: Inspected the Risk Assessment Policy to ensure the Company applies appropriate controls to lessen the likelihood and/or impact of identified risks.
  Result: No exceptions noted.
  Test: Inspected the IT risk assessments to ensure the Company has identified and applied mitigating controls to reduce the risks presented to the system.
  Result: No exceptions noted.

Control: Key controls are monitored to measure their success in addressing relevant risks.
  Test: Inspected the policies and procedures to ensure key controls are monitored to measure their success in addressing relevant risks.
  Result: No exceptions noted.

Control: The Disaster Recovery Plan and Business Continuity Plan describe the Company’s strategy for responding in the event of a disaster.
  Test: Inspected the Disaster Recovery and Business Continuity Plan to ensure the plan describes the Company’s strategy for responding in the event of a disaster.
  Result: No exceptions noted.

CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.

Control: The Company applies appropriate controls to lessen the likelihood and/or impact of identified risks.
  Test: Inspected the Risk Assessment Policy to ensure the Company applies appropriate controls to lessen the likelihood and/or impact of identified risks.
  Result: No exceptions noted.
  Test: Inspected the IT risk assessments to ensure the Company has identified and applied mitigating controls to reduce the risks presented to the system.
  Result: No exceptions noted.

Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
  Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
  Result: No exceptions noted.

Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
  Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
  Result: No exceptions noted.

Control: EUEM Operations personnel review the administrative activity and failed login report on a weekly basis.
  Test: Inspected the reviews completed for a sample of weeks to ensure administrator activity and failed logins were reviewed.
  Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
  Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
  Result: No exceptions noted.
  Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
  Result: No exceptions noted.

Control: A third party is contracted to perform web application penetration testing on an annual basis.
  Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
  Result: No exceptions noted.

Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
  Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
  Result: No exceptions noted.

Control: Web server certificates and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
  Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
  Result: No exceptions noted.
  Test: Inquired with management to ensure no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

Control: The Disaster Recovery Plan and Business Continuity Plan describe the Company’s strategy for responding in the event of a disaster.
  Test: Inspected the Disaster Recovery and Business Continuity Plan to ensure the plan describes the Company’s strategy for responding in the event of a disaster.
  Result: No exceptions noted.

CC5.3 COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Control: The Company has documented policies and procedures for the system that detail implemented controls to maintain security and availability along with compliance with HIPAA.
  Test: Inspected the Company’s documented policies and procedures to ensure documentation includes controls to maintain security, availability, and HIPAA compliance.
  Result: No exceptions noted.

Control: Aternity retains historical policies and procedures for six (6) years from the date of their creation.
  Test: Inspected the Document Retention Policy to ensure it requires that historical policies and procedures be retained for six (6) years from the date of their creation.
  Result: No exceptions noted.

Control: Policies and procedures are reviewed at least annually.
  Test: Inspected the Company’s documented policies and procedures to ensure they are reviewed at least annually.
  Result: No exceptions noted.


CC6.0 – Common Criteria Related to Logical and Physical Access Controls

Criteria | Service Organization Controls | Tests | Results

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.

Control: Logical access to the system is restricted to authorized individuals who need access to perform their job functions.
  Test: Inspected the Platform Access Policy and User Access Control Policy to ensure they address the restriction of access to systems.
  Result: No exceptions noted.
  Test: Inspected the listing of users with access to the production environment to ensure access is appropriate.
  Result: No exceptions noted.

Control: The production environment is administered by authorized personnel who require access to oversee the security and availability of the Aternity system.
  Test: Inspected the listing of users with administrator access to the production environment to ensure administrator access is appropriate.
  Result: No exceptions noted.

Control: Passwords are enforced on the technologies supporting EUEM. The password settings enforced include minimum length, complexity requirements, and expiration.
  Test: Inspected the configuration of the password practices enforced to access the production environment to ensure they include password minimum length, complexity requirements, and expiration.
  Result: No exceptions noted.

Control: Multifactor authentication is required to access the technologies supporting APM.
  Test: Inspected the authentication configurations of the technologies supporting APM to ensure multifactor authentication is required.
  Result: No exceptions noted.

Control: Authentication to the application, by user entities, requires a password that is appropriately configured.
  Test: Inquired with management to ensure password requirements are appropriately configured for user entities.
  Result: No exceptions noted.
  Test: Inspected evidence to ensure password requirements are appropriately configured for user entities.
  Result: No exceptions noted.

Control: Password-protected screensavers, configured via Active Directory Group Policy Object (GPO), are automatically triggered after a period of inactivity.
  Test: Inspected the GPO to ensure password-protected screensavers are automatically triggered after a period of inactivity.
  Result: No exceptions noted.

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

Control: Written authorization in the form of a ticket, email, or other documented methods is required to grant and remove access to the production environment. This process is documented within Policy.
  Test: Inspected the System Access Request Policy and the Separation Process to ensure they detail the written authorization process.
  Result: No exceptions noted.
  Test: Inspected the written authorization for a sample of new hires to ensure access granted to the production environment is documented.
  Result: No exceptions noted.
  Test: Inspected the written authorization for a sample of terminations to ensure access removed from the production environment is documented.
  Result: No exceptions noted.

Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
  Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
  Result: No exceptions noted.
  Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
  Result: No exceptions noted.

CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
  Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
  Result: No exceptions noted.
  Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
  Result: No exceptions noted.

Control: The production environment is administered by authorized personnel who require access to oversee the security and availability of the Aternity system.
  Test: Inspected the listing of users with administrator access to the production environment to ensure administrator access is appropriate.
  Result: No exceptions noted.

Control: Written authorization in the form of a ticket, email, or other documented methods is required to grant and remove access to the production environment. This process is documented within Policy.
  Test: Inspected the System Access Request Policy and the Separation Process to ensure they detail the written authorization process.
  Result: No exceptions noted.
  Test: Inspected the written authorization for a sample of new hires to ensure access granted to the production environment is documented.
  Result: No exceptions noted.
  Test: Inspected the written authorization for a sample of terminations to ensure access removed from the production environment is documented.
  Result: No exceptions noted.

CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

Control: Physical access to the Company’s facilities is controlled by proximity cards.
  Test: Inspected a sample of proximity card holders for the Company’s facilities to ensure access is restricted to appropriate personnel.
  Result: No exceptions noted.

Control: Controls relating to physical access to the hosted servers and protected information assets are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
  Test: N/A
  Result: N/A

CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

Control: The Media Disposal Policy addresses the removal and destruction of data and hardware.
  Test: Inspected the Media Disposal Policy to ensure it addresses the removal and destruction of data and hardware.
  Result: No exceptions noted.

Control: Controls relating to the destruction and disposal of hardware are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
  Test: N/A
  Result: N/A

CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Control: A virtual firewall is set up within AWS that restricts traffic to and from the environment. The rule base is reviewed periodically to identify security risks and misconfigurations.
  Test: Inspected firewall rules established to ensure the firewall restricts traffic to and from the environment.
  Result: No exceptions noted.
  Test: Inspected the results of the most recent firewall rule base review to validate the rules are reviewed on a periodic basis.
  Result: No exceptions noted.

Control: A Windows firewall is set up within the network that restricts traffic to and from the environment.
  Test: Inspected firewall rules established to ensure the firewall restricts traffic to and from the environment.
  Result: No exceptions noted.

Control: APM customer containers in the production environment are logically segmented.
  Test: Inspected the configuration of the APM production environment to ensure customer containers are logically segmented.
  Result: No exceptions noted.

Control: A third party is contracted to perform web application penetration testing on an annual basis.
  Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
  Result: No exceptions noted.

Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
  Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
  Result: No exceptions noted.

Control: Web server certificates and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
  Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
  Result: No exceptions noted.
  Test: Inquired with management to ensure no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Control: All data transmitted to and from the system is encrypted.
  Test: Inspected the protocols for non-customer-facing traffic to ensure data transmitted is encrypted.
  Result: No exceptions noted.
  Test: Inspected the protocols and encryption certificate for customer-facing traffic to ensure data transmitted is encrypted.
  Result: No exceptions noted.

Control: The EBS volume and Amazon S3 backups are encrypted.
  Test: Inspected the EBS configuration to ensure volume backups are encrypted.
  Result: No exceptions noted.
  Test: Inspected the S3 configuration to ensure backups are encrypted.
  Result: No exceptions noted.

CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Control: Antivirus is installed on Windows servers and is configured to scan for viruses weekly.
  Test: Inspected the inventory of the antivirus solution to ensure antivirus is installed on Windows servers.
  Result: No exceptions noted.
  Test: Inspected the configuration of the antivirus solution to ensure scans are run on a weekly basis.
  Result: No exceptions noted.

Control: The IPS generates alerts to Operations personnel for critical events. Alerts are reviewed and corrective action is taken as necessary.
  Test: Inspected the IPS configuration to ensure the system generates alerts to Operations personnel when it detects critical events.
  Result: No exceptions noted.
  Test: Inspected an example alert from the IPS to ensure the alert was sent to Operations personnel and corrective action was taken as necessary.
  Result: No exceptions noted.

Control: Operations personnel receive weekly email summaries from the antivirus and IPS on threats detected.
  Test: Inspected the antivirus and IPS configuration to ensure the systems generate weekly summary reports to Operations personnel.
  Result: No exceptions noted.
  Test: Inspected an example weekly email report from the antivirus and IPS to ensure the report was sent to Operations personnel.
  Result: No exceptions noted.

Control: Windows servers are patched on a monthly basis.
  Test: Inspected the WSUS patch status report for a sample of months to ensure patching occurred.
  Result: No exceptions noted.

Control: Linux servers in the production environment are rebuilt when there is a feature release, at least annually, to incorporate necessary security patches and configurations.
  Test: Inquired with management to ensure Linux servers in the production environment are rebuilt when there is a feature release to incorporate necessary security patches and configurations.
  Result: No exceptions noted.
  Test: Inspected configuration logs to ensure Linux servers in the production environment are rebuilt when there is a feature release.
  Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
  Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
  Result: No exceptions noted.
  Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
  Result: No exceptions noted.


CC7.0 – Common Criteria Related to System Operations

Criteria Service Organization Controls Tests Results

Criteria CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Control: EUEM Operations personnel review the administrative activity and failed login report on a weekly basis.
Test: Inspected the reviews completed for a sample of weeks to ensure administrator activity and failed logins were reviewed.
Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
Result: No exceptions noted.
Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
Result: No exceptions noted.

Control: A third party is contracted to perform web application penetration testing on an annual basis.
Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
Result: No exceptions noted.

Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
Result: No exceptions noted.

Control: Web server certificates and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs, and weak configurations trigger an alert.
Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
Result: No exceptions noted.
Test: Inquired with management to ensure no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
Result: Control did not operate during the period.


Criteria CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

Control: The Incident Response Plan details procedures for detecting, assessing, investigating, containing, and mitigating security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it includes the mentioned procedures.
Result: No exceptions noted.

Control: The Incident Response Plan details procedures for internal users to report security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it details procedures for internal users to report security and availability incidents.
Result: No exceptions noted.

Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
Result: No exceptions noted.
Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
Result: No exceptions noted.
Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
Result: No exceptions noted.

Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
Result: No exceptions noted.
Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
Result: No exceptions noted.


Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
Result: No exceptions noted.

Control: EUEM Operations personnel review the administrative activity and failed login report on a weekly basis.
Test: Inspected the reviews completed for a sample of weeks to ensure administrator activity and failed logins were reviewed.
Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
Result: No exceptions noted.
Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
Result: No exceptions noted.

Control: Controls relating to incident response for the hosted environment are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
Test: N/A
Result: N/A


Criteria CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

Control: Security incidents are assessed to evaluate the exposure of an incident along with the amount of damage.
Test: Inspected the Incident Response Plan to ensure incidents are assessed to evaluate the exposure along with the amount of damage.
Result: No exceptions noted.

Control: The Incident Response Plan details procedures for detecting, assessing, investigating, containing, and mitigating security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it includes the mentioned procedures.
Result: No exceptions noted.

Criteria CC7.4: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Control: The Business Continuity Plan details procedures for communicating availability incidents to external parties.
Test: Inspected the Business Continuity Plan to ensure it details procedures for communicating availability incidents to external parties.
Result: No exceptions noted.

Control: Security incidents are assessed to evaluate the exposure of an incident along with the amount of damage.
Test: Inspected the Incident Response Plan to ensure incidents are assessed to evaluate the exposure along with the amount of damage.
Result: No exceptions noted.

Control: The Incident Response Plan details procedures for detecting, assessing, investigating, containing, and mitigating security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it includes the mentioned procedures.
Result: No exceptions noted.


Criteria CC7.5: The entity identifies, develops, and implements activities to recover from identified security incidents.

Control: The Incident Response Plan is tested on a periodic basis.
Test: Inspected test results to ensure the Incident Response Plan is tested on a periodic basis.
Result: No exceptions noted.

Control: The APM EBS volumes containing customer instances are backed up every hour. Appropriate personnel are notified if issues arise with the backups.
Test: Inspected the EBS configuration to ensure volumes are backed up on an hourly basis.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the EBS backup process.
Result: No exceptions noted.

Control: The DynamoDB, Oracle, and Vertica data is backed up to Amazon S3 on a daily basis. Appropriate personnel are notified if issues arise with the backups.
Test: Inspected the DynamoDB configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.
Test: Inspected the DynamoDB configuration to ensure appropriate personnel are alerted of issues.
Result: No exceptions noted.
Test: Inquired with management to confirm no DynamoDB backups failed resulting in the alerting of personnel. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
Result: Control did not operate during the period.
Test: Inspected the Oracle configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.
Test: Inspected the Oracle configuration to ensure appropriate personnel are notified of issues.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the Oracle backup process.
Result: No exceptions noted.
Test: Inspected the Vertica configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.


Test: Inspected the Vertica configuration to ensure appropriate personnel are notified of issues.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the Vertica backup process.
Result: No exceptions noted.

Control: The EBS volume and Amazon S3 backups are encrypted.
Test: Inspected the EBS configuration to ensure volume backups are encrypted.
Result: No exceptions noted.
Test: Inspected the S3 configuration to ensure backups are encrypted.
Result: No exceptions noted.

Control: The servers and databases in the production environment are arranged for high availability through various AWS regions.
Test: Inspected evidence showing that the servers and databases are arranged for high availability through various AWS regions.
Result: No exceptions noted.

Control: APM backup restoration tests are performed quarterly to validate the integrity of the backup data.
Test: Inspected the results for a sample of backup restores to ensure the testing is performed at least quarterly.
Result: No exceptions noted.

Control: EUEM backups are tested during the release process.
Test: Inspected a sample of releases to ensure backups are tested during the release process.
Result: No exceptions noted.


CC8.0 – Common Criteria Related to Change Management

Criteria Service Organization Controls Tests Results

Criteria CC8.1: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Control: The System Development Life Cycle addresses business requirements, scoping, design, development, code review, quality assurance, and implementation of system components.
Test: Inspected the System Development Life Cycle to ensure it addresses planning (business requirements, design, and functionality), testing and code review, and deployment of builds into production.
Result: No exceptions noted.

Control: Business requirements and design specifications are documented for all developments.
Test: Inspected the System Development Life Cycle to ensure business requirements and design specifications are documented for product developments.
Result: No exceptions noted.
Test: Inspected a sample of APM developments to ensure business requirements and design specifications are documented.
Result: No exceptions noted.
Test: Inspected a sample of EUEM developments to ensure business requirements and/or design specifications are documented.
Result: No exceptions noted.

Control: All source code is reviewed for quality and adherence to coding standards using code review collaboration tools.
Test: Inspected the System Development Life Cycle to ensure code commits are reviewed for quality and adherence to coding standards using code review collaboration tools.
Result: No exceptions noted.
Test: Inspected a sample of APM developments to ensure code commits are reviewed for quality and adherence to coding standards using code review collaboration tools.
Result: No exceptions noted.
Test: Inspected a sample of EUEM developments to ensure testing was performed when necessary and quality assurance was completed.
Result: No exceptions noted.


Control: Developments undergo multiple levels of testing, including functional, performance, longevity, and scalability testing, as applicable.
Test: Inspected the System Development Life Cycle to ensure it details the types of testing that are performed for developments.
Result: No exceptions noted.
Test: Inspected a sample of APM developments to ensure testing is performed for developments.
Result: No exceptions noted.
Test: Inspected a sample of EUEM developments to ensure testing was performed when necessary prior to release of the development.
Result: No exceptions noted.

Control: Leads hold daily standup meetings to discuss the progress on new functionality and the plan for the day.
Test: Inspected the System Development Life Cycle to ensure it addresses daily standup meetings.
Result: No exceptions noted.
Test: Inspected a sample of meeting invites to ensure leads hold daily standup meetings to discuss the progress on new functionality and the plan for the day.
Result: No exceptions noted.

Control: Scrum on Scrum (SOS) meetings are held twice a week to discuss the progress on new functionality and the plan for the coming days.
Test: Inquired with management to ensure SOS meetings are held twice a week to discuss the progress on new functionality and the plan for the coming days.
Result: No exceptions noted.
Test: Inspected the recurring meeting invite to ensure leads hold daily standup meetings to discuss the progress on new functionality and the plan for the day.
Result: No exceptions noted.

Control: Major and minor releases are communicated to customers through release notes posted on the customer portal.
Test: Inspected a screenshot of the APM release portal to ensure APM releases are communicated to customers via release notes on the customer portal.
Result: No exceptions noted.


Test: Inspected a screenshot of the EUEM release portal to ensure EUEM releases are communicated to customers via release notes on the customer portal.
Result: No exceptions noted.

Control: All change requests must be formally documented and detail the reason for the change, a description of how the change is to be implemented, the impact of the change, and the back-out plan should the change not be successful, as appropriate.
Test: Inspected the Change Management Process to ensure it addresses the requirements for all submitted change requests.
Result: No exceptions noted.
Test: Inspected a sample of APM change requests to ensure requests detail the reason for the change, a description of how the change is to be implemented, the impact of the change, the back-out plan should the change not be successful, and approval, as appropriate.
Result: No exceptions noted.
Test: Inspected a sample of EUEM change requests to ensure requests detail the reason for the change, a description of how the change is to be implemented, the impact of the change, the back-out plan should the change not be successful, and approval, as appropriate.
Result: No exceptions noted.

Control: Change requests can be initiated by internal personnel through the submission of a change request.
Test: Inspected the Change Management Process to ensure it addresses internal change requests.
Result: No exceptions noted.


CC9.0 – Common Criteria Related to Risk Mitigation

Criteria Service Organization Controls Tests Results

Criteria CC9.1: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Control: The Disaster Recovery Plan addresses recovering connectivity and supporting systems to ensure customer obligations can be met.
Test: Inspected the Disaster Recovery Plan to ensure the plan addresses recovering connectivity and supporting systems so customer obligations can be met.
Result: No exceptions noted.

Control: Business continuity and disaster recovery testing are performed on an annual basis.
Test: Inspected the Business Continuity Plan and Disaster Recovery Plan to ensure they detail testing of the plans.
Result: No exceptions noted.
Test: Inspected results from the testing of the business continuity and disaster recovery strategy to ensure it is performed annually.
Result: No exceptions noted.

Criteria CC9.2: The entity assesses and manages risks associated with vendors and business partners.

Control: Third party agreements are required to include non-disclosure/confidentiality clauses.
Test: Inspected the Vendor Management Policy to ensure it details requirements for contract language in third party agreements.
Result: No exceptions noted.
Test: Inspected the agreements with in-scope subservice organizations supporting the system to ensure the agreements include non-disclosure/confidentiality clauses.
Result: No exceptions noted.

Control: The Vendor Management Policy defines expectations for identifying and risk rating all vendor relationships. The risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
Test: Inspected the Vendor Management Policy to ensure it defines expectations for identifying and risk rating all vendor relationships, and that risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
Result: No exceptions noted.

Control: The vendor risk assessment rates the inherent risk of a vendor based on the nature of the information that is stored and transmitted, cost, compliance, and quality of work.
Test: Inspected the vendor risk assessment to ensure it rates the inherent risk of a vendor based on the nature of the information that is stored and transmitted, cost, compliance, and quality of work.
Result: No exceptions noted.


Control: The vendor selection process includes a review of materials to ensure the risks associated with the vendor relationship are understood.
Test: Inspected the Vendor Management Policy to ensure it details the requirements for the vendor selection process, including a review of materials to ensure the risks associated with the vendor relationship are understood.
Result: No exceptions noted.
Test: Inquired with management and determined that there were no new subservice organizations implemented to support the production environment. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
Result: Control did not operate during the period.

Control: Vendors that pose an increased risk are reviewed on an annual basis.
Test: Inspected the Vendor Management Policy to ensure it details the requirements for an annual review of vendors that pose an increased risk.
Result: No exceptions noted.
Test: Inspected the vendor review performed for AWS to ensure the review is performed on an annual basis.
Result: No exceptions noted.


A1 - Additional Criteria for Availability

Criteria Service Organization Controls Tests Results

Criteria A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

Control: The Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls. Any issues or concerns identified are reported up to the CFO and subsequently the CEO.
Test: Inquired with management to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls, and that any issues or concerns identified are reported up to the CFO and subsequently the CEO.
Result: No exceptions noted.
Test: Inspected an example email correspondence to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls.
Result: No exceptions noted.

Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
Result: No exceptions noted.
Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
Result: No exceptions noted.
Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
Result: No exceptions noted.

Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
Result: No exceptions noted.


Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
Result: No exceptions noted.
Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
Result: No exceptions noted.

Criteria A1.2: Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.

Control: The APM EBS volumes containing customer instances are backed up every hour. Appropriate personnel are notified if issues arise with the backups.
Test: Inspected the EBS configuration to ensure volumes are backed up on an hourly basis.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the EBS backup process.
Result: No exceptions noted.

Control: The DynamoDB, Oracle, and Vertica data is backed up to Amazon S3 on a daily basis. Appropriate personnel are notified if issues arise with the backups.
Test: Inspected the DynamoDB configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.
Test: Inspected the DynamoDB configuration to ensure appropriate personnel are alerted of issues.
Result: No exceptions noted.
Test: Inquired with management to confirm no DynamoDB backups failed resulting in the alerting of personnel. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
Result: Control did not operate during the period.
Test: Inspected the Oracle configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.


Test: Inspected the Oracle configuration to ensure appropriate personnel are notified of issues.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the Oracle backup process.
Result: No exceptions noted.
Test: Inspected the Vertica configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.
Test: Inspected the Vertica configuration to ensure appropriate personnel are notified of issues.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the Vertica backup process.
Result: No exceptions noted.

Control: The EBS volume and Amazon S3 backups are encrypted.
Test: Inspected the EBS configuration to ensure volume backups are encrypted.
Result: No exceptions noted.
Test: Inspected the S3 configuration to ensure backups are encrypted.
Result: No exceptions noted.

Control: The servers and databases in the production environment are arranged for high availability through various AWS regions.
Test: Inspected evidence showing that the servers and databases are arranged for high availability through various AWS regions.
Result: No exceptions noted.

Control: APM backup restoration tests are performed quarterly to validate the integrity of the backup data.
Test: Inspected the results for a sample of backup restores to ensure the testing is performed at least quarterly.
Result: No exceptions noted.

Control: EUEM backups are tested during the release process.
Test: Inspected a sample of releases to ensure backups are tested during the release process.
Result: No exceptions noted.


Control: The Disaster Recovery Plan addresses recovering connectivity and supporting systems to ensure customer obligations can be met.
Test: Inspected the Disaster Recovery Plan to ensure the plan addresses recovering connectivity and supporting systems so customer obligations can be met.
Result: No exceptions noted.

Control: Business continuity and disaster recovery testing are performed on an annual basis.
Test: Inspected the Business Continuity Plan and Disaster Recovery Plan to ensure they detail testing of the plans.
Result: No exceptions noted.
Test: Inspected testing of the business continuity and disaster recovery strategy to ensure it is performed annually.
Result: No exceptions noted.

Control: Controls relating to environmental protections of the hosted environment are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
Test: N/A
Result: N/A


Criteria A1.3: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Control: The Disaster Recovery Plan addresses recovering connectivity and supporting systems to ensure customer obligations can be met.
Test: Inspected the Disaster Recovery Plan to ensure the plan addresses recovering connectivity and supporting systems so customer obligations can be met.
Result: No exceptions noted.

Control: Business continuity and disaster recovery testing are performed on an annual basis.
Test: Inspected the Business Continuity Plan and Disaster Recovery Plan to ensure they detail testing of the plans.
Result: No exceptions noted.
Test: Inspected testing of the business continuity and disaster recovery strategy to ensure it is performed annually.
Result: No exceptions noted.

Control: Controls relating to the recovery of the hosted environment are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
Test: N/A
Result: N/A


V. ADDITIONAL INFORMATION PROVIDED BY ATERNITY LLC

A. CONTROL EXCEPTIONS AND ATERNITY’S MANAGEMENT RESPONSES

The following section contains Aternity LLC’s detailed responses to the control exceptions discovered by Wolf & Company, P.C. covering the period of September 1, 2019 to February 29, 2020.

1. One (1) of the three (3) sampled new hires did not complete the information security training upon hire.

Management Response: One (1) individual hired in February 2020 completed information security training in accordance with Aternity LLC’s policies; however, the completion date of the information security training occurred in March 2020. New hires are enrolled in training upon hire, and both the new hires and their managers are automatically notified of incomplete training status until all required trainings are completed.


B. HEALTH INFORMATION PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) CONTROL MAPPING

Aternity LLC has designed its control environment to satisfy the requirements of the Security Rule of the Health Information Portability and Accountability Act (HIPAA). Where applicable, the design of the controls implemented to achieve the criteria of the relevant AICPA trust services principles, detailed in Section III of this report, is intended to satisfy HIPAA requirements. To assist user entities in evaluating Aternity LLC’s compliance with the HIPAA Security Rule, we have mapped applicable HIPAA requirements to SOC controls in the tables below.

Administrative Safeguards:

The administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity's workforce in relation to the protection of that information.

Safeguard (CFR §164.308) | Safeguard Description | Reference to SOC Control Above

(a) A covered entity or business associate must, in accordance with § 164.306:

(a)(1)(i) Standard: Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
SOC Control Reference: CC7.2.1, CC7.3.2, CC7.4.3

(a)(1)(ii) Implementation Specifications:

(a)(1)(ii)(A) Risk Analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
SOC Control Reference: CC3.1.1, CC3.2.1, CC3.2.3

(a)(1)(ii)(B) Risk Management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
SOC Control Reference: CC3.1.2, CC3.2.2, CC3.2.3

(a)(1)(ii)(C) Sanction Policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
SOC Control Reference: CC1.1.3, CC1.5.1

(a)(1)(ii)(D) Information System Activity Review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  SOC controls: CC4.1.4, CC4.1.12, CC4.2.7, CC5.2.4, CC6.2.2, CC6.3.1, CC7.1.1, CC7.2.5

(a)(2) Standard: Assigned Security Responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
  SOC controls: CC1.3.4

(a)(3)(i) Standard: Workforce Security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
  SOC controls: CC4.1.12, CC4.2.7, CC6.1.1, CC6.1.2, CC6.2.2, CC6.3.1, CC6.3.2

(a)(3)(ii) Implementation Specifications:

(a)(3)(ii)(A) Authorization and/or Supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
  SOC controls: CC6.2.1, CC6.3.3, CC6.4.1

(a)(3)(ii)(B) Workforce Clearance Procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
  SOC controls: CC4.1.12, CC4.2.7, CC6.1.1, CC6.1.2, CC6.2.2, CC6.3.1, CC6.3.2

(a)(3)(ii)(C) Termination Procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
  SOC controls: CC6.2.1, CC6.3.3

(a)(4)(i) Standard: Information Access Management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
  SOC controls: CC6.1.1, CC6.2.1, CC6.3.3

(a)(4)(ii) Implementation Specifications:

(a)(4)(ii)(A) Isolating Healthcare Clearinghouse Functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
  SOC controls: N/A

(a)(4)(ii)(B) Access Authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
  SOC controls: CC6.2.1, CC6.3.3

(a)(4)(ii)(C) Access Establishment and Modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
  SOC controls: CC6.2.1, CC6.3.3

(a)(5)(i) Standard: Security Awareness and Training. Implement a security awareness and training program for all members of its workforce (including management).
  SOC controls: CC1.4.2, CC2.2.6

(a)(5)(ii) Implementation Specifications. Implement:

(a)(5)(ii)(A) Security Reminders (Addressable). Periodic security updates.
  SOC controls: CC2.2.2

(a)(5)(ii)(B) Protection from Malicious Software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
  SOC controls: CC6.8.1, CC6.8.2, CC6.8.3, CC6.8.4

(a)(5)(ii)(C) Log-in Monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
  SOC controls: CC4.1.4, CC5.2.4, CC7.1.1, CC7.2.5

(a)(5)(ii)(D) Password Management (Addressable). Procedures for creating, changing, and safeguarding passwords.
  SOC controls: CC2.2.3

(a)(6)(i) Standard: Security Incident Procedures. Implement policies and procedures to address security incidents.
  SOC controls: CC2.2.4, CC7.2.1, CC7.2.2, CC7.3.1, CC7.3.2, CC7.4.2, CC7.4.3

(a)(6)(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
  SOC controls: CC2.2.4, CC7.2.1, CC7.2.2, CC7.3.1, CC7.3.2, CC7.4.2, CC7.4.3

(a)(7)(i) Standard: Contingency Plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
  SOC controls: CC5.1.3, CC5.2.9, CC9.1.1, A1.2.7, A1.3.1

(a)(7)(ii) Implementation Specifications:

(a)(7)(ii)(A) Data Backup Plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  SOC controls: CC7.5.3, CC7.5.5, A1.2.2, A1.2.4

(a)(7)(ii)(B) Disaster Recovery Plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
  SOC controls: CC7.5.6, CC7.6.7, CC9.1.1, A1.2.5, A1.2.6, A1.2.7, A1.3.1

(a)(7)(ii)(C) Emergency Mode Operation Plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  SOC controls: CC5.1.3, CC5.2.9, CC9.1.1, A1.2.7, A1.3.1

(a)(7)(ii)(D) Testing and Revision Procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
  SOC controls: CC9.1.2, A1.2.8, A1.3.2

(a)(7)(ii)(E) Applications and Data Criticality Analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
  SOC controls: CC9.1.1, A1.2.7, A1.3.1

(a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
  SOC controls: N/A

(b)(1) Business Associate Contracts and Other Arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
  SOC controls: CC2.3.3, CC3.1.3, CC3.2.4, CC3.4.2, CC3.4.3, CC9.2.1, CC9.2.2, CC9.2.4, CC9.2.5

(b)(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.
  SOC controls: N/A

(b)(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).
  SOC controls: CC2.3.3, CC9.2.1

Physical Safeguards:

The physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.

Safeguard (CFR §164.310) / Safeguard Description / Reference to SOC Control Above

(a) A covered entity or business associate must, in accordance with § 164.306:

(a)(1)(i) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
  SOC controls: CC6.4.1

(a)(2) Implementation Specifications:

(a)(2)(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  SOC controls: CC5.1.3, CC5.2.9, CC9.1.1, A1.2.7, A1.3.1

(a)(2)(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  SOC controls: CC6.4.1

(a)(2)(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  SOC controls: CC6.4.1

(a)(2)(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
  SOC controls: N/A

(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
  SOC controls: N/A

(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
  SOC controls: CC6.4.1

(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
  SOC controls: CC6.5.1

(d)(2) Implementation Specifications:

(d)(2)(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
  SOC controls: CC6.5.1

(d)(2)(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
  SOC controls: CC6.5.1

(d)(2)(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  SOC controls: N/A

(d)(2)(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
  SOC controls: N/A

Technical Safeguards:

The technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it.

Safeguard (CFR §164.312) / Safeguard Description / Reference to SOC Control Above

(a) A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
  SOC controls: CC6.1.1, CC6.1.2, CC6.2.1, CC6.3.2, CC6.3.3

(a)(2) Implementation Specifications:

(a)(2)(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
  SOC controls: CC6.1.1

(a)(2)(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  SOC controls: CC6.2.1, CC6.3.3, CC9.1.1, A1.3.1

(a)(2)(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  SOC controls: CC6.1.6

(a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
  SOC controls: CC6.7.1, CC6.7.2, CC7.5.4, A1.2.3

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  SOC controls: CC4.1.4, CC5.2.4, CC7.1.1, CC7.2.5

(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  SOC controls: N/A

(c)(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
  SOC controls: N/A

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  SOC controls: CC6.1.3

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
  SOC controls: CC6.7.1

(e)(2) Implementation Specifications:

(e)(2)(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  SOC controls: N/A

(e)(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
  SOC controls: CC6.7.1, CC6.7.2, CC7.5.4, A1.2.3

Organizational Requirements:

This standard requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity's electronic protected health information (ePHI).

Safeguard (CFR §164.314) / Safeguard Description / Reference to SOC Control Above

(a)(1) Standard: Business Associate Contracts or Other Arrangements. The contract or other arrangement required by § 164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
  SOC controls: CC2.3.3, CC9.2.1

(a)(2) Implementation specifications: (Required).

(a)(2)(i) Business associate contracts. The contract must provide that the business associate will—

(a)(2)(i)(A) Comply with the applicable requirements of this subpart;
  SOC controls: CC2.3.3, CC9.2.1

(a)(2)(i)(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
  SOC controls: CC2.3.3, CC9.2.1

(a)(2)(i)(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.
  SOC controls: CC2.3.3

(a)(2)(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section, if it has another arrangement in place that meets the requirements of § 164.504(e)(3).
  SOC controls: N/A

(a)(2)(iii) Business Associate Contracts with Subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.
  SOC controls: N/A

(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
  SOC controls: N/A

(b)(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—

(b)(2)(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
  SOC controls: N/A

(b)(2)(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
  SOC controls: N/A

(b)(2)(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
  SOC controls: N/A

(b)(2)(iv) Report to the group health plan any security incident of which it becomes aware.
  SOC controls: N/A

Policies and Procedures and Documentation Requirements:

This standard requires a covered entity to implement policies and procedures to ensure safeguards are implemented to protect electronic protected health information (ePHI).

Safeguard (CFR §164.316) / Safeguard Description / Reference to SOC Control Above

A covered entity or business associate must, in accordance with § 164.306:

(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
  SOC controls: CC5.3.1

(b)(1) Standard: Documentation.

(b)(1)(i) Maintain the policies and procedures implemented to comply with this subpart in written form.
  SOC controls: CC5.3.1

(b)(1)(ii) If an action, activity or assessment is required to be made of policies and procedures, a documented, written record of the action, activity, or assessment is required.
  SOC controls: CC5.3.1, CC5.3.3

(b)(2) Implementation specifications:

(b)(2)(i) Time limit (Required). Retain the documentation required of this section for six (6) years from the date of its creation or the date it last was in effect, whichever is later.
  SOC controls: CC5.3.2

(b)(2)(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
  SOC controls: CC2.2.1

(b)(2)(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
  SOC controls: CC5.3.3