Aternity LLC
System and Organization Controls (SOC) 2 Report
September 1, 2019 through February 29, 2020
TABLE OF CONTENTS
I. ATERNITY LLC’S ASSERTION ..... 1
II. INDEPENDENT SERVICE AUDITOR’S REPORT ..... 4
III. DESCRIPTION OF ATERNITY LLC’S SYSTEMS ..... 9
   A. SYSTEM OVERVIEW ..... 9
   B. INFRASTRUCTURE ..... 13
   C. OTHER RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESSES, INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING CONTROLS ..... 19
   D. CHANGES TO THE CONTROL ENVIRONMENT ..... 23
   E. APPLICABLE TRUST SERVICES CRITERIA AND RELATED CONTROLS ..... 23
   F. COMPLEMENTARY SUBSERVICE ORGANIZATION CONTROLS ..... 24
   G. COMPLEMENTARY USER ENTITY CONTROLS ..... 25
IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS ..... 26
   A. INTRODUCTION ..... 26
   B. APPLICABLE TRUST SERVICES CRITERIA ..... 26
   C. TESTING OF OPERATING EFFECTIVENESS ..... 27
V. ADDITIONAL INFORMATION PROVIDED BY ATERNITY LLC ..... 70
   A. CONTROL EXCEPTIONS AND RIVERBED’S MANAGEMENT RESPONSES ..... 70
   B. HEALTH INFORMATION PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) CONTROL MAPPING ..... 71
I. ATERNITY LLC’S ASSERTION
We have prepared the accompanying description of Aternity LLC’s EUEM/APM Software as a Service (SaaS)
solution titled “Description of Aternity LLC’s Systems” throughout the period September 1, 2019 to February 29,
2020 (description) based on the criteria for a description of a service organization’s system in DC section 200,
2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA,
Description Criteria) (description criteria). The description is intended to provide report users with information
about the system that may be useful when assessing the risks arising from interactions with Aternity LLC’s
system, particularly information about system controls that Aternity LLC has designed, implemented, and
operated to provide reasonable assurance that its service commitments and system requirements were achieved
based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section
100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
(AICPA, Trust Services Criteria).
Aternity LLC uses a subservice organization (Amazon Web Services (AWS)) to provide cloud hosting services
to support the system. The description indicates that complementary subservice organization controls that are
suitably designed and operating effectively are necessary, along with controls at Aternity LLC to achieve
Aternity LLC’s service commitments and system requirements based on the applicable trust services criteria. The
description presents Aternity LLC’s controls, the applicable trust services criteria, and the types of
complementary subservice organization controls assumed in the design of Aternity LLC’s controls. The
description does not disclose the actual controls at the subservice organization (AWS).
The description indicates that complementary user entity controls that are suitably designed and operating
effectively are necessary, along with controls at Aternity LLC to achieve Aternity LLC’s service commitments
and system requirements based on the applicable trust services criteria. The description presents Aternity LLC’s
controls, the applicable trust services criteria, and the complementary user entity controls assumed in the design
of Aternity LLC’s controls.
The description discusses the training requirements for employees, which include the need for employees to be
notified of changes to the Employee Handbook. However, during the period of September 1, 2019 to February
29, 2020, Aternity LLC did not have any updates to the Employee Handbook that would warrant the control for
notifying employees of updates to the Employee Handbook to operate for the following trust services criteria:
CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

The description discusses that performance reviews are completed on a periodic basis. However, during the period
of September 1, 2019 to February 29, 2020, Aternity LLC did not conduct performance reviews that would warrant
the control for reviews to operate for the following trust services criteria: CC1.4 COSO Principle 4: The entity
demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives, and
CC1.5 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives.

The description discusses vendor selection procedures, which include the procedures for assessing the risks and
controls for new vendors supporting the production environment. However, during the period of September 1, 2019
to February 29, 2020, Aternity LLC did not onboard any new vendors to support the production environment that
would warrant the operation of vendor selection controls for the following trust services criteria: CC3.4 COSO
Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal
control, and CC9.2 The entity assesses and manages risks associated with vendors and business partners.

Similarly, the description discusses the need for business associates to sign a business associate agreement if
access to electronic protected health information is to be granted. However, during the period of September 1,
2019 to February 29, 2020, Aternity LLC did not onboard any new vendor relationships that would warrant the need
for the business associate agreement control for the following trust services criteria: CC2.3 COSO Principle 15:
The entity communicates with external parties regarding matters affecting the functioning of internal control.

Additionally, the description discusses the alerting for weak EUEM configurations. However, during the period of
September 1, 2019 to February 29, 2020, Aternity LLC did not have any alerts generated for the weak configuration
of EUEM that would warrant the operation of controls for the following trust services criteria: CC4.1 COSO
Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether
the components of internal control are present and functioning; CC4.2 COSO Principle 17: The entity evaluates and
communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the board of directors, as appropriate; CC5.2 COSO Principle 11: The
entity also selects and develops general control activities over technology to support the achievement of
objectives; CC6.6 The entity implements logical access security measures to protect against threats from sources
outside its system boundaries; and CC7.1 To meet its objectives, the entity uses detection and monitoring
procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and
(2) susceptibilities to newly discovered vulnerabilities.

Lastly, the description discusses the process for alerting when the backups for DynamoDB fail. However, during the
period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any failed DynamoDB backups that
would warrant the operation of alerting controls for the following trust services criteria: CC7.5 The entity
identifies, develops, and implements activities to recover from identified security incidents, and A1.2 The entity
authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental
protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
We confirm, to the best of our knowledge and belief, that:
a. the description presents Aternity LLC’s system that was designed and implemented throughout the
period September 1, 2019 to February 29, 2020, in accordance with the description criteria.
b. the controls stated in the description were suitably designed throughout the period September 1, 2019
to February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and
system requirements would be achieved based on the applicable trust services criteria, if its controls
operated effectively throughout that period, and if the subservice organization and user entities
applied the complementary controls assumed in the design of Aternity LLC’s controls throughout
that period.
c. the controls stated in the description operated effectively throughout the period September 1, 2019 to
February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and
system requirements were achieved based on the applicable trust services criteria, if complementary
subservice organization controls and complementary user entity controls assumed in the design of
Aternity LLC’s controls operated effectively throughout that period.
II. INDEPENDENT SERVICE AUDITOR’S REPORT
To: Aternity LLC
Scope
We have examined Aternity LLC’s accompanying description of its EUEM/APM Software as a Service (SaaS)
solution titled “Description of Aternity LLC’s Systems” throughout the period September 1, 2019 to February 29,
2020 (description) based on the criteria for a description of a service organization’s system in DC section 200,
2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA,
Description Criteria), (description criteria) and the suitability of the design and operating effectiveness of
controls stated in the description throughout the period September 1, 2019 to February 29, 2020 to provide
reasonable assurance that Aternity LLC’s service commitments and system requirements were achieved based on
the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP
section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and
Privacy (AICPA, Trust Services Criteria).
Aternity LLC uses a subservice organization (Amazon Web Services (AWS)) to provide cloud hosting services
to support the system. The description indicates that complementary subservice organization controls that are
suitably designed and operating effectively are necessary, along with controls at Aternity LLC, to achieve
Aternity LLC’s service commitments and system requirements based on the applicable trust services criteria. The
description presents Aternity LLC’s controls, the applicable trust services criteria, and the types of
complementary subservice organization controls assumed in the design of Aternity LLC’s controls. The
description does not disclose the actual controls at the subservice organization (AWS). Our examination did not
include the services provided by the subservice organization (AWS), and we have not evaluated the suitability of
the design or operating effectiveness of such complementary subservice controls.
The description indicates that complementary user entity controls that are suitably designed and operating
effectively are necessary, along with controls at Aternity LLC, to achieve Aternity LLC’s service commitments
and system requirements based on the applicable trust services criteria. The description presents Aternity LLC’s
controls, the applicable trust services criteria, and the complementary user entity controls assumed in the design
of Aternity LLC’s controls. Our examination did not include such complementary user entity controls and we
have not evaluated the suitability of the design or operating effectiveness of such controls.
The information included in Section V, "Additional Information Provided by Aternity LLC" is presented by
Aternity LLC’s management to provide additional information and is not a part of the description. Information
contained in Section V has not been subjected to the procedures applied in the examination of the description, the
suitability of the design of controls, and the operating effectiveness of the controls to achieve Aternity LLC’s
service commitments and system requirements based on the applicable trust services criteria, and accordingly, we
express no opinion on it.
Service Organization’s Responsibilities
Aternity LLC is responsible for its service commitments and system requirements and for designing,
implementing, and operating effective controls within the system to provide reasonable assurance that Aternity
LLC’s service commitments and system requirements were achieved. Aternity LLC has provided the
accompanying assertion titled “Aternity LLC’s Assertion” (assertion) about the description and the suitability of
design and operating effectiveness of controls stated therein. Aternity LLC is also responsible for preparing the
description and assertion, including the completeness, accuracy, and method of presentation of the description
and assertion; providing the services covered by the description; selecting the applicable trust services criteria
and stating the related controls in the description; and identifying the risks that threaten the achievement of the
service organization’s service commitments and system requirements.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on the description and on the suitability of design and operating
effectiveness of controls stated in the description based on our examination. Our examination was conducted in
accordance with attestation standards established by the American Institute of Certified Public Accountants.
Those standards require that we plan and perform our examination to obtain reasonable assurance about whether,
in all material respects, the description is presented in accordance with the description criteria and the controls
stated therein were suitably designed and operated effectively to provide reasonable assurance that the service
organization’s service commitments and system requirements were achieved based on the applicable trust
services criteria. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable
basis for our opinion.
An examination of the description of a service organization’s system and the suitability of the design and
operating effectiveness of controls involves the following:
- Obtaining an understanding of the system and the service organization’s service commitments and system requirements
- Assessing the risks that the description is not presented in accordance with the description criteria and that controls were not suitably designed or did not operate effectively
- Performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria
- Performing procedures to obtain evidence about whether controls stated in the description were suitably designed to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria
- Testing the operating effectiveness of controls stated in the description to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria
- Evaluating the overall presentation of the description
Our examination also included performing such other procedures as we considered necessary in the
circumstances.
Inherent Limitations
The description is prepared to meet the common needs of a broad range of report users and may not, therefore,
include every aspect of the system that individual users may consider important to meet their informational
needs.
There are inherent limitations in the effectiveness of any system of internal control, including the possibility of
human error and the circumvention of controls.
Because of their nature, controls may not always operate effectively to provide reasonable assurance that the
service organization’s service commitments and system requirements are achieved based on the applicable trust
services criteria. Also, the projection to the future of any conclusions about the suitability of the design and
operating effectiveness of controls is subject to the risk that controls may become inadequate because of changes
in conditions or that the degree of compliance with the policies or procedures may deteriorate.
Description of Tests of Controls
The specific controls we tested and the nature, timing, and results of those tests are listed in section IV.
Controls Did Not Operate During the Period Covered by the Report
Aternity LLC’s description discusses the training requirements for employees, which include the need for
employees to be notified of changes to the Employee Handbook. However, during the period of September 1,
2019 to February 29, 2020, Aternity LLC did not have any updates to the Employee Handbook that would
warrant the control for notifying employees of updates to the Employee Handbook to operate for the following
trust services criteria: CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical
values.

The description discusses that performance reviews are completed on a periodic basis. However, during the
period of September 1, 2019 to February 29, 2020, Aternity LLC did not conduct performance reviews that
would warrant the control for reviews to operate for the following trust services criteria: CC1.4 COSO Principle
4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with
objectives, and CC1.5 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives.

The description discusses vendor selection procedures, which include the procedures for assessing the risks and
controls for new vendors supporting the production environment. However, during the period of September 1, 2019
to February 29, 2020, Aternity LLC did not onboard any new vendors to support the production environment that
would warrant the operation of vendor selection controls for the following trust services criteria: CC3.4 COSO
Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal
control, and CC9.2 The entity assesses and manages risks associated with vendors and business partners.

Similarly, the description discusses the need for business associates to sign a business associate agreement if
access to electronic protected health information is to be granted. However, during the period of September 1,
2019 to February 29, 2020, Aternity LLC did not onboard any new vendor relationships that would warrant the need
for the business associate agreement control for the following trust services criteria: CC2.3 COSO Principle 15:
The entity communicates with external parties regarding matters affecting the functioning of internal control.

Additionally, the description discusses the alerting for weak EUEM configurations. However, during the period of
September 1, 2019 to February 29, 2020, Aternity LLC did not have any alerts generated for the weak configuration
of EUEM that would warrant the operation of controls for the following trust services criteria: CC4.1 COSO
Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether
the components of internal control are present and functioning; CC4.2 COSO Principle 17: The entity evaluates and
communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the board of directors, as appropriate; CC5.2 COSO Principle 11: The
entity also selects and develops general control activities over technology to support the achievement of
objectives; CC6.6 The entity implements logical access security measures to protect against threats from sources
outside its system boundaries; and CC7.1 To meet its objectives, the entity uses detection and monitoring
procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and
(2) susceptibilities to newly discovered vulnerabilities.

Lastly, the description discusses the process for alerting when the backups for DynamoDB fail. However, during the
period of September 1, 2019 to February 29, 2020, Aternity LLC did not have any failed DynamoDB backups that
would warrant the operation of alerting controls for the following trust services criteria: CC7.5 The entity
identifies, develops, and implements activities to recover from identified security incidents, and A1.2 The entity
authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental
protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
Opinion
In our opinion, in all material respects,
a. the description presents Aternity LLC’s system that was designed and implemented throughout the
period September 1, 2019 to February 29, 2020, in accordance with the description criteria.
b. the controls stated in the description were suitably designed throughout the period September 1, 2019
to February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and
system requirements would be achieved based on the applicable trust services criteria, if its controls
operated effectively throughout that period and if the subservice organization and user entities
applied the complementary controls assumed in the design of Aternity LLC’s controls throughout
that period.
c. the controls stated in the description operated effectively throughout the period September 1, 2019 to
February 29, 2020, to provide reasonable assurance that Aternity LLC’s service commitments and
system requirements were achieved based on the applicable trust services criteria, if complementary
subservice organization and complementary user entity controls assumed in the design of Aternity
LLC’s controls operated effectively throughout that period.
Restricted Use
This report, including the description of tests of controls and results thereof in section IV, is intended solely for
the information and use of Aternity LLC, user entities of Aternity LLC’s EUEM/APM SaaS solution during some
or all of the period September 1, 2019 to February 29, 2020, business partners of Aternity LLC subject to risks
arising from interactions with the system, practitioners providing services to such user entities and business
partners, prospective user entities and business partners, and regulators who have sufficient knowledge and
understanding of the following:
- The nature of the service provided by the service organization
- How the service organization’s system interacts with user entities, business partners, subservice organizations, and other parties
- Internal control and its limitations
- Complementary user entity controls and complementary subservice organization controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements
- User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services
- The applicable trust services criteria
- The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks
This report is not intended to be, and should not be, used by anyone other than these specified parties.
Boston, MA
May 7, 2020
III. DESCRIPTION OF ATERNITY LLC’S SYSTEMS
A. SYSTEM OVERVIEW
Aternity LLC’s (Aternity’s or the Company’s) Aternity solution helps enterprises manage the digital
experience of their employees and customers. The solution allows companies to deliver superior digital
experiences to all their users, across all applications and devices. Aternity is the only end-to-end solution
that blends device-based end user experience, infrastructure, application, and network monitoring to provide
a holistic view of the users’ digital experience.
The Aternity End-User Experience Monitoring (EUEM) module provides the ability to see the entire
workforce experience on any application running on any device, providing a user-centric vantage point that
closes the visibility gap existing with network- and server-centric application performance management
tools. By effectively transforming every device — physical, virtual, and mobile — into a self-monitoring
platform that is user experience aware, enterprises are empowered with user-centric, proactive IT
management capabilities that dramatically reduce business disruptions and increase workforce productivity.
The Aternity Application Performance Monitoring (APM) module (aka AppInternals) helps customers build
and deliver high-performing applications, infrastructure, and networks on and off the cloud. It continuously
monitors them with minimal overhead to give customers end-to-end visibility and insights around the clock,
allowing customers to trace every transaction while capturing system metrics every second in
development, test, and production environments. This gives the customer multiple perspectives into end user
experience, application, network, and infrastructure performance, along with workflows for root cause
analysis and problem discovery.
The Aternity EUEM and APM modules are hosted on separate server environments within the Amazon Web
Services (AWS) infrastructure. They are integrated; however, they utilize different architectures as
described below.
Introduction to Aternity EUEM Solution Architecture
The architecture of the Aternity EUEM solution covers a wide range of business environments, from small-
scale deployments with a few hundred end points to large international enterprises with tens of thousands of
end points. This section provides a high-level overview of the platform’s components.
The Aternity EUEM deployment is built from a set of loosely coupled components that are tightly
integrated into a highly scalable solution:
- End Points
- Aggregation Servers (one (1) or more)
- Management Server
- Analytics Server
- Data Warehouse (DW)
- Dashboards Server
- Database Servers (Vertica, Oracle, and Cassandra)
- Docker Server
End Points are any physical or virtual entities via which Aternity monitors end user experience.
The end points are client side components and are not covered by the disaster recovery (DR) process.
Aggregation Servers are deployed in a distributed configuration. Dedicated Aggregation Servers are used
for the bi-directional communication between the End Points and the Management Server, and to aggregate
measurements from a group of End Points to pass on to the Management Server. The Aggregation Server
(one (1) copy) application is saved on a preconfigured Amazon Machine Image (AMI) that is launched as
part of the recovery procedure.
The EUEM Management Server is a core component handling core functions, system management,
external integration, user interface and reporting. All platform configuration, administration and integration
are performed centrally from the management user interface. The Management Server application is saved
on a preconfigured AMI that is launched as part of the recovery procedure.
The Data Warehouse (DW) Server is a core component dedicated to handling the data arriving from the
Aggregation Servers, and populating it into the database according to the specified retention policy. On
small deployments, this server may be co-hosted with the Management Server. On medium or larger
deployments, it resides on its own dedicated host. The DW Server application is saved on a preconfigured
AMI that is launched as part of the recovery procedure.
The Dashboards Server is a server hosting the Tableau Server and the Tableau Gateway instances. The
Tableau Server stores and generates the analytical dashboards available on the platform. The Tableau
Gateway handles the integration between the Tableau Server and the rest of the platform. The Dashboard
Server application is saved on a preconfigured AMI that is launched as part of the recovery procedure.
The Vertica Database Server stores the performance data from the past one (1) to two (2) years in
the Vertica format, which is most efficient for displaying in EUEM dashboards.
The Oracle Database Server hosts the Oracle Enterprise database used by the platform for storing all
historical, transient, and configuration data. A real-time clone database is used as a standby server. Data is
fully backed up twice a week and incremental backups are taken on other days using Recovery Manager
(RMAN). The backups are saved on a separate Elastic Block Store (EBS) volume storage. At the end of the
backup the backup files are copied to Amazon Simple Storage Service (S3). In the event of disaster,
Aternity will use the standby Database server or will perform a full restore using the then current backup in
a worst-case scenario.
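As an added illustration (not part of the report or of Aternity's tooling), the following Python check evaluates a backup history against the Oracle backup policy stated above: full backups twice a week, incremental backups on the other days, and every backup set copied to S3 after it completes. It is the kind of evidence test an auditor or operations engineer would run for the backup and alerting controls (CC7.5, A1.2); the backup records are constructed sample data, and the record format is an assumption.

```python
"""Check a backup history against the stated policy: two full backups per
week, incremental backups on the other days, every backup set copied to S3.
The records used below are constructed sample data, not real logs."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupRecord:
    """One backup run (assumed record shape; one run per calendar day)."""
    day: date
    kind: str           # "full" or "incremental"
    succeeded: bool
    copied_to_s3: bool  # True once the backup files landed in S3


def iso_week(d: date) -> tuple[int, int]:
    """(ISO year, ISO week) used to group runs into weeks."""
    y, w, _ = d.isocalendar()
    return (y, w)


def complete_weeks(start: date, end: date) -> list[tuple[int, int]]:
    """ISO weeks whose Monday and Sunday both lie inside [start, end]."""
    weeks = []
    monday = start - timedelta(days=start.weekday())
    if monday < start:
        monday += timedelta(days=7)
    while monday + timedelta(days=6) <= end:
        weeks.append(iso_week(monday))
        monday += timedelta(days=7)
    return weeks


def check_backup_policy(records, period_start, period_end, fulls_per_week=2):
    """Return a list of findings; an empty list means the policy was met."""
    findings = []
    by_day = {}
    for r in records:
        by_day[r.day] = r
        if not r.succeeded:
            # A failed run is exactly what the alerting control should surface.
            findings.append(f"{r.day}: {r.kind} backup failed (should raise an alert)")
        elif not r.copied_to_s3:
            findings.append(f"{r.day}: {r.kind} backup not copied to S3")

    # Every day in the period must have some backup run recorded.
    d = period_start
    while d <= period_end:
        if d not in by_day:
            findings.append(f"{d}: no backup recorded")
        d += timedelta(days=1)

    # Count successful full backups per complete week in the period.
    fulls = defaultdict(int)
    for r in records:
        if r.kind == "full" and r.succeeded:
            fulls[iso_week(r.day)] += 1
    for wk in complete_weeks(period_start, period_end):
        if fulls[wk] < fulls_per_week:
            findings.append(
                f"ISO week {wk}: only {fulls[wk]} full backup(s), expected {fulls_per_week}")
    return findings


# Constructed two-week sample: Sept 2, 2019 is a Monday; full backups on
# Wednesday and Sunday, incrementals otherwise. Week 1 is clean; in week 2
# the Thursday copy to S3 never ran and the Sunday full backup failed.
SAMPLE_START = date(2019, 9, 2)
SAMPLE_END = date(2019, 9, 15)


def sample_history() -> list[BackupRecord]:
    records = []
    for offset in range(14):
        d = SAMPLE_START + timedelta(days=offset)
        kind = "full" if d.weekday() in (2, 6) else "incremental"
        succeeded = d != date(2019, 9, 15)
        copied = succeeded and d != date(2019, 9, 12)
        records.append(BackupRecord(d, kind, succeeded, copied))
    return records


def sample_findings() -> list[str]:
    return check_backup_policy(sample_history(), SAMPLE_START, SAMPLE_END)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```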
The Cassandra Database Server stores the detailed information and measurements for monitored
devices for a maximum of seven (7) days.
The EUEM Docker Server is a component containing a range of containers, which add functionality to
EUEM. Additional information on the functionality is listed below:
- EUEM Vertica Scheduler is responsible for creating the time-sensitive rollup aggregations in the Vertica Database Server
- EUEM Data Source for Portal provides EUEM data to the Aternity Portal™, so you can view end-user experience data in its dashboards
- EUEM SDA Server allows defining email or ServiceNow alerts on top of EUEM health events
- EUEM REST API Server allows authorized users to send REST API queries to directly extract and analyze EUEM's data without accessing EUEM's dashboards
- EUEM DPS is the data processing component, responsible for parsing and aggregating specific measurements
- EUEM Messaging Broker is built on top of the Kafka infrastructure and serves as the messaging system between various EUEM components
Introduction to the Aternity APM Solution Architecture
The central architectural component of the APM solution is the analysis server. The analysis server stores
and processes performance data generated by the web pages and agent systems that the customer wants to
monitor. The analysis server also provides the web interface for users to manage and analyze the collected
data.
Server agents establish a web socket connection in order to transfer monitoring data to the Agent Redirector
service via an AWS Elastic Load Balancer service. The redirector service then sends agent configuration,
trace and other monitoring data traffic to the appropriate Analysis Server hosted in Docker containers on
AWS Elastic Compute Service, with persistent storage in AWS EBS. Network and process monitoring data is
routed to AWS S3, where it is then picked up, processed, and persisted in AWS DynamoDB. The AWS Cognito
service is used as a user authorization repository. AWS Lambda functions are used for isolated management
operations.
The APM collects data from web pages and from systems where an Aternity APM agent is installed:
• Browser instrumentation data: The APM monitors web page performance by collecting data on page loads and (if configured) AJAX requests in users’ web browsers. This “end user experience” data reflects application performance from the perspective of the end user. To collect this data, Aternity APM adds a JavaScript snippet to web pages that sends a beacon with timing data to the Aternity SaaS analysis server.
• Agent systems: Aternity APM agent software is installed on systems that are to be monitored. The agent software collects application and environmental data:
  o Application: Aternity APM monitors Java and .NET application performance by starting with the application and measuring method start and completion times. The JIDA and .NET sub-agents “instrument” specific classes and methods of interest and send performance data to the Aternity SaaS analysis server.
  o Environment: The Operating System (OS) sub-agent monitors key OS resource metrics such as CPU, memory, and networking on systems where agents are installed. This data is sent to the Aternity SaaS analysis server.
Note: Aternity APM web page and agent systems components are external to the APM servers hosted in
AWS and outside the scope of controls described in this report.
B. INFRASTRUCTURE
Aternity delivers the services on-premises, dedicated in the cloud, or as a SaaS to provide services to a
variety of customers, including manufacturing, healthcare providers, and financial services institutions. The
controls surrounding the on-premises service offering are not addressed within this report.
SaaS solutions rely exclusively on servers residing in the global AWS cloud public infrastructure. Together
these servers orchestrate a series of services hosted by Aternity with dependencies that function as a part of
the collective Aternity SaaS infrastructure.
Amazon dedicated instances are used in case electronic protected health information (ePHI) is stored.
Dedicated instances are Amazon Elastic Compute Cloud (EC2) instances that run in a virtual private cloud
(VPC) on hardware that is dedicated to a single customer. The dedicated instances are physically isolated at
the host hardware level from instances that belong to other AWS accounts.
Servers – Aternity EUEM servers operate exclusively on Windows-based virtual servers within the AWS
environment. Aternity APM servers operate exclusively on Linux-based virtual servers within the AWS
environment.
Physical & Environmental Controls – The Aternity EUEM and APM solutions are housed exclusively
within AWS facilities. AWS issues a third party SOC 2 report. As part of management’s vendor due
diligence and ongoing monitoring process, the Company receives and reviews the AWS SOC 2 report at
least annually to ensure that appropriate physical and environmental controls are in place and operating
effectively at the subservice organization.
1) Software
Operating System Native Security – Aternity EUEM and APM utilize native security features to control
access to information resources residing on production/testing servers. Aternity EUEM utilizes Windows
native security features to control access to information resources residing on the production/ testing servers.
Access to the production Windows domain is controlled through Windows Active Directory (AD) security.
User access rights on all platforms are controlled through the use of profiles based on a person’s job
responsibilities. These profiles provide access to individuals based on their job function.
Windows security controls are automatically invoked when the operating systems are loaded. All users are
authenticated through an ID/password combination before access to network resources is granted.
Contractors, under confidentiality and non-disclosure agreements, may be given limited-privilege Windows
domain user accounts for software installation, configuration and support. Customer personnel are not given
user IDs that have the ability to authenticate on the Windows domain.
Aternity APM utilizes Linux native security features to control access to information resources residing on
the production/testing servers. Access to the Linux platform is controlled through native Linux operating
system security controls. User access rights on all platforms are controlled through the use of profiles based
on a person’s job responsibilities. These profiles provide access to individuals based on their job function.
Linux security controls are automatically invoked when the operating system is loaded. All Aternity
operations and support users are authenticated using public/private key pair combinations before access to
network resources is granted. Customer personnel are not given the ability to authenticate on the Linux
platform.
User Account Controls – Appropriate password practices are utilized and enforced by the Aternity EUEM
and APM solutions. These practices include requirements for a password that is complex, meets minimum
length requirements, and expires on a defined frequency.
Administrative Access Controls – Logical access to the Aternity EUEM and APM production
environments is restricted to authorized personnel who require access to perform their job functions.
Administrative access is controlled through the use of individually assigned user IDs and passwords.
Minimum password length and configuration requirements are set. Administrator accounts are removed
when a person leaves the Company or changes roles. Administrative access to the AWS management
console for the Aternity APM system also requires the use of multi-factor authentication (MFA).
Virus Detection and Prevention – Aternity EUEM utilizes McAfee virus scanning applications to examine
inbound traffic received from the Internet as well as internal traffic and data. If a virus is detected, IT
personnel are notified and will follow the Incident Response procedures if necessary.
Patching – Aternity EUEM servers utilize the Windows Software Update Service (WSUS) to manage the
deployment of patches released by Microsoft. Patches are applied within thirty (30) days of release.
All servers in the Aternity APM production environments are rebuilt periodically. All available patches are
applied automatically as part of the server build process.
2) Data
Customers use the Aternity EUEM and APM to collect and manage system and application performance
data. Customer configuration data is input from users and performance data is collected from end-user
devices, browsers, and application agents and stored in customer specific containers. Customers define their
own requirements for monitoring and, as such, the data stored may be sensitive or proprietary if the
collection of such data is necessary to satisfy the customer’s monitoring requirements. However, the
Aternity EUEM and APM SaaS should not be used to collect, store, or process protected personal
information (PPI) or ePHI. Customers who wish to collect PPI and/or ePHI must use an on-premises or
dedicated cloud solution.
3) Procedures
The Company maintains documented policies and procedures to guide personnel in classifying system
alerts, documenting incidents, monitoring performance and reporting statistics. Regular reporting is utilized
by management to identify deviations from documented policies and procedures and guide corrective
actions. Below are specific procedures as they relate to the operation of the Aternity EUEM and APM
dedicated and SaaS solutions.
Vulnerability Assessments – The Company conducts regular vulnerability scanning of APM and regular
penetration testing of the Aternity EUEM and APM environments. Vulnerabilities identified as a result of
the assessments are classified and remediation action is taken based on the classification. Product teams
utilize multiple commercial vulnerability scanning tools to assess the security of system software prior to
deployment into production. Identified vulnerabilities are investigated and resolved prior to deployment.
Aternity’s Information Security team subscribes to multiple threat intelligence sources that provide alerts
that rank vulnerabilities from high to low. Alerts from these sources are reviewed as they arrive and
distributed to designated representatives of Aternity’s labs, infrastructure, and product teams. Once received
by the appropriate teams, vulnerabilities are assessed to determine whether they affect the Aternity EUEM
or APM environments and what actions need to be taken. Below are details on potential actions that may be
taken based on the classification of threat intelligence information:
1. Changes required to mitigate "high-risk" vulnerabilities will be scheduled as soon as possible and
pushed to the environment via off-cycle change requests.
2. Other vulnerabilities are included in the standard build cycle. All servers are fully rebuilt and
patched when new product versions are released.
3. Threats and threat sources that may exploit identified or assessed vulnerabilities are monitored
immediately and explicitly until the vulnerabilities have been mitigated.
4. Vulnerability mitigation plans will specify, at a minimum, the proposed resolution to address
identified vulnerabilities, the tasks required to effect the changes, and the assignment of the
required tasks to appropriate personnel.
5. Vulnerability exceptions or waivers must be documented and approved by management and the
Aternity Information Security team.
6. Appropriate testing and assessment activities are performed after vulnerability mitigation plans
have been executed to verify and validate that the vulnerabilities have been successfully
addressed.
7. Appropriate notifications are provided after vulnerability mitigation plans have been executed.
Change Management – Aternity teams track historical activities for the Aternity EUEM and APM
environments via change management records. The purpose of these records is to provide a historical audit
trail of changes applied to the environment that were initiated via customer request, system maintenance
activity, incident management, upgrade activity or proactive support. The primary goal and focus of these
activities is to ensure system stability and achieve service and performance targets.
Change requests can be initiated by internal personnel through the submission of a change request. All
change requests are documented and must include all details required to successfully implement the change,
including the reason for the change, a description of how the change is to be implemented, the impact of the
change, and a back out plan when applicable to be used in the event that the change is not successful.
Software changes undergo multiple automated and manual reviews, when applicable, before they can be
approved for deployment.
Monitoring Procedures – The Aternity EUEM and APM production environments are monitored by a
combination of log monitoring, analytics, alerting and reporting solutions. These solutions are configured to
monitor both core infrastructure components and individual servers and generate alerts when defined
thresholds have been exceeded. Monitoring includes key operational metrics such as CPU, memory, disk
usage, accessibility, and performance metrics.
Security Event Monitoring – Security events, including administrator activity and access anomalies, are
logged. Logs are reviewed regularly and anomalous events are investigated and resolved.
System Development Life Cycle (SDLC) – The SDLC addresses business requirements, scoping, design,
development, code review, quality assurance, and implementation of system components. The overall
process is initiated by a Product Manager (PM) who is responsible for collecting and prioritizing a high
level feature list. Development leads work with the PM and Aternity’s Chief Technology Officer (CTO) to
prioritize the list of features and decide on a high-level architecture. The development leads then work with
developers to produce detailed designs and epics/stories/tasks. Designs are reviewed by the PM and other
stakeholders and features are targeted for a release based on resource availability and estimated effort.
Development focuses on two (2) release trains:
• A "stable" release train that receives only critical (typically, customer-reported) bug fixes and security fixes. These "stable" releases come out on a monthly schedule.
• A "feature" release train that receives new features. The "feature" releases come out on a six-week cadence.
A major.minor.point versioning scheme is used for the Aternity EUEM and APM solutions. The feature
releases increment the major or minor version (typically, the minor version). The stable releases increment
just the point version.
Development of features occurs on a regular cadence. The release cadence may be adjusted from time to
time, as needed. To ensure the stability of releases, a set time period is established for feature development.
If a feature is not complete by the end of this period, it will not get included in a release. Additional time is
then allocated for bug fixing before a “lockdown” phase during which only critical fixes may be applied.
To ensure the integrity of released code, Development and Quality Assurance (QA) leads meet regularly to
coordinate across the different teams. A strict code management process has also been established.
All code is reviewed by a peer or manager before being merged into the mainline and system-level
automated tests are executed on every nightly build by the QA team. The QA team is also responsible for
developing and executing manual test plans and verifying that all bugs are properly fixed.
Multiple environments are maintained to facilitate the development and testing of product releases. These
environments include development, QA, staging, and production. Releases graduate from one environment
to the next as development progresses.
Backup, Recovery, and Business Continuity – The back-up and recovery process is based on the
following services and features of AWS:
• Locations: Amazon Regions and Availability Zones (AZ)
• Compute: Amazon EC2
• Storage: Amazon S3, Amazon EBS, Amazon Cognito, Amazon DynamoDB
• Replications: Amazon Machine Images (AMI)
• Networking: Amazon Route 53
Amazon Regions – AWS is available in multiple regions around the globe. Regions consist of one (1) or
more AZs. AZs are distinct locations that are engineered to be insulated from failures in other AZs. In case of
disaster, the system can be duplicated to a different availability zone in the same region (preferably) or to a
different region that is not affected by the disaster event.
Amazon EC2 – Amazon EC2 is on-demand computing power (virtual instance) that can be created within
minutes from a web-based console.
Amazon EBS – Amazon EBS provides persistent, block-level storage volumes for Amazon EC2
applications within the same availability zone.
Amazon Machine Images (AMIs) – AMIs are preconfigured with operating systems and application stacks. The
AMIs are launched as part of the recovery procedure and reduce the time needed to install the software.
Amazon S3 – Amazon S3 is a cloud-based object store available through web services interfaces such as
REST and SOAP. It is designed to offer 99.999999999% availability of objects. For disaster recovery (DR),
point-in-time snapshots of Amazon EBS volumes of database backups are copied and maintained in
Amazon S3 storage, limiting any data loss to that which was created since the last recovery point and
recovery time interruption.
Amazon Cognito – Amazon Cognito is an AWS product that controls user authentication and access for
mobile applications on internet-connected devices. The service saves and synchronizes end-user data, which
enables an application developer to focus on writing code instead of building and managing the back-end
infrastructure. This can accelerate the mobile application development process.
Amazon DynamoDB – Amazon DynamoDB is a fully managed proprietary NoSQL database service.
Amazon Route 53 – Amazon Route 53 is a highly available and scalable domain name system (DNS) web
service. Amazon Route 53 provides the ability to fail over between multiple endpoints.
System and Customer Data – For Aternity EUEM, the backup and recovery strategy relies on
the creation of AMIs for each server as part of the installation process on AWS and when software upgrades
are installed. These images are saved in two (2) different AWS regions to ensure recoverability. Database
backups are performed periodically, saved on separate EBS volume storage, and copied to S3 at the end
of the backup process.
During the recovery process, impacted servers are launched using the pre-configured AMIs, required
networking and security configurations are applied, and databases are restored using backup files. The
recovery process is exercised periodically to verify the integrity of backups.
For Aternity APM, automated backups of DynamoDB occur once per day and backups of EBS volumes are
taken each hour. EBS volume backups are validated by loading them onto a separate EC2 instance to ensure
that they can be successfully used for recovery purposes. The backups are tagged with the results of the
validation test. Cognito is backed up as part of a manual process. The backups are retained forever.
Aternity APM servers in the production environment utilize AWS high-availability services to ensure
prompt recovery. Backup and restore processes are part of the regular upgrade procedures.
Security Awareness Training – Aternity conducts security awareness training during the onboarding of
new employees and annually thereafter. The training is intended to enhance employees’ understanding of
sound security practices. Training covers a wide variety of topics relating to security, including a review of
the security policies presently in place at Aternity. All training is conducted by the Information Security Team.
C. OTHER RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESSES,
INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING CONTROLS
1) Control Environment
Aternity’s control environment is an integral part of its business activities, strategic planning, and
assessment of risks. Relevant control environmental factors that affect the services provided to user entities
are listed and described below.
Organizational Structure – Aternity’s operations are under the direction of the President and Chief
Executive Officer (CEO) and separated into five (5) logical groups.
• Product Management: The product management team is responsible for the planning, forecasting, and production of the product lifecycle.
• Engineering: The responsibilities of this team are to engage in new product research and development, existing product updates, quality checks and innovation.
• Sales: The sales team's primary duties include identifying and contacting prospects, delivering sales presentations, closing deals, and managing existing customer relationships.
• Marketing: The marketing team has overall responsibility for growing revenue and increasing market share.
• Customer Success: The customer success team is responsible for the overall implementation of the product, client training, and ongoing support, along with the overarching goal of cultivating productive client relationships and satisfaction.
[Organizational chart: Aternity Organizational Structure. Positions shown: President and CEO; CFO; Finance; HR; IT; CTO and SVP Strategy; VP, Products; VP, Engineering; Chief Revenue Officer (Sales); Chief Customer Success; Chief Marketing Officer.]
Organizational Controls
Human Resources Management – Written job descriptions for employees are maintained by the Human
Resources (HR) Department. The descriptions are reviewed and updated as needed. References are sought,
credit checks are conducted, and background checks are performed for all employees hired. The
confidentiality of user entity information is explained during the new-employee orientation via the Security
Policy and all employees are required to sign an acknowledgement of the Security Policy at hire and
annually thereafter. Furthermore, the confidentiality of user entity data is explained in the employee
handbook, which is issued to each employee on their date of hire. Employees are required to take paid time
off (PTO) in accordance with company policy. All employees receive an annual written performance
evaluation and salary review. Completed appraisals are reviewed by HR and become a permanent part of the
employee’s personnel file.
Policies and Procedures – Aternity utilizes formal policies and procedures to govern major business
activities. Policy and procedures manuals include:
• Anti-Bribery Compliance Policy
• Background Check Policy
• Bereavement Leave
• Commitment against Harassment Policy
• EEO Policy
• Employee Referral Program
• Expense Policy
• Maternity or Paternity Leave Policy
• PTO Policy
• Use of Electronic Communications Policy
• Other policies and procedures depending on department
Internal policies and procedures are reviewed and approved by senior management on an annual basis. All
policies and procedures are ultimately the responsibility of senior management and the Board of Directors
(Board).
Privacy and Confidentiality – Aternity does not disclose confidential internal information or customer
owned data to outside entities. Third parties that perform processing and/or other services that require access
to internal or customer owned data are prohibited from any disclosure of this information. Customer
contracts for processing services include data privacy language that requires confidential customer data to
be handled and stored in accordance with applicable data protection laws and regulations.
Organizational Oversight
Board of Directors – The Board is comprised of appointed members. The Board’s role is to establish goals
and objectives for Aternity, and it schedules quarterly meetings to review operating results. The two (2)
subcommittees established by the Board are as follows:
• Compensation Committee - The Compensation Committee oversees the acquisition and retention of highly qualified personnel. This committee is responsible for recommending competitive salary levels, fringe benefit plans, and major personnel policies, and for oversight of the employee stock option plan.
• Audit Committee - The Audit Committee is responsible for the review and administration of internal procedures as well as the oversight of financial reporting and risk management activities. It also oversees the hiring, performance and independence of external auditors.
2) Risk Assessment Processes
Aternity has placed into operation a risk assessment process to identify and manage risks that could affect
the ability to provide reliable services to user entities. This process requires management to identify risks for
systems and major business operations, identify potential impacts to customers, and appropriately manage
and mitigate high and medium risk areas.
3) Information and Communication Systems
Information Systems – As part of its SaaS, Aternity establishes and maintains a secure and monitored
network environment designed to prevent and/or detect unauthorized network access and modifications. The
controls specific to these services are listed in the section titled Infrastructure above.
Communication Systems – Aternity has implemented a number of communication processes to ensure that
all employees understand their individual roles and responsibilities over controls, and to ensure that
significant events are communicated in a timely manner. The communication processes include: new
employee orientation programs; the use of electronic mail to communicate time-sensitive messages and
information; verbal communications; online department portals with policies and procedures; monthly and
quarterly internal product review sessions and written correspondence to management and staff. Each level
of management also holds periodic staff meetings as appropriate. Every employee has a written job
description and all employees are instructed of their responsibility to communicate significant issues and
exceptions to an appropriate higher level of authority within Aternity in a timely manner.
Aternity has also implemented various methods of communication to ensure that customers understand the
role and responsibilities of Aternity, and to ensure that significant events are communicated to customers in
a timely manner. These methods include Aternity’s organization and participation in customer group
meetings and expositions, web-based customer bulletins and newsletters, focus groups, trainings, a
dedicated customer website, notifications from Salesforce, direct e-mail, and direct phone contact.
Customers are encouraged to communicate questions and problems to the Customer Service departments
where such matters are logged and tracked until resolved.
Personnel in the Customer Service departments provide on-going communication with customers on a day-
to-day basis. The Customer Service department also communicates information regarding changes in
processing schedules, system enhancements, and other information to customers.
4) Monitoring Controls
Aternity’s management and supervisory personnel monitor the quality of internal control performance as a
routine part of their activities. To assist them in this monitoring, Aternity has implemented a variety of
reporting and on-line notification tools that measure key activities and performance metrics on critical
systems. Notification tools and reports are used to monitor significant and suspicious network activities and
system and network availability. All exceptions to normal or scheduled processing related to hardware,
software, or procedural problems are logged, reported, and resolved daily. Key indicator reports are
reviewed daily and weekly by appropriate levels of management and action is taken as necessary.
D. CHANGES TO THE CONTROL ENVIRONMENT
Aternity LLC is required to disclose relevant detail of changes to the system during the period covered.
Aternity LLC did not experience any significant changes related to the system that requires disclosure.
E. APPLICABLE TRUST SERVICES CRITERIA AND RELATED CONTROLS
The applicable trust services criteria and Aternity LLC’s controls are included in Section IV of this report,
Independent Service Auditor’s Description of Tests of Controls and Results, to eliminate the redundancy that
would result from listing them in this section and repeating them in Section IV. Although the applicable
trust services criteria and related controls are included in Section IV, they are, nevertheless, an integral part
of Aternity LLC’s description of systems.
F. COMPLEMENTARY SUBSERVICE ORGANIZATION CONTROLS
Aternity LLC uses a subservice organization to perform various functions to support the delivery of services
to user entities. Aternity LLC has developed and implemented a vendor monitoring process to ensure
subservice organizations have necessary internal controls. Monitoring includes the receipt and review of the
subservice organization’s SOC 2 reports.
The following is a description of the subservice organization used by Aternity LLC to support the delivery
of the system:
Amazon Web Services (AWS): Provides cloud infrastructure for the servers used to store data sets and
other information. AWS is responsible for the physical and environmental security of the data centers
hosting the cloud infrastructure, including the network equipment at the facilities.
The following applicable trust services criteria are intended to be met in part by complementary subservice
organization controls implemented by the subservice organization AWS including, but not limited to, the
following:
Applicable Trust Services Criteria / Complementary Subservice Organization Controls

CC6.4 – The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.
Complementary subservice organization control: AWS is responsible for implementing physical security controls to restrict access to the hosted servers and protected information assets to authorized personnel.

CC6.5 – The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.
Complementary subservice organization control: AWS is responsible for data wiping, destroying, and disposing of assets in their environment that are no longer required or have reached end of life.

CC7.2 – The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
Complementary subservice organization control: AWS is responsible for monitoring their environment to maintain security and availability, including having an incident handling process.
A1.2 – Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
Complementary subservice organization control: AWS is responsible for developing, implementing, maintaining, and monitoring environmental protections of the assets hosted in the data centers.

A1.3 – The entity tests recovery plan procedures supporting system recovery to meet its objectives.
Complementary subservice organization control: AWS is responsible for implementing and testing recovery plan procedures to meet availability objectives.
G. COMPLEMENTARY USER ENTITY CONTROLS
Aternity LLC’s operations were designed with the assumption that certain controls would be placed in
operation by user entities. This section describes some of the controls that should be in operation at user
entities to complement the controls at Aternity LLC. User auditors should determine whether user entities
have established controls to provide reasonable assurance over the following:
1. User entities are responsible for enforcing their own internal password policies for their
organizations. User entities are encouraged to utilize complex passwords and change their passwords
on a periodic basis.
2. User entities are responsible for periodically reviewing user access to APM and EUEM consoles to
validate the appropriateness of user access and assigned permissions.
3. User entities’ system administrators are responsible for user provisioning in the Aternity solution.
User entities are responsible for implementing an authorization process to ensure the granting,
modification, and removal of access to the solution is approved.
4. User entities’ system administrators are responsible for configuring and maintaining strong security
settings, such as inactivity timeout within the APM and EUEM consoles.
5. User entities are responsible for defining their own requirements for monitoring and, as such, the data
stored may be sensitive or proprietary if the collection of such data is necessary to satisfy the customer’s
monitoring requirements.
IV. INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS
A. INTRODUCTION
This section presents selected information provided by Wolf & Company, P.C. This information includes:
• A description of tests performed by Wolf & Company, P.C. to determine whether Aternity LLC’s controls were operating with sufficient effectiveness to meet the applicable trust services criteria
• Results of Wolf & Company, P.C. tests of operating effectiveness
Also included in this section is information provided by Aternity LLC’s management. This information includes:
• The applicable trust services criteria as set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria)
• Description of controls implemented by Aternity LLC to meet the applicable trust services criteria
B. APPLICABLE TRUST SERVICES CRITERIA
The applicable trust services criteria in scope and controls to meet the applicable trust services criteria were provided by Aternity LLC’s
management. While this information is provided by Aternity LLC, it is more beneficial to have them reported in Section IV (Independent Service
Auditor’s Description of Tests of Controls and Results) to facilitate the report of tests of controls and results of testing which is provided by Wolf
& Company, P.C. The following trust services criteria were in scope.
Security Criteria – The system is protected against unauthorized access (both physical and logical).
Availability Criteria – The system is available for operation and use as committed or agreed.
27
C. TESTING OF OPERATING EFFECTIVENESS
CC1.0 – Common Criteria Related to Control Environment
Criteria | Service Organization Controls | Tests | Results

CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
Control: Employees must read and acknowledge the Employee Handbook and Proprietary Information and Inventions Agreement (PIIA) upon hire.
  Test: Inspected documented policies and procedures to ensure employees are required to read and accept the Employee Handbook and PIIA.
  Result: No exceptions noted.
  Test: Inspected acknowledgements to ensure a sample of new hires read and accepted the Employee Handbook and PIIA.
  Result: No exceptions noted.
Control: Employees are notified of changes to the Employee Handbook via email.
  Test: Inquired with management to ensure employees are notified of changes to the Employee Handbook via email.
  Result: No exceptions noted.
  Test: Inquired with management and determined that there were no changes to the Employee Handbook. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.
Control: Employees who do not comply with Company policies and standards will be subject to disciplinary actions.
  Test: Inspected policies and procedures to ensure disciplinary actions for misconduct are included.
  Result: No exceptions noted.
Control: The onboarding process includes background checks for all candidates extended a job offer.
  Test: Inspected documented policies and procedures to ensure background checks are completed for all candidates extended a job offer.
  Result: No exceptions noted.
  Test: Inspected the background checks for a sample of new hires to ensure they were completed.
  Result: No exceptions noted.
CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Control: The Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls. Any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Test: Inquired with management to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls, and that any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Result: No exceptions noted.
  Test: Inspected an example email correspondence to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls.
  Result: No exceptions noted.
Control: The Board of Directors is comprised of members from varying backgrounds to allow for objective evaluation and decision making.
  Test: Inspected the composition of the Board of Directors to ensure Board members are from varying backgrounds to allow for objective evaluation and decision making.
  Result: No exceptions noted.

CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Control: Aternity’s organization charts detail reporting lines and authorities of the Company’s employees.
  Test: Inspected Aternity’s organization charts to ensure they detail reporting lines and authorities of the Company’s employees.
  Result: No exceptions noted.
Control: Roles and responsibilities are defined in written job descriptions.
  Test: Inspected written job descriptions for positions responsible for security and availability to ensure roles and responsibilities are defined.
  Result: No exceptions noted.
Control: Job descriptions are created or updated as part of the hiring process. All new hires are required to have a written job description.
  Test: Inspected onboarding procedures to ensure written job descriptions are required to be updated or created for new hires.
  Result: No exceptions noted.
Control: Product Management is responsible for the development and implementation of policies and procedures to oversee the design, development, implementation, operation, maintenance, and monitoring of Aternity’s systems.
  Test: Inquired with management to ensure the Product Management department is assigned the responsibility of developing and implementing policies and procedures to oversee the design, development, implementation, operation, maintenance, and monitoring of Aternity’s systems.
  Result: No exceptions noted.
CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Control: The ability of candidates to meet the requirements documented in job descriptions is evaluated as part of the hiring process.
  Test: Inquired with management to ensure potential new hires’ experience and qualifications are evaluated against the job requirements by the hiring manager.
  Result: No exceptions noted.
Control: Employees are required to complete information security training upon hire and annually thereafter. Employees must complete and pass a quiz after security awareness training.
  Test: Observed training materials to ensure employees are required to be trained on information security topics and that a quiz must be passed after the training.
  Result: No exceptions noted.
  Test: Inspected quiz results for a sample of employees to ensure each sampled employee completed and passed the required quiz.
  Result: No exceptions noted.
  Test: Inspected quiz results for a sample of new hires to ensure each sampled employee completed and passed the required quiz.
  Result: Exception noted. One (1) of the three (3) sampled new hires did not complete the information security training upon hire. See Section V #1 for management response.
Control: Performance reviews are completed for all employees on an annual basis.
  Test: Inspected the performance reviews for a sample of employees and determined they were completed prior to the start of the audit period; no performance reviews were completed during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.
Control: Employees must read and acknowledge the Employee Handbook and PIIA upon hire.
  Test: Inspected documented policies and procedures to ensure employees are required to read and accept the Employee Handbook and PIIA.
  Result: No exceptions noted.
  Test: Inspected acknowledgements to ensure a sample of new hires read and accepted the Employee Handbook and PIIA.
  Result: No exceptions noted.
Control: The onboarding process includes background checks for all candidates extended a job offer.
  Test: Inspected documented policies and procedures to ensure background checks are completed for all candidates extended a job offer.
  Result: No exceptions noted.
  Test: Inspected the background checks for a sample of new hires to ensure they were completed.
  Result: No exceptions noted.
CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Control: Employees who do not comply with Company policies and standards will be subject to disciplinary actions.
  Test: Inspected policies and procedures to ensure disciplinary actions for misconduct are included.
  Result: No exceptions noted.
Control: Performance reviews are completed for all employees on an annual basis.
  Test: Inspected the performance reviews for a sample of employees and determined they were completed prior to the start of the audit period; no performance reviews were completed during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.
CC2.0 – Common Criteria Related to Communication and Information
Criteria | Service Organization Controls | Tests | Results

CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
Control: The Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls. Any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Test: Inquired with management to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls, and that any issues or concerns identified are reported up to the CFO and subsequently the CEO.
  Result: No exceptions noted.
  Test: Inspected an example email correspondence to ensure the Aternity IT Security team is updated periodically by Product Management on the development and performance of internal controls.
  Result: No exceptions noted.
CC2.2 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Control: Security and availability responsibilities are documented in internal policies and procedures. The Company’s internal policies and procedures are available to all employees on the Company intranet.
  Test: Inspected the Company’s intranet to ensure internal policies and procedures are made available to all employees.
  Result: No exceptions noted.
  Test: Inspected policies and procedures to ensure security and availability responsibilities are documented.
  Result: No exceptions noted.
Control: Security reminders are sent as necessary to educate employees on security issues or recommended practices.
  Test: Inspected an example security reminder to ensure employees are educated as necessary on security issues or recommended practices.
  Result: No exceptions noted.
Control: The Password Policy includes procedures for creating, changing, and safeguarding passwords.
  Test: Inspected the Password Policy to ensure it includes procedures for creating, changing, and safeguarding passwords.
  Result: No exceptions noted.
Control: The Incident Response Plan details procedures for internal users to report security and availability incidents.
  Test: Inspected the Incident Response Plan to ensure it details procedures for internal users to report security and availability incidents.
  Result: No exceptions noted.
Control: Employees must read and acknowledge the Employee Handbook and PIIA upon hire.
  Test: Inspected documented policies and procedures to ensure employees are required to read and accept the Employee Handbook and PIIA.
  Result: No exceptions noted.
  Test: Inspected acknowledgements to ensure a sample of new hires read and accepted the Employee Handbook and PIIA.
  Result: No exceptions noted.
Control: Employees are required to complete information security training upon hire and annually thereafter. Employees must complete and pass a quiz after security awareness training.
  Test: Observed training materials to ensure employees are required to be trained on information security topics and that a quiz must be passed after the training.
  Result: No exceptions noted.
  Test: Inspected quiz results for a sample of employees to ensure each sampled employee completed and passed the required quiz.
  Result: No exceptions noted.
  Test: Inspected quiz results for a sample of new hires to ensure each sampled employee completed and passed the required quiz.
  Result: Exception noted. One (1) of the three (3) sampled new hires did not complete the information security training upon hire. See Section V #1 for management response.
CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
Control: Master service agreements between the Company and customers detail responsibilities and commitments related to security. Availability responsibilities and commitments are documented in service level agreements (SLAs).
  Test: Inspected template customer agreements and SLAs to ensure security and availability commitments for the Company and customers are defined.
  Result: No exceptions noted.
Control: The agreement in place between the Company and AWS details responsibilities for security and availability.
  Test: Inspected the agreement between the Company and AWS to ensure it details responsibilities for security and availability.
  Result: No exceptions noted.
Control: Business Associate Agreements (BAAs) are in place with third parties who could potentially access electronic protected health information (ePHI).
  Test: Inspected the Business Associate Policy to ensure it requires BAAs with third parties who could potentially access ePHI.
  Result: No exceptions noted.
  Test: Inquired with management and determined that there are no new third parties who could potentially access ePHI. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.
Control: The Customer Service Agreement and Maintenance and Support Services Agreement, along with the Support website, detail the responsibilities of the Company and customers in reporting and remediating failures, incidents, concerns, and complaints.
  Test: Inspected the Customer Service Agreement and Support Services Agreement to ensure the agreements detail the responsibilities of the Company and customers for reporting and remediating failures, incidents, concerns, and complaints.
  Result: No exceptions noted.
  Test: Inspected the Support website to ensure the website provides details on reporting failures, incidents, concerns, and complaints.
  Result: No exceptions noted.
Control: The Business Continuity Plan details procedures for communicating availability incidents to external parties.
  Test: Inspected the Business Continuity Plan to ensure it details procedures for communicating availability incidents to external parties.
  Result: No exceptions noted.
Control: Major and minor releases are communicated to customers through release notes posted on the customer portal.
  Test: Inspected a screenshot of the APM release portal to ensure APM releases are communicated to customers via release notes on the customer portal.
  Result: No exceptions noted.
  Test: Inspected a screenshot of the EUEM release portal to ensure EUEM releases are communicated to customers via release notes on the customer portal.
  Result: No exceptions noted.
Control: The Support website allows customers to submit tickets for issues. The Support team reviews all issues, which are tracked through to remediation.
  Test: Inspected the Support website to ensure it allows customers to submit tickets for issues.
  Result: No exceptions noted.
  Test: Inquired with management to ensure the Support team reviews all issues and tracks them to remediation.
  Result: No exceptions noted.
CC3.0 – Common Criteria Related to Risk Assessment
Criteria | Service Organization Controls | Tests | Results

CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Control: The methodology for the IT risk assessments details the need for identifying potential threats as well as assessing the likelihood and impact of the identified threats.
  Test: Inspected the methodology for the IT risk assessments to ensure it details identifying potential threats and assessing the likelihood and impact of the threats.
  Result: No exceptions noted.
Control: The Risk Assessment Policy describes the Company’s requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Test: Inspected the Risk Assessment Policy to ensure it describes the requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Result: No exceptions noted.
Control: The Vendor Management Policy defines expectations for identifying and risk rating all vendor relationships. The risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Test: Inspected the Vendor Management Policy to ensure it defines expectations for identifying and risk rating all vendor relationships and that risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Result: No exceptions noted.
CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Control: The methodology for the IT risk assessments details the need for identifying potential threats as well as assessing the likelihood and impact of the identified threats.
  Test: Inspected the methodology for the IT risk assessments to ensure it details identifying potential threats and assessing the likelihood and impact of the threats.
  Result: No exceptions noted.
Control: The Risk Assessment Policy describes the Company’s requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Test: Inspected the Risk Assessment Policy to ensure it describes the requirements for the completion of the IT risk assessments and the handling of risk acceptance.
  Result: No exceptions noted.
Control: The IT risk assessments identify potential risks to the security and availability of the system and identify mitigating controls for the risks.
  Test: Inspected the IT risk assessments to ensure potential risks and mitigating controls for the risks are identified.
  Result: No exceptions noted.
Control: The Vendor Management Policy defines expectations for identifying and risk rating all vendor relationships. The risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Test: Inspected the Vendor Management Policy to ensure it defines expectations for identifying and risk rating all vendor relationships and that risk ratings consider the nature of the information stored and transmitted and the criticality of the vendor to providing services.
  Result: No exceptions noted.
Control: The vendor risk assessment rates the inherent risk of a vendor based on the nature of the information that is stored and transmitted, cost, compliance, and quality of work.
  Test: Inspected the vendor risk assessment to ensure it rates the inherent risk of a vendor based on the nature of the information that is stored and transmitted, cost, compliance, and quality of work.
  Result: No exceptions noted.
Control: The IT risk assessments are presented to management for approval.
  Test: Inspected the IT risk assessments to ensure the IT risk assessments are approved by management on an annual basis.
  Result: No exceptions noted.
CC3.3 COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
Control: The IT risk assessments consider fraudulent activities, including the likelihood and impact.
  Test: Inspected the IT risk assessments to ensure the assessment considers fraudulent activities, including the likelihood and impact.
  Result: No exceptions noted.
CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
Control: Management subscribes to threat intelligence resources covering cybersecurity and risks present in the external environment.
  Test: Inspected an example email to ensure management subscribes to sources regarding cybersecurity and risks present in the external environment.
  Result: No exceptions noted.
Control: The vendor selection process includes a review of materials to ensure the risks associated with the vendor relationship are understood.
  Test: Inspected the Vendor Management Policy to ensure it details the requirements for the vendor selection process, including a review of materials to ensure the risks associated with the vendor relationship are understood.
  Result: No exceptions noted.
  Test: Inquired with management and determined that there were no new subservice organizations implemented to support the production environment. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.
Control: Vendors that pose an increased risk are reviewed on an annual basis.
  Test: Inspected the Vendor Management Policy to ensure it details the requirements for an annual review of vendors that pose an increased risk.
  Result: No exceptions noted.
  Test: Inspected the vendor review performed for AWS to ensure the review is performed on an annual basis.
  Result: No exceptions noted.
Control: The vendor risk assessment is updated by management on at least an annual basis.
  Test: Inspected the vendor risk assessment to ensure it was updated within the last year.
  Result: No exceptions noted.
CC4.0 – Common Criteria Related to Monitoring Activities
Criteria | Service Organization Controls | Tests | Results

CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
  Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
  Result: No exceptions noted.
Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
  Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
  Result: No exceptions noted.
Control: EUEM Operations personnel review uptime monitors on a weekly basis to ensure the availability of the infrastructure after maintenance activities.
  Test: Inspected the reviews completed for a sample of weeks to ensure the uptime monitors are reviewed on a weekly basis by the Operations team.
  Result: No exceptions noted.
Control: EUEM Operations personnel review administrative activity and failed login reports on a weekly basis.
  Test: Inspected the reviews completed for a sample of weeks to ensure administrator activity and failed logins were reviewed.
  Result: No exceptions noted.
Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
  Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
  Result: No exceptions noted.
  Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
  Result: No exceptions noted.
Control: The EUEM Support team conducts a weekly staff meeting that includes discussion topics such as reviewing upcoming maintenance schedules or outage events to share details and raise awareness.
  Test: Inspected meeting agendas for a sample of weeks to ensure the Support team conducts a weekly staff meeting that includes discussion topics such as reviewing upcoming maintenance schedules or outage events to share details and raise awareness.
  Result: No exceptions noted.
Control: A Hosting Outages Cases (CQ) Report is generated quarterly in Salesforce to show events for EUEM.
  Test: Inspected a sample of quarterly reports to ensure the reports are generated and show events for EUEM.
  Result: No exceptions noted.
Control: A third party is contracted to perform web application penetration testing on an annual basis.
  Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
  Result: No exceptions noted.
Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
  Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
  Result: No exceptions noted.
Control: Web server certificates and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
  Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
  Result: No exceptions noted.
  Test: Inquired with management and determined that no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.
Control: Monthly meetings are held for proactive planning for availability and performance metrics.
  Test: Inspected the policies to ensure the monthly meeting process is defined.
  Result: No exceptions noted.
  Test: Inspected the meeting agenda or reports for a sample of months to ensure availability and performance metrics are discussed.
  Result: No exceptions noted.
Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
  Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
  Result: No exceptions noted.
  Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
  Result: No exceptions noted.
CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
  Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
  Result: No exceptions noted.
Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
  Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
  Result: No exceptions noted.
  Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
  Result: No exceptions noted.
  Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
  Result: No exceptions noted.
Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
  Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
  Result: No exceptions noted.
  Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
  Result: No exceptions noted.
Control: A third party is contracted to perform web application penetration testing on an annual basis.
  Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
  Result: No exceptions noted.
Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
  Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
  Result: No exceptions noted.
Control: Web server certificates and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
  Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
  Result: No exceptions noted.
  Test: Inquired with management and determined that no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
  Result: Control did not operate during the period.
Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
  Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
  Result: No exceptions noted.
  Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
  Result: No exceptions noted.
CC5.0 – Common Criteria Related to Control Activities
Criteria | Service Organization Controls | Tests | Results

CC5.1 COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Control: The Company applies appropriate controls to lessen the likelihood and/or impact of identified risks.
  Test: Inspected the Risk Assessment Policy to ensure the Company applies appropriate controls to lessen the likelihood and/or impact of identified risks.
  Result: No exceptions noted.
  Test: Inspected the IT risk assessments to ensure the Company has identified and applied mitigating controls to reduce the risks presented to the system.
  Result: No exceptions noted.
Control: Monitoring of key controls is performed to measure the success of the controls in addressing relevant risks.
  Test: Inspected the policies and procedures to ensure monitoring of key controls is performed to measure the success of the controls in addressing relevant risks.
  Result: No exceptions noted.
Control: The Disaster Recovery Plan and Business Continuity Plan describe the Company’s strategy for responding in the event of a disaster.
  Test: Inspected the Disaster Recovery and Business Continuity Plan to ensure the plan describes the Company’s strategy for responding in the event of a disaster.
  Result: No exceptions noted.
Criteria Service Organization Controls Tests Results
CC5.2 COSO Principle
11: The entity also
selects and
develops general
control activities
over technology to
support the
achievement of
objectives.
The Company applies appropriate controls to
lessen the likelihood and/or impact of
identified risks.
Inspected the Risk Assessment Policy to
ensure the Company applies appropriate
controls to lessen the likelihood and/or
impact of identified risks.
No exceptions
noted.
Inspected the IT risk assessments to ensure
the Company has identified and applied
mitigating controls to reduce the risks
presented to the system.
No exceptions
noted.
An availability monitoring solution is
configured to monitor the core infrastructure
and individual servers hosting EUEM. The
solution is configured to alert when failures
occur.
Inspected the EUEM Monitoring Policy to
ensure it details the availability monitoring
process.
No exceptions
noted.
Inspected the configuration of the availability
monitoring solution for EUEM to ensure the
availability of the environment is monitored
and appropriate personnel are notified of
failures.
No exceptions
noted.
Inspected an example alert to ensure the
availability monitoring solution alerts
appropriate personnel when there is a failure.
No exceptions
noted.
A performance and availability monitoring
solution is configured to monitor the core
infrastructure and individual servers hosting
APM. The solution is configured to alert
when defined thresholds have been exceeded
for memory, CPU, disk space, read/write
usage, and unavailable endpoints/internal
services.
Inspected the APM Availability Monitoring
Policy to ensure it details the performance
and availability monitoring process.
No exceptions
noted.
Inspected the configuration of the
performance and availability monitoring
solution to ensure it monitors various
availability metrics and alerts appropriate
personnel when thresholds are exceeded.
No exceptions
noted.
45
Criteria Service Organization Controls Tests Results
Inspected an example alert to ensure the
performance and availability monitoring
solution alerts appropriate personnel when a
threshold has been exceeded.
No exceptions
noted.
EUEM Operations personnel review
administrative activity and failed login report
on a weekly basis.
Inspected the reviews completed for a
sample of weeks to ensure administrator
activity and failed logins were reviewed.
No exceptions
noted.
The APM production environment is
monitored by a log management and
analytics solution. Logs are reviewed on a
monthly basis.
Inspected the configuration of the log
management and analytics solution to ensure
it logs activity in the production
environment.
No exceptions
noted.
Inspected the reviews completed for a
sample of months to ensure the CloudTrail
logs are reviewed on a monthly basis.
No exceptions
noted.
A third party is contracted to perform web
application penetration testing on an annual
basis.
Inspected evidence to ensure a third party has
been contracted to perform a penetration test.
No exceptions
noted.
Internal vulnerability assessments are
completed on all APM and EUEM releases
prior to implementation in the production
environment. All vulnerabilities are tracked
to resolution.
Inspected evidence to ensure internal
vulnerability assessments are completed on
the production environment and all
vulnerabilities are tracked to resolution.
No exceptions
noted.
Web server certificate and configurations are
monitored by the Operations Team. Daily
scans are run on EUEM external URLs and
weak configurations trigger an alert.
Inspected the configurations of the daily
scans of the EUEM external URLs to ensure
weak configurations trigger an alert to the
Operations Team.
No exceptions
noted.
46
Criteria Service Organization Controls Tests Results
Inquired with management to ensure no
alerts were triggered by weak configurations
during the audit period. Therefore, the
Service Auditor was unable to test the
operating effectiveness of the control during
the audit period.
Control did not
operate during
the period.
The Disaster Recovery Plan and Business
Continuity Plan describe the Company’s
strategy for responding in the event of a
disaster.
Inspected the Disaster Recovery and
Business Continuity Plan to ensure the plan
describes the Company’s strategy for
responding in the event of a disaster.
No exceptions
noted.
CC5.3
COSO Principle
12: The entity
deploys control
activities through
policies that
establish what is
expected and in
procedures that
put policies into
action.
The Company has documented policies and
procedures for the system that detail
implemented controls to maintain security
and availability along with compliance with
HIPAA.
Inspected the Company’s documented
policies and procedures to ensure
documentation includes controls to maintain
security, availability, and HIPAA
compliance.
No exceptions
noted.
Aternity retains historical policies and
procedures for six (6) years from the date of
its creation.
Inspected the Document Retention Policy to
ensure it requires that historical policies and
procedures be retained for six (6) years from
the date of its creation.
No exceptions
noted.
Policies and procedures are reviewed at least
annually.
Inspected the Company’s documented
policies and procedures to ensure they are
reviewed at least annually.
No exceptions
noted.
47
CC6.0 – Common Criteria Related to Logical and Physical Access Controls
Criteria Service Organization Controls Tests Results
CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Control: Logical access to the system is restricted to authorized individuals who need access to perform their job functions.
Test: Inspected the Platform Access Policy and User Access Control Policy to ensure they address the restriction of access to systems.
Result: No exceptions noted.
Test: Inspected the listing of users with access to the production environment to ensure access is appropriate.
Result: No exceptions noted.

Control: The production environment is administered by authorized personnel who require the access to oversee the security and availability of the Aternity system.
Test: Inspected the listing of users with administrator access to the production environment to ensure administrator access is appropriate.
Result: No exceptions noted.

Control: Passwords are enforced on the technologies supporting EUEM. The password settings enforced include minimum length, complexity requirements, and expiration.
Test: Inspected the configuration of the password practices enforced to access the production environment to ensure they include password minimum length, complexity requirements, and expiration.
Result: No exceptions noted.

Control: Multifactor authentication is required to access the technologies supporting APM.
Test: Inspected the authentication configurations of the technologies supporting APM to ensure multifactor authentication is required.
Result: No exceptions noted.

Control: Authentication to the application, by user entities, requires a password that is appropriately configured.
Test: Inquired with management to ensure password requirements are appropriately configured for user entities.
Result: No exceptions noted.
Test: Inspected evidence to ensure password requirements are appropriately configured for user entities.
Result: No exceptions noted.

Control: Password-protected screensavers, configured via Active Directory Group Policy Object (GPO), are automatically triggered after a period of inactivity.
Test: Inspected the GPO to ensure password-protected screensavers are automatically triggered after a period of inactivity.
Result: No exceptions noted.

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

Control: Written authorization in the form of a ticket, email, or other documented methods is required to grant and remove access to the production environment. This process is documented within Policy.
Test: Inspected the System Access Request Policy and the Separation Process to ensure they detail the written authorization process.
Result: No exceptions noted.
Test: Inspected the written authorization for a sample of new hires to ensure access granted to the production environment is documented.
Result: No exceptions noted.
Test: Inspected the written authorization for a sample of terminations to ensure access removed from the production environment is documented.
Result: No exceptions noted.

Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
Result: No exceptions noted.
Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
Result: No exceptions noted.
CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

Control: Access to the production environment is reviewed on a quarterly basis to ensure it is restricted to authorized personnel who require access to perform their job functions.
Test: Inspected the System Access Request Policy to ensure access to the production environment is reviewed on a periodic basis.
Result: No exceptions noted.
Test: Inspected a sample of user access reviews to ensure the reviews are performed on a quarterly basis and user access to the production environment is reviewed for appropriateness.
Result: No exceptions noted.

Control: The production environment is administered by authorized personnel who require the access to oversee the security and availability of the Aternity system.
Test: Inspected the listing of users with administrator access to the production environment to ensure administrator access is appropriate.
Result: No exceptions noted.

Control: Written authorization in the form of a ticket, email, or other documented methods is required to grant and remove access to the production environment. This process is documented within Policy.
Test: Inspected the System Access Request Policy and the Separation Process to ensure they detail the written authorization process.
Result: No exceptions noted.
Test: Inspected the written authorization for a sample of new hires to ensure access granted to the production environment is documented.
Result: No exceptions noted.
Test: Inspected the written authorization for a sample of terminations to ensure access removed from the production environment is documented.
Result: No exceptions noted.

CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

Control: Physical access to the Company’s facilities is controlled by proximity cards.
Test: Inspected a sample of proximity card holders for the Company’s facilities to ensure access is restricted to appropriate personnel.
Result: No exceptions noted.

Control: Controls relating to physical access to the hosted servers and protected information assets are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
Test: N/A
Result: N/A

CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

Control: The Media Disposal Policy addresses the removal and destruction of data and hardware.
Test: Inspected the Media Disposal Policy to ensure it addresses the removal and destruction of data and hardware.
Result: No exceptions noted.

Control: Controls relating to the destruction and disposal of hardware are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
Test: N/A
Result: N/A
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Control: A virtual firewall is set up within AWS that restricts traffic to and from the environment. The rule base is reviewed periodically to identify security risks and misconfigurations.
Test: Inspected firewall rules established to ensure the firewall restricts traffic to and from the environment.
Result: No exceptions noted.
Test: Inspected the results of the most recent firewall rule base review to validate the rules are reviewed on a periodic basis.
Result: No exceptions noted.

Control: A Windows firewall is set up within the network that restricts traffic to and from the environment.
Test: Inspected firewall rules established to ensure the firewall restricts traffic to and from the environment.
Result: No exceptions noted.

Control: APM customer containers in the production environment are logically segmented.
Test: Inspected the configuration of the APM production environment to ensure customer containers are logically segmented.
Result: No exceptions noted.

Control: A third party is contracted to perform web application penetration testing on an annual basis.
Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
Result: No exceptions noted.

Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
Result: No exceptions noted.

Control: Web server certificate and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
Result: No exceptions noted.
Test: Inquired with management to ensure no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
Result: Control did not operate during the period.

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Control: All data transmitted to and from the system is encrypted.
Test: Inspected the protocols for non-customer-facing traffic to ensure data transmitted is encrypted.
Result: No exceptions noted.
Test: Inspected the protocols and encryption certificate for customer-facing traffic to ensure data transmitted is encrypted.
Result: No exceptions noted.

Control: The EBS volume and Amazon S3 backups are encrypted.
Test: Inspected the EBS configuration to ensure volume backups are encrypted.
Result: No exceptions noted.
Test: Inspected the S3 configuration to ensure backups are encrypted.
Result: No exceptions noted.

CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Control: Antivirus is installed on Windows servers and is configured to scan for viruses weekly.
Test: Inspected the inventory of the antivirus solution to ensure antivirus is installed on Windows servers.
Result: No exceptions noted.
Test: Inspected the configuration of the antivirus solution to ensure scans are run on a weekly basis.
Result: No exceptions noted.

Control: The IPS generates alerts to Operations personnel for critical events. Alerts are reviewed and corrective action is taken as necessary.
Test: Inspected the IPS configuration to ensure the system generates alerts to Operations personnel when it detects critical events.
Result: No exceptions noted.
Test: Inspected an example alert from the IPS to ensure the alert was sent to Operations personnel and corrective action was taken as necessary.
Result: No exceptions noted.

Control: Operations personnel receive weekly email summaries from the antivirus and IPS on threats detected.
Test: Inspected the antivirus and IPS configuration to ensure the systems generate weekly summary reports to Operations personnel.
Result: No exceptions noted.
Test: Inspected an example weekly email report from the antivirus and IPS to ensure the report was sent to Operations personnel.
Result: No exceptions noted.

Control: Windows servers are patched on a monthly basis.
Test: Inspected the WSUS patch status report for a sample of months to ensure patching occurred.
Result: No exceptions noted.

Control: Linux servers in the production environment are rebuilt when there is a feature release, at least annually, to incorporate necessary security patches and configurations.
Test: Inquired with management to ensure Linux servers in the production environment are rebuilt when there is a feature release to incorporate necessary security patches and configurations.
Result: No exceptions noted.
Test: Inspected configuration logs to ensure Linux servers in the production environment are rebuilt when there is a feature release.
Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
Result: No exceptions noted.
Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
Result: No exceptions noted.
CC7.0 – Common Criteria Related to System Operations
Criteria Service Organization Controls Tests Results
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

Control: EUEM Operations personnel review administrative activity and failed login reports on a weekly basis.
Test: Inspected the reviews completed for a sample of weeks to ensure administrator activity and failed logins were reviewed.
Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
Result: No exceptions noted.
Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
Result: No exceptions noted.

Control: A third party is contracted to perform web application penetration testing on an annual basis.
Test: Inspected evidence to ensure a third party has been contracted to perform a penetration test.
Result: No exceptions noted.

Control: Internal vulnerability assessments are completed on all APM and EUEM releases prior to implementation in the production environment. All vulnerabilities are tracked to resolution.
Test: Inspected evidence to ensure internal vulnerability assessments are completed on the production environment and all vulnerabilities are tracked to resolution.
Result: No exceptions noted.

Control: Web server certificate and configurations are monitored by the Operations Team. Daily scans are run on EUEM external URLs and weak configurations trigger an alert.
Test: Inspected the configurations of the daily scans of the EUEM external URLs to ensure weak configurations trigger an alert to the Operations Team.
Result: No exceptions noted.
Test: Inquired with management to ensure no alerts were triggered by weak configurations during the audit period. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
Result: Control did not operate during the period.
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

Control: The Incident Response Plan details procedures for detecting, assessing, investigating, containing, and mitigating security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it includes the mentioned procedures.
Result: No exceptions noted.

Control: The Incident Response Plan details procedures for internal users to report security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it details procedures for internal users to report security and availability incidents.
Result: No exceptions noted.

Control: An availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting EUEM. The solution is configured to alert when failures occur.
Test: Inspected the EUEM Monitoring Policy to ensure it details the availability monitoring process.
Result: No exceptions noted.
Test: Inspected the configuration of the availability monitoring solution for EUEM to ensure the availability of the environment is monitored and appropriate personnel are notified of failures.
Result: No exceptions noted.
Test: Inspected an example alert to ensure the availability monitoring solution alerts appropriate personnel when there is a failure.
Result: No exceptions noted.

Control: A performance and availability monitoring solution is configured to monitor the core infrastructure and individual servers hosting APM. The solution is configured to alert when defined thresholds have been exceeded for memory, CPU, disk space, read/write usage, and unavailable endpoints/internal services.
Test: Inspected the APM Availability Monitoring Policy to ensure it details the performance and availability monitoring process.
Result: No exceptions noted.
Test: Inspected the configuration of the performance and availability monitoring solution to ensure it monitors various availability metrics and alerts appropriate personnel when thresholds are exceeded.
Result: No exceptions noted.
Test: Inspected an example alert to ensure the performance and availability monitoring solution alerts appropriate personnel when a threshold has been exceeded.
Result: No exceptions noted.

Control: EUEM Operations personnel review administrative activity and failed login reports on a weekly basis.
Test: Inspected the reviews completed for a sample of weeks to ensure administrator activity and failed logins were reviewed.
Result: No exceptions noted.

Control: The APM production environment is monitored by a log management and analytics solution. Logs are reviewed on a monthly basis.
Test: Inspected the configuration of the log management and analytics solution to ensure it logs activity in the production environment.
Result: No exceptions noted.
Test: Inspected the reviews completed for a sample of months to ensure the CloudTrail logs are reviewed on a monthly basis.
Result: No exceptions noted.

Control: Controls relating to incident response for the hosted environment are administered by the subservice organization AWS. See the Complementary Subservice Organization Controls above for additional details.
Test: N/A
Result: N/A
CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

Control: Security incidents are assessed to evaluate the exposure of an incident along with the amount of damage.
Test: Inspected the Incident Response Plan to ensure incidents are assessed to evaluate the exposure along with the amount of damage.
Result: No exceptions noted.

Control: The Incident Response Plan details procedures for detecting, assessing, investigating, containing, and mitigating security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it includes the mentioned procedures.
Result: No exceptions noted.

CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

Control: The Business Continuity Plan details procedures for communicating availability incidents to external parties.
Test: Inspected the Business Continuity Plan to ensure it details procedures for communicating availability incidents to external parties.
Result: No exceptions noted.

Control: Security incidents are assessed to evaluate the exposure of an incident along with the amount of damage.
Test: Inspected the Incident Response Plan to ensure incidents are assessed to evaluate the exposure along with the amount of damage.
Result: No exceptions noted.

Control: The Incident Response Plan details procedures for detecting, assessing, investigating, containing, and mitigating security and availability incidents.
Test: Inspected the Incident Response Plan to ensure it includes the mentioned procedures.
Result: No exceptions noted.
CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.

Control: The Incident Response Plan is tested on a periodic basis.
Test: Inspected test results to ensure the Incident Response Plan is tested on a periodic basis.
Result: No exceptions noted.

Control: The APM EBS volumes containing customer instances are backed up every hour. Appropriate personnel are notified if issues arise with the backups.
Test: Inspected the EBS configuration to ensure volumes are backed up on an hourly basis.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the EBS backup process.
Result: No exceptions noted.

Control: The DynamoDB, Oracle, and Vertica data is backed up to Amazon S3 on a daily basis. Appropriate personnel are notified if issues arise with the backups.
Test: Inspected the DynamoDB configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.
Test: Inspected the DynamoDB configuration to ensure appropriate personnel are alerted of issues.
Result: No exceptions noted.
Test: Inquired with management to confirm no DynamoDB backups failed resulting in the alerting of personnel. Therefore, the Service Auditor was unable to test the operating effectiveness of the control during the audit period.
Result: Control did not operate during the period.
Test: Inspected the Oracle configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.
Test: Inspected the Oracle configuration to ensure appropriate personnel are notified of issues.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the Oracle backup process.
Result: No exceptions noted.
Test: Inspected the Vertica configuration to ensure data is backed up on a daily basis.
Result: No exceptions noted.
Test: Inspected the Vertica configuration to ensure appropriate personnel are notified of issues.
Result: No exceptions noted.
Test: Inspected an example alert to ensure personnel are alerted of issues in the Vertica backup process.
Result: No exceptions noted.

Control: The EBS volume and Amazon S3 backups are encrypted.
Test: Inspected the EBS configuration to ensure volume backups are encrypted.
Result: No exceptions noted.
Test: Inspected the S3 configuration to ensure backups are encrypted.
Result: No exceptions noted.

Control: The servers and databases in the production environment are arranged for high availability through various AWS regions.
Test: Inspected evidence showing that the servers and databases are arranged for high availability through various AWS regions.
Result: No exceptions noted.

Control: APM backup restoration tests are performed quarterly to validate the integrity of the backup data.
Test: Inspected the results for a sample of backup restores to ensure the testing is performed at least quarterly.
Result: No exceptions noted.

Control: EUEM backups are tested during the release process.
Test: Inspected a sample of releases to ensure backups are tested during the release process.
Result: No exceptions noted.
CC8.0 – Common Criteria Related to Change Management
Criteria Service Organization Controls Tests Results
CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Control: The System Development Life Cycle addresses business requirements, scoping, design, development, code review, quality assurance, and implementation of system components.
Test: Inspected the System Development Life Cycle to ensure it addresses planning (business requirements, design, and functionality), testing and code review, and deployment of builds into production.
Result: No exceptions noted.

Control: Business requirements and design specifications are documented for all developments.
Test: Inspected the System Development Life Cycle to ensure business requirements and design specifications are documented for product developments.
Result: No exceptions noted.
Test: Inspected a sample of APM developments to ensure business requirements and design specifications are documented.
Result: No exceptions noted.
Test: Inspected a sample of EUEM developments to ensure business requirements and/or design specifications are documented.
Result: No exceptions noted.

Control: All source code is reviewed for quality and adherence to coding standards using code review collaboration tools.
Test: Inspected the System Development Life Cycle to ensure code commits are reviewed for quality and adherence to coding standards using code review collaboration tools.
Result: No exceptions noted.
Test: Inspected a sample of APM developments to ensure code commits are reviewed for quality and adherence to coding standards using code review collaboration tools.
Result: No exceptions noted.
Test: Inspected a sample of EUEM developments to ensure testing was performed when necessary and quality assurance was completed.
Result: No exceptions noted.
Criteria Service Organization Controls Tests Results
Developments undergo multiple levels of
testing including functional, performance,
longevity, and scalability testing, as
applicable.
Inspected the System Development Life
Cycle to ensure it details the types of testing
that are performed for developments.
No exceptions
noted.
Inspected a sample of APM developments to
ensure testing is performed for
developments.
No exceptions
noted.
Inspected a sample of EUEM developments
to ensure testing was performed when
necessary prior to release of the
development.
No exceptions
noted.
Leads hold daily standup meetings to discuss
the progress on new functionality and the
plan for the day.
Inspected the System Development Life
Cycle to ensure it addresses daily standup
meetings.
No exceptions
noted.
Inspected the a sample of meeting invites to
ensure leads hold daily standup meetings to
discuss the progress on new functionality and
the plan for the day.
No exceptions
noted.
Scrum on Scrum (SOS) meetings are held
twice a week to discuss the progress on new
functionality and the plan for the coming
days.
Inquired with management to ensure SOS
meetings are held twice a week to discuss the
progress on new functionality and the plan
for the coming days.
No exceptions
noted.
Inspected the reoccurring meeting invite to
ensure leads hold daily standup meetings to
discuss the progress on new functionality and
the plan for the day.
No exceptions
noted.
Major and minor releases are communicated
to customers through release notes posted on
the customer portal.
Inspected a screenshot of the APM release
portal to ensure APM releases are
communicated to customers via release notes
on the customer portal.
No exceptions
noted.
Inspected a screenshot of the EUEM release
portal to ensure EUEM releases are
communicated to customers via release notes
on the customer portal.
No exceptions
noted.
All change requests must be formally
documented and detail the reason for the
change, a description on how the change is to
be implemented, the impact of the change,
and the back out plan should the change not
be successful, as appropriate.
Inspected the Change Management Process
to ensure it addresses the requirements for all
submitted change requests.
No exceptions
noted.
Inspected a sample of APM change requests
to ensure each request details the reason for the
change, a description of how the change is to
be implemented, the impact of the change,
the back out plan should the change not
be successful, and approval, as appropriate.
No exceptions
noted.
Inspected a sample of EUEM change
requests to ensure each request details the reason
for the change, a description of how the
change is to be implemented, the impact of
the change, the back out plan should the
change not be successful, and approval, as
appropriate.
No exceptions
noted.
Change requests can be initiated by internal
personnel through the submission of a
change request.
Inspected the Change Management Process
to ensure it addresses the internal change
requests.
No exceptions
noted.
CC9.0 – Common Criteria Related to Risk Mitigation
Criteria | Service Organization Controls | Tests | Results
CC9.1 The entity
identifies, selects,
and develops risk
mitigation
activities for risks
arising from
potential business
disruptions.
The Disaster Recovery Plan addresses
recovering connectivity and supporting
systems to ensure customer obligations can
be met.
Inspected the Disaster Recovery Plan to
ensure the plan addresses recovering
connectivity and supporting systems so
customer obligations can be met.
No exceptions
noted.
Business continuity and disaster recovery
testing are performed on an annual basis.
Inspected the Business Continuity Plan and
Disaster Recovery Plan to ensure they detail
testing of the plans.
No exceptions
noted.
Inspected results from the testing of the
business continuity and disaster recovery
strategy to ensure it is performed annually.
No exceptions
noted.
CC9.2 The entity assesses
and manages risks
associated with
vendors and
business partners.
Third party agreements are required to
include non-disclosure/confidentiality
clauses.
Inspected the Vendor Management Policy to
ensure it details requirements for contract
language in third party agreements.
No exceptions
noted.
Inspected the agreements with in-scope
subservice organizations supporting the
system to ensure the agreements include
non-disclosure/confidentiality clauses.
No exceptions
noted.
The Vendor Management Policy defines
expectations for identifying and risk rating
all vendor relationships. The risk ratings
consider the nature of the information stored
and transmitted and the criticality of the
vendor to providing services.
Inspected the Vendor Management Policy to
ensure it defines expectations for identifying
and risk rating all vendor relationships and
risk ratings consider the nature of the
information stored and transmitted and the
criticality of the vendor to providing
services.
No exceptions
noted.
The vendor risk assessment rates the inherent
risk of a vendor based on the nature of the
information that is stored and transmitted,
cost, compliance, and quality of work.
Inspected the vendor risk assessment to
ensure it rates the inherent risk of a vendor
based on the nature of the information that is
stored and transmitted, cost, compliance, and
quality of work.
No exceptions
noted.
The vendor selection process includes a
review of materials to ensure the risks
associated with the vendor relationship are
understood.
Inspected the Vendor Management Policy to
ensure it details the requirements for the
vendor selection process, including a review
of materials to ensure the risks associated
with the vendor relationship are understood.
No exceptions
noted.
Inquired with management and determined
that there were no new subservice
organizations implemented to support the
production environment. Therefore, the
Service Auditor was unable to test the
operating effectiveness of the control during
the audit period.
Control did not
operate during
the period.
Vendors that pose an increased risk are
reviewed on an annual basis.
Inspected the Vendor Management Policy to
ensure it details the requirements for an
annual review of vendors that pose an
increased risk.
No exceptions
noted.
Inspected the vendor review performed for
AWS to ensure the review is performed on
an annual basis.
No exceptions
noted.
A1 - Additional Criteria for Availability
Criteria | Service Organization Controls | Tests | Results
A1.1 The entity
maintains,
monitors, and
evaluates current
processing
capacity and use
of system
components
(infrastructure,
data, and
software) to
manage capacity
demand and to
enable the
implementation of
additional
capacity to help
meet its
objectives.
The Aternity IT Security team is updated
periodically by Product Management on the
development and performance of internal
controls. Any issues or concerns identified
are reported up to the CFO and subsequently
the CEO.
Inquired with management to ensure the
Aternity IT Security team is updated
periodically by Product Management on the
development and performance of internal
controls. Any issues or concerns identified
are reported up to the CFO and subsequently
the CEO.
No exceptions
noted.
Inspected an example email correspondence
to ensure the Aternity IT Security team is
updated periodically by Product
Management on the development and
performance of internal controls.
No exceptions
noted.
An availability monitoring solution is
configured to monitor the core infrastructure
and individual servers hosting EUEM. The
solution is configured to alert when failures
occur.
Inspected the EUEM Monitoring Policy to
ensure it details the availability monitoring
process.
No exceptions
noted.
Inspected the configuration of the availability
monitoring solution for EUEM to ensure the
availability of the environment is monitored
and appropriate personnel are notified of
failures.
No exceptions
noted.
Inspected an example alert to ensure the
availability monitoring solution alerts
appropriate personnel when there is a failure.
No exceptions
noted.
A performance and availability monitoring
solution is configured to monitor the core
infrastructure and individual servers hosting
APM. The solution is configured to alert
when defined thresholds have been exceeded
for memory, CPU, disk space, read/write
usage, and unavailable endpoints/internal
services.
Inspected the APM Availability Monitoring
Policy to ensure it details the performance
and availability monitoring process.
No exceptions
noted.
Inspected the configuration of the
performance and availability monitoring
solution to ensure it monitors various
availability metrics and alerts appropriate
personnel when thresholds are exceeded.
No exceptions
noted.
Inspected an example alert to ensure the
performance and availability monitoring
solution alerts appropriate personnel when a
threshold has been exceeded.
No exceptions
noted.
A1.2 Environmental
protections,
software, data
backup processes,
and recovery
infrastructure are
designed,
developed,
implemented,
operated,
maintained, and
monitored to meet
availability
commitments and
requirements.
The APM EBS volumes containing customer
instances are backed up every hour.
Appropriate personnel are notified if issues
arise with the backups.
Inspected the EBS configuration to ensure
volumes are backed up on an hourly basis.
No exceptions
noted.
Inspected an example alert to ensure
personnel are alerted of issues in the EBS
backup process.
No exceptions
noted.
The DynamoDB, Oracle, and Vertica data is
backed up to Amazon S3 on a daily basis.
Appropriate personnel are notified if issues
arise with the backups.
Inspected the DynamoDB configuration to
ensure data is backed up on a daily basis.
No exceptions
noted.
Inspected the DynamoDB configuration to
ensure appropriate personnel are alerted of
issues.
No exceptions
noted.
Inquired with management to confirm no
DynamoDB backups failed resulting in the
alerting of personnel. Therefore, the Service
Auditor was unable to test the operating
effectiveness of the control during the audit
period.
Control did not
operate during
the period.
Inspected the Oracle configuration to ensure
data is backed up on a daily basis.
No exceptions
noted.
Inspected the Oracle configuration to ensure
appropriate personnel are notified of issues.
No exceptions
noted.
Inspected an example alert to ensure
personnel are alerted of issues in the Oracle
backup process.
No exceptions
noted.
Inspected the Vertica configuration to ensure
data is backed up on a daily basis.
No exceptions
noted.
Inspected the Vertica configuration to ensure
appropriate personnel are notified of issues.
No exceptions
noted.
Inspected an example alert to ensure
personnel are alerted of issues in the Vertica
backup process.
No exceptions
noted.
The EBS volume and Amazon S3 backups
are encrypted.
Inspected the EBS configuration to ensure
volume backups are encrypted.
No exceptions
noted.
Inspected the S3 configuration to ensure
backups are encrypted.
No exceptions
noted.
The servers and databases in the production
environment are arranged for high availability
through various AWS regions.
Inspected evidence showing that the servers
and databases are arranged for high availability
through various AWS regions.
No exceptions
noted.
APM backup restoration tests are performed
quarterly to validate the integrity of the
backup data.
Inspected the results for a sample of backup
restores to ensure the testing is performed at
least quarterly.
No exceptions
noted.
EUEM backups are tested during the release
process.
Inspected a sample of releases to ensure
backups are tested during the release process.
No exceptions
noted.
The Disaster Recovery Plan addresses
recovering connectivity and supporting
systems to ensure customer obligations can
be met.
Inspected the Disaster Recovery Plan to
ensure the plan addresses recovering
connectivity and supporting systems so
customer obligations can be met.
No exceptions
noted.
Business continuity and disaster recovery
testing are performed on an annual basis.
Inspected the Business Continuity Plan and
Disaster Recovery Plan to ensure they detail
testing of the plans.
No exceptions
noted.
Inspected testing of the business continuity
and disaster recovery strategy to ensure it is
performed annually.
No exceptions
noted.
Controls relating to environmental
protections of the hosted environment are
administered by the subservice organization
AWS. See the Complementary Subservice
Organization Controls above for additional
details.
N/A N/A
A1.3 The entity
authorizes,
designs, develops
or acquires,
implements,
operates,
approves,
maintains, and
monitors
environmental
protections,
software, data
back-up
processes, and
recovery
infrastructure to
meet its
objectives.
The Disaster Recovery Plan addresses
recovering connectivity and supporting
systems to ensure customer obligations can
be met.
Inspected the Disaster Recovery Plan to
ensure the plan addresses recovering
connectivity and supporting systems so
customer obligations can be met.
No exceptions
noted.
Business continuity and disaster recovery
testing are performed on an annual basis.
Inspected the Business Continuity Plan and
Disaster Recovery Plan to ensure they detail
testing of the plans.
No exceptions
noted.
Inspected testing of the business continuity
and disaster recovery strategy to ensure it is
performed annually.
No exceptions
noted.
Controls relating to the recovery of the
hosted environment are administered by the
subservice organization AWS. See the
Complementary Subservice Organization
Controls above for additional details.
N/A N/A
V. ADDITIONAL INFORMATION PROVIDED BY ATERNITY LLC
A. CONTROL EXCEPTIONS AND ATERNITY’S MANAGEMENT RESPONSES
The following section contains Aternity LLC’s detailed responses to the control exceptions discovered by Wolf & Company, P.C. covering the
period of September 1, 2019 to February 29, 2020.
1. One (1) of the three (3) sampled new hires did not complete the information security training upon hire.
Management Response: One (1) individual hired in February 2020 completed information security training in accordance with Aternity LLC’s
policies; however, the completion date of the information security training occurred in March 2020. New hires are enrolled in training upon hire,
and both the new hires and their managers are automatically notified of incomplete training status until all required trainings are completed.
B. HEALTH INFORMATION PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) CONTROL MAPPING
Aternity LLC has designed its control environment to satisfy the requirements of the Security Rule of the Health Information Portability and
Accountability Act (HIPAA). Where applicable, the design of the controls implemented to achieve the criteria of the relevant AICPA trust services
principles, detailed in Section III of this report, is intended to satisfy HIPAA requirements. To assist user entities in evaluating Aternity LLC’s
compliance with the HIPAA Security Rule, we have mapped applicable HIPAA requirements to SOC controls in the tables below.
Administrative Safeguards:
The administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security
measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity's workforce in relation to the
protection of that information.
Safeguard (CFR §164.308) | Safeguard Description | Reference to SOC Control Above
(a) A covered entity or business associate must, in accordance with § 164.306:
(a)(1)(i) Standard: Security Management Process. Implement policies and procedures to prevent, detect,
contain, and correct security violations.
CC7.2.1
CC7.3.2
CC7.4.3
(a)(1)(ii) Implementation Specifications:
(a)(1)(ii)(A) Risk Analysis (Required). Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information
held by the covered entity or business associate.
CC3.1.1
CC3.2.1
CC3.2.3
(a)(1)(ii)(B) Risk Management (Required). Implement security measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
CC3.1.2
CC3.2.2
CC3.2.3
(a)(1)(ii)(C) Sanction Policy (Required). Apply appropriate sanctions against workforce members who fail to comply
with the security policies and procedures of the covered entity or business associate.
CC1.1.3
CC1.5.1
(a)(1)(ii)(D) Information System Activity Review (Required). Implement procedures to regularly review records of
information system activity, such as audit logs, access reports, and security incident tracking reports.
CC4.1.4
CC4.1.12
CC4.2.7
CC5.2.4
CC6.2.2
CC6.3.1
CC7.1.1
CC7.2.5
(a)(2) Standard: Assigned Security Responsibility. Identify the security official who is responsible for the
development and implementation of the policies and procedures required by this subpart for the covered
entity or business associate.
CC1.3.4
(a)(3)(i) Standard: Workforce Security. Implement policies and procedures to ensure that all members of its
workforce have appropriate access to electronic protected health information, as provided under
paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under
paragraph (a)(4) of this section from obtaining access to electronic protected health information.
CC4.1.12
CC4.2.7
CC6.1.1
CC6.1.2
CC6.2.2
CC6.3.1
CC6.3.2
(a)(3)(ii) Implementation Specifications:
(a)(3)(ii)(A) Authorization and/or Supervision (Addressable). Implement procedures for the authorization and/or
supervision of workforce members who work with electronic protected health information or in locations
where it might be accessed.
CC6.2.1
CC6.3.3
CC6.4.1
(a)(3)(ii)(B) Workforce Clearance Procedure (Addressable). Implement procedures to determine that the access of
a workforce member to electronic protected health information is appropriate.
CC4.1.12
CC4.2.7
CC6.1.1
CC6.1.2
CC6.2.2
CC6.3.1
CC6.3.2
(a)(3)(ii)(C) Termination Procedures (Addressable). Implement procedures for terminating access to electronic
protected health information when the employment of, or other arrangement with, a workforce member
ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
CC6.2.1
CC6.3.3
(a)(4)(i) Standard: Information Access Management. Implement policies and procedures for authorizing access
to electronic protected health information that are consistent with the applicable requirements of subpart E
of this part.
CC6.1.1
CC6.2.1
CC6.3.3
(a)(4)(ii) Implementation Specifications:
(a)(4)(ii)(A) Isolating Healthcare Clearinghouse Functions (Required). If a health care clearinghouse is part of a
larger organization, the clearinghouse must implement policies and procedures that protect the electronic
protected health information of the clearinghouse from unauthorized access by the larger organization.
N/A
(a)(4)(ii)(B) Access Authorization (Addressable). Implement policies and procedures for granting access to
electronic protected health information, for example, through access to a workstation, transaction,
program, process, or other mechanism.
CC6.2.1
CC6.3.3
(a)(4)(ii)(C) Access Establishment and Modification (Addressable). Implement policies and procedures that, based
upon the covered entity's or the business associate's access authorization policies, establish, document,
review, and modify a user's right of access to a workstation, transaction, program, or process.
CC6.2.1
CC6.3.3
(a)(5)(i) Standard: Security Awareness and Training. Implement a security awareness and training program for
all members of its workforce (including management).
CC1.4.2
CC2.2.6
(a)(5)(ii) Implementation Specifications. Implement:
(a)(5)(ii)(A) Security Reminders (Addressable). Periodic security updates.
CC2.2.2
(a)(5)(ii)(B) Protection from Malicious Software (Addressable). Procedures for guarding against, detecting, and
reporting malicious software.
CC6.8.1
CC6.8.2
CC6.8.3
CC6.8.4
(a)(5)(ii)(C) Log-in Monitoring (Addressable). Procedures for monitoring log-in attempts and reporting
discrepancies.
CC4.1.4
CC5.2.4
CC7.1.1
CC7.2.5
(a)(5)(ii)(D) Password Management (Addressable). Procedures for creating, changing, and safeguarding passwords. CC2.2.3
(a)(6)(i) Standard: Security Incident Procedures. Implement policies and procedures to address security
incidents.
CC2.2.4
CC7.2.1
CC7.2.2
CC7.3.1
CC7.3.2
CC7.4.2
CC7.4.3
(a)(6)(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected
or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that
are known to the covered entity or business associate; and document security incidents and their
outcomes.
CC2.2.4
CC7.2.1
CC7.2.2
CC7.3.1
CC7.3.2
CC7.4.2
CC7.4.3
(a)(7)(i) Standard: Contingency Plan. Establish (and implement as needed) policies and procedures for
responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural
disaster) that damages systems that contain electronic protected health information.
CC5.1.3
CC5.2.9
CC9.1.1
A1.2.7
A1.3.1
(a)(7)(ii) Implementation Specifications:
(a)(7)(ii)(A) Data Backup Plan (Required). Establish and implement procedures to create and maintain retrievable
exact copies of electronic protected health information.
CC7.5.3
CC7.5.5
A1.2.2
A1.2.4
(a)(7)(ii)(B) Disaster Recovery Plan (Required). Establish (and implement as needed) procedures to restore any loss
of data.
CC7.5.6
CC7.6.7
CC9.1.1
A1.2.5
A1.2.6
A1.2.7
A1.3.1
(a)(7)(ii)(C) Emergency Mode Operation Plan (Required). Establish (and implement as needed) procedures to
enable continuation of critical business processes for protection of the security of electronic protected
health information while operating in emergency mode.
CC5.1.3
CC5.2.9
CC9.1.1
A1.2.7
A1.3.1
(a)(7)(ii)(D) Testing and Revisions Procedures (Addressable). Implement procedures for periodic testing and
revision of contingency plans.
CC9.1.2
A1.2.8
A1.3.2
(a)(7)(ii)(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific
applications and data in support of other contingency plan components.
CC9.1.1
A1.2.7
A1.3.1
(a)(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the
standards implemented under this rule and, subsequently, in response to environmental or operational
changes affecting the security of electronic protected health information, that establishes the extent to
which a covered entity's or business associate's security policies and procedures meet the requirements of
this subpart.
N/A
(b)(1) Business Associate Contracts and Other Arrangements. A covered entity may permit a business
associate to create, receive, maintain, or transmit electronic protected health information on the covered
entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a),
that the business associate will appropriately safeguard the information. A covered entity is not required
to obtain such satisfactory assurances from a business associate that is a subcontractor.
CC2.3.3
CC3.1.3
CC3.2.4
CC3.4.2
CC3.4.3
CC9.2.1
CC9.2.2
CC9.2.4
CC9.2.5
(b)(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain,
or transmit electronic protected health information on its behalf only if the business associate obtains
satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately
safeguard the information.
N/A
(b)(3) Implementation specifications: Written contract or other arrangement (Required). Document the
satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or
other arrangement with the business associate that meets the applicable requirements of § 164.314(a).
CC2.3.3
CC9.2.1
Physical Safeguards:
The physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment,
from natural and environmental hazards, and unauthorized intrusion.
Safeguard (CFR §164.310) | Safeguard Description | Reference to SOC Control Above
(a) A covered entity or business associate must, in accordance with § 164.306:
(a)(1)(i) Standard: Facility access controls. Implement policies and procedures to limit physical access to its
electronic information systems and the facility or facilities in which they are housed, while ensuring that
properly authorized access is allowed.
CC6.4.1
(a)(2) Implementation Specifications:
(a)(2)(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow
facility access in support of restoration of lost data under the disaster recovery plan and emergency mode
operations plan in the event of an emergency.
CC5.1.3
CC5.2.9
CC9.1.1
A1.2.7
A1.3.1
(a)(2)(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the
equipment therein from unauthorized physical access, tampering, and theft.
CC6.4.1
(a)(2)(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate
a person's access to facilities based on their role or function, including visitor control, and control of
access to software programs for testing and revision.
CC6.4.1
(a)(2)(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and
modifications to the physical components of a facility which are related to security (for example,
hardware, walls, doors, and locks).
N/A
(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be
performed, the manner in which those functions are to be performed, and the physical attributes of the
surroundings of a specific workstation or class of workstation that can access electronic protected health
information.
N/A
(c) Standard: Workstation security. Implement physical safeguards for all workstations that access
electronic protected health information, to restrict access to authorized users.
CC6.4.1
(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and
removal of hardware and electronic media that contain electronic protected health information into and out
of a facility, and the movement of these items within the facility.
CC6.5.1
(d)(2) Implementation Specifications:
(d)(2)(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic
protected health information, and/or the hardware or electronic media on which it is stored.
CC6.5.1
(d)(2)(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information
from electronic media before the media are made available for re-use.
CC6.5.1
(d)(2)(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and
any person responsible therefore.
N/A
(d)(2)(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health
information, when needed, before movement of equipment.
N/A
Technical Safeguards:
The technology and the policy and procedures for its use that protect electronic protected health information (PHI) and control access to it.
Safeguard (CFR §164.312) | Safeguard Description | Reference to SOC Control Above
(a) A covered entity or business associate must, in accordance with § 164.306:
(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information
systems that maintain electronic protected health information to allow access only to those persons or
software programs that have been granted access rights as specified in § 164.308(a)(4).
CC6.1.1
CC6.1.2
CC6.2.1
CC6.3.2
CC6.3.3
(a)(2) Implementation Specifications:
(a)(2)(i) Unique user identification (Required). Assign a unique name and/or number for identifying and
tracking user identity.
CC6.1.1
(a)(2)(ii) Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary
electronic protected health information during an emergency.
CC6.2.1
CC6.3.3
CC9.1.1
A1.3.1
(a)(2)(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session
after a predetermined time of inactivity.
CC6.1.6
(a)(2)(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic
protected health information.
CC6.7.1
CC6.7.2
CC7.5.4
A1.2.3
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and
examine activity in information systems that contain or use electronic protected health information.
CC4.1.4
CC5.2.4
CC7.1.1
CC7.2.5
(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information
from improper alteration or destruction.
N/A
(c)(2) Implementation specification: Mechanism to authenticate electronic protected health information
(Addressable). Implement electronic mechanisms to corroborate that electronic protected health
information has not been altered or destroyed in an unauthorized manner.
N/A
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity
seeking access to electronic protected health information is the one claimed.
CC6.1.3
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized
access to electronic protected health information that is being transmitted over an electronic
communications network.
CC6.7.1
(e)(2) Implementation Specifications:
(e)(2)(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted
electronic protected health information is not improperly modified without detection until disposed of.
N/A
(e)(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information
whenever deemed appropriate.
CC6.7.1
CC6.7.2
CC7.5.4
A1.2.3
Organizational Requirements:
This standard requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity’s
electronic protected health information (EPHI).
Safeguard (CFR §164.314) | Safeguard Description | Reference to SOC Control Above
(a)(1) Standard: Business Associate Contracts or Other Arrangements. The contract or other arrangement
required by § 164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of
this section, as applicable.
CC2.3.3
CC9.2.1
(a)(2) Implementation specifications: (Required).
(a)(2)(i) Business associate contracts. The contract must provide that the business associate will—
(a)(2)(i)(A) Comply with the applicable requirements of this subpart; CC2.3.3
CC9.2.1
(a)(2)(i)(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or
transmit electronic protected health information on behalf of the business associate agree to comply with
the applicable requirements of this subpart by entering into a contract or other arrangement that complies
with this section; and
CC2.3.3
CC9.2.1
(a)(2)(i)(C) Report to the covered entity any security incident of which it becomes aware, including breaches of
unsecured protected health information as required by § 164.410.
CC2.3.3
(a)(2)(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section, if it
has another arrangement in place that meets the requirements of § 164.504(e)(3).
N/A
(a)(2)(iii) Business Associate Contracts with Subcontractors. The requirements of paragraphs (a)(2)(i) and
(a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and
subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or
other arrangements between a covered entity and business associate.
N/A
(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. SOC Control: N/A

(b)(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—

(b)(2)(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; SOC Control: N/A

(b)(2)(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; SOC Control: N/A

(b)(2)(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and SOC Control: N/A

(b)(2)(iv) Report to the group health plan any security incident of which it becomes aware. SOC Control: N/A
Policies and Procedures and Documentation Requirements:

This standard requires a covered entity to implement policies and procedures to ensure safeguards are implemented to protect electronic protected health information (EPHI).

Safeguard (CFR §164.316) | Safeguard Description | Reference to SOC Control Above
A covered entity or business associate must, in accordance with § 164.306:

(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. SOC Control: CC5.3.1
(b)(1) Standard: Documentation.

(b)(1)(i) Maintain the policies and procedures implemented to comply with this subpart in written form. SOC Control: CC5.3.1

(b)(1)(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. SOC Control: CC5.3.1, CC5.3.3

(b)(2) Implementation specifications:

(b)(2)(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for six (6) years from the date of its creation or the date when it last was in effect, whichever is later. SOC Control: CC5.3.2

(b)(2)(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. SOC Control: CC2.2.1

(b)(2)(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. SOC Control: CC5.3.3