LATISYS HOLDINGS, LLC SOC 2 Type 2 Report on Latisys ... · Controls Relevant to Security and Availability ... provides data center solutions, including its Colocation Services, Managed

LATISYS HOLDINGS, LLC SOC 2 Type 2 Report on Latisys’ Colocation Services, Managed Hosting, and

Managed Services System and on the Design and Operating Effectiveness of its Controls Relevant to Security and Availability

November 1, 2012 through October 31, 2013

sember

Cover

LATISYS HOLDINGS, LLC

SOC 2 Type 2 Report on Latisys’ Colocation Services, Managed Hosting, and Managed Services System and on the Design and Operating Effectiveness of its Controls Relevant to Security and Availability

November 1, 2012 through October 31, 2013

TABLE OF CONTENTS

SECTION ONE Management of Latisys’ Assertion ......................................................................................................................................... 2 SECTION TWO Independent Service Auditor’s Report .................................................................................................................................. 5 SECTION THREE Description of Latisys’ Colocation Services, Managed Hosting, and Managed Services System Company Overview ................................................................................................................................................................... 8 Components of the System ........................................................................................................................................................ 9 Boundaries of the System ........................................................................................................................................................ 16 Principles and Related Criteria ................................................................................................................................................ 16 Other Aspects of the Internal Control Environment, Risk Assessment Process, Information and Communication Systems, and Monitoring of Controls that are Relevant to the Services Provided and the Applicable Trust Services Criteria ............................................................................................................................ 17

SECTION FOUR Latisys’ Security and Availability Trust Principles and Related Controls and Independent Service Auditor’s Description of Tests of Controls and Results of Tests

Introduction ............................................................................................................................................................................. 21 Security and Availability Principles Policies ...................................................................................................................................................................... 22 Communications ....................................................................................................................................................... 26 Procedures ................................................................................................................................................................. 31 Monitoring ................................................................................................................................................................ 61

SECTION ONE

MANAGEMENT OF LATISYS’ ASSERTION

MANAGEMENT OF LATISYS’ ASSERTION REGARDING ITS COLOCATION SERVICES, MANAGED HOSTING, AND MANAGED SERVICES SYSTEM

We have prepared the attached description of Latisys Holdings, LLC (“Latisys”) Colocation Services, Managed Hosting, and Managed Services System, for the period from November 1, 2012 to October 31, 2013 (the “Description”), based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service organization’s system identified in paragraphs 1.34-.35 of the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2 (SM)) (the “Description Criteria”). The Description is intended to provide users with information about the Colocation Services, Managed Hosting, and Managed Services System (the “System”), particularly System controls intended to meet the criteria for the security and availability principles set forth in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids) (“applicable trust services criteria”). We confirm, to the best of our knowledge and belief, that:

a. The Description fairly presents Latisys’ System throughout the period from November 1, 2012 to October 31, 2013 based on the following Description Criteria: i. The Description contains the following information:

(1) The types of services provided.

(2) The components of the System used to provide the services, which are the following:

Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks).

Software. The programs and operating software of a system (systems, applications, and utilities).

People. The personnel involved in the operation and use of a system (developers, operators, users, and managers).

Procedures. The automated and manual procedures involved in the operation of a system.

Data. The information used and supported by a system (transaction streams, files, databases, and tables).

(3) The boundaries or aspects of the System covered by the Description.

(4) How the System captures and addresses significant events and conditions.

(5) The process used to prepare and deliver reports and other information to user entities or other parties.

(6) If information is provided to, or received from, subservice organizations or other parties, how such information is provided or received; the role of the subservice organization and other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.

(7) For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, (a) complementary user entity controls contemplated in the design of the service organization’s System, and (b) when the inclusive method is used to present a subservice organization, controls at the subservice organization.

(8) For subservice organizations presented using the carve-out method, the nature of the services provided by the subservice organization; each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization, and the types of controls expected to be implemented at carved-out subservice organizations to meet those criteria; and, for privacy, the types of activities that the subservice organization would need to perform to comply with our privacy commitments.

(9) Any applicable trust services criteria that are not addressed by a control at the service organization or a subservice organization and the reasons thereof.

(10) Other aspects of the service organization’s control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria.

(11) Relevant details of changes to the service organization’s System during the period covered by the Description.

ii. The Description does not omit or distort information relevant to the service organization’s System while acknowledging that the Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the System that each individual user may consider important to his or her own particular needs.

b. The controls stated in the Description were suitably designed throughout the specified period to meet the applicable trust services criteria.

c. The controls stated in the Description operated effectively throughout the specified period to meet the applicable trust services criteria.

Latisys does not use subservice organizations or other parties to address its Colocation Services, Managed Hosting, and Managed Services System. Accordingly, our Description does not address the criteria in items (a)(i)(6), (a)(i)(7)(b), and (a)(i)(8). Latisys Holdings, LLC By: Wm. Evans Mullan Chief Operating Officer November 26, 2013

SECTION TWO

INDEPENDENT SERVICE AUDITOR’S REPORT

INDEPENDENT SERVICE AUDITOR’S REPORT To the Management of Latisys Holdings, LLC Englewood, Colorado Scope We have examined the accompanying description of Latisys Holdings, LLC (“Latisys”) Colocation Services, Managed Hosting, and Managed Services System, and the suitability of the design and operating effectiveness of controls to meet the criteria for the security and availability principles set forth in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy, throughout the period from November 1, 2012 to October 31, 2013. The Description indicates that certain applicable trust services criteria specified in the Description can be achieved only if complementary user entity controls contemplated in the design of Latisys’ controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls. Service Organization’s Responsibilities Latisys has provided the accompanying assertion, “Management of Latisys’ Assertion Regarding its Colocation Services, Managed Hosting, and Managed Services System,” for the period from November 1, 2012 to October 31, 2013, which is based on the criteria identified in management’s assertion. Latisys is responsible for (1) preparing the Description and assertion; (2) the completeness, accuracy, and method of presentation of both the Description and assertion; (3) providing the services covered by the Description; (4) selecting the trust services principle(s) being reported on and stating the applicable trust services criteria and related controls in the Description; (5) identifying any applicable trust services criteria relevant to the principle(s) being reported on that have been omitted from the Description and explaining the reason for the omission; (6) specifying the controls that meet the applicable trust services criteria and stating them in the Description; and (7) designing, implementing, maintaining, and documenting the controls to meet the applicable trust services criteria. Service Auditor’s Responsibilities Our responsibility is to express an opinion on the fairness of the presentation of the Description based on the Description Criteria set forth in Latisys’ assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the AICPA. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the Description is fairly presented based on the Description Criteria, and (2) the controls were suitably designed and operated effectively to meet the applicable trust services criteria throughout the period from November 1, 2012 to October 31, 2013. Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the Description based on the Description Criteria and the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the Description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

sember

Denver Letterhead

To the Management of Latisys Holdings, LLC Inherent Limitations Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description or conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services criteria is subject to the risks that the Colocation Services, Managed Hosting, and Managed Services System (“the System”) may change or that controls at a service organization may become inadequate or fail. Opinion In our opinion, in all material respects, based on the Description Criteria identified in Latisys’ assertion and the applicable trust services criteria:

a. The Description fairly presents the System that was designed and implemented throughout the period from November 1, 2012 to October 31, 2013.

b. The controls stated in the Description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period from November 1, 2012 to October 31, 2013 and user entities applied the complementary user entity controls contemplated in the design of Latisys’ controls throughout the period from November 1, 2012 to October 31, 2013.

c. The controls tested, which, together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the applicable trust services criteria were met, operated effectively throughout the period from November 1, 2012 to October 31, 2013.

Description of Tests of Controls The specific controls tested and the nature, timing, and results of those tests are presented in Section Four of our report titled “Latisys’ Security and Availability Trust Principles and Related Controls and Independent Service Auditor’s Description of Tests of Controls and Results of Tests.” Restricted Use This report and the description of tests of controls and results thereof are intended solely for the information and use of Latisys; user entities of Latisys’ Colocation Services, Managed Hosting, and Managed Services System during some or all of the period from November 1, 2012 to October 31, 2013; and prospective user entities, independent auditors, and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

• The nature of the service provided by the service organization • How the service organization’s System interacts with user entities, subservice organizations, and other parties • Internal control and its limitations • Complementary user entity controls and how they interact with related controls at the service organization to meet

the applicable trust services criteria • The applicable trust services criteria • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those

risks This report is not intended to be and should not be used by anyone other than these specified parties. If report recipients are other than these specified parties (herein referred to as “non-specified users”) and have obtained this report or have access to it, use of this report is the non-specified users’ sole responsibility and at the non-specified users’ sole and exclusive risk. Non-specified users may not rely on this report and do not acquire any rights against EKS&H LLLP as a result of such access. Further, EKS&H LLLP does not assume any duties or obligations to any non-specified users who obtain this report and/or have access to it.

EKS&H LLLP

November 26, 2013 Denver, Colorado

SECTION THREE

DESCRIPTION OF LATISYS’ COLOCATION SERVICES, MANAGED HOSTING, AND MANAGED SERVICES SYSTEM

LATISYS Description of the System

Proprietary and Confidential 8

COMPANY OVERVIEW Latisys Holdings, LLC (“Latisys” or the “Company”) provides data center solutions, including its Colocation Services, Managed Hosting, and Managed Services System (the “System”), to extend and enhance the Information Technology (“IT”) infrastructure of its clients. Latisys provides colocation services and managed services built upon a robust data center infrastructure with locations in Irvine, California; Englewood, Colorado; Oak Brook, Illinois; and Ashburn, Virginia. Colocation Services Colocation services allow companies to house their voice, computing, and networking equipment within a highly connected, redundant, and secure facility. Colocation enables small to medium-sized companies to leverage a large company infrastructure, to be cost-effective, and to build their IT services on a solid foundation of power and connectivity. Colocation services are also ideal for creating a centralized computing location for companies with distributed physical locations. Managed Hosting Managed Servers Latisys can provision, install, configure, monitor, troubleshoot, and maintain Intel-based servers with the client’s required compute processing capability, for the client to run supported operating systems and applications. Clients subscribe to specific hardware capabilities, and Latisys can provide those capabilities as a service. Latisys can manage the day-to-day operation and maintenance of the server hardware, allowing the client to focus on managing their software environment. Virtualization Latisys can install and provide any applicable licensing for Microsoft- and VMware-based hypervisors, which enable the virtualization of multiple servers onto a single physical host or cluster of physical hosts for Latisys Managed Servers. Managed Virtualization includes the installation of and configuration of resource allocations to guest operating systems (as separately licensed) for each virtual server instance and ongoing break-fix support for the hypervisor and supported functionality for high availability where utilized. Managed Services Latisys provides a suite of managed services that can be subscribed to individually or in conjunction with other Latisys services. These managed services utilize the best technology and practices to bring enterprise-class services to small and medium-sized clients. These managed services offerings include: Data Protection Latisys’ data protection service utilizes a disk-based backup system that is scalable and secure. Nightly updates indicate the success of the data backups, the amount of data protected, and the detail of the directories that were protected. This product provides unlimited scalability and rapid backup-and-restore processes with speeds of up to 20 GB per hour. The reporting data available allows IT personnel to know exactly what has been protected and provides proof that data is being protected in accordance with necessary compliance guidelines. Replicated Data Protection Latisys can also replicate client data to another data center. This service provides comprehensive protection of data in the case of a catastrophic disaster at the Latisys location. In such a case, the client would have its data fully protected and available at an alternate data center.



Managed Firewall Firewall services are available to protect customer information. Latisys’ security products utilize Cisco hardware. The firewall can be applied to dedicated hosted solutions, colocation infrastructure, and point-to-point data circuits that connect to Latisys’ facility. Firewalls provide a critical layer of protection for customer data. When used with proper patch and system administration, firewalls can prevent unauthorized users from gaining access or exploiting flaws in operating system software or applications that might otherwise allow unauthorized access to data. Intrusion Prevention System An Intrusion Prevention System (“IPS”) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. Latisys’ network-based IPS monitors the customer’s traffic and will either alert on malicious traffic or communicate to the firewall necessary information to block malicious traffic. Virtual Private Network Deploying a Virtual Private Network (“VPN”) allows employees or other authorized personnel to gain access to infrastructure that is otherwise protected by a firewall or other filtering rules. A VPN will encrypt data transferred from the user’s location to the destination server, preventing third parties from intercepting data in transit between locations. Solutions can extend application availability by pooling the resources of two or more servers together in a configuration that allows the customer to determine the amount of bandwidth throughput, sessions, and protocols that are available for each application. Storage Area Network Latisys provides reliable and cost-effective Storage Area Network (“SAN”) services to customers that need high-speed and high-volume data storage. A SAN is an architecture that attaches remote computer storage devices (such as disk arrays, tape libraries, and optical jukeboxes) to servers in such a way that, to the operating system, the devices appear to be locally attached. COMPONENTS OF THE SYSTEM The System is comprised of the following components:

Infrastructure (facilities, equipment, and networks) Software (systems, applications, and utilities) People (developers, operators, users, and managers) Procedures (automated and manual) Data (transaction streams, files, databases, and tables)

The following sections of this description define each of these five components comprising the System. Infrastructure The Latisys IT environment is spread over all of the Latisys facilities. Housed within each data center are the supporting operating system platforms (UNIX, Linux, and Windows-based), networking components (routers, switches, firewalls), and data storage devices. The data centers are interconnected to each other by an Internet Protocol (“IP”) based network architecture. The IT personnel who support these data centers are primarily based at the Company’s corporate office facilities in Colorado.



The Latisys Engineering team is presently responsible for supporting approximately 300 servers supporting the in-scope technology solutions. These servers are summarized below by operating system and the various purposes served.

Operating System Server Purpose

UNIX: HP-UX 11.11 HP-UX 11.23 AIX Solaris 8

Database servers System management tools Networking systems Backup/recovery services Web servers and file transfer protocols (“FTP”) Monitoring tools Application servers

Linux: Redhat Linux AS 2.1 Redhat Linux ES 3.0 Redhat Linux EX 4.0 RHES 4.0 RHES 5.0 RHES 6.2

Web servers and proxies Backup/recovery services Monitoring tools FTP services Application servers

Windows: Windows 2000 Windows 2003 Windows NT4 Windows NT5 Windows 2008 Windows 7

Monitoring tools Application servers Database servers FTP services Backup/recovery services Domain controllers

WM Ware: ESX 3.5 ESX 4.0 ESXi 4.0 ESXi 4.1 ESXi 5.0 U1

System management tools Networking systems Backup/recovery services Web servers and FTP Monitoring tools Application servers

Latisys has data center facilities in Irvine, California; Englewood, Colorado; Oak Brook, Illinois; and Ashburn, Virginia. The facilities have the following features: Space

Latisys has over 200,000 square feet of production data center space, featuring static-dissipating raised floors, supporting custom caged space, full cabinets, half cabinets, one-third cabinets, and single rack units of space for customer equipment.

Each location offers custom caged space built-to-suit, including cabinet, rack, and internal cabling configurations. Cabinet space includes adjustable vertical rails and cable management systems.

Latisys’ facilities maintain high security standards for building access and perimeter monitoring. All inter-building area access is monitored and enforced by proxy card key access, biometric hand scanners, and motion detection cameras. All access information and video surveillance is logged and available to customers for review upon request.



Fire detection devices and systems within each data center are monitored both within the Network Operation Center (“NOC”) and by backup third-party monitoring services. The monitoring system informs the NOC staff of the specific alarm generating the warning and its location. The data center has sensors installed both above and below the raised floor to detect gases that rise with the airflow in the data center, as well as heavy gases that tend to settle under the floor. The fire suppression system is a pre-action dry pipe, which discharges water only from the appropriate locations when the heat in the data center increases enough to trigger a fire sprinkler head. The discharge of a sprinkler signals the emergency power-off switch, which simultaneously turns off the electrical power to the data center.

Cooling and humidity are controlled by computer room air conditioning units and air handling units featuring N+1 redundancy. The systems keep the operating environment in the data centers at 72 degrees with 35% humidity, with a variation of no more than 8 degrees of temperature and 4% humidity, which conforms to the temperature and humidity specifications outlined in the 2008 American Society of Heating, Refrigerating and Air Conditioning Engineers Environmental Guidelines for Datacom Equipment.

Each facility has an on-site NOC that is staffed 24x7x365 to monitor all aspects of the overall health of the data centers. In addition to monitoring the facilities, the NOC is available for remote hands service for customers. Remote hands service allows customers to direct NOC technicians to do tasks on their equipment, including reboots, console commands, and drive swaps.

The data center facilities have enough scalable space for customers’ future growth needs. Power

All Latisys facilities feature multiple commercial power entrances and transformers, providing multiple paths to help mitigate the potential loss of commercial power to the building.

For critical systems at all facilities, Automatic Transfer Switches are on stand-by to transfer power from the commercial source to a bank of diesel generators in the event of commercial power loss.

During the transfer from commercial to generated power, constant conditioned power is supplied to critical systems via Uninterruptible Power Supply (“UPS”) systems.

Access

Latisys provides customers with high-speed Internet access via its fully redundant, high-capacity data network. By default, dual network connections to a customer’s space start at 10 Mbps and scale up to 10 Gbps. This link can support multiple configurations of layer 2 and layer 3 failover technologies. The use of a redundant link minimizes downtime in the event of a single device failure on the customer’s or on Latisys’ equipment.

Customers may also choose to connect to other telecommunications carriers within the facility for private-line access to customer locations and/or remote offices. Customers connect to such carriers by purchasing an inter-facility cross-connect from Latisys. Cross-connects have several configurations and are either copper or fiber optic connections.

Software Software used by the Engineering and IT teams to manage and support the Latisys IT environment includes:

System and network monitoring Security monitoring Help desk support

The Latisys IT environment described herein does not include application software supporting the technology solutions provided by Latisys to individual clients or Latisys’ business unit applications.



People The following is the functional reporting structure of Latisys:

Management Profiles Operations of Latisys are under the direction of a management team that ultimately reports to the Board of Managers of Latisys Holdings, LLC. The management team of Latisys includes: Peter Stevenson - President/Chief Executive Officer Peter Stevenson is the President/Chief Executive Officer of Latisys, a company he co-founded in 2007 with sector-focused private equity investors who are actively engaged in the consolidation of colocation and managed services businesses. Mr. Stevenson also serves as a member of the Board of Directors at Search Force, a growing Search Engine Optimization software as a service company, and plays an active role with investors and management in guiding the operational and strategic development of Latisys. Mr. Stevenson has over 25 years of experience in the communications and IT services industries. His visionary, yet pragmatic business approach – where he encourages an environment of collaboration while setting a high standard for performance within the organization – has led to positive growth throughout his career. Prior to founding Latisys, Mr. Stevenson was Chief Executive Officer of Globix Corporation, an American Stock Exchange-listed company, and served as a member of the Board of Directors of Globix. After joining Globix in April 2002, Mr. Stevenson led the transformation of an organization that had just emerged from Chapter 11 into a profitable, leading global provider of managed services, colocation, IP infrastructure, and fiber network services. Globix completed the sale of its managed services, colocation, and IP infrastructure assets in 2006 and its fiber network assets in 2007. Prior to joining Globix, Mr. Stevenson was a Senior Consultant to Communications Technology Advisors LLC, a restructuring and telecom advisory boutique firm focused on distressed telecommunications companies, where he provided strategic planning, restructuring, and overall business counsel to investors and management. From 2003 through 2004, Mr. Stevenson was a member of the Board of Directors for Focal Communications, a $350 million national competitive local exchange carrier (“CLEC”) that was sold to Broadwing in 2004. He was also a member of the Board of Directors’ compensation committee.

Peter K. StevensonPresident/CEO

Douglas A. ButlerChief Financial Officer

W. Evans MullanChief Operating Officer

Randal R. ThompsonChief Sales Officer

Latisys Holdings, LLCBoard of Managers

Finance, HR, Law and Marketing Staff

Operations, Engineering &

Customer Care Staff

Sales Staff



Mr. Stevenson was a co-founder of Net Uno, one of the largest cable television, CLEC, and Internet Service Providers in Venezuela, which he and his partners built both organically and through acquisition. During his tenure with Net Uno, he resided in Venezuela for two years. After returning to the U.S. at the end of 2000, he continued to serve as a strategic advisor to the Board of Directors through the end of 2001. Prior to this, Mr. Stevenson was a Partner and Vice President for Wave International, an international telecom investment and management firm focused on developing companies in international markets. Earlier in his career, he spent approximately 13 years at Bell Atlantic Corporation in various sales and marketing roles, including as Managing Director in the Corporate Development Group. Mr. Stevenson graduated with a Bachelor of Science degree from Saint Francis University in Loretto, Pennsylvania. Doug Butler - Chief Financial Officer Doug Butler is the Chief Financial Officer and a co-founder of Latisys, with over 20 years of experience as an executive and investment banker for the telecommunications and infrastructure industry. Prior to cofounding Latisys, Mr. Butler served as Chief Financial Officer for Looking Glass Networks, a Chicago-based nationwide provider of metropolitan fiber-optic network services, which was acquired by Level 3 Communications in 2006. Prior to joining Looking Glass Networks, he served as Chief Financial Officer for Cambrian Communications, a Virginia-based startup that developed a state-of-the-art fiber network between Washington, D.C., and New York City. Prior to joining Cambrian, Mr. Butler was an investment banker for ten years with Barclays Capital, focused on debt capital markets and the telecommunications industry. Mr. Butler is a graduate of Princeton University. Wm. Evans Mullan - Chief Operating Officer Wm. Evans Mullan is a co-founder of Latisys. He is responsible for the day-to-day management of the data center facilities and the ongoing integration of functions across the centers. Mr. Mullan most recently served as Vice President for First Avenue Networks. As a member of the executive team, he helped grow the company from a $25 million market capitalization to over $800 million. Prior to joining First Avenue Networks, Mr. Mullan was Vice President of Operations at Winstar with executive responsibility for several different areas, including the network management center, operations support staff, and customer provisioning. Previously, Mr. Mullan worked for Hill Associates and lectured to executive and management audiences within Fortune 50 companies on advanced communications technologies. Mr. Mullan has 20 years of sales and sales management experience with First Avenue Networks, Bell Atlantic, Hill Associates, and Net 2000 Consulting Services. He has sold complex telecommunication solutions and services to federal government agencies, Fortune 500 companies, and national telecom carriers. Mr. Mullan received a Bachelor of Arts in History from the University of Virginia in Charlottesville, Virginia. Randal Thompson - Chief Sales Officer Randal Thompson, with over 15 years of experience in the data center and managed services industries, serves as Latisys’ Chief Sales Officer. He is responsible for leading a national team that is laser-focused on aggressively driving revenue through direct and channel sales. Mr. Thompson most recently served as Senior Vice President, Global Sales, at data center, network, and IT infrastructure services provider Internap, where he oversaw the global sales organization, including direct/channel sales, sales engineering, and client management. Mr. Thompson successfully led domestic and international selling organizations for the $230 million publicly traded firm using a collaborative yet focused management style and achieved significant increases in year-over-year gross margins, average deal size, and sales bookings during his tenure.



Prior to Internap, Mr. Thompson served seven years in various executive sales positions at MCI, including as Director of Sales, Major and National Accounts, where he led an 85-person sales organization accountable for $150 million in annual revenue. Mr. Thompson was named to the Internap and MCI President’s Clubs for 12 straight years, demonstrating a commitment to delivering consistent results. Mr. Thompson received a Bachelor of Science in Criminal Justice from the University of New Haven in West Haven, Connecticut. Functional Responsibilities Sales and Channel Development Under the direction of Randal Thompson, Latisys’ solutions-based sales force is the first point of contact for those interested in the Company’s services. Together, with the expertise of the Engineering team, the Sales team helps design a solution to meet each client’s unique business needs. Data Center Operations The Operations team oversees the activities related to all physical operations in the facility, including Network Center Operations, Facility Operations, and Implementations. Engineering and IT The Engineers are the point of escalation for complex issues regarding network infrastructure and server/solution issues. They also provide customer infrastructure design and implementation as needed, along with professional services related to Latisys’ managed services offering. In addition, they evaluate the latest technologies for future solutions and infrastructure improvements. Engineers are located at each of the Latisys facilities and serve customers at all facilities. Finance, Human Resources, Legal, and IT All finance, human resources, legal, and marketing needs are handled by Doug Butler’s staff. Many of the staff are located in the Englewood, Colorado, office, though representatives are also located at each of the facilities. Customer Care All customer care issues are handled by Wm. Evans Mullan’s staff. Many of the staff are located in the Ashburn, Virginia, office, though representatives are also located at each of the facilities.



The following is a functional organization chart that represents how each of the facilities is staffed:

The Vice President of Data Center Operations directs all of the infrastructure-related activities, along with construction of new Latisys facilities. Construction Managers are responsible for every aspect of making a new facility ready for Latisys’ use. The Director of Data Center Operations oversees the activities related to all physical operations in the facility. The Facilities Manager and Mechanical Engineer are responsible for systems, such as the heating, ventilation, and air conditioning units and water treatment systems. The Operations Engineers manage other systems, such as the generators and the UPS systems. This team is often found working together to make sure all systems are operating in harmony throughout the facility. The Vice President of Customer Care manages all aspects of customer service. This includes the Technical Operations Manager, whose team is the first point of contact for customers. The Network Operations team is led by a NOC Supervisor, along with several staff members, to cover Latisys’ 24x7x365 hours of operation. The Implementations team leads all customer installations. They coordinate with the Data Center Operations team and the Sales team to make sure that installations are proceeding according to schedule for everything from simple to complex colocation and managed hosting/services installations. The Vice President of Engineering is responsible for delivering engineering services to customers in all facilities, along with the internal IT staff, to support Latisys. Team members are found at all four facilities and are not limited to serving customers only in their facility. Engineers provide Tier 3 support, along with managing the network and software systems critical to Latisys’ customers. Engineers also do all of the network and managed services provisioning for new customers.



Procedures Latisys has documented policies and procedures to support the operations and controls over its physical and logical environments. Specific examples of the relevant policies and procedures include the following:

Policy management and communication System security administration Server security configuration Network operations Enterprise change management Incident/problem management Physical security administration Tape backup and off-site storage

Data Latisys does not control customer-specific hardware, operating systems, databases, applications, or any other content loaded on the customer’s hardware. BOUNDARIES OF THE SYSTEM The boundaries of a system are the specific aspects of a service organization’s infrastructure, software, people, procedures, and data necessary to provide its services. The boundaries of Latisys’ System include applications and infrastructure that directly support the services provided to Latisys’ customers. Any applications, databases, and infrastructure that indirectly support the services provided to Latisys’ customers are not included within the boundaries of Latisys’ System. For example, as Latisys does not have access to customer data, criteria related to data classification are not within the boundaries of the System. PRINCIPLES AND RELATED CRITERIA The five attributes of a system are known as principles, and they are defined as follows:

Security: The system is protected against unauthorized access (both physical and logical). Availability: The system is available for operation and use, as committed or agreed. Processing Integrity: System processing is complete, accurate, timely, and authorized. Confidentiality: Information designated as confidential is protected, as committed or agreed. Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the

commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and the Canadian Institute of Chartered Accountants.

The Trust Services Principles and Criteria are organized into four broad categories:

Policies: The entity has defined and documented its policies relevant to the particular principle. Communications: The entity has communicated its defined policies to authorized users. Procedures: The entity uses procedures to achieve its objectives in accordance with its defined policies. Monitoring: The entity monitors the system and takes action to maintain compliance with its defined policies.

This report is focused solely on the Security and Availability principles and does not include the Processing Integrity, Confidentiality, and Privacy Principles. Latisys’ applicable criteria supporting the Security and Availability principles, related controls, and complementary user entity controls are included in Section Four of this report, “Latisys’ Security and Availability Trust Principles and Related Controls and Independent Service Auditor’s Description of Tests of Controls and Results of Tests,” to eliminate the redundancy that would result from listing them in this section and repeating them in Section Four. Although the applicable criteria and related controls are included in Section Four, they are, nevertheless, an integral part of the Company’s description of its System.



OTHER ASPECTS OF THE INTERNAL CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESS, INFORMATION AND COMMUNICATION SYSTEMS, AND MONITORING OF CONTROLS THAT ARE RELEVANT TO THE SERVICES PROVIDED AND THE APPLICABLE TRUST SERVICES CRITERIA Control Environment The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. The control environment sets the tone of an organization by influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility; the way management organizes and develops its people; and the attention and direction provided by the Board of Managers. The objective of the control environment is to establish and promote a collective attitude toward achieving effective internal control over the entity’s business. Written position descriptions for all Latisys employees are maintained by the human resources department. The descriptions are reviewed regularly and revised as necessary. Latisys’ vacation policy is structured to encourage employees to take vacation in the calendar year in which it is earned. Employees earn 15 days of paid time off throughout the year and are expected to take the time they have earned on a regular basis. All employees receive an annual written performance evaluation. These reviews are based on employee-stated goals and objectives that are prepared and reviewed with the employee’s supervisor. Completed appraisals are reviewed by senior management and human resources and become a permanent part of the employee’s personnel file. Risk Assessment Risk assessment is the component of the Company’s internal control environment that involves identifying and analyzing risks (both internal and external) relevant to achieving business objectives. Latisys has placed into operation processes to identify and manage risks that could affect its ability to provide reliable colocation services and managed services. These processes require management to identify significant risks inherent in providing colocation services and managed services for clients and to implement appropriate measures to monitor and manage these risks. One of those processes is the Shift Report that is prepared at the end of each shift by the Network Operations personnel. The Shift Report contains information regarding items noticed on facility walkthroughs, corporate network issues, customer issues, hosting customer issues, and miscellaneous issues. The Network Operations staff reviews these reports for the previous 24 hours before their shift so they are aware of any ongoing issues and can follow up on any outstanding items, if necessary. Emergency Procedures Each facility has an emergency response plan to bring needed resources together in an organized manner to deal with an adverse event related to the safety and security of the facility. In addition, written emergency procedures have been developed, which encompass the various types of emergencies that could occur. Emergency procedures are documented, and evacuation routes and exits are identified and posted in various locations in the facility. Information and Communication Information and communication is the component of internal control that ensures pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal with internally generated data, as well as information about external events, activities, and conditions necessary to make informed business decisions. Effective communication also must occur, in a broader sense, throughout the Company. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. Individuals must understand their own role in the internal control system, as well as how individual activities relate to the work of others. Individuals must have a means of communicating significant information upwards within the Company, the objective of which is to ensure that information relevant to operating the business and the maintenance of internal controls and records is identified, captured, and communicated to the appropriate individuals on a timely basis.



Latisys uses various methods of communication to help ensure that all employees understand their individual roles and Company controls, as well as to guarantee significant events are communicated timely. Continuous communications and hands-on training help ensure that employees are aware of significant policy and organizational events and changes, as well as significant issues and exceptions, in a timely manner. Latisys uses a Web-based, internally developed Enterprise Resource Planning (“ERP”) system for quoting and order management, account and contact management, and reporting. ERP is a centralized system supporting all data centers and is used by multiple functional groups within the Company. The confidentiality of client information is stressed during the new-employee orientation program. Latisys provides a mandatory orientation and training program for all employees and encourages additional outside training and education. All employees are required to sign a confidentiality agreement acknowledging their obligation to treat Latisys and client information in a confidential manner. As a matter of communicated policy, information concerning Latisys’ clients, employees, processes, and suppliers is confidential and is not to be disclosed to outside parties. This includes requests for employment references, which should always be directed to the human resources department for the proper response. Employees are trained to make all reasonable efforts to avoid conflicts of interest. This includes communications or relationships with co-workers, former employees, job applicants, vendors, clients, or competitors that could reasonably impair one’s ability to act in Latisys’ best interests. Monitoring Monitoring is a process that assesses the quality of the Company’s internal control performance over time. Effective monitoring is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities and other actions personnel take in the performance of their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported throughout the Company, with serious matters reported to top management and the Board of Managers. The objective of monitoring is to detect and remediate control deficiencies throughout the entire system of internal control. Management and supervisory personnel monitor the quality of internal control performance as a routine part of the quality control process. To assist in this monitoring, Latisys implemented a series of key-indicator management reports that measure the results of various processes involved in client service. All exceptions to standard operating procedures are logged, reported, and resolved daily, including the results of the standard internal audit procedures. This quality control process provides assurance that service levels are defined and managed in a manner that provides a common understanding of performance levels by which the quality of services offered to Latisys’ clients will be measured. User Entity Control Considerations Latisys’ control policies and procedures over its System cover only a portion of the overall control structure of each user. It is not feasible for the control objectives to be solely achieved by Latisys. Therefore, each Latisys user’s internal control structure must be evaluated in conjunction with Latisys’ control policies and procedures summarized in the report. User controls and technical configurations should be monitored, reviewed, and kept current to meet user requirements. User auditors should evaluate the impact of these controls and technical configurations on the control environment at the user entities. User management is responsible for the following:

The Latisys Master Services Agreement – Specifies the responsibilities of Latisys and customer organizations. Users and user auditors should refer to the agreement with respect to these responsibilities.

Backup of Files – Users are also responsible for the backup of all data files, report files, and programs resident on their in-house systems that are used to communicate with Latisys’ systems and for the backup of all data files, report files, and programs resident on their systems that are colocated at Latisys. Backup service may be obtained from Latisys as agreed upon between the customer and Latisys. Appropriate backup procedures should be in place to safeguard such media from intentional or unintentional changes or damage.



Access Controls – User entity control considerations should include, but are not limited to: o Latisys’ colocation customers should review badge authorization data with Latisys at least annually and in the

event of employee reorganizations or terminations. o Latisys’ customers should review Supervisory Point of Contact (“SPOC”) data on file with Latisys at least

annually and in the event of employee reorganizations or terminations. o The SPOC is responsible for verifying that all the required access authorization forms for colocation customer

employees, vendors, and contractors are completely filled out and forwarded to the Latisys security staff for processing.

o The SPOC is responsible for verifying that the Latisys staff is immediately notified in writing of any employment or access rights changes to employees, vendors, or contractors who have been issued Latisys security access badges.

Firewall – Users are responsible for defining security policies and access lists that are appropriate for their environment. Latisys will establish firewall rules specific to a user’s environment to meet the policies defined by users, as well as throughput and Network Address Translation requirements.

Data Protection – Users are responsible for determining the data to be backed up by providing Latisys with include and exclude lists. Users also set retention policies regarding the data that is under the data protection service. Users can schedule the frequency of backups and the backup windows during which the backup processing occurs. Users must provide Latisys with the appropriate contact information for notifications, including reporting the results of backups. Colocation and remote backup users are responsible for installing the backup agent provided. Latisys provides optional off-site replication, which requires the same parameters to be defined.

Replicated Data Protection – Users are responsible for determining the data to be replicated by providing Latisys with include and exclude lists. Users also set retention policies regarding the data that is under the replicated data protection service. Users must provide Latisys with the appropriate contact information for notifications, including reporting the results of replicated data. Colocation and remote backup users are also responsible for installing the backup agent provided.

Virtual Private Network – Users are responsible for providing necessary user names and complex passwords for remote VPN accounts. Customers subscribing to site-to-site VPNs are responsible for their remote IP security device and for configuring it properly. Customers subscribing to a remote-access VPN are responsible for the proper installation of the VPN client within its own environment. Latisys will establish the user- and/or site-access rights as directed by the client.

Intrusion Prevention System – Users are responsible for deciding whether to utilize the platform as an Intrusion Prevention System or an IPS. The customer also decides whether it wants to monitor the alerts from the platform or have an outsourced vendor (Alert Logic) perform this function.

Load Balancing – Users are responsible for providing the methodology regarding how the load balancer distributes the traffic in their environment. The user also determines its throughput requirements and manner in which Latisys checks the health of the applications on the servers.

Storage Area Network – Users are responsible for determining the number, size, and disk class of volumes needed to support their environment. Users also determine if their environment requires snapshots. If so, the users are responsible for setting snapshot schedules, retention policies, and classifications. Users will also decide the necessary redundancy (single-path or multi-path) and connectivity they require (Internet small computer system interface or Fibre Channel). Colocation customers who use SAN services are responsible for providing, installing, and maintaining host bus adapters for their environment.

Periodic Intrusion Testing – Each user should perform periodic intrusion testing of its internal firewall and network servers to verify the user’s assets and Internet connections are protected against unauthorized access from the World Wide Web and other remote sources.

The list of user entity control considerations presented above does not represent a comprehensive set of all the controls that should be employed by user entities. Other controls may be required at user entities.

SECTION FOUR

LATISYS’ SECURITY AND AVAILABILITY TRUST PRINCIPLES AND RELATED CONTROLS AND INDEPENDENT SERVICE AUDITOR’S DESCRIPTION OF TESTS OF CONTROLS AND RESULTS OF TESTS

Latisys Description of Tests of Controls and Results of Tests

ProprietaryandConfidential 21

INTRODUCTION This examination was conducted in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). This section presents the following information provided by Latisys Holdings, LLC (“Latisys” or the “Company”):

The relevant security and availability trust services criteria. The controls established and specified by Latisys to meet the relevant security and availability trust services

criteria. Although the relevant security and availability trust services criteria and related controls are presented in Section Four, they are an integral part of Latisys’ description of its Colocation Services, Managed Hosting, and Managed Services System (the “System”). Also included in this section is the following information provided by the independent service auditor, EKS&H LLLP (“EKS&H”):

A description of the testing performed by EKS&H to determine whether Latisys’ controls were operating with sufficient effectiveness to achieve the relevant security and availability trust services criteria. EKS&H determined the nature, timing, and extent of the testing performed.

The results of EKS&H’s tests of operating effectiveness.

As discussed in Section Three of this report, the following criteria are not applicable to the services provided by Latisys:

Security and Availability 1.2 – Criteria b., classification of data, is not applicable to the services offered by Latisys as Latisys does not have access to customer data.

Security 3.2e and Availability 3.5e – Distribution of output restricted to authorized users, is not applicable to the services offered by Latisys as Latisys does not distribute output.

Security 3.8 and Availability 3.11 – Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary. As Latisys does not have access to customer data, this criterion does not apply to the services provided to its customers.



Policies: The entity defines and documents its policies for the security and availability of its system.

Security and Availability Policy Criteria 1.1 Description

The entity’s security policies are established and periodically reviewed and approved by a designated individual or group. The entity’s system availability and related security policies are established and periodically reviewed and approved by a designated individual or group.

No. Control Activity Tests of Operating Effectiveness Results of Testing

1.1 Latisys has in place a formal and comprehensive compilation of documented policies, including the Latisys Enterprise Information Security Policy and the Latisys Physical Access Policy. All policies are assigned responsibility to appropriate management and are updated as changes occur and reviewed for appropriate updates at a minimum of an annual basis. They are centrally stored and accessible to all appropriate personnel for regular review. Policies cover the following areas: Purpose Policy statement Goals and objectives Roles and responsibilities All positions Applicability Authority Revision history

Inquiry and Inspection Inquired of management and inspected Latisys policies to determine whether security and availability policies are in place that include a section on security awareness. Inspection For a selection of policies, inspected the policies to determine whether changes were reviewed and approved by appropriate stakeholders.

No deviations noted. No deviations noted.





The entity’s security policies include, but may not be limited to, the following matters: a. Identifying and documenting the system availability and related security requirements of authorized users. b. Classifying data based on its criticality and sensitivity, and that classification is used to define protection requirements, access rights and access restrictions,

and retention and destruction requirements. c. Assessing risks on a periodic basis. d. Preventing unauthorized access. e. Adding new users, modifying the access levels of existing users, and removing users who no longer need access. f. Assigning responsibility and accountability for system security. g. Assigning responsibility and accountability for system changes and maintenance. h. Testing, evaluating, and authorizing system components before implementation. i. Addressing how complaints and requests relating to system availability and related security issues are resolved. j. Identifying and mitigating security breaches and other incidents. k. Providing for training and other resources to support its system security policies. l. Providing for the handling of exceptions and situations not specifically addressed in its system security policies. m. Providing for the identification of and consistency with applicable laws and regulations, defined commitments, service-level agreements (“SLAs”), and other

contractual requirements. n. (SECURITY ONLY) Providing for sharing information with third parties. o. (AVAILABILITY ONLY) Recovering and continuing service in accordance with documented customer commitments or other agreements. p. (AVAILABILITY ONLY) Monitoring system capacity to achieve customer commitments or other agreements regarding availability.

See discussion in Section Three about criteria 1.2b not being within the boundaries of the System.





1.2 Latisys’ security and availability policies address the following: a. Identifying and documenting the security requirements of

authorized users. b. Assessing risks on a periodic basis. c. Preventing unauthorized access. d. Adding new users, modifying the access levels of existing users,

and removing users who no longer need access. e. Assigning responsibility and accountability for system security. f. Assigning responsibility and accountability for system changes

and maintenance. g. Testing, evaluating, and authorizing system components before

implementation. h. Addressing how complaints and requests relating to security

issues are resolved. i. Identifying and mitigating security breaches and other incidents. j. Providing for training and other resources to support its system

security policies. k. Providing for the handling of exceptions and situations not

specifically addressed in its system security policies. l. Providing for the identification of and consistency with applicable

laws and regulations, defined commitments, SLAs, and other contractual requirements.

m. (SECURITY ONLY) Providing for sharing information with third parties.

n. (AVAILABILITY ONLY) Recovering and continuing service in accordance with documented customer commitments or other agreements.

o. (AVAILABILITY ONLY) Monitoring system capacity to achieve customer commitments or other agreements regarding availability.

Inquiry and Inspection Inquired of management and inspected Latisys policies and/or customer documents (master services agreements (“MSAs”), SLAs, and contracts) to determine whether documentation addresses the areas noted in the Company’s description of controls (a)-(o) for the in-scope technology.

No deviations noted.





Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned.

Responsibility and accountability for developing and maintaining the entity’s system availability and related security policies, and changes and updates to those policies, are assigned.


1.3 Latisys has in place a documented listing of appropriate ownership for all security policies and procedures as directed by the Chief Operating Officer. Personnel assigned maintenance responsibilities are communicated with during an annual job performance review to assure understanding of commitment.

Inquiry and Inspection Inquired of management and inspected Latisys policy ownership listing to determine whether responsibility and accountability for developing and maintaining the entity’s system availability and related security policies are assigned. Inspection For a selection of policies, inspected the policies to determine whether changes were reviewed and approved by appropriate stakeholders.




Communications: The entity communicates its defined system security and availability policies to responsible parties and authorized users.

Security and Availability Communication Criteria 2.1 Description

The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.


2.1 Latisys’ descriptions of services provided are documented and available on its website. All contracts entered into with user entities outline the scope of services to be provided and are detailed in its MSAs, SLAs, and other contracts.

Inquiry and Inspection Corroborated with management and inspected Latisys’ website and customer agreement documents (MSAs, SLAs, and contracts) to determine whether management communicates boundaries and obligations. Inspection For a selection of new customers, inspected the completed customer agreements (MSAs, SLAs, and contracts) to determine whether the description of the system and its boundaries are communicated to authorized users.



The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

The availability and related security obligations of users and the entity’s availability and related security commitments to users are communicated to authorized users.


2.2 Roles and responsibilities within the Company are defined, documented, and understood through the requirement of all employees to read and acknowledge understanding and adherence to the Associate Handbook and policies within and receive a copy of their documented job descriptions, roles, and responsibilities. Personnel have sufficient authority to exercise the roles and responsibilities assigned to them.

Inquiry and Inspection Inquired of management and, for a selection of new employees, inspected evidence of written job descriptions, as well as acknowledgement of Associate Handbook and job descriptions, to determine whether the security obligations of users and the entity’s security commitments to users are communicated to authorized users.






2.3 The Employee/Associate Handbook is distributed to all new employees. Employees are required to sign an Acknowledgement Form indicating that the employee has become familiar with the Handbook. The Acknowledgement Form is returned to human resources.

Inspection For a selection of new employees, inspected the completed Acknowledgement Form for the Employee/Associate Handbook to determine whether employees are required to familiarize themselves with Latisys policies and acknowledge their understanding and willingness to comply with Latisys policies.


2.4 Latisys’ descriptions of services provided are documented and available on its website. All contracts entered into with user entities outline the scope of services to be provided and are detailed in its MSAs, SLAs, and other contracts.

Inquiry and Inspection Corroborated with management and inspected Latisys’ website and customer agreement documents (MSAs, SLAs, and contracts) to determine whether management communicates boundaries and obligations. Inspection For a selection of new customers, inspected the completed customer agreements (MSAs, SLAs, and contracts) to determine whether the description of the system and its boundaries are communicated to authorized users.



Responsibility and accountability for the entity’s system security policies and changes, and updates to those policies, are communicated to entity personnel responsible for implementing them.

Responsibility and accountability for the entity’s system availability and related security policies, and changes and updates to those policies, are communicated to entity personnel responsible for implementing them.









2.6 An organization chart exists with separation of management responsibilities.

Inspection Inquired of management and inspected the organization chart to determine whether the design of the entity’s organization would allow for separation of management responsibilities.


2.7 Latisys has in place a documented listing of appropriate ownership for all security policies and procedures as directed by the Chief Operating Officer. Personnel assigned maintenance responsibilities are communicated with during an annual job performance review to assure understanding of commitment.

Inquiry and Inspection Inquired of management and inspected the Latisys policy ownership listing to determine whether responsibility and accountability for developing and maintaining the entity’s system availability and related security policies are assigned. Inspection For a selection of policies, inspected the policies to determine whether changes were reviewed and approved by appropriate stakeholders.






The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

The process for informing the entity about system availability issues and breaches of system security and for submitting complaints is communicated to authorized users.


2.8 Latisys has in place an Engineering Escalation Procedures that is communicated to staff and is regularly updated. Appropriate security staff train for incident response. Latisys has in place a comprehensive incident response plan that is communicated to staff and is regularly updated. Appropriate staff trains for incident response. Customers are reminded of their responsibilities with respect to incident response, and they are documented within the contracts and SLAs with Latisys.

Inquiry and Inspection For a selection of customers, corroborated with management and inspected the completed customer agreements (MSAs, SLAs, and contracts) to determine whether management communicates the process for informing the entity about system availability issues and breaches of the system security and for submitting complaints to authorized users. Inspection Inspected the Company's escalation and incident response procedures to determine whether Latisys has in place a comprehensive incident response plan that is communicated to staff and is regularly updated. Inspection For a selection of policies and procedures changed during the period, inspected evidence to determine whether employees acknowledged their agreement to the changed policy or procedure.

No deviations noted. No deviations noted. No deviations noted.





Changes that may affect system security are communicated to management and users who will be affected.

Changes that may affect system availability and system security are communicated to management and users who will be affected.


2.9 Prior to all updates, an assessment of potentially affected systems and customers is performed and appropriate communications to internal personnel and customers is performed.

Inquiry Inquired of management to determine whether prior to all updates, an assessment of potentially affected systems and customers is performed and appropriate communications to internal personnel and customers is performed. Inspection Inspected a selection of changes to determine whether the change was authorized, documented, tested, a back-out plan was documented, and that customers affected by the change were notified prior to moving changes to production.


2.10 Changes to hardware and software require the creation of a service ticket that identifies the details of the pending change. All customer-impacting changes must adhere to the change management process, which requires that all service tickets be reviewed at a weekly change control meeting and scheduled for implementation into production.

Inquiry and Inspection Inquired of management and inspected a selection of changes to determine whether the change was authorized, documented, tested, and a back-out plan was documented and that customers affected by the change were notified prior to moving changes to production. Inquiry and Inspection Inquired of management and inspected a selection of weekly management meeting minutes to determine whether customer impacting changes were reviewed and communicated.




Procedures: The entity placed in operation procedures to achieve its documented system security and availability objectives in accordance with its defined policies.

Security and Availability Procedures Criteria 3.1 Description

Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.


3.1

Latisys performs comprehensive risk assessments on a continual basis. All identified threats are assessed for validity, and appropriate actions are carried out based on the resulting assessment of risk. The process is documented and maintained, and all remediation activities must be approved first by senior management.

Inspection For a selection of weeks, obtained and inspected the risk assessment documentation to determine whether potential threats were identified and resolutions were made to address the risks identified.


3.2 Performance software is used to monitor the availability and system health of the network.

Inquiry and Observation Inquired of management and observed the use of IDS, IPS, and network performance software at each location, in addition to the monitoring of routers, servers, and communication lines, to determine whether potential threats of disruptions to systems operation that would impair system availability commitments were identified.


3.3

Each facility monitors all Latisys routers, servers, and communication lines to verify customer access is available at all times.

Inquiry and Observation Inquired of management and observed the use of Foreseer to monitor whether routers, servers and communication lines are available at all times and that customer access is available at all times.


3.4 The facility monitors its network using management-chosen IDS for threat management, monitoring, and alerting. The system sends alerts to the NOC should a possible security event occur.

Inquiry and Observation Inquired of management and observed the use of Foreseer for threat management, monitoring, and alerting. Observed that Foreseer alerts the NOC should a possible security event occur.






3.5 Corporate traffic is monitored via IPS devices and reviewed for any potential incidents.



Availability Procedures Criteria 3.2 Description

Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.


3.6 The NOC for each location is fully staffed 24x7x365 with trained personnel.

Inquiry and Observation Inquired of management and observed the NOC for each location to determine whether the NOC for each location is fully staffed 24x7x365 with trained personnel. Inspection Inspected the NOC personnel schedule to determine whether personnel are staffed 24x7x365.


3.7 Smoke detection and fire suppression equipment is in place at each location, which is monitored both within the NOC and by a third party. Ashburn, Irvine, Oakbrook, and Denver have the VESDA system in place.

Inquiry and Observation Inquired of management and observed the smoke detection and fire suppression equipment at each location to determine whether the equipment is in place and is monitored by the NOC and a third party. Inspection Inspected a sample maintenance log for smoke detection for each location to determine whether periodic checks and maintenance procedures are documented as performed.






3.8 The fire suppression systems in place for all locations are pre-action, dry pipe, which discharge water only from the appropriate zones/locations when the temperature in the data center increases to a specified level and triggers a fire sprinkler head. The discharge of a sprinkler signals the emergency power-off switch, which simultaneously turns off the electrical power to the data center.

Inquiry and Observation Inquired of management and observed the smoke detection and fire suppression equipment at each location to determine whether the equipment is in place and is monitored by the NOC and a third party. Inspection Inspected a selection of maintenance logs for the fire suppression equipment for each location to determine whether periodic checks and maintenance procedures are documented as performed.


3.9 Cooling and humidity are controlled by air handling units featuring redundancies. The systems keep the operating environment in the data centers at temperature and humidity values that are consistent with the standards defined in TC 9.9 by the American Society of Heating, Refrigerating and Air Conditioning Engineers (“ASHRAE”) and considered best practice. The NOC is alerted if temperature or humidity levels rise or fall outside of ASHRAE thresholds.

Observation Observed that air conditioning, humidity, water detection, and temperature sensors are present at each location. Observed the temperature and humidity settings at each location to determine whether the values are consistent with the standards defined in TC 9.9 by ASHRAE. Observed the configuration settings of the alerting system at each location to determine whether the NOC is alerted if temperature of humidity levels rise or fall outside of defined thresholds. Inspection Inspected a selection of HVAC maintenance logs for each location to determine whether periodic checks and maintenance procedures are documented as performed.


3.10 Equipment used to monitor environmental controls is secured in the NOC at each location to keep the equipment safe.

Inquiry and Observation Inquired of management and observed that equipment used to monitor environmental controls is secured in the NOC at each location to keep the equipment safe.






3.11 Constant power is provided to critical systems via Automatic Transfer Switches (“ATS”) and/or logic within the switchgear to transfer power from the commercial source to a bank of redundant diesel generators in the event of commercial power loss.

Observation and Inspection Observed the ATS and/or logic within the switchgear present at each location and inspected the ATS Power Transfer Report to determine whether power is transferred from commercial sources to a bank of redundant diesel generators when commercial power is lost.


3.12 During the transfer from commercial to generated power, constant conditioned power is supplied to critical systems via UPS systems.

Observation and Inspection Observed UPS systems present at each location and inspected a selection of UPS maintenance logs for each location to determine whether periodic checks and maintenance procedures are documented as performed.


3.13 The facilities employ fully redundant power with diesel generators for backup. Each facility’s generators are tested at least monthly with a no-load test and at least annually with a full-load test.

Observation and Inspection Observed generators present at each location and inspected a selection of maintenance logs for generators for each location to determine whether periodic checks and maintenance procedures are documented as performed. Inspection Inspected a selection of monthly no-load generator tests and the most recent annual full-load test to determine whether periodic internal checks and maintenance procedures were documented as performed.


3.14 Facility walkthroughs are performed routinely for all facilities and data centers. During facility walkthroughs, environmental aspects are observed; any noted issues are escalated according to data center procedures.

Inquiry Inquired of management to determine whether facility walkthroughs are performed routinely at each location for all facilities and data centers and that during facility walkthroughs, environmental aspects are observed; any noted issues are escalated according to data center procedures. Inspection For a selection of days, obtained and inspected facility walkthrough documentation for each location to determine whether NOC personnel documented the results of walkthroughs of the data centers and that any issues noted were escalated according to data center procedures.






Procedures exist to provide for backup, off-site storage, restoration, and disaster recovery, consistent with the entity’s defined system availability and related security policies.


3.15 Backup software is used to produce and maintain backups of the network configurations. A backup configuration is produced daily.

Inspection Inspected the backup software configurations to determine whether router and switch configurations are scheduled to be backed up daily. Inspection For a selection of days, inspected backup logs to determine whether backups of router and switch configurations were performed daily and whether failed backups were rerun without errors.


3.16 The Company performs regular backups of its customer system according to a prescribed schedule and routine. Logs of backups are generated to indicate success or failure. These logs are monitored to verify that media is reliable and backup files are suitable for recovery. Failures are investigated to determine appropriate mitigating steps to take.

Inspection Inspected the backup software configurations to determine whether customer systems are scheduled to be backed up daily. Inspection For a selection of days, determined whether backups of the customer systems were performed daily, troubleshooting is performed if backups fail, and failed backups were rerun the next day without errors.



Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.


3.17 Periodic successful restorations demonstrate that data on backup tapes retain integrity and are readily available for restoration.

Inspection Inspected the backup restore log to determine whether backup restores were completed successfully, evidencing the integrity and availability of restorations.





Security Procedures Criteria 3.2a and Availability Procedures Criteria 3.5a Description

Procedures exist to restrict logical access to the defined system, including, but not limited to, the following matters:

Logical access security measures to restrict access to information resources not deemed to be public.


3.18 Changes to the facility logical access controls within the security system are made only by users who have rights to the security system. Those users are limited to authorized personnel.

Inquiry and Inspection Inquired of management and inspected the list of users with managed services logical access to determine whether administrative access to the security system was limited to authorized personnel.


3.19 The company utilizes Windows Active Directory to centrally manage authentication and access to its asset management application and network devices.

Inspection Inspected the Active Directory groups with access to the asset management application and network devices to determine whether access is appropriate commensurate with job duties and authenticates through Windows Active Directory.


3.20 Remote connections to internal applications and services are secured through VPN and/or SSL to maximize security.

Observation and Inquiry Inquired of management and observed that remote connections to the Latisys network are secured through Windows VPN and are controlled through Active Directory group permissions. Inspection Inspected the Active Directory groups/users with VPN and/or SSL access to internal applications and services to determine whether access is appropriate.


3.21 Customers are given either a shared virtual firewall or a dedicated virtual firewall. Every customer has its own set of security policies. The customers are then connected to the firewall via their own VLAN.

Inspection For a selection of new customers, inspected evidence of subscription to managed firewall services and firewall settings to determine whether each customer that is contracted for firewall services is protected by a shared or dedicated virtual firewall.






3.22 Only authorized personnel have physical access to the managed services hardware, software, and appliances.

Inquiry and Inspection Inquired of management and inspected the listing of users with physical access to the managed services hardware, software, and appliances to determine whether access is restricted to authorized personnel.


Security Procedures Criteria 3.2b and Availability Procedures Criteria 3.5b Description


Identification and authentication of users.


3.23 A password management policy is in place and has been documented, including the following standards: Passwords must be six or more characters

in length. Passwords must meet complexity

requirements. Passwords must be stored in encrypted

format.

Inspection Inspected the Active Directory Domain password policy to determine whether the following are met: Passwords are six or more characters in length. Passwords must meet complexity requirements. Passwords are stored in encrypted format.


3.24 The company utilizes Windows Active Directory to centrally manage authentication and access to its asset management application and network devices.

Inspection Inspected the Active Directory groups with access to the asset management application and network devices to determine whether access is appropriate commensurate with job duties and authenticates through Windows Active Directory.






3.25 Both the user-access VPNs and site-to-site VPN access are provided through authentication.

Observation and Inquiry Inquired of management and observed that user-access VPNs and site-to-site VPNs authenticate through Windows Active Directory. Inspection Inspected the Windows Active Directory groups/users with VPN and/or SSL access to internal applications and services to determine whether access is appropriate.


3.26 The facility protects its private network through redundant firewalls and routers that provide the first line of defense against unauthorized access to the Company's internal network infrastructure.

Inquiry Inquired of management to determine whether the facility protects its private network through redundant firewalls and routers that provide the first line of defense against unauthorized access to the Company’s internal network infrastructure. Inspection Inspected the network diagram to determine whether redundant firewalls and routers, multiple backbones, and numerous carrier connections are in place.





Security Procedures Criteria 3.2c and Availability Procedures Criteria 3.5c Description


Registration and authorization of new users.


3.27 A new employee’s manager must submit to human resources/office administration a New Employee Access Request Worksheet for the appropriate profile levels to access any of the systems required for the new employee’s specific job. New system access or access changes for existing employees is granted based on a request to IT and must be approved by the employee’s manager. A new customer must submit to human resources/office administration at least one Supervisory Point of Contact (“SPOC”) Form to identify a contact who can provide access verification. The SPOC must submit an access request for customer users to be granted access to the facilities.

Inspection For a selection of new hires, inspected the New Employee Access Request Worksheet and current employee access rights to determine whether the worksheet was approved by the employee’s manager for access and whether the access granted agreed to the access requested. Inspection For a selection of new customers, inspected the ERP customer user screenshots and SPOC Forms to determine whether access verification was provided for all users identified in the ERP system.





Security Procedures Criteria 3.2d and Availability Procedures Criteria 3.5d Description


The process to make changes and updates to user profiles.


3.28 When an employee is terminated, human resources initiates a ticket to ensure that access to all of the facilities and resources is removed. The routing of the ticket includes: Notification to the IT department to

remove all network and application access. Revocation of physical access through the

Security/ID badge. If the badge is unable to be reclaimed, the badge is deactivated in the security system.

Keys, electronic access devices, badges, and any Company material are obtained from separated employee.

When a customer requests access to be removed, network engineers initiate a ticket to ensure that access to all of the facilities and resources is removed.

Inspection For a selection of employees terminated during the period, inspected the termination ticket and Active Directory access to determine whether logical and physical access was removed for the employee. Inspection Obtained and inspected the population of Salesforce tickets to gain an understanding of the standard ticketing process. As Latisys is unable to generate a population of customers that were removed during the period, selected a sample of Salesforce tickets for testing since the removal of customers follows the same process as standard ticketing. For a selection of Salesforce tickets, inspected the ticket to determine whether the ticket was assigned a severity level and was addressed within the time frame defined by Latisys policies and procedures.






3.29 The facility uses a SPOC and Technical Point of Contact (“TPOC”) process whereby authorized individuals must be pre-approved to initiate requested assistance regarding their equipment (remote hands). The authorized individuals’ information is entered into ERP. When contacting the NOC for remote hands assistance, a customer must provide his/her name and password. All information must match that entered into ERP, or remote hands assistance will not be provided. Vendors must have authorization by an authorized Company representative to either access a cabinet or to be escorted by an authorized facility employee.

Inspection For a selection of requests for new customer access, inspected the access request form to determine whether the request came from the authorized customer contact per the customer account information in the ERP system.


Security Procedures Criteria 3.2e and Availability Procedures Criteria 3.5e Description


Distribution of output restricted to authorized users.

See discussion in Section Three about criteria not within the boundaries of the System.




Security Procedures Criteria 3.2f and Availability Procedures Criteria 3.5f Description


Restriction of access to offline storage, backup data, systems, and media.


3.30 Physical access to offline storage, backup data, systems, and media is limited to authorized personnel through the use of physical access controls.

Observation Observed the location of offline storage, backup data, systems, and media, and noted that physical access is restricted by dual-factor authentication, including badge access and biometric hand scanners. Inquiry and Inspection Inquired of management and inspected the listing of users with access to the NOC to determine whether access is restricted to authorized personnel.


Security Procedures Criteria 3.2g and Availability Procedures Criteria 3.5g Description


Restriction of access to system configuration, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).


3.31 All access to network equipment within the facilities is controlled through access lists placed on all management interfaces. These access lists will only allow connections from appropriate IP addresses.

Inspection Inspected ACL settings on each network device to determine whether only Latisys IP addresses are allowed and all others are denied access.





Security Procedures Criteria 3.3 and Availability Procedures Criteria 3.6 Description

Procedures exist to restrict physical access to the defined system, including, but not limited to, facilities, backup media, and other system components, such as firewalls, routers, and servers.

Procedures exist to restrict physical access to the defined system, including, but not limited to, facilities, backup media, and other system components, such as firewalls, routers, and servers.


3.32 When a new staff member is hired, documentation is provided to the NOC to set up the employee’s access to the facility. Access is limited to the areas the employee should reasonably be expected to work. Human resources has an Employee Orientation Checklist that ensures that certain items are discussed with and issued to the new employee. When a new customer is added, physical access is requested by the authorized SPOC for the customer.

Inspection For a selection of new hires, inspected the New Employee Access Request Worksheet and Employee Orientation Checklist to determine whether the worksheet was approved by the employee’s manager for access granted to the employee and whether the checklist was completed on a timely basis. Inspection For a selection of customer access granted during the period, inspected the access checklist to determine whether physical access was requested by the authorized SPOC for the customer.


3.33 There are digital cameras that are continuously monitored by the NOC and cover all data center entrances, as well as all building entrances. The images are captured on drives and retained for 90 days.

Inquiry and Observation Inquired of management and observed the NOC for each location to determine whether security cameras were continuously monitored for all data center and building entrances by the NOC and that recordings were retained for 90 days.


3.34 Entrances to the building are secured by card access outside of business hours. Entrances to the data center floor space are controlled by access cards and, in some cases, biometric hand-scanning readers.

Inquiry and Observation Inquired of management and observed entrances to the building at each location to determine whether entrances are secured by card access outside of business hours. Observed the entrances to the data center floor space for each location to determine whether access is controlled by access cards and also biometric devices in some cases.






3.35 All data center visitors must surrender a driver’s license or other government-issued ID to receive an access card and may not recover his/her ID until the same access card is returned upon departure. Visitors must be authorized by a Latisys employee or a customer and are required to have an escort at all times.

Inquiry and Observation Inquired of management and observed the visitor sign-in process for each location to determine whether visitors must be authorized by a Latisys employee or customer, whether the visitor is required to surrender a driver’s license or other government-issued ID to receive an access card, and whether visitors are required to have an escort at all times.






3.36 Access to data center facilities is restricted to the operational staff, colocation customers who have been granted access by an authorized Company representative, Latisys authorized vendors, and customer-authorized visitors.

Inquiry and Observation Inquired of management and observed the visitor sign-in process for each location to determine whether visitors must be authorized by a Latisys employee or customer, whether the visitor is required to surrender a driver’s license or other government-issued ID to receive an access card, and whether visitors are required to have an escort at all times. Inquiry and Inspection Inquired of management and inspected the listing of users with physical access to the managed services hardware, software, and appliances to determine whether access is restricted to authorized personnel. Inspection For a selection of new hires, inspected the New Employee Access Request Worksheet and Employee Current Access to determine whether the worksheet was approved by the employee’s manager for access and whether the access granted agreed to the access requested. Inspection For a selection of new customers, inspected the ERP customer user screenshots and SPOC Forms to determine whether access verification was provided for all users identified in the ERP system. Inspection For a selection of employees terminated during the period, inspected the termination ticket and Windows Active Directory access to determine whether logical and physical access was removed for the employee.

No deviations noted. No deviations noted. No deviations noted. No deviations noted. No deviations noted.





3.37 The facility uses a SPOC and TPOC process whereby authorized individuals must be pre-approved to initiate requested assistance regarding their equipment (remote hands). The authorized individuals’ information is entered into ERP. When contacting the NOC for remote hands assistance, a customer must provide his/her name and password. All information must match that entered into ERP, or remote hands assistance will not be provided. Vendors must have authorization by an authorized Company representative to either access a cabinet or to be escorted by an authorized facility employee.

Inspection For a selection of requests for new customer access, inspected the access request form to determine whether the request came from the authorized customer contact per the customer account information in the ERP system.


3.38 All common area cabinets in the data center are secured with locks. Access to each customer’s cabinets/cages is determined by an authorized Company representative for the account. Only persons with completed data center access authorization forms are granted access to the data center.

Inquiry and Observation Inquired of management and observed the common area cabinets to determine whether common area cabinets are secured with locks and are restricted to authorized customers. Inspection For a selection of new hires, inspected the New Employee Access Request Worksheet and Employee Current Access to determine whether the worksheet was approved by the employee’s manager for access and whether the access granted matched what was requested. Inspection For a selection of new customers, inspected the ERP customer user screenshots and SPOC Forms to determine whether access verification was provided for all users identified in the ERP system.






3.39 All core network equipment is maintained in an isolated secure space with limited access.

Inquiry and Observation Inquired of management and observed the core network equipment in the data center to determine whether core network equipment is in a secure location with limited access.


3.40 Vendors of the facility, such as electricians or HVAC technicians, must also have documentation on file, authorized by a member of management, in order to gain access to the data center for infrastructure projects and maintenance. While on-site, a vendor must surrender his/her driver’s license or other government-issued ID in exchange for a badge, which is used while at the facility. The areas of the facility to which the vendor has access are determined and controlled within the access controls system.

Inquiry and Inspection Inquired of management and observed the vendors sign in process for each location to determine whether vendors must be authorized by a Latisys employee or customer, whether the vendor is required to surrender a driver's license or other government-issued identification to receive an access card, and whether vendors are authorized by a member of management.


3.41 Security/ID badges are required for all employees and remain in the employee’s possession at all times. The employee’s supervisor or manager must approve the issuance of a Security/ID badge and the level of access to various areas of the facility.

Inquiry and Observation Inquired of management and observed that Security/ID badges are required for all employees and remain in the employee’s possession at all times. Inspection For a selection of employees with access to the data center, inspected the badge request form to determine whether the employee's supervisor or manager approved the issuance of the badge and the level of access requested.


3.42 Changes to the facility logical access controls within the security system are made only by users who have rights to the security system. Those users are limited to authorized personnel.

Inquiry and Inspection Inquired of management and inspected the list of users with managed services logical access to determine whether administrative access to the security system was limited to authorized personnel.






3.43 When an employee is terminated, human resources initiates a ticket to ensure that access to all of the facilities and resources is removed. The routing of the ticket includes: Notification to the IT department to

remove all network and application access. Revocation of physical access through the

Security/ID badge. If the badge is unable to be reclaimed, the badge is deactivated in the security system.

Keys, electronic access devices, badges, and any Company material are obtained from separated employee.

When a customer requests access to be removed, network engineers initiate a ticket to ensure that access to all of the facilities and resources is removed.

Inspection For a selection of employees terminated during the period, inspected the termination ticket and Active Directory access to determine whether logical and physical access was removed for the employee. Inspection Obtained and inspected the population of Salesforce tickets to gain an understanding of the standard ticketing process. As Latisys is unable to generate a population of customers that were removed during the period, selected a sample of Salesforce tickets for testing since the removal of customers follows the same process as standard ticketing. For a selection of Salesforce tickets, inspected the ticket to determine whether the ticket was assigned a severity level and was addressed within the time frame defined by Latisys policies and procedures.


3.44 Physical access to the systems used for managed services is controlled by the same controls that provide access to the data center and is restricted to limited and appropriate personnel.

Inquiry and Observation Inquired of management and observed that physical access to the managed services system is restricted by dual-factor authentication, including badge access and biometric hand scanners. Inspection Inspected the list of users with managed services access to determine whether physical access to the system used for managed services is limited to authorized personnel.






Procedures exist to protect against unauthorized access to system resources.

Procedures exist to protect against unauthorized access to system resources.


3.45 A password management policy is in place and has been documented, including the following standards: Passwords must be six or more characters

in length. Passwords must meet complexity

requirements. Passwords must be stored in encrypted

format.

Inspection Inspected the Active Directory Domain password policy to determine whether the following are met: Passwords are six or more characters in length. Passwords must meet complexity requirements. Passwords are stored in encrypted format.









3.47 The facility protects its private network through redundant firewalls and routers that provide the first line of defense against unauthorized access to the Company's internal network infrastructure.

Inquiry Inquired of management to determine whether the facility protects its private network through redundant firewalls and routers that provide the first line of defense against unauthorized access to the Company’s internal network infrastructure. Inspection Inspected the network diagram to determine whether redundant firewalls and routers, multiple backbones, and numerous carrier connections are in place.








3.50 Logical access to the systems used for managed services and logs are controlled by strong passwords using Windows Active Directory or local system accounts that are tied to each authorized user for the device.

Inspection Inspected the Active Directory groups used for managed services and logs to determine whether access is restricted to authorized users and follow password requirements as outlined in the security policy.


3.51 Only authorized personnel have physical access to the managed services hardware, software, and appliances.

Inquiry and Inspection Inquired of management and inspected the listing of users with physical access to the managed services hardware, software, and appliances to determine whether access is restricted to authorized personnel.






Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.


3.52 Current antivirus software and virus signatures are used to protect all computing systems and certain other systems, such as electronic mail systems.

Inspection For a selection of in-scope servers, inspected evidence of antivirus software to determine whether the software and signatures are in place and current.


3.53 Vendor software security updates are applied on a monthly basis.

Inspection For a selection of months, inspected evidence of security updates to determine whether vendor software security updates were applied.



Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.

Encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the Internet or other public networks.









3.55 Customers are given either a shared virtual firewall or a dedicated virtual firewall. Every customer has its own set of security policies. The customers are then connected to the firewall via their own VLAN.

Inspection For a selection of new customers, inspected evidence of subscription to managed firewall services and firewall settings to determine whether each customer that is contracted for firewall services is protected by a shared or dedicated virtual firewall.



Procedures exist to identify, report, and act upon system security breaches and other incidents.

Procedures exist to identify, report, and act upon system availability and related security breaches and other incidents.









Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary. See discussion in Section Three about criteria not within the boundaries of the System.





Procedures exist to provide that issues of non-compliance with system security policies are promptly addressed and that corrective measures are taken on a timely basis.

Procedures exist to provide that issues of non-compliance with system availability and related security policies are promptly addressed and that corrective measures are taken on a timely basis.


3.58 Metrics are prepared, reported, and maintained for the SLA related to the network, which is 99% uptime of the managed services devices. The uptime metrics are provided by the monitoring platform.

Inspection Inspected the network SLA report for the last 365 days to determine whether metrics are prepared, reported, and maintained for the SLA related to the network, which is 99% uptime.


3.59 Latisys has in place an Engineering Escalation Procedures that is communicated to staff and is regularly updated. Appropriate security staff train for incident response. Latisys has in place a comprehensive incident response plan that is communicated to staff and is regularly updated. Appropriate staff trains for incident response. Customers are reminded of their responsibilities with respect to incident response, and they are documented within the contracts and SLAs with Latisys.

Inquiry and Inspection For a selection of customers, corroborated with management and inspected the completed customer agreements (MSAs, SLAs, and contracts) to determine whether management communicates the process for informing the entity about system availability issues and breaches of the system security and for submitting complaints to authorized users. Inspection Inspected the Company's escalation and incident response procedures to determine whether Latisys has in place a comprehensive incident response plan that is communicated to staff and is regularly updated. Inspection For a selection of policies and procedures changed during the period, inspected evidence to determine whether employees acknowledged their agreement to the changed policy or procedure.






Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.

Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability and related security policies.


3.60 The facility supplies a number of 10/100/1000 Mbps Ethernet connections from diverse redundant distribution switches. These distribution switches are connected to dual redundant core switches, which are connected to two-edge routers. All networking equipment is supported by vendor maintenance contracts and backed up by spares.

Inspection Inspected the network diagram to determine whether redundant distribution and core switches are set up to provide uninterrupted Ethernet connections. Inquiry and Observation Inquired of management and observed the critical spares inventory for each location to determine whether spare parts are kept for critical hardware.





3.62 Change management procedures require a service request ticket to be created that includes a description of the change, the date and time of the change, a list of the service(s) that will or could be impacted, installation instructions, back-out instructions, and approval to initiate all changes to production systems.

Inquiry and Inspection Inquired of management and inspected a selection of changes to determine whether the change was authorized, documented, tested, and a back-out plan was documented and that customers affected by the change were notified prior to moving changes to production.






3.63 All changes to the production environment are approved by the Change Committee, the Director of IT, or the General Manager before the changes are placed into the production environment.

Inquiry and Inspection Inquired of management and inspected a selection of changes to determine whether the change was approved by the Change Committee, the Director of IT, or the General Manager before the changes were placed into the production environment.


3.64 Audit logs are used to track all changes made to the ERP system.

Inspection Inspected a selection of ERP system audit logs to determine whether there is user accountability and that logging is turned on for all activity.


3.65 The Service Desk is responsible for: Informing customers of multiple

customer-facing outage events (unplanned outages) within 30 minutes of discovery.

Providing notice to customers of restorations of their service in the event of an unplanned outage and providing them with an After Action Report if requested.

Providing notification regarding downtime (planned system and network outages) in the timeframes specified in the Change Control Notification Procedures based on the assessed risk and urgency.

Inquiry and Inspection Inquired of management and inspected a selection of unplanned outage (P0) tickets to determine whether customers were notified of unplanned outages, tickets were tracked until resolution, and an After Action Report was sent to the customer if requested. Inquiry and Inspection Inquired of management and inspected a selection of changes to determine whether the change was authorized, documented, tested, and a back-out plan was documented and that customers affected by the change were notified prior to moving changes to production.






Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting availability and security have the qualifications and resources to fulfill their responsibilities.





3.67 Staff evaluations are performed regularly.

Inquiry and Inspection Inquired of management and, for a selection of employees, inspected evidence of periodic performance evaluations to determine whether personnel responsible for the design, development, implementation, and operation of systems affecting availability and security have the qualifications and resources to fulfill their responsibilities.






Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

Procedures exist to maintain system components, including configurations consistent with the defined system availability and related security policies.


3.68 The facility supplies a number of 10/100/1000 Mbps Ethernet connections from diverse redundant distribution switches. These distribution switches are connected to dual redundant core switches, which are connected to two-edge routers. All networking equipment is supported by vendor maintenance contracts and backed up by spares.

Inspection Inspected the network diagram to determine whether redundant distribution and core switches are set up to provide uninterrupted Ethernet connections. Inquiry and Observation Inquired of management and observed the critical spares inventory for each location to determine whether spare parts are kept for critical hardware.


3.69 The facility has multiple active Internet connections with multiple backbone providers. All connections are redundant.

Inspection Inspected the network diagram and the contracts for the redundant internet service providers to determine whether multiple internet connections with multiple backbone providers exist.


3.70 The facility has numerous carrier connections available for cross-connections into colocation customers' cabinets.

Inspection Inspected the network diagram to determine whether cross-connections into colocation customers’ cabinets exist.





3.72 Each facility monitors all Latisys routers, servers, and communication lines to verify customer access is available at all times.







3.73 An inventory of critical spares for all managed services devices is maintained, or a rapid spare support contract is in place with the vendor.

Inquiry and Observation Inquired of management and observed the critical spares inventory for each location to determine whether spare parts are kept for critical hardware.


















Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

Procedures exist to provide that only authorized, tested, and documented changes are made to the system.


















Procedures exist to provide that emergency changes are documented and authorized timely.

Procedures exist to provide that emergency changes are documented and authorized (including after-the-fact approval).


3.82 The Latisys change management procedure covers all emergency changes. All changes are performed after a peer review and management approval.

Inspection For a selection of emergency changes, inspected change documentation to determine whether changes were performed after a peer review and management approval.




Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security and availability policies.

Security and Availability Monitoring Criteria 4.1 Description

The entity’s system availability and security performance is periodically reviewed and compared with the defined system security policies.

The entity’s system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.


4.1 The NOC for each location is fully staffed 24x7x365 with trained personnel.

Inquiry and Observation Inquired of management and observed the NOC for each location to determine whether the NOC for each location is fully staffed 24x7x365 with trained personnel. Inspection Inspected the NOC personnel schedule to determine whether personnel are staffed 24x7x365.


4.2 There are digital cameras that are continuously monitored by the NOC and cover all data center entrances, as well as all building entrances. The images are captured on drives and retained for 90 days.

Inquiry and Observation Inquired of management and observed the NOC for each location to determine whether security cameras were continuously monitored for all data center and building entrances by the NOC and that recordings were retained for 90 days.



















There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system security policies.

There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system availability and related security policies.















4.10 The Service Desk is responsible for: Informing customers of multiple

customer-facing outage events (unplanned outages) within 30 minutes of discovery.

Providing notice to customers of restorations of their service in the event of an unplanned outage and providing them with an After Action Report if requested.

Providing notification regarding downtime (planned system and network outages) in the timeframes specified in the Change Control Notification Procedures based on the assessed risk and urgency.

Inquiry and Inspection Inquired of management and inspected a selection of unplanned outage (P0) tickets to determine whether customers were notified of unplanned outages, tickets were tracked until resolution, and an After Action Report was sent to the customer if requested. Inquiry and Inspection Inquired of management and inspected a selection of changes to determine whether the change was authorized, documented, tested, and a back-out plan was documented and that customers affected by the change were notified prior to moving changes to production.






Environmental, regulatory, and technological changes are monitored and their effect on system security is assessed on a timely basis; policies are updated for that assessment.

Environmental, regulatory, and technological changes are monitored and their effect on system availability and security is assessed on a timely basis; policies are updated for that assessment.


4.11 Smoke detection and fire suppression equipment is in place at each location, which is monitored both within the NOC and by a third party. Ashburn, Irvine, Oakbrook, and Denver have the VESDA system in place.

Inquiry and Observation Inquired of management and observed the smoke detection and fire suppression equipment at each location to determine whether the equipment is in place and is monitored by the NOC and a third party. Inspection Inspected a sample maintenance log for smoke detection for each location to determine whether periodic checks and maintenance procedures are documented as performed.


4.12 The fire suppression systems in place for all locations are pre-action, dry pipe, which discharge water only from the appropriate zones/locations when the temperature in the data center increases to a specified level and triggers a fire sprinkler head. The discharge of a sprinkler signals the emergency power-off switch, which simultaneously turns off the electrical power to the data center.

Inquiry and Observation Inquired of management and observed the smoke detection and fire suppression equipment at each location to determine whether the equipment is in place and is monitored by the NOC and a third party. Inspection Inspected a selection of maintenance logs for the fire suppression equipment for each location to determine whether periodic checks and maintenance procedures are documented as performed.






4.13 Cooling and humidity are controlled by air handling units featuring redundancies. The systems keep the operating environment in the data centers at temperature and humidity values that are consistent with the standards defined in TC 9.9 by the American Society of Heating, Refrigerating and Air Conditioning Engineers (“ASHRAE”) and considered best practice. The NOC is alerted if temperature or humidity levels rise or fall outside of ASHRAE thresholds.

Observation Observed that air conditioning, humidity, water detection, and temperature sensors are present at each location. Observed the temperature and humidity settings at each location to determine whether the values are consistent with the standards defined in TC 9.9 by ASHRAE. Observed the configuration settings of the alerting system at each location to determine whether the NOC is alerted if temperature of humidity levels rise or fall outside of defined thresholds. Inspection Inspected a selection of HVAC maintenance logs for each location to determine whether periodic checks and maintenance procedures are documented as performed.


4.14 Equipment used to monitor environmental controls is secured in the NOC at each location to keep the equipment safe.

Inquiry and Observation Inquired of management and observed that equipment used to monitor environmental controls is secured in the NOC at each location to keep the equipment safe.


4.15 Constant power is provided to critical systems via Automatic Transfer Switches (“ATS”) and/or logic within the switchgear to transfer power from the commercial source to a bank of redundant diesel generators in the event of commercial power loss.

Observation and Inspection Observed the ATS and/or logic within the switchgear present at each location and inspected the ATS Power Transfer Report to determine whether power is transferred from commercial sources to a bank of redundant diesel generators when commercial power is lost.


4.16 During the transfer from commercial to generated power, constant conditioned power is supplied to critical systems via UPS systems.

Observation and Inspection Observed UPS systems present at each location and inspected a selection of UPS maintenance logs for each location to determine whether periodic checks and maintenance procedures are documented as performed.






4.17 The facilities employ fully redundant power with diesel generators for backup. Each facility’s generators are tested at least weekly with a no-load test and annually with a full-load test.

Observation and Inspection Inquired and observed generators present at each location to determine whether periodic checks and maintenance procedures are documented as performed. Inspection Obtained and inspected a selection of weekly no-load generators tests and the most recent annual full-load test to determine whether periodic internal checks and maintenance procedures were documented as performed.


4.18 Facility walkthroughs are performed routinely for all facilities and data centers. During facility walkthroughs, environmental aspects are observed; any noted issues are escalated according to data center procedures.

Inquiry Inquired of management to determine whether facility walkthroughs are performed routinely at each location for all facilities and data centers and that during facility walkthroughs, environmental aspects are observed; any noted issues are escalated according to data center procedures. Inspection For a selection of days, obtained and inspected facility walkthrough documentation for each location to determine whether NOC personnel documented the results of walkthroughs of the data centers and that any issues noted were escalated according to data center procedures.


4.19 Metrics are prepared, reported, and maintained for the SLA related to the network, which is 99% uptime of the managed services devices. The uptime metrics are provided by the monitoring platform.

Inspection Inspected the network SLA report for the last 365 days to determine whether metrics are prepared, reported, and maintained for the SLA related to the network, which is 99% uptime.






4.20 Latisys performs comprehensive risk assessments on a continual basis. All identified threats are assessed for validity, and appropriate actions are carried out based on the resulting assessment of risk. The process is documented and maintained, and all remediation activities must be approved first by senior management.

Inspection For a selection of weeks, obtained and inspected the risk assessment documentation to determine whether potential threats were identified and resolutions were made to address the risks identified.














Documents

LATISYS HOLDINGS, LLC SOC 2 Type 2 Report on Latisys ... · Controls Relevant to Security and Availability ... provides data center solutions, including its Colocation Services, Managed