Section II –
Management’s Report of Its Assertions on the Effectiveness of Its Controls over the
Lark Technologies Pte. Ltd.’s Lark Suite Services System Based on Trust Services
Criteria for Security, Availability, Confidentiality and Privacy
December 31, 2019
We, as management of Lark Technologies Pte. Ltd. (“Lark Technologies” or “we” or the
“Service Organization”), are responsible for:
• Identifying Lark Technologies’ Lark Suite Services System (the “System”) and
describing the boundaries of the System, which are presented in Section III;
• Identifying our principal service commitments and system requirements;
• Identifying the risks that would threaten the achievement of its principal service
commitments and service requirements that are the objectives of our system, which
are presented in Section III;
• Identifying, designing, implementing, operating, and monitoring effective controls
over the System to mitigate risks that threaten the achievement of the principal service
commitments and system requirements; and
• Selecting the trust services categories that are the basis of our assertion.
We assert that the controls over the System were effective throughout the period June 1, 2019
to November 30, 2019, to provide reasonable assurance that the principal service commitments
and system requirements were achieved based on the criteria relevant to Security, Availability,
Confidentiality and Privacy set forth in the AICPA’s TSP section 100, 2017 Trust Services
Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Very truly yours,
Lark Technologies Pte. Ltd.
Section III – Description of Lark Technologies Pte. Ltd.’s Lark Suite Services System
Relevant to Security, Availability, Confidentiality and Privacy Throughout the Period June 1, 2019 to November 30, 2019
Overview of the Organization
Founded in 2018, Lark Technologies Pte. Ltd. (“Lark Technologies” or “the Company”)
provides cloud-based Software-as-a-Service (“SaaS”) as the core of its service. The Company
is dedicated to developing and providing secure, stable and reliable cloud-based office suite
solutions with a mission to enable user entities to transform the way they work and provide
cloud-based office suite services.
Lark Technologies provides a new-generation office suite SaaS, Lark Suite, which is
mobile-friendly, supports real-time collaboration and provides single access. Lark Suite helps
user entities improve work efficiency and reduce production and administrative costs, enabling
them to become more efficient, better coordinated and more secure intelligent businesses. The
Company has also leveraged information technology and application systems to support the
implementation of control activities related to the development and operation of Lark Suite.
Scope of the Report and System Boundaries
The services of Lark Suite within the scope of the report are as follows:
Lark Instant Message (“IM”)
Lark IM (“Lark”) supports online communication, including the transmission of text messages,
documents and pictures as well as voice and video communication, via IM technology. Messages
sent via Lark (including text, pictures, voice, video and documents) are stored both on the
sender’s and the receiver’s client terminals and in Lark’s backend database.
Online Document
Online Document (“Docs”) allows multiple users to edit an online document simultaneously.
Supported document formats include Word and Excel. Multiple users can collaborate on the
same document, and each document can be set as private or shared. By default, documents
cannot be shared outside the tenant unless the document is explicitly set to allow sharing
outside the tenant. Users can insert various types of content into a document, including
comments, other documents, tables and contact group cards.
Cloud Storage
Cloud Storage supports high-speed uploads and downloads and previews of files in multiple
formats. All files are stored in the cloud computing environment in real time, rather than
locally, to build an online corporate knowledge center. Cloud Storage also keeps a history of
each file that can be traced back or restored at any time, and allows users to view, edit, share
and access their files anywhere, on any device, to make the most of knowledge resources.
Calendar
Calendar is designed to help businesses and users coordinate and arrange personnel, conference
rooms and other resources for more intelligent schedule management. Calendar supports
schedule creation, conference invitations, one-click conference group creation, schedule
sharing, subscription to others’ schedules, public calendar creation, etc.
Audio/Video Conference
Audio/Video Conference supports efficient, high-definition and stable teleconferencing and
remote work for up to 10 participants free of charge over the Internet. If more attendees are
needed, the user entity can apply for the chargeable (paid) function.
Open Platform
Open Platform provides user entities with efficient application development and usage
capabilities. It provides a simple and easy-to-use development environment that helps user
entities quickly develop stable and secure applications, which are available not only to
themselves but also to a large number of other user entities as products in the Application
Center on Open Platform. A user entity can integrate third-party applications purchased from
the Application Center into its Lark Suite tenant. Third-party applications include applets,
H5 applications, bots, etc.
The report covers only Lark IM, Docs, Cloud Storage, Calendar, Audio/Video Conference and
Open Platform of Lark Suite, which is deployed in Amazon Web Services (“AWS” or the
“subservice organization”), and excludes the internal controls implemented by AWS (such as
the elastic compute service, physical access and physical environmental security, etc.).
Principal Service Commitments and System Requirements
Lark Technologies designs its processes and procedures related to the service systems to meet
its service commitments and system requirements for Lark Suite services. Those service
commitments and system requirements are based on the service commitments that Lark
Technologies makes to its user entities and on the operational and compliance requirements
that Lark Technologies has established for the services.
Security, availability, confidentiality and privacy commitments to user entities are documented
and communicated in agreements with user entities. Security, availability, confidentiality and
privacy commitments are established by setting up standards and protocols and include, but are
not limited to, the following:
• Applying management controls, operation controls and technological controls to
protect business data and confidential information to guarantee the sustainable
operation of business and application systems;
• Deploying encryption technologies to protect business data and confidential
information in transit; and
• Applying management controls, operation controls and technological controls to
ensure the compliant and secure collection, use, retention, disclosure and disposal of
personal information.
Lark Technologies establishes operational requirements that support the achievement of
security, availability, confidentiality and privacy commitments and other system requirements.
Such requirements are communicated in the Company’s system policies and procedures and
system design documentation. Information security policies define an organization-wide
approach about how systems and data are protected. These include policies around how the
internal control system is operated, how the internal application systems and networks are
managed and how employees are hired and trained. In addition to these policies, standard
operating procedures have been developed and documented on how to carry out specific manual
and automated processes required in the development and operation of the service systems.
Software and Infrastructure
Lark Technologies uses information technology and application systems to support the
effective implementation of control activities related to Lark Suite. Lark Technologies has
deployed a series of management information systems to support its operation and
maintenance management, including human resource management, identity authentication,
authorization management, development and test management, key management, security
vulnerability management, system operation management, etc.
Lark Technologies has established a series of formal policies and procedures to regulate
software and infrastructure related specifications and management requirements, covering
identity and access management, software security development and change management, data
security and key management, security vulnerability and security incident management, system
operation management, availability management, privacy protection, etc.
Lark Technologies uses subservice organizations to provide IT equipment colocation services.
The Company has signed service agreements with the subservice organizations that define the
requirements for access management to server rooms, environmental security, etc. The
Company reviews the monthly server room inspection reports provided by the subservice
organizations and carries out a security inspection of the data centers at least once a year.
The inspection covers environmental management of infrastructure, access and authorization
management, asset security management, etc. If any exception is identified, the Company
communicates the inspection results to the subservice organizations in a timely manner.
Lark Technologies uses AWS to provide Elastic Compute Service to host Lark Suite. The
Description includes only the controls of Lark Technologies and excludes controls of the
subservice organization. The Description does not extend to controls of AWS.
Lark Technologies acquires the System and Organization Controls (“SOC”) reports from AWS,
so as to evaluate whether the internal control requirements of the cloud computing services
provided by AWS which are utilized by the Company have been met. If exceptions are noted,
the Company communicates with AWS for follow-up measures.
People
Lark Technologies has established a comprehensive organizational structure and has clearly
defined the responsibilities of employees in different positions and roles. Lark Technologies
also uses a Human Resource management system to maintain employee information
on their job responsibilities, departments and reporting lines.
Lark Technologies has established a structured onboarding process to help new employees
understand their responsibilities in information security, code of conduct and performance
evaluation. Before a new employee is hired, the Human Resources Department conducts a
background check, subject to the laws and regulations of the country and according to the
importance of the employee’s position, to ensure that the recruitment meets the Company’s
rules and regulations. In addition, new employees must sign a confidentiality agreement
before joining the Company, which describes the employee’s obligations and responsibilities
for information security.
Lark Technologies has established a series of information security training and learning
mechanisms to meet the Company’s requirements. Newly hired employees are required to
participate in training on corporate culture, rules and regulations, information security, and
reward and punishment mechanisms. The Company also organizes training from time to time
to enhance employees’ professional knowledge and skills and their information security
awareness.
Procedures
Lark Technologies has designed and implemented a series of procedures in its routine operation
and management in terms of security, availability, confidentiality and privacy, including but
not limited to:
• Control Environment
• Information and Communication
• Risk Assessment
• Monitoring
• Product Security
• Identity and Access Management
• Change Management
• Data Security and Key Management
• Security Vulnerability and Security Incident Management
• Endpoint Security
• Capacity, Backup and Business Continuity Management
• Privacy Protection
Data and Confidentiality
Lark Technologies has established formal policies to regulate data security management
procedures. Lark Technologies has also established a series of controls to ensure the
security and confidentiality of data during transmission, storage, access and disposal.
Lark Suite uses pull and push mechanisms for two-way protection of message data to ensure
message reachability; uses a key-based mechanism to support encrypted storage of data; and
provides a communication channel based on a secure encryption protocol for data transmission.
Lark Technologies agrees with the user entity in the privacy policy that when the service is
terminated, the corresponding data will be disposed according to the user entity’s requirements.
Availability
Lark Technologies analyzes and plans the capacity needs of Lark Suite every year and then
forms capacity management plans based on the analysis results, to ensure that the Company has
sufficient resources for business development. Lark Technologies has also designed and
implemented technical control measures and management processes to regulate capacity
expansion and reduction during daily operation, so as to ensure the availability of server
resources.
Lark Technologies has established strategies of backup, backup retention and backup
monitoring to ensure the availability of the Lark Suite.
Lark Technologies has developed a business continuity management plan that provides
guidelines for emergency response and recovery measures for scenarios that may lead to
business disruption. The Company performs a business impact analysis and risk assessment on
an annual basis to identify key business activities, identify potential business threats,
evaluate risk levels and develop risk response strategies.
Lark Technologies has defined the emergency plan and response process for different emergency
scenarios and documented them in its emergency response plan. The Company organizes a
disaster recovery drill at least once a year for pre-defined scenarios that may lead to business
disruption.
Privacy
Lark Technologies has developed a Software Privacy Policy which defines personal information
and describes the requirements for the collection, usage, retention, disclosure and disposal of
personal information. Lark Technologies also assesses its privacy protection compliance at
least once a year to monitor compliance with the various data protection regulations.
The Company provides users the ability to access and confirm their personal information. The
Company stipulates in the Software Privacy Policy the channels through which users can raise
objections or complaints. If a user has any objection or complaint about how the Company
handles his or her information, the user can contact the Company via email. The Company will
respond to the user’s request in a timely manner and send the follow-up results to the user.
In addition, the Company has formulated formal policies to regulate the classification, response
and emergency handling procedure of data leakage incidents.