CICA 5970 Report on Internal Control - VirtGroup - Home Of

cica 5970 report on internal control 1 fusepoint managed services inc. cica 5970 report on internal control for the mississauga data centre as of nove...

91 downloads 628 Views 605KB Size
CICA 5970 REPORT ON INTERNAL CONTROL

FUSEPOINT MANAGED SERVICES INC. CICA 5970 REPORT ON INTERNAL CONTROL FOR THE MISSISSAUGA DATA CENTRE As of November 30, 2009 and Tests of Operating Effectiveness for the Period of June 1, 2009 to November 30, 2009

1

CICA 5970 REPORT ON INTERNAL CONTROL

TABLE OF CONTENTS Auditor’s Report ...................................................................................................................................................3 Section 2 — Fusepoint’s Description of Controls ................................................................................................5 Overview of Fusepoint Managed Services ....................................................................................................5 Scope of this report for the Mississauga Data Centre ...................................................................................5 Control Environment ......................................................................................................................................7 Risk Assessment ...........................................................................................................................................8 Information and Communication....................................................................................................................8 Monitoring ................................................................................................................................................... 12 Control Objectives and Related Controls ................................................................................................... 14 Complementary User Organization Control Considerations ...................................................................... 16 Changes to Controls ................................................................................................................................... 18 Section 3 — Information Provided by the Service Auditor ................................................................................ 18 Introduction ................................................................................................................................................. 20

2

CICA 5970 REPORT ON INTERNAL CONTROL

Auditor’s Report

To: Fusepoint Managed Services We have audited the accompanying description of general controls related to Fusepoint Managed Services’ (“Fusepoint”) fully managed hosting and server colocation services related to its data centre in Mississauga. Fusepoint’s management is responsible for the completeness, accuracy and method of presentation of the description of the fully managed hosting and server colocation services related to its data centre in Mississauga, as well as the control objectives and related controls required. Our responsibility is to express an opinion based on our audit. We conducted our audit in accordance with the standards established by The Canadian Institute of Chartered Accountants (CICA) for audits of controls at a service organization. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Fusepoint’s controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of Fusepoint’s controls; and (3) such controls had been placed in operation as at November 30, 2009. Our audit included those procedures we considered necessary in the circumstances to obtain a reasonable basis for our opinion. The control objectives were specified by management of Fusepoint. In our opinion, the accompanying description of the aforementioned service presents fairly, in all material respects, the relevant aspects of Fusepoint’s controls that had been placed in operation as at November 30, 2009. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of Fusepoint’s controls. In addition to the procedures we considered necessary to express our opinion in the previous paragraph, we applied tests to specific controls, listed in Section 3, to obtain evidence about their effectiveness in meeting the control objectives, described in Section 3, during the period from June 1, 2009 to November 30, 2009. The specific controls and the nature, timing, extent and results of the tests are listed in Section 3. This information has been provided to user organizations of Fusepoint and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations. Fusepoint states in control activity 4.1 in its description of general controls that it has an uninterruptible power supply (UPS) and diesel generator to provide backup power to all essential operations and systems, and that these systems are tested on at least an annual basis. However, on July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource (Mississauga Hydro) occurred caused by a cable fault. The data centre lost power when the UPS batteries were 3

CICA 5970 REPORT ON INTERNAL CONTROL

depleted and the generators, although available to run were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity. This exception resulted in the non-achievement of the control objective “Controls provide reasonable assurance that continuous power is provided to the data centre and its systems”. In our opinion, except for the matters described in the preceding paragraph, the controls that were tested, as described in Section 3, were operating with sufficient effectiveness to provide reasonable assurance that the control objectives specified in Section 3 were achieved during the period from June 1, 2009 to November 30, 2009. The relative effectiveness and significance of specific controls at Fusepoint and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations and, accordingly, we express no opinion on the achievement of control objectives at individual user organizations. The description of controls at Fusepoint is as at November 30, 2009, and information about tests of the operating effectiveness of specific controls covers the period from June 1, 2009 to November 30, 2009. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at Fusepoint is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, changes in processing requirements or changes required because of the passage of time may alter the validity of such conclusions. This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers.

Vancouver, BC, Canada December 22, 2009

Chartered Accountants

4

CICA 5970 REPORT ON INTERNAL CONTROL

SECTION 2 — FUSEPOINT’S DESCRIPTION OF CONTROLS Overview of Fusepoint Managed Services Fusepoint Managed Services (“Fusepoint”), founded in 1999, is a leading North American provider of fully managed hosting and IT solutions tailored to the needs of mid-sized and large enterprises. Delivering significant cost, time-to-market, security and staffing advantages, Fusepoint's solutions include system migration and integration; e-business security; network architecture design; business continuity/disaster recovery; and intranet/extranet optimization. Fusepoint provides proactive end to end solution management covering all key areas of managed infrastructure: Security; Storage Management; Network Management; Customer Care; Monitoring and Reporting. Fusepoint’s primary security related goals and objectives include the ability to: 

Create a trusted customer environment



Provide High Availability and Reliability



Manage Risk



Provide Scalability and Extendibility

Understanding that this takes an integrated approach of people, processes and technology, many leading organizations such as Royal Canadian Mint, Mountain Equipment Co-op, Clearview Strategic Partners and Dominion Bond Rating Service have chosen Fusepoint to be their provider of choice to ensure their online applications and infrastructure are available and secure. Scope of this report for the Mississauga Data Centre This report describes the control structure of Fusepoint Managed Services, as it relates to Fusepoint’s data centre in Mississauga as of November 30, 2009, and tests of operating effectiveness for the period of June 1, 2009 to November 30, 2009. The control objectives and related control activities covered herein describe the general computer controls used in delivering Fusepoint’s Fully Managed Infrastructure Services and Colocation Hosting Services. It has been prepared to provide information for use by Fusepoint’s management, its customers that rely upon these services, and the auditors of those customers. Fusepoint provides two tiers of services: Fully Managed Infrastructure Services and Colocation Hosting Services. The Fully Managed Infrastructure Services encompasses the following:

5

CICA 5970 REPORT ON INTERNAL CONTROL

Fusepoint Colocation Hosting Services encompass the following:

6

CICA 5970 REPORT ON INTERNAL CONTROL

This report only covers general computer controls for the infrastructure encompassed by the services above on which a customer’s application may be hosted. Application level controls are not in scope for the services described above, and therefore are not in scope for this report. Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any of their customer’s applications. Control Environment Generally, an organization’s control environment represents the collective effort of various factors on establishing, enhancing or mitigating the effectiveness of specific controls. Such factors include but are not limited to the following: 

Integrity and ethical values



Management’s philosophy and operating style



Organizational structure



Assignment of authority and responsibility



Human resource policies and practice

The control environment reflects the overall attitude, awareness and actions of the Board and management concerning all other components of internal controls and their emphasis within the organization. Integrity and Ethical Values Fusepoint expects that its employees will act ethically and with integrity. All Fusepoint personnel are therefore governed by several personnel policies and agreements. They include a non-disclosure agreement, code of conduct and a security policy staff agreement. All new Fusepoint staff are required to sign these agreements as a condition of employment. Management’s philosophy and operating style Fusepoint recognizes the importance of strong controls around information security and privacy, and is committed to implementing best practices. Selection of best-of-breed systems helps promote Fusepoint’s secured environment. Fusepoint undergoes regular external audits, such as the Canadian Institute of Chartered Accountants (CICA) Section 5970 Audit, the U.S. Statement of Auditing Standards (SAS) 70 Audit, Payment Card Industry (PCI) Data Security Standard Audit, and the HP Service Provider Certification. Organization Structure Fusepoint is divided into the departments as shown by the organizational chart below: President & CEO

Finance

Hosting and Infrastructure Management

Operations

Client Experience

Sales

Facilities

Security

Eastern Region

Marketing

Central/Western Region

Human Resources

Application Services

Quebec City

Montreal

Information security and internal control is a business responsibility shared by all members of Fusepoint’s Executive Team. Assignment of authority and responsibility The Executive Team has approved an Information Security Policy which applies to all employees, and which delegates responsibility for the management of Information Security to the Vice-President Operations. This 7

CICA 5970 REPORT ON INTERNAL CONTROL

policy is updated and reviewed to keep the policy current. Continual updating of the policy ensures that it has addresses an ever changing risk environment. . The Security Team is led by the Director of Security who reports to the Vice-President Operations. The Security Team has day-to-day operational responsibility for information security and related internal controls and assists the Vice-President Operations with developing security policies, promoting security awareness and defining security standards. It also meets with and reports weekly to the Vice-President Operations to ensure the coordination and implementation of policies and practices across the company. The Security Team is segregated from the other Operations teams. The Security Team does not perform any operational function performed by the Operations teams. The Security Team is also not responsible for or involved in performing any financial reporting processes or controls for any Fusepoint customer or any of their customer’s applications. Members of the Security Team have the appropriate qualifications and skills to fulfill their duties. The Operations teams themselves are segregated from each other based on platform (Microsoft, UNIX, network, etc). All employees of Fusepoint have written job descriptions which clearly delineate each staff member’s roles and responsibilities within the organization. Human Resources Policies and Practice A formal workflow procedure for both the hiring, termination and any position/responsibility changes of employees and contractors has been developed to ensure all steps are completed. This procedure is initiated by the Human Resources (HR) Department for all changes, and each change is reviewed by the HR Department to ensure the procedure is completed. Upon hiring, personnel agreements (described in next paragraph) are signed. Personnel with access to customer data are required to go through criminal background screening. Upon termination, access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved. Upon position/responsibility change, access privileges are adjusted/revoked as required. Fusepoint has a defined security program in place for its employees. Annual security awareness training is mandatory for all employees as part of this program. All Fusepoint employees are required to sign a nondisclosure agreement, code of conduct and a security policy staff agreement as a condition of employment. Logical access security policies and procedures are documented, and Fusepoint employees have access to all security policies and procedures via Fusepoint’s intranet. Risk Assessment Technical Security and Risk Management A vulnerability management process has been implemented that includes periodic internal and external scanning of managed customer servers. Assessments of patches and security updates from hardware and software vendors are performed by the Security Team, who then coordinates their deployment with the Operations Teams. Back-out procedures are documented in change requests in the event of a failure occurring during the change. Procedures are in place and rules have been enabled to prevent access via insecure network services and protocols. Redundancy is built into the network (for example, use of switches and load balancers) to ensure the continuity of network operations. Information and Communication Fusepoint has several information systems in place to support its Fully Managed Infrastructure Services and Colocation Hosting Services. Those systems are: 

Customer WebCare portal and Request Management System (RMS)

8

CICA 5970 REPORT ON INTERNAL CONTROL



Automated facility and environmental monitoring systems



Fusepoint Monitoring System, which includes the Netcool Application



Physical access management system (for proximity card readers)



Logical access authentication systems



Intrusion Detection System



Event log monitoring systems



Backup management systems

Standard Operating Procedures Formalized Standard Operation Procedures (SOP) are used to ensure that where problems are identified, they are recorded, brought to the attention of the appropriate personnel, actioned, followed up and analyzed to identify trends that might indicate a more extensive issue. The SOP has been documented, and includes prescribed procedures for incident management, change management, patch management and data centre access. Fusepoint is not involved in application job scheduling and execution as they are managed and monitored by their customers. Priority 1 and 2 Ticket Workflow: Customer Contacts Operations Centre (OC)

Customer

No Authorized Technical Contact creates a ticket by sending via WebCare or calling OC

Authorized Technical Contact pages on-duty Team Leader

Was 15 minute response time observed?

Yes

Problem is being resolved

Updates Received Hourly?

Authorized Trouble Reporter calls Director of Hosting Operations

No

Tickt created via WebCare?

No

Is caller an authorized Technical Contact?

No

OC advised caller to contact Authorized Technical Contact

OC

No

Yes

Yes

OC is paged of new ticket

Ticket Number assigned to case

OC Contacts customer within 15 minutes to verify problem

Work to resolve begins immediately

Was 15 minute response time observed?

Yes

Resolution in Progress

OC Technician resolves the problem within 15 minutes of notification?

Yes

Yes

No

OC sends hourly status updates to customer until resolved

Ticket Escalated to 2nd Level

Problem resolved within 2 hours of notification?

No

Findings and results are documented in the original ticket

Customer is notified the ticket is resolved

Ticket escalated to Director, Operations

Director escalates internally/ externally until problem resolved

Post-Incident Report sent to customer

Ticket is Closed

Figure 1: Standard Operating Procedure when customer contacts OC

9

CICA 5970 REPORT ON INTERNAL CONTROL

Priority 1 and 2 Ticket Workflow: OC Contacts Customer

Level 2 resolves ticket within 30 minutes of problem start?

OC Receives Alert Has a problem been confirmed?

Yes

No

OC continues to monitor customer

Problem Identified as Fusepoint Responsibility?

OC

Ticket Number assigned to case

Customer is notified the ticket is resolved

Post-Incident Report sent to customer

Ticket escalated to Engineer

Yes Ticket Assigned to Level 2

Findings and results are documented in the original ticket

No

Yes OC verifies trouble exists

Yes

Yes

Engineer resolves problem within 1 hour of start?

No

Yes Director escalates internally/ externally until problem resolved

Problem resolved within 2 hours of problem Start? No

Notification sent to Customerwithin 15 minutes of verification

Director, Hosting Operations Notified

No

Customer Notified

Ticket escalated to Manager, Technical Services

OC provides updates every 30 minutes until resolved

Ticket is Closed

Yes

Update Received within 30 minutes of problem start?

No

Customer calls OC Manager cell phone

OC Manager Available?

Customer

Customer receives notification of problem with ticket number

Yes

Customer Receives Notification, works with Fusepoint to Resolve

Updates Received every 30 minutes?

Resolution in Progress

Yes No

No

Customer calls Manager, Technical Services cell phone

Manager, Technical Services Available?

No

Customer calls Director, Operations cell phone

Figure 2: Standard Operating Procedure when OC contacts customer

Change Management Fusepoint is responsible for managing changes related to their customers’ system software, infrastructure and environment. Fusepoint’s customers are responsible for managing application changes including the maintenance of any application program libraries. Change requests, alerts from monitoring sensors, and incident reports are all centrally managed through Fusepoint’s Request Management System (RMS). Only authorized customer personnel have access to the RMS through the WebCare customer portal. Change requests and problems are communicated to Fusepoint through WebCare, and if telephone line support is used by the customer, pertinent details of the conversation are entered into the RMS by the Operations Centre (OC). Fusepoint has documented change control procedures. Operations Management administers and coordinates the change process from initiation to implementation. Changes are requested according to a published workflow, and notification is sent to the appropriate approver based on the nature of the change (see diagram on the following pages). Every change request is assigned a unique ticket number in the RMS. Change requests require the change details to be documented including the back-out procedures in the event of failure during the change. Problems incurred during a change are logged into the RMS ticket and resolved before the ticket is closed. Specific windows and time lines have been established for system software, infrastructure and environment changes to be implemented to minimize disruption to production environments.

10

CICA 5970 REPORT ON INTERNAL CONTROL

Change Request 1st Phase Approval Process Short-cut for emergency changes

Engineer Prepares FCR, Attaches to Change Ticket Problems Encountered Post-Change

Yes Emergency Change?

Back for Review Ticket Assigned Directly to CM

No

Problems Encountered Pre-Change

TL Reviews Ticket

CM Discusses with TL st

1 Iteration? No Yes CM Discusses with M/TS

Ticket Submitted to CM

Ticket Assigned to TL for Review / Revision TL, M/TS and CM Review Change and Make Necessary Modifications

Yes CM Brings FCR to Weekly TL Review Board

CM Gets CAB or D/O and VP/O Approval

1st Phase Approval Meeting (D/O, M/TS, CM)

CM Updates Ticket

Yes Revisions Needed? Revise? No

Needs CAB Approval?

No Yes

No

Present to CAB

Get VP Operations Approval

Change Not Approved. File for reference

Legend: FCR: Fusepoint Change Request TL: Team Lead M/TS: Manager, Technical Services CM: Change Manager D/O: Director, Operations CAB: Change Advisory Board VP/O: Vice President, Operations

No

End Process

Change Approved? Yes 1. CM Updates Ticket 2. CM Assigns Ticket to Change Requestor 3. CM Updates Change Calendar 4. CM Sends Customer Notification

Change Process

Figure 3: Phase 1 Change Approval Process

11

CICA 5970 REPORT ON INTERNAL CONTROL

Logical and Physical Access Fusepoint’s responsibility for logical access administration over their customers systems is limited to the network and infrastructure. Fusepoint’s customers manage logical access at the application level. Logical access security policies and procedures are documented, and Fusepoint employees have access to all security policies and procedures via Fusepoint’s intranet. All Fusepoint employees are required to sign a non-disclosure agreement, code of conduct and a security policy staff agreement as a condition of employment. Annual security awareness training is also mandatory for all employees. Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Fusepoint staff use unique user IDs to access programs and data. All role-based and administrative passwords are stored within a secured database protected and maintained by the Security Team, and access is restricted to Operations personnel only. Access control is enforced using automated access controls (e.g. two-factor authentication, complex passwords with minimum-length, account lockout for multiple unsuccessful logins, etc.). Access to the Mississauga Data Centre is restricted through physical access controls. Only authorized Fusepoint staff or visitors who have been pre-authorized are granted access. Network and Operating System Security Fusepoint’s production network architecture has been implemented to separate the network into multiple zones. Redundant and shared firewalls have been used to separate public-facing Web servers in the demilitarized zone from the back-end application and database servers in the trusted zone. Fusepoint’s office desktop machines and any development workstations are on a network separate from the production network, and are not within the scope of this report. Intrusion Detection Software systems and monitoring procedures have been implemented to identify unauthorized network access. For internal servers, fully managed customers’ servers and subscribed colocation customers’ servers, Fusepoint staff will respond to IDS alerts. (No response is provided to colocation customers that do not subscribe to the IDS service.) Virtual Private Network (VPN) has been implemented for secure remote access into the internal production networks and systems. Pertinent anti-virus engines and signatures are installed on the Windows-based and Linux-based servers, and signatures are updated daily for internal servers and for customers who have subscribed to the anti-virus service. Hardening procedures have been developed and maintained for production server operating systems. Data Centre Facilities The Mississauga Data Centre has systems in place to protect computer hardware and equipment from fire and environmental damage. An uninterruptible power supply and diesel generator provide backup power to all essential operations and systems including the computer room, and these systems are tested on at least a quarterly basis and after any significant change to power infrastructure. Reviews of power systems are performed to ensure that there is sufficient power capacity. Daily incremental backups and weekly full backups are performed for internal servers, fully managed customers and colocation customers who subscribe to the backup service. When a backup is performed, two copies are made: one that remains on-site, and one that is shipped off-site. Media integrity checks are performed during the backup process to ensure that the backup can be restored if needed. Monitoring Quality Assurance Fusepoint has implemented a Quality Assurance (QA) function that is independent of its Operations group, and a QA person has been appointed to ensure that standard operating procedures are followed. The QA 12

CICA 5970 REPORT ON INTERNAL CONTROL

function is responsible for reviewing business operations, customer contracts, etc. to assess compliance with policies and procedures. Adherence to operating procedures is enforced by QA process. The Fusepoint Security Team is responsible for monitoring the implementation and compliance of the information security program through periodic audits, compliance checks and use of various technology tools. Facilities and System Monitoring Security cameras have been placed in operation in and are monitored 24 × 7 in the Network Operations Room. The Fusepoint Monitoring System provides an automated central monitoring system that is used to monitor servers and network devices for system utilization, hardware failure and performance on a real-time basis. Automated tools and technologies have been implemented to monitor Fusepoint’s hardware and software, along with environmental factors such as temperature, power and humidity. The core of the Fusepoint Monitoring System is the Netcool application which performs normalization and correlation of the collected data for all facilities and system monitoring except for specific systems monitor physical conditions in each data centre. Netcool is monitored by personnel in the Operations Centre (OC), who can then create tickets in the Request Management System (RMS) if required using data fed in from Netcool. Systems that are not interfaced with Netcool are directly monitored by the OC.

13

CICA 5970 REPORT ON INTERNAL CONTROL

Control Objectives and Related Controls This subsection provides a list of control objectives and related controls that have been tested for operating effectiveness. These control objectives and related controls are also listed in Section 3 of this report, “Information Provided by the Service Auditor”. Although the listing of the control objectives and related controls in both Sections 2 and 3 of this report may seem redundant, the list in this section has been provided for convenience for Canadian audiences used to the conventions for service auditor’s reports in Canada. Administration and Organization 1.0

Controls provide reasonable assurance that defined security program is in place and that Fusepoint employees are aware of this security program. 1.1

A mandatory annual security awareness program has been placed in operation to educate Fusepoint employees about Fusepoint’s security program and to articulate details of the program.

1.2

Fusepoint employees are required in the hiring process to execute a legally binding nondisclosure agreement which includes terms and conditions related to maintaining the nondisclosure of information that is confidential to either Fusepoint or its customers.

1.3

Fusepoint employees are required in the hiring process to sign that they have received and read both Fusepoint’s Code of Conduct and Fusepoint’s Security Policy.

1.4

Criminal background screening is performed during the hiring process on technical employees and contractors with either physical or logical access to operations areas and customer data.

1.5

Access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved upon termination of an employee or contractor.

1.6

Access privileges for employees who change departments or responsibilities are modified accordingly.

Facilities 2.0

3.0

Controls provide reasonable assurance that physical access to the data centre is restricted to appropriate personnel. 2.1

Access to the data centre is controlled through proximity card readers, and only authorized Fusepoint staff are issued proximity reader access cards.

2.2

Access privileges are granted on the basis of that person’s need to perform specific job functions, and a bi-annual review of access privileges is performed.

2.3

Physical security incidents and exceptions are reviewed by the Security Team. Reported physical security incidents that are classified as major in the Request Management System (RMS) are escalated to Vice-President Operations

2.4

Visitors to the data centre must be pre-authorized, and must sign-in before being granted physical access to the data centre.

2.5

The servers and other equipment for Managed Services (as opposed to Co-located servers) can only be physically accessed by authorized Fusepoint staff.

Controls provide reasonable assurance that computer hardware and equipment are protected against fire and environmental damage. 3.1

A fire detection and suppression system has been placed in operation in the data centre. Testing of fire detection and suppression equipment is performed at least annually.

14

CICA 5970 REPORT ON INTERNAL CONTROL

4.0

3.2

Alarm panels and alerts are in place to monitor and detect facility environmental settings, such as temperature and moisture.

3.3

Climate control systems regulate air temperature within the computer rooms. Temperature monitoring equipment continuously monitors environmental conditions.

3.4

There are separate climate control units in place to protect against failure of individual units. An automated monitoring system is in place to alarm computer operations employees in the event of failure of the environmental control equipment in the computer room.

3.5

An equipment and facilities maintenance program that includes at least annual maintenance and/or testing is in place to ensure that the facilities and equipment are kept in working order.

Controls provide reasonable assurance that continuous power is provided to the data centre and its systems. 4.1

An uninterruptible power supply and diesel generator provides backup power to all essential operations and systems including the computer room. These systems are tested on at least a quarterly basis, and after any significant change to power infrastructure. Exception noted: On July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource (Mississauga Hydro) occurred caused by a cable fault. The data centre lost power when the UPS batteries were depleted and the generators, although available to run were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity.

4.2

A daily review of power systems is performed to ensure that there is sufficient power capacity for the data centre.

Logical Access and Security 5.0

Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected. 5.1

Production servers and equipment are located on restricted access network segments, and automated authentication controls are in place to restrict access to these network segments to authorized personnel.

5.2

Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Logical access is only possible through Fusepoint’s offices, or through VPN using two-factor authentication. Fusepoint staff use unique user IDs to access programs and data.

5.3

Annual reviews of logical access privileges are performed.

5.4

The Security Team monitors and assesses new security alerts and advisories. Patches and other fixes are applied according to the priority level assigned by the Security Team.

5.5

Event log monitoring tools for operating systems, firewalls and Intrusion Detection Systems (IDSs) are configured to send alerts on unauthorized access attempts and other unusual events to the Netcool Application monitored by the OC.

5.6

An automated security incident escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level. Incidents that are not responded to within the defined timeline are automatically escalated to the next staff level by the Netcool Application.

5.7

Pertinent anti-virus engines and signatures are installed on the Windows-based servers, and signatures are updated daily.

5.8

Firewalls are in place to prevent unauthorized network traffic, and to separate Fusepoint’s network into multiple zones. 15

CICA 5970 REPORT ON INTERNAL CONTROL

5.9

Firewall rules are reviewed quarterly.

5.10

Intrusion Detection Systems are in place to detect unauthorized or suspicious traffic and send alerts to the Netcool Application monitored by the OC.

Change Management / Problem Resolution 6.0

Controls provide reasonable assurance that modifications to system software and infrastructure are authorized.

7.0

6.1

Change requests can only be made by authorized customer personnel or authorized Fusepoint staff.

6.2

Changes are reviewed and then signed off by the appropriate Team Lead, and finally approved by the Fusepoint Change Advisory Board or Vice President of Operations.

6.3

Changes are supported by back out plans to enable recovery in the event of problems being encountered during implementation.

6.4

Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any of Fusepoint customer’s applications.

Controls provide reasonable assurance that change requests are addressed on a timely basis. 7.1

An automated change escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to address change requests within documented timelines depending on their priority level. Change requests that are not responded to within the defined timeline are automatically escalated to the next staff level by the RMS.

Backup and Recovery 8.0

Controls provide reasonable assurance that backups for recovering software and data files are maintained in the event of a disruption or a disaster. 8.1

Daily incremental backups and weekly full backups are performed with one copy kept on-site and a duplicate copy kept off-site.

8.2

Off-site data is stored in a protected environment. Backups are sent off-site daily, and the Network Operation Centre (OC) personnel are responsible for shipping and receiving tapes.

8.3

Off-site tape counts are reconciled with on-site records at least annually.

8.4

Backups are tested using backup media integrity checks during the backup process.

Complementary User Organization Control Considerations The relative effectiveness and significance of specific controls at Fusepoint and their effect on assessments of control risk at any customer of Fusepoint are dependent on their interaction with the controls and other factors present in the customer’s environment. No procedures were performed to evaluate the effectiveness of controls at any of Fusepoint customers. It is the responsibility of each customer’s management and their auditors to ensure that appropriate application level controls and procedures and general computer controls and procedures are in place and performed in the end-user controlled environment to complement the system of controls in place within the Fusepoint environment. Those complementary controls are: 

that the creation, modification and deletion of user accounts at the application level are appropriately authorized and performed by the customer;



that application level authentication controls have been placed in operation;



if passwords are used for authentication at the application level, those passwords are changed on a regular basis; 16

CICA 5970 REPORT ON INTERNAL CONTROL



that the customer performs a regular review of application level user accounts and access privileges;



that complex passwords are required for all application level user accounts;



that the customer performs adequate change control procedures including approval of application changes and maintenance of appropriate access controls that promote segregation of duties;



that where appropriate, the customer approves application job scheduling and execution, appropriately restricts access to job scheduling and execution, and appropriately monitors job execution (e.g. batch job processing);



that customer personnel provided access to Fusepoint’s WebCare customer portal are appropriately authorized;



that customer personnel who are the designated communication contacts with Fusepoint are appropriately authorized, and Fusepoint is informed of any changes of authorized personnel on a timely basis;



that customer personnel who visit Fusepoint’s Mississauga Data Centre are appropriately authorized;



that the customer performs adequate testing of application changes prior to their promotion to the production environment;



that the customer performs adequate security testing or receives reasonable assurance of the security of any application level code that is developed outside of Fusepoint’s environment;



unless the customer subscribes to Fusepoint’s anti-virus service, that the customer installs anti-virus software on its Windows servers and updates the anti-virus signatures on a daily basis; and



that the customer places into operation any other internal controls (e.g. segregation of duties, reconciliations, etc.) that are necessary for its financial reporting processes or for the application it is using within Fusepoint’s environment.

Furthermore, for customers using Fusepoint’s server colocation service, the following controls need to be placed in operation for co-located servers where Fusepoint does not manage or have access to the servers: 

the creation, modification and deletion of accounts at the operating system and database level for any servers are appropriately authorized and performed by the customer;



that operating system and database level passwords are changed on a regularly recurring basis;



that the customer performs a regularly recurring review of operating system and database level passwords user accounts and access privileges;



unless the customer subscribes to Fusepoint’s backup service, that the customer backs up server data on a regular basis, and tests the restoration of data from the backup on a regular basis;



unless the customer subscribes to Fusepoint’s IDS service, that the customer implements its own controls for detecting and responding to any incidents of unauthorized access or use; and



that each customer device (servers, routers, switches, etc.): o have two independent power supplies, o has one power supply is connected to the “A” power source and the other is connected to the “B” power source within their assigned cabinet, and o is inspected by the customer to confirm that the independent power supplies are properly connected to the appropriate power sources within their assigned cabinet.

17

CICA 5970 REPORT ON INTERNAL CONTROL

Changes to Controls The following changes to the controls have been made since the last report for the period ending November 30, 2008: 

The Fusepoint Security Committee has become defunct in January, 2009. The Security Team led by the Director of Security is responsible for day-to-day operations for information security and related internal controls and assists the Vice-President Operations with developing security policies, promoting security awareness and defining security standards. The Security Team also meets with and reports weekly to the Vice-President Operations to ensure the coordination and implementation of policies and practices across the company and reports to the Vice-President Operations.



An upgrade was made in March 2009 to the uninterruptible power supply of the Mississauga Data Centre to replace aging UPS infrastructure and to provide additional capacity to meet customer requirements.



Fusepoint re-tested the transfer scheme after the July 20, 2009 event by simulating power failures to the building and could not re-produce the condition that happened on July 20, 2009. In any event, Fusepoint is in progress of implementing a replacement technology for the breaker scheme to better handle such a condition. Fusepoint has contracted the third party to assist in the engineering of this solution which includes several suppliers. The project began in August of 2009 and is expected to complete in April of 2010.



Fusepoint has hired and implemented on-site 24 x 7 staff for building operations coverage along with updated procedures should such an unlikely event such as July 20, 2009 re-occur in the interim. This coverage will continue going forward.



Fusepoint has increased the frequency of testing on the uninterruptible power supply from an annual basis to a quarterly basis to ensure that the uninterruptible power supply and diesel generator provide backup power and to avoid re-occurrence of power loss such as the July 20, 2009 event. Additionally, Fusepoint will perform testing on the systems after any significant change to power infrastructure.

18

CICA 5970 REPORT ON INTERNAL CONTROL

SECTION 3 — INFORMATION PROVIDED BY THE SERVICE AUDITOR The following section on tests of operating effectiveness is intended to provide interested parties with information sufficient to obtain an understanding of those aspects of Fusepoint’s controls that may be relevant to customer organizations’ internal control, and to reduce the assessed level of control risk below the maximum for certain financial statement assertions. This report, when coupled with an understanding of the internal control in place at customer organizations, is intended to assist in the assessment of the total internal control surrounding Fusepoint’s fully managed hosting and server colocation services related to its data centre in Mississauga.

19

Fusepoint Managed Services

Report on Tests of Operating Effectiveness

Introduction

This section of the report contains the description of the tests performed by Grant Thornton LLP (Canada) to assess the operating effectiveness of controls at Fusepoint Managed Services (“Fusepoint”) for the period from June 1, 2009 to November 30, 2009 for its Mississauga Data Centre. The Description of Controls has been provided by the management of Fusepoint. Furthermore, Fusepoint has selected all control objectives in the Description of Controls to be in scope for the testing of operating effectiveness. For each control tested for operating effectiveness, an indication of the nature, timing, extent and results of the tests have been provided. In the following tables, any exceptions or other information identified by the tests that could be relevant to user auditors have been provided in the column labelled “Results”. If no exceptions or other relevant information was identified, then the remark “No relevant exceptions noted” has been given.

20

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

1.0

Controls provide reasonable assurance that defined security program is in place and that Fusepoint employees are aware of this security program.

Fusepoint control activity

Grant Thornton test of control

Results

1.1

1.

No relevant exceptions noted.

A mandatory annual security awareness program has been placed in operation to educate Fusepoint employees about Fusepoint’s security program and to articulate details of the program.

Inspection: Attendance lists for sessions of the security awareness program held between June 1, 2009 and November 30, 2009 were obtained and inspected. Complete employee lists were reconciled against the security awareness attendance list to confirm that training was provided to all staff. The service auditor inspected documentation confirming that attendance to the security awareness program was mandatory.

2.

Inspection: The service auditor inspected

No relevant exceptions noted.

documentation on the annual security awareness program and assessed their adequacy in relation to security policies in force. The service auditor also inspected documentation confirming mandatory attendance. 1.2

1.3

Fusepoint employees are required in the hiring process to execute a legally binding non-disclosure agreement which includes terms and conditions related to maintaining the non-disclosure of information that is confidential to either Fusepoint or its customers.

1.

Fusepoint employees are required in the hiring process to sign that they have received and read both Fusepoint’s Code of Conduct and Fusepoint’s Security Policy.

1.

Inspection: For the entire population of employees

No relevant exceptions noted.

hired between June 1, 2009 and November 30, 2009, the service auditor inspected copies of NonDisclosure Agreements to confirm they were signed by the employee concerned. Inspection: For the entire population of employees

No relevant exceptions noted.

from the Mississauga Data Centre, employee files were reviewed to confirm the existence of signatures acknowledging the acceptance of the Code of Conduct and Security Policy.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

21

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

1.0

Controls provide reasonable assurance that defined security program is in place and that Fusepoint employees are aware of this security program.

Fusepoint control activity

Grant Thornton test of control

Results

1.4

Criminal background screening is performed during the hiring process on technical employees and contractors with either physical or logical access to operations areas and customer data.

1.

No relevant exceptions noted.

Access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved upon termination of an employee or contractor.

1.

Access privileges for employees who change departments or responsibilities are modified accordingly.

1.

1.5

1.6

Inspection: The service auditor inspected a copy of criminal background check reports for the entire population of employees and contractors who were hired between June 1, 2009 and November 30, 2009, and were granted access to the operations areas of the Mississauga Data Centre. Inspection: For the entire population of employees

No relevant exceptions noted.

terminated between June 1, 2009 and November 30, 2009, at the Mississauga Data Centre, the service auditor inspected the termination checklists and verified that all steps in the termination checklist were completed, including the notification of the termination, the updating of HR records, the termination of the user account, and the retrieval of company property. Inspection: For the entire population of employees

No relevant exceptions noted.

who changed departments or responsibilities at the Mississauga Data Centre, between June 1, 2009 and November 30, 2009, the service auditor inspected documentation to verify that access privileges were modified accordingly.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

22

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

2.0

Controls provide reasonable assurance that physical access to the data centre is restricted to appropriate personnel.

Fusepoint control activity

Grant Thornton test of control

Results

2.1

Access to the data centre is controlled through proximity card readers, and only authorized Fusepoint staff are issued proximity reader access cards.

1.

No relevant exceptions noted.

Access privileges are granted on the basis of that person’s need to perform specific job functions, and a bi-annual review of access privileges is performed.

1.

2.2

Inspection: The service auditor inspected a listing of all Fusepoint employees and contractors who have proximity card access to the Mississauga Data Centre. For all employees/contractors, the service auditor verified that access was appropriately authorized based on the employee/contractor’s role. Inspection: The service auditor inspected a listing of

No relevant exceptions noted.

all Fusepoint employees and contractors who have proximity card access to the Mississauga Data Centre. The listing was reviewed to ensure that all staff who have proximity card access require access as part of their job function. 2.

Inspection/Inquiry: The service auditor inspected

No relevant exceptions noted.

documentation and inquired with Security Team members to confirm that regular reviews of the access privileges granted at the Mississauga Data Centre were performed. 3.

Inspection: The service auditor inspected a sample of

No relevant exceptions noted.

signed check-out sheets for the keys to the locked cabinets at the Mississauga Data Centre and confirmed that only appropriate individuals were granted access to the keys. 4.

Observation: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor observed the use of an employee access card for an employee who was not granted access to confirm that access is denied and the access attempt was recorded.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

23

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

2.0

Controls provide reasonable assurance that physical access to the data centre is restricted to appropriate personnel.

Fusepoint control activity

Grant Thornton test of control

Results

2.3

Physical security incidents and exceptions are reviewed by the Security Team. Reported physical security incidents that are classified as major in the Request Management System (RMS) are escalated to Vice-President Operations

1.

No instances of the control activity were identified in the audit period.

Visitors to the data centre must be preauthorized, and must sign-in before being granted physical access to the data centre.

1.

2.4

Inquiry: The service auditor inquired with Fusepoint’s Director of Security to verify that the Fusepoint Security Team reviewed physical security incidents at the Mississauga Data Centre and physical security incidents classified as major were escalated to VicePresident Operations. Inquiry: The service auditor inquired with Fusepoint

No relevant exceptions noted.

Operations Centre staff at the Mississauga Data Centre to confirm that all visitors must sign in at reception and obtain a visitor’s pass. 2.

Inspection: The service auditor inspected visitor sign-

No relevant exceptions noted.

in sheets for the Mississauga Data Centre for a sample of visitors in the period between June 1, 2009 and November 30, 2009 to verify that those visitors had been pre-authorized with an RMS ticket. 2.5

The servers and other equipment for Managed Services (as opposed to Co-located servers) can only be physically accessed by authorized Fusepoint staff.

1.

Observation: The service auditor visited the

No relevant exceptions noted.

Mississauga Data Centre and confirmed the following. Physical controls that restrict access to servers and other Managed Services equipment ensure that only authorized Fusepoint staff have access.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

24

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

3.0

Controls provide reasonable assurance that computer hardware and equipment are protected against fire and environmental damage.

Fusepoint control activity

Grant Thornton test of control

Results

3.1

A fire detection and suppression system has been placed in operation in the data centre. Testing of fire detection and suppression equipment is performed at least annually.

2.

No relevant exceptions noted.

Alarm panels and alerts are in place to monitor and detect facility environmental settings, such as temperature and moisture.

1.

3.2

Observation/Inspection: The service auditor observed that Fire Detection and Suppression systems are installed in the Mississauga Data Centre. The service auditor inspected equipment maintenance documents to determine that fire detection is tested annually. Observation/Inquiry: The service auditor visited the

No relevant exceptions noted.

Mississauga Data Centre. Through observation and inquiry with Fusepoint personnel, the service auditor verified that alarm panels and alerts are in place to monitor facility environmental settings, such as temperature and moisture. 2.

Observation: The service auditor observed that

No relevant exceptions noted.

automated systems are used by Operations Centre personnel for monitoring. 3.3

Climate control systems regulate air temperature within the computer rooms. Temperature monitoring equipment continuously monitors environmental conditions.

1.

Observation/Inquiry: The service auditor observed

No relevant exceptions noted.

that air conditioning units were deployed in the computer room to regulate air temperature at the Mississauga Data Centre. The service auditor observed that fail-over units for the same exist by way of separate chiller units and Air Handling Units. Through inquiry with Fusepoint personnel, the service auditor confirmed that these provide redundancy through automatic fail-over. The service auditor established that temperature sensors send out automated alarm notifications in case defined temperature thresholds are crossed.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

25

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

3.0

Controls provide reasonable assurance that computer hardware and equipment are protected against fire and environmental damage.

Fusepoint control activity

Grant Thornton test of control

Results

3.4

There are separate climate control units in place to protect against failure of individual units. An automated monitoring system is in place to alarm computer operations employees in the event of failure of the environmental control equipment in the computer room.

1.

No relevant exceptions noted.

An equipment and facilities maintenance program that includes at least annual maintenance and/or testing is in place to ensure that the facilities and equipment are kept in working order.

1.

3.5

Observation: The service auditor visited the Mississauga Data Centre and observed that fail-over units are in place for climate control.

2.

Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected evidence to verify that automated monitoring systems alert computer operations employees via email in the event of a failure in environmental control equipment. Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected lease agreement/other lease contracts to determine that the lease agreement contains provisions for repair to facilities, building structure, etc. Specifically, the service auditor made note of the lease date to determine that contracts have been updated as required in the lease deed. The service auditor inspected evidence of inspection/maintenance carried out on the electrical, fire detection & suppression systems, and power backup equipment.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

26

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

4.0

27

Controls provide reasonable assurance that continuous power is provided to the data centre and its systems.

Fusepoint control activity

Grant Thornton test of control

Results

4.1

1.

Exceptions noted: On July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource (Mississauga Hydro) occurred caused by a cable fault. The data centre lost power when the UPS batteries were depleted and the generators, although available to run were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity.

An uninterruptible power supply and diesel generator provides backup power to all essential operations and systems including the computer room. These systems are tested on at least a quarterly basis, and after any significant change to power infrastructure.

Inspection: The service auditor inspected evidence by way of maintenance reports and filled-in checklists from the period June 1, 2009 to November 30, 2009 and confirmed that regular testing of the system is carried out at the Mississauga Data Centre.

Fusepoint has increased the frequency of testing on the uninterruptible power supply from an annual basis to a quarterly basis to ensure that the uninterruptible power supply and diesel generator provide backup power and to avoid re-occurrence of power loss such as the July 20, 2009 event. Additionally, Fusepoint will perform testing on the systems after any significant change to power infrastructure.

4.2

A daily review of power systems is performed to ensure that there is sufficient power capacity for the data centre.

1.

Inquiry: The service auditor inquired with the facilities

No relevant exceptions noted.

staff at the Mississauga Data Centre to confirm that a daily review of power systems is performed to ensure that there is sufficient power capacity for each data centre. 2.

Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected evidence to verify that power use is regularly compared to the power capacity and growth forecasting is performed.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

5.0

Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.

Fusepoint control activity

Grant Thornton test of control

Results

5.1

1.

No relevant exceptions noted.

Production servers and equipment are located on restricted access network segments, and automated authentication controls are in place to restrict access to these network segments to authorized personnel.

Inspection/Observation: The service auditor inspected network diagrams to confirm the existence of restricted access network segments. It was observed that a user ID, password, and RSA token was required to access production servers on restricted networks.

2.

Observation: The service auditor observed the

No relevant exceptions noted.

Systems Administrator logging into restricted network segment to verify that automated authentication controls are in place to restrict access to production servers and equipment to only authorized personnel. 5.2

Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Logical access is only possible through Fusepoint’s offices, or through VPN using two-factor authentication. Fusepoint staff use unique user IDs to access programs and data.

1.

Inspection: The service auditor inspected the user

No relevant exceptions noted.

access controls to determine whether they are configured so that only authorized staff groups have access. A sample of access logs was reviewed to determine whether only users in authorized staff groups have access to the restricted network segment. 2.

Observation: The service auditor observed that the

No relevant exceptions noted.

use of a VPN using two-factor authentication is required, unless the user is physically in Fusepoint’s offices. 3.

Observation/Inquiry: The service auditor observed

No relevant exceptions noted.

system configurations and inquired with Fusepoint personnel to verify that unique user IDs are required to access programs and data.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

28

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

5.0

Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.

Fusepoint control activity

Grant Thornton test of control

Results

5.3

Annual reviews of logical access privileges are performed.

1.

No relevant exceptions noted.

The Security Team monitors and assesses new security alerts and advisories. Patches and other fixes are applied according to the priority level assigned by the Security Team.

1.

Event log monitoring tools for operating systems, firewalls and Intrusion Detection Systems (IDSs) are configured to send alerts on unauthorized access attempts and other unusual events to the Netcool Application monitored by the OC.

1.

An automated security incident escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level. Incidents that are not responded to within the defined timeline are

1.

5.4

5.5

5.6

Inspection/Inquiry: The service auditor inspected documentation and inquired with the Security Team to verify that reviews are a part of the regular Internal Security Audit.

Inspection: The service auditor inspected a sample of

No relevant exceptions noted.

alerts related to vulnerability/patch information published by vendors and advisory services and corresponding Fusepoint Security Bulletins (FSB). The service auditor also confirmed that the alerts were assigned and applied based on priority level. Inspection/Inquiry: The service auditor inspected a

No relevant exceptions noted.

sample of automated alerts from the Netcool application regarding unauthorized access attempts and other unusual events that were generated by the event log monitoring system. The service auditor also inquired with OC personnel to verify that they use NetCool for monitoring. Inspection: The service auditor inspected RMS

No relevant exceptions noted.

configuration settings to confirm that an automated security incident escalation procedure is enforced by the RMS, requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

29

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

5.0

Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.

Fusepoint control activity automatically escalated to the next staff level by the Netcool Application.

Grant Thornton test of control

Results

2.

No relevant exceptions noted.

Inspection: For the Mississauga Data Centre, the service auditor inspected configuration settings for the Netcool Application to ensure that incidents that are not responded to within the defined timeline are automatically escalated to the next staff level.

3.

Inquiry/Inspection: The service auditor confirmed

No relevant exceptions noted.

that administrative access at both the application and the operating system level for both the RMS and Netcool is restricted to appropriate personnel.

5.7

5.8

5.9

Pertinent anti-virus engines and signatures are installed on the Windows-based servers, and signatures are updated daily.

1.

Firewalls are in place to prevent unauthorized network traffic, and to separate Fusepoint’s network into multiple zones.

1.

Firewall rules are reviewed quarterly.

1.

Inspection: The service auditor inspected a sample of

No relevant exceptions noted.

Windows-based servers in the Mississauga Data Centre to verify that the anti-virus solution was installed and that the signature was not out of date.

Inspection: The service auditor inspected network

No relevant exceptions noted.

diagrams for the Mississauga Data Centre. It was verified that there are several levels of access controls and networks have been segmented into multiple zones. Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected a sample of RMS tickets from the period June 1, 2009 to November 30, 2009 to confirm that reviews of the firewall rules were performed quarterly.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

30

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

5.0

Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.

Fusepoint control activity

Grant Thornton test of control

Results

5.10 Intrusion Detection Systems are in place to detect unauthorized or suspicious traffic and send alerts to the Netcool Application monitored by the OC.

1.

No relevant exceptions noted.

Inspection/Inquiry: For the Mississauga Data Centre, the service auditor inspected evidence that the Netcool application received alerts from the IDS, and RMS tickets were subsequently created for those alerts.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

31

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

6.0

Controls provide reasonable assurance that modifications to system software and infrastructure are authorized

Fusepoint control activity

Grant Thornton test of control

Results

6.1

Change requests can only be made by authorized customer personnel or authorized Fusepoint staff.

1.

No relevant exceptions noted.

Changes are reviewed and then signed off by the appropriate Team Lead, and finally approved by the Fusepoint Change Advisory Board or Vice President of Operations.

1.

Changes are supported by back out plans to enable recovery in the event of problems being encountered during implementation.

1.

Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any of Fusepoint customer’s applications.

1.

6.2

6.3

6.4

Observation/Inquiry: For the Mississauga Data Centre, the service auditor inquired with Fusepoint personnel and observed that changes can only be requested through Fusepoint’s Request Management System (RMS). The service auditor also observed that only customers or authorized Fusepoint staff can access the RMS, which is restricted through authentication controls. Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected documentation related to a sample of change requests to verify that the change requests have been reviewed and signed off by the appropriate Team Lead and then approved. Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected documentation related to a sample of changes during the period June 1, 2009 and November 30, 2009. From the documentation, the Service Auditor verified that the change description included a back-out plan in the event of a problem being encountered during implementation of the change. Inquiry/Inspection: For the Mississauga Data

No relevant exceptions noted.

Centre, the service auditor inquired with Security and Operation Teams, and inspected documented job descriptions to confirm that they did not perform any financial reporting processes or internal controls for a customer. 2.

Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected a sample of RMS tickets

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

32

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

6.0

Controls provide reasonable assurance that modifications to system software and infrastructure are authorized

Fusepoint control activity

Grant Thornton test of control

Results

assigned to Security or Operation Teams and confirmed that they did not perform any financial reporting processes or internal controls for a customer.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

33

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

7.0

Controls provide reasonable assurance that change requests are addressed on a timely basis.

Fusepoint control activity

Grant Thornton test of control

Results

7.1

1.

No relevant exceptions noted.

An automated change escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to address change requests within documented timelines depending on their priority level. Change requests that are not responded to within the defined timeline are automatically escalated to the next staff level by the RMS.

Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets to confirm that security escalation procedures were followed for security incidents, and that priority levels assigned were in accordance with established procedures.

2.

Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected a sample of RMS tickets to verify that hardware and software issues were logged in the RMS ticketing system and were escalated according to problem severity.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

34

Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre

8.0

Controls provide reasonable assurance that backups for recovering software and data files are maintained in the event of a disruption or a disaster.

Fusepoint control activity

Grant Thornton test of control

Results

8.1

Daily incremental backups and weekly full backups are performed with one copy kept on-site and a duplicate copy kept off-site.

1.

No relevant exceptions noted.

Off-site data is stored in a protected environment. Backups are sent off-site daily, and the Network Operation Centre (OC) personnel are responsible for shipping and receiving tapes.

1.

Off-site tape counts are reconciled with on-site records at least annually.

1.

Backups are tested using backup media integrity checks during the backup process.

1.

8.2

8.3

8.4

Observation/Inspection: For the Mississauga Data Centre, the service auditor observed the configuration of the backup system to confirm that backups are made according to the defined schedule. The service auditor also inspected media dispatch records for a sample of days between June 1, 2009 and November 30, 2009 to verify that duplicate backup copies were sent to an off-site location. Inquiry: For the Mississauga Data Centre, the service

No relevant exceptions noted.

auditor inquired with OC personnel on the procedures for shipping and receiving tapes to and from the offsite storage location. Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected an RMS ticket documenting the annual reconciliation of off-site and on-site tapes counts. Inspection: For the Mississauga Data Centre, the

No relevant exceptions noted.

service auditor inspected RMS records regarding media check alerts.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

35