CICA 5970 Report on Internal Control - VirtGroup (virtgroup.com/library/FusepointCICA5970.pdf)
CICA 5970 REPORT ON INTERNAL CONTROL
1
FUSEPOINT MANAGED SERVICES INC.
CICA 5970 REPORT ON INTERNAL CONTROL FOR THE MISSISSAUGA DATA CENTRE
As of November 30, 2009 and Tests of Operating Effectiveness for the Period of June 1, 2009 to November 30, 2009
TABLE OF CONTENTS
Auditor’s Report .... 3
Section 2 — Fusepoint’s Description of Controls .... 5
  Overview of Fusepoint Managed Services .... 5
  Scope of this report for the Mississauga Data Centre .... 5
  Control Environment .... 7
  Risk Assessment .... 8
  Information and Communication .... 8
  Monitoring .... 12
  Control Objectives and Related Controls .... 14
  Complementary User Organization Control Considerations .... 16
  Changes to Controls .... 18
Section 3 — Information Provided by the Service Auditor .... 18
  Introduction .... 20
Auditor’s Report
To: Fusepoint Managed Services
We have audited the accompanying description of general controls related to Fusepoint Managed Services’
(“Fusepoint”) fully managed hosting and server colocation services related to its data centre in Mississauga.
Fusepoint’s management is responsible for the completeness, accuracy and method of presentation of the
description of the fully managed hosting and server colocation services related to its data centre in Mississauga, as
well as the control objectives and related controls required. Our responsibility is to express an opinion based on
our audit. We conducted our audit in accordance with the standards established by The Canadian Institute of
Chartered Accountants (CICA) for audits of controls at a service organization. Those standards require that we
plan and perform the audit to obtain reasonable assurance about whether (1) the accompanying description
presents fairly, in all material respects, the aspects of Fusepoint’s controls that may be relevant to a user
organization’s internal control as it relates to an audit of financial statements; (2) the controls included in the
description were suitably designed to achieve the control objectives specified in the description, if those controls
were complied with satisfactorily and user organizations applied the controls contemplated in the design of
Fusepoint’s controls; and (3) such controls had been placed in operation as at November 30, 2009. Our audit
included those procedures we considered necessary in the circumstances to obtain a reasonable basis for our
opinion. The control objectives were specified by management of Fusepoint.
In our opinion, the accompanying description of the aforementioned service presents fairly, in all material
respects, the relevant aspects of Fusepoint’s controls that had been placed in operation as at November 30, 2009.
Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the
specified control objectives would be achieved if the described controls were complied with satisfactorily and user
organizations applied the controls contemplated in the design of Fusepoint’s controls.
In addition to the procedures we considered necessary to express our opinion in the previous paragraph, we
applied tests to specific controls, listed in Section 3, to obtain evidence about their effectiveness in meeting the
control objectives, described in Section 3, during the period from June 1, 2009 to November 30, 2009. The
specific controls and the nature, timing, extent and results of the tests are listed in Section 3. This information
has been provided to user organizations of Fusepoint and to their auditors to be taken into consideration, along
with information about the internal control at user organizations, when making assessments of control risk for
user organizations.
Fusepoint states in control activity 4.1 in its description of general controls that it has an uninterruptible power
supply (UPS) and diesel generator to provide backup power to all essential operations and systems, and that these
systems are tested on at least an annual basis. However, on July 20, 2009, the power transfer scheme for the
Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource
(Mississauga Hydro) occurred caused by a cable fault. The data centre lost power when the UPS batteries were
depleted and the generators, although available to run, were prevented from properly delivering power to the UPS
system, resulting in an exception for this control activity. This exception resulted in the non-achievement of the
control objective “Controls provide reasonable assurance that continuous power is provided to the data centre
and its systems”.
In our opinion, except for the matters described in the preceding paragraph, the controls that were tested, as
described in Section 3, were operating with sufficient effectiveness to provide reasonable assurance that the
control objectives specified in Section 3 were achieved during the period from June 1, 2009 to November 30,
2009.
The relative effectiveness and significance of specific controls at Fusepoint and their effect on assessments of
control risk at user organizations are dependent on their interaction with the controls and other factors present at
individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at
individual user organizations and, accordingly, we express no opinion on the achievement of control objectives at
individual user organizations.
The description of controls at Fusepoint is as at November 30, 2009, and information about tests of the operating
effectiveness of specific controls covers the period from June 1, 2009 to November 30, 2009. Any projection of
such information to the future is subject to the risk that, because of change, the description may no longer portray
the controls in existence. The potential effectiveness of specific controls at Fusepoint is subject to inherent
limitations and, accordingly, errors or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that
changes made to the system or controls, changes in processing requirements or changes required because of the
passage of time may alter the validity of such conclusions.
This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its
customers.
Vancouver, BC, Canada
December 22, 2009
Chartered Accountants
SECTION 2 — FUSEPOINT’S DESCRIPTION OF CONTROLS
Overview of Fusepoint Managed Services
Fusepoint Managed Services (“Fusepoint”), founded in 1999, is a leading North American provider of fully managed hosting and IT solutions tailored to the needs of mid-sized and large enterprises. Delivering significant cost, time-to-market, security and staffing advantages, Fusepoint's solutions include system migration and integration; e-business security; network architecture design; business continuity/disaster recovery; and intranet/extranet optimization.
Fusepoint provides proactive end to end solution management covering all key areas of managed infrastructure: Security; Storage Management; Network Management; Customer Care; Monitoring and Reporting. Fusepoint’s primary security related goals and objectives include the ability to:
Create a trusted customer environment
Provide High Availability and Reliability
Manage Risk
Provide Scalability and Extendibility
Understanding that this takes an integrated approach of people, processes and technology, many leading organizations such as Royal Canadian Mint, Mountain Equipment Co-op, Clearview Strategic Partners and Dominion Bond Rating Service have chosen Fusepoint to be their provider of choice to ensure their online applications and infrastructure are available and secure.
Scope of this report for the Mississauga Data Centre
This report describes the control structure of Fusepoint Managed Services, as it relates to Fusepoint’s data centre in Mississauga as of November 30, 2009, and tests of operating effectiveness for the period of June 1, 2009 to November 30, 2009. The control objectives and related control activities covered herein describe the general computer controls used in delivering Fusepoint’s Fully Managed Infrastructure Services and Colocation Hosting Services. It has been prepared to provide information for use by Fusepoint’s management, its customers that rely upon these services, and the auditors of those customers.
Fusepoint provides two tiers of services: Fully Managed Infrastructure Services and Colocation Hosting Services. The Fully Managed Infrastructure Services encompass the following:
Fusepoint Colocation Hosting Services encompass the following:
This report only covers general computer controls for the infrastructure encompassed by the services above on which a customer’s application may be hosted. Application level controls are not in scope for the services described above, and therefore are not in scope for this report. Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any of their customers’ applications.
Control Environment
Generally, an organization’s control environment represents the collective effort of various factors on establishing, enhancing or mitigating the effectiveness of specific controls. Such factors include but are not limited to the following:
Integrity and ethical values
Management’s philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practice
The control environment reflects the overall attitude, awareness and actions of the Board and management concerning all other components of internal controls and their emphasis within the organization.
Integrity and Ethical Values
Fusepoint expects that its employees will act ethically and with integrity. All Fusepoint personnel are therefore governed by several personnel policies and agreements. They include a non-disclosure agreement, code of conduct and a security policy staff agreement. All new Fusepoint staff are required to sign these agreements as a condition of employment.
Management’s philosophy and operating style
Fusepoint recognizes the importance of strong controls around information security and privacy, and is committed to implementing best practices. Selection of best-of-breed systems helps promote Fusepoint’s secured environment. Fusepoint undergoes regular external audits, such as the Canadian Institute of Chartered Accountants (CICA) Section 5970 Audit, the U.S. Statement of Auditing Standards (SAS) 70 Audit, Payment Card Industry (PCI) Data Security Standard Audit, and the HP Service Provider Certification.
Organization Structure
Fusepoint is divided into the departments as shown by the organizational chart below:
[Organizational chart: President & CEO at the top; departments as labelled: Finance; Hosting and Infrastructure Management; Client Experience; Facilities; Security; Operations (Eastern Region; Central/Western Region; Quebec City; Montreal); Sales; Marketing; Human Resources; Application Services]
Information security and internal control are a business responsibility shared by all members of Fusepoint’s Executive Team.
Assignment of authority and responsibility
The Executive Team has approved an Information Security Policy which applies to all employees, and which delegates responsibility for the management of Information Security to the Vice-President Operations. This
policy is reviewed and updated to keep it current. Continual updating of the policy ensures that it addresses an ever-changing risk environment.
The Security Team is led by the Director of Security who reports to the Vice-President Operations. The Security Team has day-to-day operational responsibility for information security and related internal controls and assists the Vice-President Operations with developing security policies, promoting security awareness and defining security standards. It also meets with and reports weekly to the Vice-President Operations to ensure the coordination and implementation of policies and practices across the company. The Security Team is segregated from the other Operations teams. The Security Team does not perform any operational function performed by the Operations teams. The Security Team is also not responsible for or involved in performing any financial reporting processes or controls for any Fusepoint customer or any of their customers’ applications. Members of the Security Team have the appropriate qualifications and skills to fulfill their duties.
The Operations teams themselves are segregated from each other based on platform (Microsoft, UNIX, network, etc.).
All employees of Fusepoint have written job descriptions which clearly delineate each staff member’s roles and responsibilities within the organization.
Human Resources Policies and Practice
A formal workflow procedure for the hiring and termination of employees and contractors, and for any position/responsibility changes, has been developed to ensure all steps are completed. This procedure is initiated by the Human Resources (HR) Department for all changes, and each change is reviewed by the HR Department to ensure the procedure is completed. Upon hiring, personnel agreements (described in the next paragraph) are signed. Personnel with access to customer data are required to go through criminal background screening. Upon termination, access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved. Upon position/responsibility change, access privileges are adjusted/revoked as required.
Fusepoint has a defined security program in place for its employees. Annual security awareness training is mandatory for all employees as part of this program. All Fusepoint employees are required to sign a non-disclosure agreement, code of conduct and a security policy staff agreement as a condition of employment. Logical access security policies and procedures are documented, and Fusepoint employees have access to all security policies and procedures via Fusepoint’s intranet.
Risk Assessment
Technical Security and Risk Management
A vulnerability management process has been implemented that includes periodic internal and external scanning of managed customer servers. Assessments of patches and security updates from hardware and software vendors are performed by the Security Team, who then coordinates their deployment with the Operations Teams.
Back-out procedures are documented in change requests in the event of a failure occurring during the change.
Procedures are in place and rules have been enabled to prevent access via insecure network services and protocols.
Redundancy is built into the network (for example, use of switches and load balancers) to ensure the continuity of network operations.
Information and Communication
Fusepoint has several information systems in place to support its Fully Managed Infrastructure Services and Colocation Hosting Services. Those systems are:
Customer WebCare portal and Request Management System (RMS)
Automated facility and environmental monitoring systems
Fusepoint Monitoring System, which includes the Netcool Application
Physical access management system (for proximity card readers)
Logical access authentication systems
Intrusion Detection System
Event log monitoring systems
Backup management systems
Standard Operating Procedures
Formalized Standard Operating Procedures (SOP) are used to ensure that where problems are identified, they are recorded, brought to the attention of the appropriate personnel, actioned, followed up and analyzed to identify trends that might indicate a more extensive issue. The SOP has been documented, and includes prescribed procedures for incident management, change management, patch management and data centre access. Fusepoint is not involved in application job scheduling and execution, as these are managed and monitored by its customers.
Priority 1 and 2 Ticket Workflow: Customer Contacts Operations Centre (OC)
[Flowchart with OC and Customer swimlanes; nodes and decision points as labelled in the figure:]
1. Authorized Technical Contact creates a ticket by sending via WebCare or calling OC.
2. Is caller an authorized Technical Contact? No: OC advises caller to contact Authorized Technical Contact.
3. Ticket created via WebCare? Ticket Number assigned to case; OC is paged of new ticket.
4. OC contacts customer within 15 minutes to verify problem. Was 15 minute response time observed? No: Authorized Technical Contact pages on-duty Team Leader. Was 15 minute response time observed? No: Authorized Trouble Reporter calls Director of Hosting Operations.
5. Work to resolve begins immediately. OC Technician resolves the problem within 15 minutes of notification? No: Ticket escalated to 2nd Level; Resolution in Progress.
6. OC sends hourly status updates to customer until resolved. Updates received hourly?
7. Problem resolved within 2 hours of notification? No: Ticket escalated to Director, Operations; Director escalates internally/externally until problem resolved.
8. Problem is being resolved; Customer is notified the ticket is resolved; Findings and results are documented in the original ticket; Post-Incident Report sent to customer; Ticket is Closed.
Figure 1: Standard Operating Procedure when customer contacts OC
Priority 1 and 2 Ticket Workflow: OC Contacts Customer
[Flowchart with OC and Customer swimlanes; nodes and decision points as labelled in the figure:]
1. OC receives alert; OC verifies trouble exists. Has a problem been confirmed? No: OC continues to monitor customer.
2. Problem identified as Fusepoint responsibility? No: Customer notified; customer receives notification and works with Fusepoint to resolve.
3. Ticket Number assigned to case; notification sent to customer within 15 minutes of verification; customer receives notification of problem with ticket number.
4. Update received within 30 minutes of problem start? No: Customer calls OC Manager cell phone. OC Manager available? No: Customer calls Manager, Technical Services cell phone. Manager, Technical Services available? No: Customer calls Director, Operations cell phone.
5. Ticket assigned to Level 2. Level 2 resolves ticket within 30 minutes of problem start? No: Ticket escalated to Engineer. Engineer resolves problem within 1 hour of start? No: Ticket escalated to Manager, Technical Services. Problem resolved within 2 hours of problem start? No: Director, Hosting Operations notified; Director escalates internally/externally until problem resolved.
6. OC provides updates every 30 minutes until resolved. Updates received every 30 minutes?
7. Resolution in Progress; Customer is notified the ticket is resolved; Findings and results are documented in the original ticket; Post-Incident Report sent to customer; Ticket is Closed.
Figure 2: Standard Operating Procedure when OC contacts customer
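The response, update and resolution deadlines in Figures 1 and 2 form an escalation ladder that can be checked mechanically against ticket timestamps. The following is an added illustration, not Fusepoint's RMS or any code from the report: the timings are taken from the figure labels, while the Ticket and Workflow structures, the sample timestamps and the clock-start convention (OC paged for Figure 1, trouble verified for Figure 2) are assumptions made for this example.

```python
"""Escalation-timer evaluator for the Priority 1 and 2 ticket workflows in Figures 1 and 2.
Added illustration: timings come from the figure labels; the data structures and sample
tickets are constructed for this example and are not Fusepoint's RMS schema."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Workflow:
    name: str
    response_window: timedelta                 # first OC contact / customer notification deadline
    update_interval: timedelta                 # how often status updates are owed until resolved
    ladder: Tuple[Tuple[timedelta, str], ...]  # (time since clock start, escalation) rungs


# Figure 1: customer contacts the OC.
CUSTOMER_CONTACTS_OC = Workflow(
    name="Customer Contacts OC",
    response_window=timedelta(minutes=15),      # OC contacts customer within 15 minutes
    update_interval=timedelta(hours=1),         # hourly status updates
    ladder=(
        (timedelta(minutes=15), "ticket escalated to 2nd level"),
        (timedelta(hours=2), "ticket escalated to Director, Operations"),
    ),
)

# Figure 2: OC detects the problem and contacts the customer.
OC_CONTACTS_CUSTOMER = Workflow(
    name="OC Contacts Customer",
    response_window=timedelta(minutes=15),      # notification within 15 minutes of verification
    update_interval=timedelta(minutes=30),      # updates every 30 minutes
    ladder=(
        (timedelta(minutes=30), "ticket escalated to Engineer"),
        (timedelta(hours=1), "ticket escalated to Manager, Technical Services"),
        (timedelta(hours=2), "Director, Hosting Operations notified"),
    ),
)


@dataclass
class Ticket:
    """Timestamps captured for one ticket (constructed fields, not the RMS schema)."""
    start_at: datetime                      # clock start: OC paged (Fig. 1) or trouble verified (Fig. 2)
    first_contact_at: Optional[datetime]    # OC contacted / notified the customer
    resolved_at: Optional[datetime]         # customer notified the ticket is resolved
    updates_at: List[datetime] = field(default_factory=list)  # status updates sent


def missed_update_windows(ticket: Ticket, interval: timedelta, now: datetime) -> int:
    """Count fully elapsed update intervals (up to resolution or `now`) with no status update."""
    end = ticket.resolved_at or now
    missed, window_start = 0, ticket.start_at
    while window_start + interval <= end:
        window_end = window_start + interval
        if not any(window_start < u <= window_end for u in ticket.updates_at):
            missed += 1
        window_start = window_end
    return missed


def evaluate_ticket(ticket: Ticket, workflow: Workflow, now: datetime) -> dict:
    """Walk the workflow's decision points and report which escalations are due.
    An open ticket is measured against `now`; a resolved one against its resolution time."""
    clock = (ticket.resolved_at or now) - ticket.start_at
    contact = (ticket.first_contact_at or now) - ticket.start_at
    return {
        "response_met": contact <= workflow.response_window,
        "updates_missed": missed_update_windows(ticket, workflow.update_interval, now),
        "escalations": [step for deadline, step in workflow.ladder if clock > deadline],
    }


# Constructed sample data (not from the report).
NOW = datetime(2009, 9, 14, 11, 30)
ON_TIME = Ticket(start_at=datetime(2009, 9, 14, 9, 0),
                 first_contact_at=datetime(2009, 9, 14, 9, 10),
                 resolved_at=datetime(2009, 9, 14, 9, 12))
LATE = Ticket(start_at=datetime(2009, 9, 14, 9, 0),
              first_contact_at=datetime(2009, 9, 14, 9, 20),
              resolved_at=None,
              updates_at=[datetime(2009, 9, 14, 10, 5)])

if __name__ == "__main__":
    for wf in (CUSTOMER_CONTACTS_OC, OC_CONTACTS_CUSTOMER):
        print(wf.name, "on-time ticket:", evaluate_ticket(ON_TIME, wf, NOW))
        print(wf.name, "late ticket:", evaluate_ticket(LATE, wf, NOW))
```

The same open ticket yields different escalations under the two workflows because their rungs and update cadence differ; an auditor testing control 5.x-style ticket SLAs would compare this output against the escalation entries actually recorded in the RMS.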
Change Management
Fusepoint is responsible for managing changes related to their customers’ system software, infrastructure and environment. Fusepoint’s customers are responsible for managing application changes including the maintenance of any application program libraries.
Change requests, alerts from monitoring sensors, and incident reports are all centrally managed through Fusepoint’s Request Management System (RMS). Only authorized customer personnel have access to the RMS through the WebCare customer portal. Change requests and problems are communicated to Fusepoint through WebCare, and if telephone line support is used by the customer, pertinent details of the conversation are entered into the RMS by the Operations Centre (OC).
Fusepoint has documented change control procedures. Operations Management administers and coordinates the change process from initiation to implementation. Changes are requested according to a published workflow, and notification is sent to the appropriate approver based on the nature of the change (see diagram on the following pages). Every change request is assigned a unique ticket number in the RMS.
Change requests require the change details to be documented including the back-out procedures in the event of failure during the change. Problems incurred during a change are logged into the RMS ticket and resolved before the ticket is closed.
Specific windows and time lines have been established for system software, infrastructure and environment changes to be implemented to minimize disruption to production environments.
Change Request
[Flowchart; nodes and decision points as labelled in the figure:]
1. Engineer prepares FCR, attaches to Change Ticket. Emergency Change? Yes (short-cut for emergency changes): Ticket assigned directly to CM; CM discusses with TL; CM discusses with M/TS; CM gets CAB or D/O and VP/O approval. No: Ticket submitted to CM.
2. 1st Phase Approval Process: CM brings FCR to Weekly TL Review Board; 1st Phase Approval Meeting (D/O, M/TS, CM). Revisions needed? Yes: 1st iteration? Yes: Ticket assigned to TL for review/revision; TL reviews ticket, back for review. No: TL, M/TS and CM review change and make necessary modifications.
3. Needs CAB approval? Yes: Present to CAB. No: Get VP Operations approval.
4. Change approved? Yes: 1. CM updates ticket; 2. CM assigns ticket to Change Requestor; 3. CM updates Change Calendar; 4. CM sends customer notification; then Change Process. Problems encountered pre-change or post-change: CM updates ticket. No: Revise? Yes: back for review. No: Change not approved, file for reference; End Process.
Legend:
FCR: Fusepoint Change Request
TL: Team Lead
M/TS: Manager, Technical Services
CM: Change Manager
D/O: Director, Operations
CAB: Change Advisory Board
VP/O: Vice President, Operations
Figure 3: Phase 1 Change Approval Process
Logical and Physical Access
Fusepoint’s responsibility for logical access administration over its customers’ systems is limited to the network and infrastructure. Fusepoint’s customers manage logical access at the application level.
Logical access security policies and procedures are documented, and Fusepoint employees have access to all security policies and procedures via Fusepoint’s intranet. All Fusepoint employees are required to sign a non-disclosure agreement, code of conduct and a security policy staff agreement as a condition of employment. Annual security awareness training is also mandatory for all employees.
Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Fusepoint staff use unique user IDs to access programs and data. All role-based and administrative passwords are stored within a secured database protected and maintained by the Security Team, and access is restricted to Operations personnel only. Access control is enforced using automated access controls (e.g. two-factor authentication, complex passwords with minimum-length, account lockout for multiple unsuccessful logins, etc.).
Access to the Mississauga Data Centre is restricted through physical access controls. Only authorized Fusepoint staff or visitors who have been pre-authorized are granted access.
Network and Operating System Security
Fusepoint’s production network architecture has been implemented to separate the network into multiple zones. Redundant and shared firewalls have been used to separate public-facing Web servers in the demilitarized zone from the back-end application and database servers in the trusted zone. Fusepoint’s office desktop machines and any development workstations are on a network separate from the production network, and are not within the scope of this report.
Intrusion Detection Software systems and monitoring procedures have been implemented to identify unauthorized network access. For internal servers, fully managed customers’ servers and subscribed colocation customers’ servers, Fusepoint staff will respond to IDS alerts. (No response is provided to colocation customers that do not subscribe to the IDS service.)
Virtual Private Network (VPN) has been implemented for secure remote access into the internal production networks and systems.
Pertinent anti-virus engines and signatures are installed on the Windows-based and Linux-based servers, and signatures are updated daily for internal servers and for customers who have subscribed to the anti-virus service. Hardening procedures have been developed and maintained for production server operating systems.
Data Centre Facilities
The Mississauga Data Centre has systems in place to protect computer hardware and equipment from fire and environmental damage. An uninterruptible power supply and diesel generator provide backup power to all essential operations and systems including the computer room, and these systems are tested on at least a quarterly basis and after any significant change to power infrastructure. Reviews of power systems are performed to ensure that there is sufficient power capacity.
Daily incremental backups and weekly full backups are performed for internal servers, fully managed customers and colocation customers who subscribe to the backup service. When a backup is performed, two copies are made: one that remains on-site, and one that is shipped off-site. Media integrity checks are performed during the backup process to ensure that the backup can be restored if needed.
Monitoring
Quality Assurance
Fusepoint has implemented a Quality Assurance (QA) function that is independent of its Operations group, and a QA person has been appointed to ensure that standard operating procedures are followed. The QA
function is responsible for reviewing business operations, customer contracts, etc. to assess compliance with policies and procedures. Adherence to operating procedures is enforced by the QA process.
The Fusepoint Security Team is responsible for monitoring the implementation and compliance of the information security program through periodic audits, compliance checks and use of various technology tools.
Facilities and System Monitoring
Security cameras have been placed in operation and are monitored 24 × 7 in the Network Operations Room.
The Fusepoint Monitoring System provides an automated central monitoring system that is used to monitor servers and network devices for system utilization, hardware failure and performance on a real-time basis. Automated tools and technologies have been implemented to monitor Fusepoint’s hardware and software, along with environmental factors such as temperature, power and humidity. The core of the Fusepoint Monitoring System is the Netcool application, which performs normalization and correlation of the collected data for all facilities and system monitoring except for the specific systems that monitor physical conditions in each data centre. Netcool is monitored by personnel in the Operations Centre (OC), who can then create tickets in the Request Management System (RMS) if required using data fed in from Netcool. Systems that are not interfaced with Netcool are directly monitored by the OC.
Control Objectives and Related Controls
This subsection provides a list of control objectives and related controls that have been tested for operating effectiveness. These control objectives and related controls are also listed in Section 3 of this report, “Information Provided by the Service Auditor”. Although the listing of the control objectives and related controls in both Sections 2 and 3 of this report may seem redundant, the list in this section has been provided for convenience for Canadian audiences used to the conventions for service auditor’s reports in Canada.
Administration and Organization
1.0 Controls provide reasonable assurance that a defined security program is in place and that Fusepoint employees are aware of this security program.
1.1 A mandatory annual security awareness program has been placed in operation to educate Fusepoint employees about Fusepoint’s security program and to articulate details of the program.
1.2 Fusepoint employees are required in the hiring process to execute a legally binding non-disclosure agreement which includes terms and conditions related to maintaining the non-disclosure of information that is confidential to either Fusepoint or its customers.
1.3 Fusepoint employees are required in the hiring process to sign that they have received and read both Fusepoint’s Code of Conduct and Fusepoint’s Security Policy.
1.4 Criminal background screening is performed during the hiring process on technical employees and contractors with either physical or logical access to operations areas and customer data.
1.5 Access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved upon termination of an employee or contractor.
1.6 Access privileges for employees who change departments or responsibilities are modified accordingly.
Facilities
2.0 Controls provide reasonable assurance that physical access to the data centre is restricted to appropriate personnel.
2.1 Access to the data centre is controlled through proximity card readers, and only authorized Fusepoint staff are issued proximity reader access cards.
2.2 Access privileges are granted on the basis of that person’s need to perform specific job functions, and a bi-annual review of access privileges is performed.
2.3 Physical security incidents and exceptions are reviewed by the Security Team. Reported physical security incidents that are classified as major in the Request Management System (RMS) are escalated to the Vice-President Operations.
2.4 Visitors to the data centre must be pre-authorized, and must sign-in before being granted physical access to the data centre.
2.5 The servers and other equipment for Managed Services (as opposed to Co-located servers) can only be physically accessed by authorized Fusepoint staff.
3.0 Controls provide reasonable assurance that computer hardware and equipment are protected against fire and environmental damage.
3.1 A fire detection and suppression system has been placed in operation in the data centre. Testing of fire detection and suppression equipment is performed at least annually.
3.2 Alarm panels and alerts are in place to monitor and detect facility environmental settings, such as temperature and moisture.
3.3 Climate control systems regulate air temperature within the computer rooms. Temperature monitoring equipment continuously monitors environmental conditions.
3.4 There are separate climate control units in place to protect against failure of individual units. An automated monitoring system is in place to alarm computer operations employees in the event of failure of the environmental control equipment in the computer room.
3.5 An equipment and facilities maintenance program that includes at least annual maintenance and/or testing is in place to ensure that the facilities and equipment are kept in working order.
4.0 Controls provide reasonable assurance that continuous power is provided to the data centre and its systems.
4.1 An uninterruptible power supply and diesel generator provide backup power to all essential operations and systems including the computer room. These systems are tested on at least a quarterly basis, and after any significant change to power infrastructure.
Exception noted: On July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource (Mississauga Hydro), caused by a cable fault, occurred. The data centre lost power when the UPS batteries were depleted and the generators, although available to run, were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity.
4.2 A daily review of power systems is performed to ensure that there is sufficient power capacity for the data centre.
Logical Access and Security
5.0 Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.
5.1 Production servers and equipment are located on restricted access network segments, and automated authentication controls are in place to restrict access to these network segments to authorized personnel.
5.2 Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Logical access is only possible through Fusepoint’s offices, or through VPN using two-factor authentication. Fusepoint staff use unique user IDs to access programs and data.
5.3 Annual reviews of logical access privileges are performed.
5.4 The Security Team monitors and assesses new security alerts and advisories. Patches and other fixes are applied according to the priority level assigned by the Security Team.
5.5 Event log monitoring tools for operating systems, firewalls and Intrusion Detection Systems (IDSs) are configured to send alerts on unauthorized access attempts and other unusual events to the Netcool Application monitored by the OC.
5.6 An automated security incident escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level. Incidents that are not responded to within the defined timeline are automatically escalated to the next staff level by the Netcool Application.
5.7 Pertinent anti-virus engines and signatures are installed on the Windows-based servers, and signatures are updated daily.
5.8 Firewalls are in place to prevent unauthorized network traffic, and to separate Fusepoint’s network into multiple zones.
5.9 Firewall rules are reviewed quarterly.
5.10 Intrusion Detection Systems are in place to detect unauthorized or suspicious traffic and send alerts to the Netcool Application monitored by the OC.
Change Management / Problem Resolution
6.0 Controls provide reasonable assurance that modifications to system software and infrastructure are authorized.
6.1 Change requests can only be made by authorized customer personnel or authorized Fusepoint staff.
6.2 Changes are reviewed and then signed off by the appropriate Team Lead, and finally approved by the Fusepoint Change Advisory Board or Vice President of Operations.
6.3 Changes are supported by back out plans to enable recovery in the event of problems being encountered during implementation.
6.4 Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any Fusepoint customer’s applications.
7.0 Controls provide reasonable assurance that change requests are addressed on a timely basis.
7.1 An automated change escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to address change requests within documented timelines depending on their priority level. Change requests that are not responded to within the defined timeline are automatically escalated to the next staff level by the RMS.
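Controls 5.6 and 7.1 describe the same mechanism for incidents and change requests: a documented response timeline per priority level, and automatic escalation to the next staff level whenever that timeline passes without a response. The block below is an added example of that escalation logic, not the RMS or Netcool configuration the report refers to; the timelines, the staff chain and the sample tickets are constructed assumptions, since the report gives none of those values.

```python
"""Timeline-based escalation check for incident and change tickets.

Added example, not Fusepoint's RMS/Netcool logic. RESPONSE_TIMELINE,
ESCALATION_CHAIN and SAMPLE_TICKETS are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Assumed response timelines per priority level (the report documents none).
RESPONSE_TIMELINE = {
    "P1": timedelta(minutes=15),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=4),
    "P4": timedelta(hours=24),
}

# Assumed staff chain: level 0 is the original assignee, each later entry is
# "the next staff level" the ticket escalates to.
ESCALATION_CHAIN = (
    "on-call analyst",
    "team lead",
    "director of security",
    "vice-president operations",
)


@dataclass
class Ticket:
    ticket_id: str
    kind: str                           # "incident" (5.6) or "change" (7.1)
    priority: str
    opened_at: datetime
    responded_at: Optional[datetime] = None


def escalation_level(ticket: Ticket, now: datetime) -> int:
    """Number of staff levels the ticket has escalated.

    Every full timeline period that elapses without a response moves the
    ticket one level up the chain, capped at the top. For a ticket that has
    been responded to, the level is frozen at the moment of the response, so
    a response inside the timeline yields level 0 and a late one keeps the
    level it had reached.
    """
    timeline = RESPONSE_TIMELINE[ticket.priority]
    elapsed = (ticket.responded_at or now) - ticket.opened_at
    level = elapsed // timeline           # timedelta // timedelta -> int
    return min(level, len(ESCALATION_CHAIN) - 1)


def assignee(ticket: Ticket, now: datetime) -> str:
    """Staff level currently responsible for the ticket."""
    return ESCALATION_CHAIN[escalation_level(ticket, now)]


def overdue_open(tickets: Iterable[Ticket], now: datetime) -> List[Tuple[str, str, str]]:
    """Open tickets that have passed their timeline, with the level they reached."""
    return [
        (t.ticket_id, t.priority, assignee(t, now))
        for t in tickets
        if t.responded_at is None and escalation_level(t, now) > 0
    ]


def late_responses(tickets: Iterable[Ticket]) -> List[str]:
    """Tickets answered only after their timeline had expired (an exception to report)."""
    return [t.ticket_id for t in tickets if t.responded_at is not None and escalation_level(t, t.responded_at) > 0]


# Constructed sample queue, evaluated at a fixed instant.
NOW = datetime(2009, 7, 20, 12, 0)
SAMPLE_TICKETS = [
    Ticket("INC-1", "incident", "P1", datetime(2009, 7, 20, 11, 10)),                              # 50 min open, 15 min timeline
    Ticket("INC-2", "incident", "P2", datetime(2009, 7, 20, 10, 30), datetime(2009, 7, 20, 10, 45)),  # answered in time
    Ticket("CHG-3", "change", "P3", datetime(2009, 7, 20, 6, 0)),                                  # 6 h open, 4 h timeline
    Ticket("INC-4", "incident", "P3", datetime(2009, 7, 20, 2, 0), datetime(2009, 7, 20, 11, 0)),   # answered 9 h later
    Ticket("CHG-5", "change", "P4", datetime(2009, 7, 20, 11, 0)),                                 # 1 h open, 24 h timeline
]


if __name__ == "__main__":
    for item in overdue_open(SAMPLE_TICKETS, NOW):
        print("overdue:", item)
    print("late responses:", late_responses(SAMPLE_TICKETS))
```

The two report functions separate what an operations centre wants to see live (which open tickets have escalated, and to whom) from what an auditor wants to see afterwards (which tickets breached their timeline even though they were eventually answered).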
Backup and Recovery
8.0 Controls provide reasonable assurance that backups for recovering software and data files are maintained in the event of a disruption or a disaster.
8.1 Daily incremental backups and weekly full backups are performed with one copy kept on-site and a duplicate copy kept off-site.
8.2 Off-site data is stored in a protected environment. Backups are sent off-site daily, and the Network Operation Centre (OC) personnel are responsible for shipping and receiving tapes.
8.3 Off-site tape counts are reconciled with on-site records at least annually.
8.4 Backups are tested using backup media integrity checks during the backup process.
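Controls 8.1 and 8.3 are both checkable from a backup catalogue and a vault inventory: every calendar day should have an incremental (or, once a week, a full) with one on-site and one off-site copy, and the tapes recorded as shipped should match what the off-site vault reports holding. The block below is an added example of those two checks, not Fusepoint's backup tooling; the catalogue records, the tape identifiers, and the choice of Sunday as the weekly full day (with the full standing in for that day's incremental) are constructed assumptions.

```python
"""Backup-schedule gap check (8.1) and off-site tape reconciliation (8.3).

Added example, not Fusepoint's backup system. SAMPLE_RECORDS, SHIPPING_LOG,
VAULT_INVENTORY and the Sunday full-backup convention are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple

FULL_WEEKDAY = 6  # assumption: weekly full runs on Sunday (Monday == 0)
LOCATIONS = ("on-site", "off-site")


@dataclass(frozen=True)
class BackupRecord:
    run_date: date
    kind: str       # "incremental" or "full"
    location: str   # "on-site" or "off-site"


def expected_kind(day: date) -> str:
    """Assumption: the weekly full replaces that day's incremental."""
    return "full" if day.weekday() == FULL_WEEKDAY else "incremental"


def schedule_gaps(records: Iterable[BackupRecord], start: date, end: date) -> List[Tuple[date, str, str]]:
    """Every (day, kind, location) the 8.1 schedule requires but the catalogue lacks."""
    have = {(r.run_date, r.kind, r.location) for r in records}
    missing = []
    day = start
    while day <= end:
        kind = expected_kind(day)
        for location in LOCATIONS:
            if (day, kind, location) not in have:
                missing.append((day, kind, location))
        day += timedelta(days=1)
    return missing


def reconcile_tapes(shipping_log: Iterable[str], vault_inventory: Iterable[str]) -> Dict[str, List[str]]:
    """8.3: tape IDs recorded as shipped versus tape IDs the vault reports holding."""
    recorded, held = set(shipping_log), set(vault_inventory)
    return {
        "recorded_not_in_vault": sorted(recorded - held),
        "in_vault_not_recorded": sorted(held - recorded),
    }


# Constructed catalogue for the week of Monday June 1 to Sunday June 7, 2009,
# with the off-site copy missing on June 3 and on the June 7 full.
REVIEW_START, REVIEW_END = date(2009, 6, 1), date(2009, 6, 7)
SAMPLE_RECORDS: List[BackupRecord] = []
for _day_number in range(1, 8):
    _day = date(2009, 6, _day_number)
    SAMPLE_RECORDS.append(BackupRecord(_day, expected_kind(_day), "on-site"))
    if _day_number not in (3, 7):
        SAMPLE_RECORDS.append(BackupRecord(_day, expected_kind(_day), "off-site"))

# Constructed tape identifiers: one tape shipped but not in the vault, one
# tape in the vault with no shipping record.
SHIPPING_LOG = ["T0101", "T0102", "T0103", "T0104"]
VAULT_INVENTORY = ["T0101", "T0102", "T0104", "T0199"]


if __name__ == "__main__":
    for gap in schedule_gaps(SAMPLE_RECORDS, REVIEW_START, REVIEW_END):
        print("missing backup:", gap)
    print(reconcile_tapes(SHIPPING_LOG, VAULT_INVENTORY))
```

Both functions return the discrepancies rather than a pass/fail flag so the output can be filed as the evidence behind the reconciliation, which is what control 8.3 asks for.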
Complementary User Organization Control Considerations
The relative effectiveness and significance of specific controls at Fusepoint and their effect on assessments of control risk at any customer of Fusepoint are dependent on their interaction with the controls and other factors present in the customer’s environment. No procedures were performed to evaluate the effectiveness of controls at any of Fusepoint customers.
It is the responsibility of each customer’s management and their auditors to ensure that appropriate application level controls and procedures and general computer controls and procedures are in place and performed in the end-user controlled environment to complement the system of controls in place within the Fusepoint environment. Those complementary controls are:
that the creation, modification and deletion of user accounts at the application level are appropriately authorized and performed by the customer;
that application level authentication controls have been placed in operation;
if passwords are used for authentication at the application level, those passwords are changed on a regular basis;
that the customer performs a regular review of application level user accounts and access privileges;
that complex passwords are required for all application level user accounts;
that the customer performs adequate change control procedures including approval of application changes and maintenance of appropriate access controls that promote segregation of duties;
that where appropriate, the customer approves application job scheduling and execution, appropriately restricts access to job scheduling and execution, and appropriately monitors job execution (e.g. batch job processing);
that customer personnel provided access to Fusepoint’s WebCare customer portal are appropriately authorized;
that customer personnel who are the designated communication contacts with Fusepoint are appropriately authorized, and Fusepoint is informed of any changes of authorized personnel on a timely basis;
that customer personnel who visit Fusepoint’s Mississauga Data Centre are appropriately authorized;
that the customer performs adequate testing of application changes prior to their promotion to the production environment;
that the customer performs adequate security testing or receives reasonable assurance of the security of any application level code that is developed outside of Fusepoint’s environment;
unless the customer subscribes to Fusepoint’s anti-virus service, that the customer installs anti-virus software on its Windows servers and updates the anti-virus signatures on a daily basis; and
that the customer places into operation any other internal controls (e.g. segregation of duties, reconciliations, etc.) that are necessary for its financial reporting processes or for the application it is using within Fusepoint’s environment.
Furthermore, for customers using Fusepoint’s server colocation service, the following controls need to be placed in operation for co-located servers where Fusepoint does not manage or have access to the servers:
the creation, modification and deletion of accounts at the operating system and database level for any servers are appropriately authorized and performed by the customer;
that operating system and database level passwords are changed on a regularly recurring basis;
that the customer performs a regularly recurring review of operating system and database level passwords, user accounts and access privileges;
unless the customer subscribes to Fusepoint’s backup service, that the customer backs up server data on a regular basis, and tests the restoration of data from the backup on a regular basis;
unless the customer subscribes to Fusepoint’s IDS service, that the customer implements its own controls for detecting and responding to any incidents of unauthorized access or use; and
that each customer device (servers, routers, switches, etc.):
o has two independent power supplies,
o has one power supply connected to the “A” power source and the other connected to the “B” power source within their assigned cabinet, and
o is inspected by the customer to confirm that the independent power supplies are properly connected to the appropriate power sources within their assigned cabinet.
Changes to Controls
The following changes to the controls have been made since the last report for the period ending November 30, 2008:
The Fusepoint Security Committee became defunct in January 2009. The Security Team, led by the Director of Security, is responsible for day-to-day operations for information security and related internal controls and assists the Vice-President Operations with developing security policies, promoting security awareness and defining security standards. The Security Team also meets with and reports weekly to the Vice-President Operations to ensure the coordination and implementation of policies and practices across the company.
An upgrade was made in March 2009 to the uninterruptible power supply of the Mississauga Data Centre to replace aging UPS infrastructure and to provide additional capacity to meet customer requirements.
Fusepoint re-tested the transfer scheme after the July 20, 2009 event by simulating power failures to the building and could not reproduce the condition that occurred on July 20, 2009. In any event, Fusepoint is in the process of implementing a replacement technology for the breaker scheme to better handle such a condition. Fusepoint has contracted a third party to assist in the engineering of this solution, which involves several suppliers. The project began in August 2009 and is expected to complete in April 2010.
Fusepoint has hired and placed on-site 24 x 7 staff for building operations coverage, along with updated procedures, should an unlikely event such as that of July 20, 2009 recur in the interim. This coverage will continue going forward.
Fusepoint has increased the frequency of testing of the uninterruptible power supply from an annual basis to a quarterly basis to ensure that the uninterruptible power supply and diesel generator provide backup power and to avoid a recurrence of power loss such as the July 20, 2009 event. Additionally, Fusepoint will perform testing on the systems after any significant change to power infrastructure.
SECTION 3 — INFORMATION PROVIDED BY THE SERVICE AUDITOR
The following section on tests of operating effectiveness is intended to provide interested parties with information sufficient to obtain an understanding of those aspects of Fusepoint’s controls that may be relevant to customer organizations’ internal control, and to reduce the assessed level of control risk below the maximum for certain financial statement assertions. This report, when coupled with an understanding of the internal control in place at customer organizations, is intended to assist in the assessment of the total internal control surrounding Fusepoint’s fully managed hosting and server colocation services related to its data centre in Mississauga.
Report on Tests of Operating Effectiveness
Introduction
This section of the report contains the description of the tests performed by Grant Thornton LLP (Canada) to assess the operating effectiveness of controls at Fusepoint Managed Services (“Fusepoint”) for the period from June 1, 2009 to November 30, 2009 for its Mississauga Data Centre.
The Description of Controls has been provided by the management of Fusepoint. Furthermore, Fusepoint has selected all control objectives in the Description of Controls to be in scope for the testing of operating effectiveness.
For each control tested for operating effectiveness, an indication of the nature, timing, extent and results of the tests has been provided. In the following tables, any exceptions or other information identified by the tests that could be relevant to user auditors have been provided in the column labelled “Results”. If no exceptions or other relevant information was identified, then the remark “No relevant exceptions noted” has been given.
Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre
21
This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers
1.0 Controls provide reasonable assurance that a defined security program is in place and that Fusepoint employees are aware of this security program.
Fusepoint control activity Grant Thornton test of control Results
1.1 Control activity: A mandatory annual security awareness program has been placed in operation to educate Fusepoint employees about Fusepoint’s security program and to articulate details of the program.
Test 1 (Inspection): Attendance lists for sessions of the security awareness program held between June 1, 2009 and November 30, 2009 were obtained and inspected. Complete employee lists were reconciled against the security awareness attendance list to confirm that training was provided to all staff. The service auditor inspected documentation confirming that attendance to the security awareness program was mandatory.
Result: No relevant exceptions noted.
Test 2 (Inspection): The service auditor inspected documentation on the annual security awareness program and assessed their adequacy in relation to security policies in force. The service auditor also inspected documentation confirming mandatory attendance.
Result: No relevant exceptions noted.

1.2 Control activity: Fusepoint employees are required in the hiring process to execute a legally binding non-disclosure agreement which includes terms and conditions related to maintaining the non-disclosure of information that is confidential to either Fusepoint or its customers.
Test 1 (Inspection): For the entire population of employees hired between June 1, 2009 and November 30, 2009, the service auditor inspected copies of Non-Disclosure Agreements to confirm they were signed by the employee concerned.
Result: No relevant exceptions noted.

1.3 Control activity: Fusepoint employees are required in the hiring process to sign that they have received and read both Fusepoint’s Code of Conduct and Fusepoint’s Security Policy.
Test 1 (Inspection): For the entire population of employees from the Mississauga Data Centre, employee files were reviewed to confirm the existence of signatures acknowledging the acceptance of the Code of Conduct and Security Policy.
Result: No relevant exceptions noted.
1.4 Control activity: Criminal background screening is performed during the hiring process on technical employees and contractors with either physical or logical access to operations areas and customer data.
Test 1 (Inspection): The service auditor inspected a copy of criminal background check reports for the entire population of employees and contractors who were hired between June 1, 2009 and November 30, 2009, and were granted access to the operations areas of the Mississauga Data Centre.
Result: No relevant exceptions noted.

1.5 Control activity: Access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved upon termination of an employee or contractor.
Test 1 (Inspection): For the entire population of employees terminated between June 1, 2009 and November 30, 2009, at the Mississauga Data Centre, the service auditor inspected the termination checklists and verified that all steps in the termination checklist were completed, including the notification of the termination, the updating of HR records, the termination of the user account, and the retrieval of company property.
Result: No relevant exceptions noted.

1.6 Control activity: Access privileges for employees who change departments or responsibilities are modified accordingly.
Test 1 (Inspection): For the entire population of employees who changed departments or responsibilities at the Mississauga Data Centre, between June 1, 2009 and November 30, 2009, the service auditor inspected documentation to verify that access privileges were modified accordingly.
Result: No relevant exceptions noted.
2.0 Controls provide reasonable assurance that physical access to the data centre is restricted to appropriate personnel.
Fusepoint control activity Grant Thornton test of control Results
2.1 Control activity: Access to the data centre is controlled through proximity card readers, and only authorized Fusepoint staff are issued proximity reader access cards.
Test 1 (Inspection): The service auditor inspected a listing of all Fusepoint employees and contractors who have proximity card access to the Mississauga Data Centre. For all employees/contractors, the service auditor verified that access was appropriately authorized based on the employee/contractor’s role.
Result: No relevant exceptions noted.

2.2 Control activity: Access privileges are granted on the basis of that person’s need to perform specific job functions, and a bi-annual review of access privileges is performed.
Test 1 (Inspection): The service auditor inspected a listing of all Fusepoint employees and contractors who have proximity card access to the Mississauga Data Centre. The listing was reviewed to ensure that all staff who have proximity card access require access as part of their job function.
Result: No relevant exceptions noted.
Test 2 (Inspection/Inquiry): The service auditor inspected documentation and inquired with Security Team members to confirm that regular reviews of the access privileges granted at the Mississauga Data Centre were performed.
Result: No relevant exceptions noted.
Test 3 (Inspection): The service auditor inspected a sample of signed check-out sheets for the keys to the locked cabinets at the Mississauga Data Centre and confirmed that only appropriate individuals were granted access to the keys.
Result: No relevant exceptions noted.
Test 4 (Observation): For the Mississauga Data Centre, the service auditor observed the use of an employee access card for an employee who was not granted access to confirm that access is denied and the access attempt was recorded.
Result: No relevant exceptions noted.
2.3 Control activity: Physical security incidents and exceptions are reviewed by the Security Team. Reported physical security incidents that are classified as major in the Request Management System (RMS) are escalated to the Vice-President Operations.
Test 1 (Inquiry): The service auditor inquired with Fusepoint’s Director of Security to verify that the Fusepoint Security Team reviewed physical security incidents at the Mississauga Data Centre and that physical security incidents classified as major were escalated to the Vice-President Operations.
Result: No instances of the control activity were identified in the audit period.

2.4 Control activity: Visitors to the data centre must be pre-authorized, and must sign in before being granted physical access to the data centre.
Test 1 (Inquiry): The service auditor inquired with Fusepoint Operations Centre staff at the Mississauga Data Centre to confirm that all visitors must sign in at reception and obtain a visitor’s pass.
Result: No relevant exceptions noted.
Test 2 (Inspection): The service auditor inspected visitor sign-in sheets for the Mississauga Data Centre for a sample of visitors in the period between June 1, 2009 and November 30, 2009 to verify that those visitors had been pre-authorized with an RMS ticket.
Result: No relevant exceptions noted.

2.5 Control activity: The servers and other equipment for Managed Services (as opposed to Co-located servers) can only be physically accessed by authorized Fusepoint staff.
Test 1 (Observation): The service auditor visited the Mississauga Data Centre and confirmed that the physical controls restricting access to servers and other Managed Services equipment ensure that only authorized Fusepoint staff have access.
Result: No relevant exceptions noted.
3.0 Controls provide reasonable assurance that computer hardware and equipment are protected against fire and environmental damage.
Fusepoint control activity Grant Thornton test of control Results
3.1 Control activity: A fire detection and suppression system has been placed in operation in the data centre. Testing of fire detection and suppression equipment is performed at least annually.
Test 2 (Observation/Inspection): The service auditor observed that Fire Detection and Suppression systems are installed in the Mississauga Data Centre. The service auditor inspected equipment maintenance documents to determine that fire detection is tested annually.
Result: No relevant exceptions noted.

3.2 Control activity: Alarm panels and alerts are in place to monitor and detect facility environmental settings, such as temperature and moisture.
Test 1 (Observation/Inquiry): The service auditor visited the Mississauga Data Centre. Through observation and inquiry with Fusepoint personnel, the service auditor verified that alarm panels and alerts are in place to monitor facility environmental settings, such as temperature and moisture.
Result: No relevant exceptions noted.
Test 2 (Observation): The service auditor observed that automated systems are used by Operations Centre personnel for monitoring.
Result: No relevant exceptions noted.

3.3 Control activity: Climate control systems regulate air temperature within the computer rooms. Temperature monitoring equipment continuously monitors environmental conditions.
Test 1 (Observation/Inquiry): The service auditor observed that air conditioning units were deployed in the computer room to regulate air temperature at the Mississauga Data Centre. The service auditor observed that fail-over units for the same exist by way of separate chiller units and Air Handling Units. Through inquiry with Fusepoint personnel, the service auditor confirmed that these provide redundancy through automatic fail-over. The service auditor established that temperature sensors send out automated alarm notifications in case defined temperature thresholds are crossed.
Result: No relevant exceptions noted.
3.4 Control activity: There are separate climate control units in place to protect against failure of individual units. An automated monitoring system is in place to alarm computer operations employees in the event of failure of the environmental control equipment in the computer room.
Test 1 (Observation): The service auditor visited the Mississauga Data Centre and observed that fail-over units are in place for climate control.
Result: No relevant exceptions noted.
Test 2 (Inspection): For the Mississauga Data Centre, the service auditor inspected evidence to verify that automated monitoring systems alert computer operations employees via email in the event of a failure in environmental control equipment.
Result: No relevant exceptions noted.

3.5 Control activity: An equipment and facilities maintenance program that includes at least annual maintenance and/or testing is in place to ensure that the facilities and equipment are kept in working order.
Test 1 (Inspection): For the Mississauga Data Centre, the service auditor inspected the lease agreement and other lease contracts to determine that the lease agreement contains provisions for repair to facilities, building structure, etc. Specifically, the service auditor made note of the lease date to determine that contracts have been updated as required in the lease deed. The service auditor inspected evidence of inspection/maintenance carried out on the electrical, fire detection & suppression systems, and power backup equipment.
Result: No relevant exceptions noted.
4.0 Controls provide reasonable assurance that continuous power is provided to the data centre and its systems.
Fusepoint control activity Grant Thornton test of control Results
4.1 Control activity: An uninterruptible power supply and diesel generator provide backup power to all essential operations and systems including the computer room. These systems are tested on at least a quarterly basis, and after any significant change to power infrastructure.
Test 1 (Inspection): The service auditor inspected evidence by way of maintenance reports and filled-in checklists from the period June 1, 2009 to November 30, 2009 and confirmed that regular testing of the system is carried out at the Mississauga Data Centre.
Result: Exceptions noted. On July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource (Mississauga Hydro), caused by a cable fault, occurred. The data centre lost power when the UPS batteries were depleted and the generators, although available to run, were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity. Fusepoint has increased the frequency of testing of the uninterruptible power supply from an annual basis to a quarterly basis to ensure that the uninterruptible power supply and diesel generator provide backup power and to avoid a recurrence of power loss such as the July 20, 2009 event. Additionally, Fusepoint will perform testing on the systems after any significant change to power infrastructure.

4.2 Control activity: A daily review of power systems is performed to ensure that there is sufficient power capacity for the data centre.
Test 1 (Inquiry): The service auditor inquired with the facilities staff at the Mississauga Data Centre to confirm that a daily review of power systems is performed to ensure that there is sufficient power capacity for each data centre.
Result: No relevant exceptions noted.
Test 2 (Inspection): For the Mississauga Data Centre, the service auditor inspected evidence to verify that power use is regularly compared to the power capacity and growth forecasting is performed.
Result: No relevant exceptions noted.
5.0 Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.
Fusepoint control activity Grant Thornton test of control Results
5.1 Control activity: Production servers and equipment are located on restricted access network segments, and automated authentication controls are in place to restrict access to these network segments to authorized personnel.
Test 1 (Inspection/Observation): The service auditor inspected network diagrams to confirm the existence of restricted access network segments. It was observed that a user ID, password, and RSA token were required to access production servers on restricted networks.
Result: No relevant exceptions noted.
Test 2 (Observation): The service auditor observed the Systems Administrator logging into a restricted network segment to verify that automated authentication controls are in place to restrict access to production servers and equipment to only authorized personnel.
Result: No relevant exceptions noted.

5.2 Control activity: Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Logical access is only possible through Fusepoint’s offices, or through VPN using two-factor authentication. Fusepoint staff use unique user IDs to access programs and data.
Test 1 (Inspection): The service auditor inspected the user access controls to determine whether they are configured so that only authorized staff groups have access. A sample of access logs was reviewed to determine whether only users in authorized staff groups have access to the restricted network segment.
Result: No relevant exceptions noted.
Test 2 (Observation): The service auditor observed that the use of a VPN using two-factor authentication is required, unless the user is physically in Fusepoint’s offices.
Result: No relevant exceptions noted.
Test 3 (Observation/Inquiry): The service auditor observed system configurations and inquired with Fusepoint personnel to verify that unique user IDs are required to access programs and data.
Result: No relevant exceptions noted.
5.3 Annual reviews of logical access privileges are performed.
1. Inspection/Inquiry: The service auditor inspected documentation and inquired with the Security Team to verify that these reviews are part of the regular Internal Security Audit.
No relevant exceptions noted.
5.4 The Security Team monitors and assesses new security alerts and advisories. Patches and other fixes are applied according to the priority level assigned by the Security Team.
1. Inspection: The service auditor inspected a sample of alerts related to vulnerability/patch information published by vendors and advisory services and the corresponding Fusepoint Security Bulletins (FSB). The service auditor also confirmed that the alerts were assigned and applied based on priority level.
No relevant exceptions noted.
5.5 Event log monitoring tools for operating systems, firewalls and Intrusion Detection Systems (IDSs) are configured to send alerts on unauthorized access attempts and other unusual events to the Netcool Application monitored by the OC.
1. Inspection/Inquiry: The service auditor inspected a sample of automated alerts from the Netcool Application regarding unauthorized access attempts and other unusual events that were generated by the event log monitoring system. The service auditor also inquired with OC personnel to verify that they use Netcool for monitoring.
No relevant exceptions noted.
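The kind of correlation an event log monitor has to perform for control 5.5, as an added example in Python that is not part of the report or of Fusepoint's tooling: it parses constructed syslog-style lines from an OS (sshd), a firewall and an IDS, and raises console alerts for a burst of failed logins, a successful login following that burst, denied connections into a restricted segment, and IDS signatures. The hostnames, addresses, the restricted segment (10.20.0.0/24), the failure threshold and the severity labels are all assumptions. Note that the auditor's test in 5.5 establishes that alerts reach the Netcool console, not that the detection rules behind them are adequate; this example shows what those rules have to do.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this example: the production ("restricted") segment and the
# brute-force rule. The report names neither; these values are illustrative.
RESTRICTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 5                  # failed logins from one source to one host ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window raise one alert

# Constructed sample lines (not taken from the report): sshd, a netfilter-style
# firewall log and a Snort-style IDS alert, all in syslog format.
SAMPLE_LOGS = """\
Nov 12 02:14:01 prod-db01 sshd[2211]: Failed password for root from 10.9.8.7 port 51022 ssh2
Nov 12 02:14:04 prod-db01 sshd[2211]: Failed password for root from 10.9.8.7 port 51023 ssh2
Nov 12 02:14:07 prod-db01 sshd[2211]: Failed password for root from 10.9.8.7 port 51024 ssh2
Nov 12 02:14:09 prod-db01 sshd[2211]: Failed password for root from 10.9.8.7 port 51025 ssh2
Nov 12 02:14:11 prod-db01 sshd[2211]: Failed password for root from 10.9.8.7 port 51026 ssh2
Nov 12 02:14:20 prod-db01 sshd[2230]: Accepted password for root from 10.9.8.7 port 51027 ssh2
Nov 12 02:15:30 prod-db01 sshd[2290]: Accepted publickey for jsmith from 10.1.1.5 port 40211 ssh2
Nov 12 02:16:02 fw-edge01 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.20.0.15 PROTO=TCP DPT=3389
Nov 12 02:16:03 fw-edge01 kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.20.0.15 PROTO=TCP DPT=22
Nov 12 02:17:45 ids01 snort[777]: [1:2000001:1] ET SCAN Nmap scripting engine [Priority: 2] {TCP} 203.0.113.9:4444 -> 10.20.0.15:80
"""

SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
DENY = re.compile(r"DENY .*SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
IDS = re.compile(r"\[\d+:\d+:\d+\] (.+?) \[Priority: (\d+)\] \{\w+\} (\S+):\d+ -> (\S+):\d+")


@dataclass
class Alert:
    severity: str   # low / medium / high / critical
    kind: str
    host: str       # host that logged the event
    source: str     # offending source address
    detail: str


def parse_ts(text, year=2009):
    """Syslog timestamps carry no year; the report's period is 2009."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def in_restricted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESTRICTED_NETS)


def analyze(lines):
    """Return the alerts an OC console should receive for these lines, in order."""
    alerts = []
    failures = defaultdict(deque)   # (host, source) -> timestamps inside FAIL_WINDOW
    tripped = set()                 # (host, source) pairs that already crossed the threshold
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue                # not syslog; a production monitor would count these too
        ts, host, msg = parse_ts(m.group(1)), m.group(2), m.group(4)
        f, a, d, i = FAILED.search(msg), ACCEPTED.search(msg), DENY.search(msg), IDS.search(msg)
        if f:
            user, src = f.groups()
            key = (host, src)
            window = failures[key]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:     # drop failures that aged out of the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in tripped:
                tripped.add(key)
                alerts.append(Alert("high", "auth_bruteforce", host, src,
                                    f"{len(window)} failed logins for '{user}' within {FAIL_WINDOW}"))
        elif a:
            user, src = a.groups()
            # A success right after a burst of failures is the event worth paging on.
            if (host, src) in tripped:
                alerts.append(Alert("critical", "login_after_bruteforce", host, src,
                                    f"successful login as '{user}' after repeated failures"))
        elif d:
            src, dst, proto, dport = d.groups()
            if in_restricted(dst):  # denies aimed at the production segment are unusual by definition
                alerts.append(Alert("medium", "fw_denied_restricted", host, src,
                                    f"{proto}/{dport} to {dst} denied"))
        elif i:
            sig, prio, src, dst = i.groups()
            severity = {"1": "high", "2": "medium"}.get(prio, "low")
            alerts.append(Alert(severity, "ids_signature", host, src, f"{sig} -> {dst}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS.splitlines()):
        print(f"{alert.severity:8} {alert.kind:24} {alert.host:10} {alert.source:14} {alert.detail}")
```

Running the block prints five alerts for the sample: the brute-force burst, the critical success that follows it, two denied connections into the restricted segment and the IDS hit. The sliding window matters: five failures spread over half an hour produce nothing, which is the behaviour you want if the threshold is to mean anything.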
5.6 An automated security incident escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level. Incidents that are not responded to within the defined timeline are automatically escalated to the next staff level by the Netcool Application.
1. Inspection: The service auditor inspected RMS configuration settings to confirm that an automated security incident escalation procedure is enforced by the RMS, requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level.
No relevant exceptions noted.
2. Inspection: For the Mississauga Data Centre, the service auditor inspected configuration settings for the Netcool Application to ensure that incidents that are not responded to within the defined timeline are automatically escalated to the next staff level.
No relevant exceptions noted.
3. Inquiry/Inspection: The service auditor confirmed that administrative access at both the application and the operating system level for both the RMS and Netcool is restricted to appropriate personnel.
No relevant exceptions noted.
5.7 Pertinent anti-virus engines and signatures are installed on the Windows-based servers, and signatures are updated daily.
1. Inspection: The service auditor inspected a sample of Windows-based servers in the Mississauga Data Centre to verify that the anti-virus solution was installed and that the signatures were not out of date.
No relevant exceptions noted.
5.8 Firewalls are in place to prevent unauthorized network traffic, and to separate Fusepoint’s network into multiple zones.
1. Inspection: The service auditor inspected network diagrams for the Mississauga Data Centre. It was verified that there are several levels of access controls and that the networks have been segmented into multiple zones.
No relevant exceptions noted.
5.9 Firewall rules are reviewed quarterly.
1. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets from the period June 1, 2009 to November 30, 2009 to confirm that reviews of the firewall rules were performed quarterly.
No relevant exceptions noted.
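What a quarterly firewall rule review (control 5.9) actually has to look for, as an added example in Python that is not part of the report or of Fusepoint's review process: it lints a constructed first-match rule base against the zoning described in 5.8, flagging any-to-any allows, allows into an assumed restricted production segment (10.20.0.0/24) from sources outside an assumed management network (10.1.0.0/16), and rules that an earlier rule already fully covers and which therefore never match. The rule syntax, the addresses and the zone assignments are assumptions. The auditor's test in 5.9 establishes that the review happened on schedule, not what it examined; findings of this kind are the substance a reviewer would expect the RMS ticket to record.

```python
import ipaddress
from dataclasses import dataclass

# Assumed zones (the report describes multiple zones but does not name them).
RESTRICTED = ipaddress.ip_network("10.20.0.0/24")   # production servers
MANAGEMENT = ipaddress.ip_network("10.1.0.0/16")    # office / VPN landing network


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # port number or "any"


# Constructed rule base (not from the report), evaluated first match wins.
SAMPLE_RULES = [
    Rule("R1", "allow", "10.1.0.0/16", "10.20.0.0/24", "tcp", "22"),
    Rule("R2", "allow", "any", "10.20.0.15/32", "tcp", "443"),
    Rule("R3", "allow", "any", "any", "any", "any"),
    Rule("R4", "deny", "203.0.113.0/24", "10.20.0.0/24", "any", "any"),
    Rule("R5", "allow", "10.1.5.0/24", "10.20.0.0/24", "tcp", "22"),
]


def net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def covers(outer, inner):
    """True if every packet matched by `inner` is already matched by `outer`."""
    return (net(outer.src).supernet_of(net(inner.src))
            and net(outer.dst).supernet_of(net(inner.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in ("any", inner.dport))


def review(rules):
    """Return (rule_id, finding) pairs in rule order; an empty list means a clean base."""
    findings = []
    for idx, rule in enumerate(rules):
        # Shadowing: an earlier rule matches everything this one would, so it is dead.
        shadow = next((r for r in rules[:idx] if covers(r, rule)), None)
        if shadow is not None:
            findings.append((rule.rule_id, f"shadowed_by:{shadow.rule_id}"))
        if rule.action != "allow":
            continue
        if rule.src == "any" and rule.dst == "any":
            findings.append((rule.rule_id, "any_any_allow"))
            continue
        # Anything reaching the production segment must come from the management network.
        if net(rule.dst).overlaps(RESTRICTED) and not net(rule.src).subnet_of(MANAGEMENT):
            findings.append((rule.rule_id, "untrusted_source_to_restricted"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review(SAMPLE_RULES):
        print(rule_id, finding)
```

On the sample base R1 is clean, R2 exposes a production host to the Internet (which may be intended for a public service, but must be justified on the review record), R3 is the classic any-any rule that turns every later rule into decoration, and R4 and R5 are dead because R3 and R1 already cover them.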
5.10 Intrusion Detection Systems are in place to detect unauthorized or suspicious traffic and send alerts to the Netcool Application monitored by the OC.
1. Inspection/Inquiry: For the Mississauga Data Centre, the service auditor inspected evidence that the Netcool Application received alerts from the IDS, and that RMS tickets were subsequently created for those alerts.
No relevant exceptions noted.
6.0 Controls provide reasonable assurance that modifications to system software and infrastructure are authorized
Fusepoint control activity Grant Thornton test of control Results
6.1 Change requests can only be made by authorized customer personnel or authorized Fusepoint staff.
1. Observation/Inquiry: For the Mississauga Data Centre, the service auditor inquired with Fusepoint personnel and observed that changes can only be requested through Fusepoint’s Request Management System (RMS). The service auditor also observed that only customers or authorized Fusepoint staff can access the RMS, which is restricted through authentication controls.
No relevant exceptions noted.
6.2 Changes are reviewed and then signed off by the appropriate Team Lead, and finally approved by the Fusepoint Change Advisory Board or Vice President of Operations.
1. Inspection: For the Mississauga Data Centre, the service auditor inspected documentation related to a sample of change requests to verify that the change requests had been reviewed and signed off by the appropriate Team Lead and then approved.
No relevant exceptions noted.
6.3 Changes are supported by back-out plans to enable recovery in the event of problems being encountered during implementation.
1. Inspection: For the Mississauga Data Centre, the service auditor inspected documentation related to a sample of changes during the period June 1, 2009 to November 30, 2009. From the documentation, the service auditor verified that the change description included a back-out plan in the event of a problem being encountered during implementation of the change.
No relevant exceptions noted.
6.4 Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any Fusepoint customer’s applications.
1. Inquiry/Inspection: For the Mississauga Data Centre, the service auditor inquired with the Security and Operation Teams, and inspected documented job descriptions to confirm that they did not perform any financial reporting processes or internal controls for a customer.
No relevant exceptions noted.
2. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets assigned to the Security or Operation Teams and confirmed that they did not perform any financial reporting processes or internal controls for a customer.
No relevant exceptions noted.
7.0 Controls provide reasonable assurance that change requests are addressed on a timely basis.
Fusepoint control activity Grant Thornton test of control Results
7.1 An automated change escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to address change requests within documented timelines depending on their priority level. Change requests that are not responded to within the defined timeline are automatically escalated to the next staff level by the RMS.
1. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets to confirm that security escalation procedures were followed for security incidents, and that the priority levels assigned were in accordance with established procedures.
No relevant exceptions noted.
2. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets to verify that hardware and software issues were logged in the RMS ticketing system and were escalated according to problem severity.
No relevant exceptions noted.
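The escalation rule that controls 5.6 and 7.1 both describe (respond within a priority-dependent timeline, otherwise escalate to the next staff level), as an added example in Python that is not part of the report or of Fusepoint's RMS or Netcool configuration. It applies assumed response targets per priority and an assumed four-level escalation chain to constructed tickets, escalates the overdue ones the way a scheduler run would, and separately checks responded tickets against their targets, which is the inspection the auditor performed on sampled tickets. The priorities, targets, staff levels and ticket data are all assumptions; the one design point worth noting is that each staff level gets a fresh response window, and a ticket already at the top of the chain is re-notified on every run rather than silently dropped.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed response targets by priority and an assumed escalation chain; the report
# says timelines are documented per priority but does not state them.
RESPONSE_TARGET = {
    "P1": timedelta(minutes=15),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=4),
    "P4": timedelta(hours=24),
}
ESCALATION_CHAIN = ["on-call engineer", "team lead", "operations manager", "VP operations"]


@dataclass
class Ticket:
    ticket_id: str
    priority: str
    opened: datetime
    responded: Optional[datetime] = None
    level: int = 0                                                     # index into ESCALATION_CHAIN
    history: List[Tuple[datetime, int]] = field(default_factory=list)  # (when, level reached)

    def assignee(self):
        return ESCALATION_CHAIN[self.level]


def escalate_overdue(tickets, now):
    """Apply the escalation rule once, as a scheduler would on each run.

    Returns (ticket_id, old_level, new_level) for every ticket acted on. A ticket
    already at the top of the chain is re-notified at the same level, so it keeps
    appearing in every run until someone responds.
    """
    actions = []
    for t in tickets:
        if t.responded is not None:
            continue
        # Each level gets a full response window, measured from the last escalation.
        window_start = t.history[-1][0] if t.history else t.opened
        if now - window_start < RESPONSE_TARGET[t.priority]:
            continue
        old = t.level
        if t.level < len(ESCALATION_CHAIN) - 1:
            t.level += 1
        t.history.append((now, t.level))
        actions.append((t.ticket_id, old, t.level))
    return actions


def response_compliance(tickets):
    """Auditor-style check: for each responded ticket, was the response within target?"""
    return {
        t.ticket_id: (t.responded - t.opened) <= RESPONSE_TARGET[t.priority]
        for t in tickets
        if t.responded is not None
    }


def sample_tickets():
    """Constructed tickets (not from the report) in various states at 10:20 on one day."""
    day = datetime(2009, 11, 12)

    def at(h, m):
        return day + timedelta(hours=h, minutes=m)

    return [
        Ticket("INC-1001", "P1", at(10, 0), responded=at(10, 10)),              # answered in time
        Ticket("INC-1002", "P1", at(10, 0)),                                     # 20 min unanswered
        Ticket("INC-1003", "P2", at(9, 0), responded=at(10, 15)),                # answered late
        Ticket("INC-1004", "P3", at(6, 0), level=1, history=[(at(10, 0), 1)]),   # escalated 20 min ago
        Ticket("INC-1005", "P1", at(9, 0), level=3,
               history=[(at(9, 15), 1), (at(9, 30), 2), (at(9, 45), 3)]),        # stuck at the top
    ]


NOW = datetime(2009, 11, 12, 10, 20)

if __name__ == "__main__":
    tickets = sample_tickets()
    for ticket_id, old, new in escalate_overdue(tickets, NOW):
        print(f"{ticket_id}: {ESCALATION_CHAIN[old]} -> {ESCALATION_CHAIN[new]}")
    print(response_compliance(tickets))
```

At 10:20 the run escalates INC-1002 from the on-call engineer to the team lead and re-notifies INC-1005 at VP level; INC-1004 is left alone because its current level still has time on the clock. The compliance check reports INC-1001 as within target and INC-1003 as late, which is exactly the per-ticket evidence the auditor's sample inspection produces.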
8.0 Controls provide reasonable assurance that backups for recovering software and data files are maintained in the event of a disruption or a disaster.
Fusepoint control activity Grant Thornton test of control Results
8.1 Daily incremental backups and weekly full backups are performed, with one copy kept on-site and a duplicate copy kept off-site.
1. Observation/Inspection: For the Mississauga Data Centre, the service auditor observed the configuration of the backup system to confirm that backups are made according to the defined schedule. The service auditor also inspected media dispatch records for a sample of days between June 1, 2009 and November 30, 2009 to verify that duplicate backup copies were sent to an off-site location.
No relevant exceptions noted.
8.2 Off-site data is stored in a protected environment. Backups are sent off-site daily, and Network Operation Centre (OC) personnel are responsible for shipping and receiving tapes.
1. Inquiry: For the Mississauga Data Centre, the service auditor inquired with OC personnel on the procedures for shipping and receiving tapes to and from the off-site storage location.
No relevant exceptions noted.
8.3 Off-site tape counts are reconciled with on-site records at least annually.
1. Inspection: For the Mississauga Data Centre, the service auditor inspected an RMS ticket documenting the annual reconciliation of off-site and on-site tape counts.
No relevant exceptions noted.
8.4 Backups are tested using backup media integrity checks during the backup process.
1. Inspection: For the Mississauga Data Centre, the service auditor inspected RMS records regarding media check alerts.
No relevant exceptions noted.