CICA 5970 Report on Internal Control (VirtGroup: virtgroup.com/library/FusepointCICA5970.pdf)


FUSEPOINT MANAGED SERVICES INC.

CICA 5970 REPORT ON INTERNAL CONTROL FOR THE MISSISSAUGA DATA CENTRE

As of November 30, 2009 and Tests of Operating Effectiveness for the Period of June 1, 2009 to November 30, 2009


TABLE OF CONTENTS

Auditor’s Report

Section 2 — Fusepoint’s Description of Controls

Overview of Fusepoint Managed Services

Scope of this report for the Mississauga Data Centre

Control Environment

Risk Assessment

Information and Communication

Monitoring

Control Objectives and Related Controls

Complementary User Organization Control Considerations

Changes to Controls

Section 3 — Information Provided by the Service Auditor

Introduction


Auditor’s Report

To: Fusepoint Managed Services

We have audited the accompanying description of general controls related to Fusepoint Managed Services’ (“Fusepoint”) fully managed hosting and server colocation services related to its data centre in Mississauga. Fusepoint’s management is responsible for the completeness, accuracy and method of presentation of the description of the fully managed hosting and server colocation services related to its data centre in Mississauga, as well as the control objectives and related controls required. Our responsibility is to express an opinion based on our audit. We conducted our audit in accordance with the standards established by The Canadian Institute of Chartered Accountants (CICA) for audits of controls at a service organization. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Fusepoint’s controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of Fusepoint’s controls; and (3) such controls had been placed in operation as at November 30, 2009. Our audit included those procedures we considered necessary in the circumstances to obtain a reasonable basis for our opinion. The control objectives were specified by management of Fusepoint.

In our opinion, the accompanying description of the aforementioned service presents fairly, in all material respects, the relevant aspects of Fusepoint’s controls that had been placed in operation as at November 30, 2009. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of Fusepoint’s controls.

In addition to the procedures we considered necessary to express our opinion in the previous paragraph, we applied tests to specific controls, listed in Section 3, to obtain evidence about their effectiveness in meeting the control objectives, described in Section 3, during the period from June 1, 2009 to November 30, 2009. The specific controls and the nature, timing, extent and results of the tests are listed in Section 3. This information has been provided to user organizations of Fusepoint and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations.

Fusepoint states in control activity 4.1 in its description of general controls that it has an uninterruptible power supply (UPS) and diesel generator to provide backup power to all essential operations and systems, and that these systems are tested on at least an annual basis. However, on July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure, caused by a cable fault, occurred at Enersource (Mississauga Hydro). The data centre lost power when the UPS batteries were depleted and the generators, although available to run, were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity. This exception resulted in the non-achievement of the control objective “Controls provide reasonable assurance that continuous power is provided to the data centre and its systems”.

In our opinion, except for the matters described in the preceding paragraph, the controls that were tested, as described in Section 3, were operating with sufficient effectiveness to provide reasonable assurance that the control objectives specified in Section 3 were achieved during the period from June 1, 2009 to November 30, 2009.

The relative effectiveness and significance of specific controls at Fusepoint and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations and, accordingly, we express no opinion on the achievement of control objectives at individual user organizations.

The description of controls at Fusepoint is as at November 30, 2009, and information about tests of the operating effectiveness of specific controls covers the period from June 1, 2009 to November 30, 2009. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at Fusepoint is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected.

Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, changes in processing requirements or changes required because of the passage of time may alter the validity of such conclusions.

This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers.

Vancouver, BC, Canada

December 22, 2009

Chartered Accountants


SECTION 2 — FUSEPOINT’S DESCRIPTION OF CONTROLS

Overview of Fusepoint Managed Services

Fusepoint Managed Services (“Fusepoint”), founded in 1999, is a leading North American provider of fully managed hosting and IT solutions tailored to the needs of mid-sized and large enterprises. Delivering significant cost, time-to-market, security and staffing advantages, Fusepoint's solutions include system migration and integration; e-business security; network architecture design; business continuity/disaster recovery; and intranet/extranet optimization.

Fusepoint provides proactive end-to-end solution management covering all key areas of managed infrastructure: Security; Storage Management; Network Management; Customer Care; Monitoring and Reporting. Fusepoint’s primary security-related goals and objectives include the ability to:

Create a trusted customer environment

Provide High Availability and Reliability

Manage Risk

Provide Scalability and Extendibility

Understanding that this takes an integrated approach of people, processes and technology, many leading organizations such as Royal Canadian Mint, Mountain Equipment Co-op, Clearview Strategic Partners and Dominion Bond Rating Service have chosen Fusepoint to be their provider of choice to ensure their online applications and infrastructure are available and secure.

Scope of this report for the Mississauga Data Centre

This report describes the control structure of Fusepoint Managed Services, as it relates to Fusepoint’s data centre in Mississauga as of November 30, 2009, and tests of operating effectiveness for the period of June 1, 2009 to November 30, 2009. The control objectives and related control activities covered herein describe the general computer controls used in delivering Fusepoint’s Fully Managed Infrastructure Services and Colocation Hosting Services. It has been prepared to provide information for use by Fusepoint’s management, its customers that rely upon these services, and the auditors of those customers.

Fusepoint provides two tiers of services: Fully Managed Infrastructure Services and Colocation Hosting Services. The Fully Managed Infrastructure Services encompass the following:


Fusepoint Colocation Hosting Services encompass the following:


This report only covers general computer controls for the infrastructure encompassed by the services above on which a customer’s application may be hosted. Application-level controls are not in scope for the services described above, and therefore are not in scope for this report. Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any of those customers’ applications.

Control Environment

Generally, an organization’s control environment represents the collective effort of various factors on establishing, enhancing or mitigating the effectiveness of specific controls. Such factors include but are not limited to the following:

Integrity and ethical values

Management’s philosophy and operating style

Organizational structure

Assignment of authority and responsibility

Human resource policies and practice

The control environment reflects the overall attitude, awareness and actions of the Board and management concerning all other components of internal controls and their emphasis within the organization.

Integrity and Ethical Values

Fusepoint expects that its employees will act ethically and with integrity. All Fusepoint personnel are therefore governed by several personnel policies and agreements. They include a non-disclosure agreement, code of conduct and a security policy staff agreement. All new Fusepoint staff are required to sign these agreements as a condition of employment.

Management’s philosophy and operating style

Fusepoint recognizes the importance of strong controls around information security and privacy, and is committed to implementing best practices. Selection of best-of-breed systems helps promote Fusepoint’s secure environment. Fusepoint undergoes regular external audits, such as the Canadian Institute of Chartered Accountants (CICA) Section 5970 Audit, the U.S. Statement on Auditing Standards (SAS) 70 Audit, the Payment Card Industry (PCI) Data Security Standard Audit, and the HP Service Provider Certification.

Organization Structure

Fusepoint is divided into departments as shown by its organizational chart. The chart lists the following units under the President & CEO:

Finance

Hosting and Infrastructure Management

Client Experience

Facilities

Security

Operations, split into an Eastern Region and a Central/Western Region (the chart also lists Quebec City and Montreal)

Sales

Marketing

Human Resources

Application Services

Information security and internal control is a business responsibility shared by all members of Fusepoint’s Executive Team.

Assignment of authority and responsibility

The Executive Team has approved an Information Security Policy which applies to all employees, and which delegates responsibility for the management of Information Security to the Vice-President Operations. This policy is reviewed and updated to keep it current, so that it continues to address a changing risk environment.

The Security Team is led by the Director of Security, who reports to the Vice-President Operations. The Security Team has day-to-day operational responsibility for information security and related internal controls and assists the Vice-President Operations with developing security policies, promoting security awareness and defining security standards. It also meets with and reports weekly to the Vice-President Operations to ensure the coordination and implementation of policies and practices across the company. The Security Team is segregated from the other Operations teams and does not perform any operational function performed by the Operations teams. The Security Team is also not responsible for or involved in performing any financial reporting processes or controls for any Fusepoint customer or any of those customers’ applications. Members of the Security Team have the appropriate qualifications and skills to fulfill their duties.

The Operations teams themselves are segregated from each other based on platform (Microsoft, UNIX, network, etc.).

All employees of Fusepoint have written job descriptions which clearly delineate each staff member’s roles and responsibilities within the organization.

Human Resources Policies and Practice

A formal workflow procedure for hiring, termination and any position/responsibility change of employees and contractors has been developed to ensure all steps are completed. This procedure is initiated by the Human Resources (HR) Department for all changes, and each change is reviewed by the HR Department to ensure the procedure is completed. Upon hiring, personnel agreements (described in the next paragraph) are signed. Personnel with access to customer data are required to go through criminal background screening. Upon termination, access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved. Upon a position/responsibility change, access privileges are adjusted or revoked as required.

Fusepoint has a defined security program in place for its employees. Annual security awareness training is mandatory for all employees as part of this program. All Fusepoint employees are required to sign a non-disclosure agreement, code of conduct and a security policy staff agreement as a condition of employment. Logical access security policies and procedures are documented, and Fusepoint employees have access to all security policies and procedures via Fusepoint’s intranet.
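The termination and position-change steps above are the kind of control a reviewer tests by reconciling HR records against what is still live in the directory, the badge system and the token inventory. The following is an added example, not Fusepoint's HR workflow or ticketing tooling; the export field names, the systems and every record in it are constructed for illustration, and it assumes HR and each system describe roles with the same vocabulary.

```python
"""Reconcile HR leaver/mover records against live access.

Added example, not Fusepoint's HR workflow or RMS tooling. The report states
that access privileges are revoked immediately on termination, adjusted on a
position change, and that access cards and tokens are retrieved. This is the
check a reviewer runs over exports from HR, the directory, the badge system
and the token inventory to find the cases where that did not happen. All
records below are constructed; the field names are assumptions.
"""
from datetime import date
from typing import Dict, List


def reconcile(hr: List[dict], accounts: List[dict], badges: List[dict],
              tokens: List[dict], as_of: date) -> List[dict]:
    """Return one finding per piece of access that should no longer exist.

    hr rows:      {"id", "status": "active"|"terminated", "end": date|None, "role"}
    accounts:     {"id", "system", "enabled": bool, "role"}
    badges:       {"id", "card", "active": bool}
    tokens:       {"id", "serial", "returned": bool}
    Roles in HR and in each system are assumed to share one vocabulary.
    """
    left: Dict[str, dict] = {r["id"]: r for r in hr if r["status"] == "terminated"}
    role_of: Dict[str, str] = {r["id"]: r["role"] for r in hr if r["status"] == "active"}
    findings: List[dict] = []

    def add(person, kind, where, overdue=None):
        findings.append({"id": person, "kind": kind, "where": where, "days_overdue": overdue})

    for a in accounts:
        if not a["enabled"]:
            continue                      # a disabled account is the desired state
        if a["id"] in left:               # leaver still has a working login
            add(a["id"], "account_enabled", a["system"], (as_of - left[a["id"]]["end"]).days)
        elif a["id"] in role_of:
            if a["role"] != role_of[a["id"]]:   # mover kept the old role
                add(a["id"], "role_not_adjusted", a["system"])
        else:                             # nobody in HR owns this login
            add(a["id"], "orphan_account", a["system"])

    for b in badges:                      # physical credential not retrieved
        if b["id"] in left and b["active"]:
            add(b["id"], "badge_active", b["card"], (as_of - left[b["id"]]["end"]).days)

    for t in tokens:                      # authentication token not retrieved
        if t["id"] in left and not t["returned"]:
            add(t["id"], "token_not_returned", t["serial"], (as_of - left[t["id"]]["end"]).days)

    return sorted(findings, key=lambda f: (f["id"], f["kind"]))


def run_sample() -> List[dict]:
    """Constructed exports: one leaver with access left behind, one mover, one orphan."""
    hr = [
        {"id": "u100", "status": "active", "end": None, "role": "unix-admin"},
        {"id": "u101", "status": "terminated", "end": date(2009, 10, 1), "role": "unix-admin"},
        {"id": "u102", "status": "active", "end": None, "role": "netops"},      # moved from unix-admin
        {"id": "u103", "status": "terminated", "end": date(2009, 11, 20), "role": "oc-tech"},
    ]
    accounts = [
        {"id": "u100", "system": "ldap", "enabled": True, "role": "unix-admin"},
        {"id": "u101", "system": "ldap", "enabled": True, "role": "unix-admin"},  # never disabled
        {"id": "u101", "system": "vpn", "enabled": False, "role": "unix-admin"},
        {"id": "u102", "system": "ldap", "enabled": True, "role": "unix-admin"},  # old role kept
        {"id": "u103", "system": "ldap", "enabled": False, "role": "oc-tech"},
        {"id": "u999", "system": "ldap", "enabled": True, "role": "contractor"},  # unknown to HR
    ]
    badges = [
        {"id": "u101", "card": "C-0114", "active": True},
        {"id": "u103", "card": "C-0207", "active": False},
    ]
    tokens = [
        {"id": "u101", "serial": "TK-551", "returned": True},
        {"id": "u103", "serial": "TK-612", "returned": False},
    ]
    return reconcile(hr, accounts, badges, tokens, as_of=date(2009, 11, 30))
```

The days_overdue figure is what turns a finding into evidence about "immediately": an account still enabled 60 days after the HR end date is a failed control, while one disabled the same day would not appear at all. The orphan check catches the case the HR-initiated workflow cannot see, a login that was never tied to a person in HR.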

Risk Assessment

Technical Security and Risk Management

A vulnerability management process has been implemented that includes periodic internal and external scanning of managed customer servers. Assessments of patches and security updates from hardware and software vendors are performed by the Security Team, who then coordinates their deployment with the Operations Teams.

Back-out procedures are documented in change requests in the event of a failure occurring during the change.

Procedures are in place and rules have been enabled to prevent access via insecure network services and protocols.

Redundancy is built into the network (for example, use of switches and load balancers) to ensure the continuity of network operations.

Information and Communication

Fusepoint has several information systems in place to support its Fully Managed Infrastructure Services and Colocation Hosting Services. Those systems are:

Customer WebCare portal and Request Management System (RMS)


Automated facility and environmental monitoring systems

Fusepoint Monitoring System, which includes the Netcool Application

Physical access management system (for proximity card readers)

Logical access authentication systems

Intrusion Detection System

Event log monitoring systems

Backup management systems

Standard Operating Procedures

Formalized Standard Operating Procedures (SOPs) are used to ensure that, where problems are identified, they are recorded, brought to the attention of the appropriate personnel, actioned, followed up and analyzed to identify trends that might indicate a more extensive issue. The SOPs are documented and include prescribed procedures for incident management, change management, patch management and data centre access. Fusepoint is not involved in application job scheduling and execution, as these are managed and monitored by its customers.

Priority 1 and 2 Ticket Workflow: Customer Contacts Operations Centre (OC)

The flowchart for this workflow (Figure 1) has two swim lanes, Customer and OC, and shows the following steps and decision points.

Customer lane:

- The customer’s Authorized Technical Contact creates a ticket by sending it via WebCare or by calling the OC.
- Is the caller an authorized Technical Contact? If not, the OC advises the caller to contact the Authorized Technical Contact.
- Was the 15-minute response time observed? If not, the Authorized Technical Contact pages the on-duty Team Leader; if the 15-minute response time is still not observed, the Authorized Trouble Reporter calls the Director of Hosting Operations.
- Are updates received hourly? (decision point on the customer side while resolution is in progress)
- The customer is notified that the ticket is resolved.

OC lane:

- The OC is paged of the new ticket. Was the ticket created via WebCare? If not, a ticket number is assigned to the case.
- The OC contacts the customer within 15 minutes to verify the problem; work to resolve begins immediately.
- Does the OC technician resolve the problem within 15 minutes of notification? If not, the ticket is escalated to 2nd level and the OC sends hourly status updates to the customer until resolved.
- Is the problem resolved within 2 hours of notification? If not, the ticket is escalated to the Director, Operations, who escalates internally/externally until the problem is resolved.
- Findings and results are documented in the original ticket, a Post-Incident Report is sent to the customer, and the ticket is closed.

Figure 1: Standard Operating Procedure when customer contacts OC


Priority 1 and 2 Ticket Workflow: OC Contacts Customer

The flowchart for this workflow (Figure 2) again has OC and Customer swim lanes.

OC lane:

- The OC receives an alert and verifies that the trouble exists. Has a problem been confirmed? If not, the OC continues to monitor the customer.
- If confirmed, a ticket number is assigned to the case. Is the problem identified as a Fusepoint responsibility? If not, the customer is notified and works with Fusepoint to resolve it.
- If it is, notification is sent to the customer within 15 minutes of verification and the ticket is assigned to Level 2. The OC provides updates every 30 minutes until resolved.
- Does Level 2 resolve the ticket within 30 minutes of problem start? If not, the ticket is escalated to an Engineer.
- Does the Engineer resolve the problem within 1 hour of start? If not, the ticket is escalated to the Manager, Technical Services.
- Is the problem resolved within 2 hours of problem start? If not, the Director, Hosting Operations is notified and escalates internally/externally until the problem is resolved.
- Findings and results are documented in the original ticket, a Post-Incident Report is sent to the customer, and the ticket is closed.

Customer lane:

- The customer receives notification of the problem with the ticket number.
- Was an update received within 30 minutes of problem start, and are updates received every 30 minutes? If not, the customer calls the OC Manager’s cell phone; if the OC Manager is not available, the customer calls the cell phone of the Manager, Technical Services; if that manager is not available, the customer calls the cell phone of the Director, Operations.
- The customer is notified that the ticket is resolved.

Figure 2: Standard Operating Procedure when OC contacts customer
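The timers in Figures 1 and 2 are only a control if someone checks tickets against them. The following is an added example, not Fusepoint's RMS logic: it encodes the Figure 2 ladder (notification within 15 minutes of verification, Engineer at 30 minutes from problem start, Manager, Technical Services at 1 hour, Director at 2 hours, customer updates every 30 minutes) and runs a constructed set of ticket records through it the way a reviewer would test an RMS export. The Ticket fields and the sample records are assumptions.

```python
"""Check Priority 1/2 tickets against the OC escalation ladder.

Added example, not Fusepoint's RMS logic. It encodes the timers shown in
Figure 2 (customer notified within 15 minutes of verification, escalation to
an Engineer at 30 minutes from problem start, to the Manager, Technical
Services at 1 hour, to the Director at 2 hours, and customer updates every 30
minutes) and runs constructed ticket records through them. Ticket fields and
the sample records are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Elapsed time since problem start at which each tier must own the ticket.
LADDER = [
    (timedelta(0), "Level 2"),
    (timedelta(minutes=30), "Engineer"),
    (timedelta(hours=1), "Manager, Technical Services"),
    (timedelta(hours=2), "Director, Hosting Operations"),
]
NOTIFY_WITHIN = timedelta(minutes=15)
UPDATE_EVERY = timedelta(minutes=30)


@dataclass
class Ticket:
    number: str
    problem_start: datetime
    verified: datetime                    # when the OC confirmed the trouble
    notified: Optional[datetime]          # first customer notification
    updates: List[datetime] = field(default_factory=list)
    resolved: Optional[datetime] = None


def required_tier(t: Ticket, now: datetime) -> str:
    """Tier that must own the ticket at `now`, or at resolution if it is resolved."""
    end = t.resolved if t.resolved and t.resolved < now else now
    tier = LADDER[0][1]
    for after, name in LADDER:
        if end - t.problem_start >= after:
            tier = name
    return tier


def check_ticket(t: Ticket, now: datetime) -> List[str]:
    """SLA breaches for one ticket; an empty list means it was handled on time."""
    breaches: List[str] = []
    if t.notified is None or t.notified - t.verified > NOTIFY_WITHIN:
        breaches.append("customer not notified within 15 minutes of verification")
    # From notification until resolution (or now) no gap between updates may exceed 30 minutes.
    last = t.notified or t.verified
    for u in sorted(t.updates):
        if u - last > UPDATE_EVERY:
            breaches.append(f"update gap of {u - last} before {u:%H:%M}")
        last = u
    end = t.resolved or now
    if end - last > UPDATE_EVERY:
        breaches.append(f"no update in the {end - last} before {'resolution' if t.resolved else 'now'}")
    return breaches


def run_sample() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed RMS export: one compliant ticket, one late notice, one gone stale."""
    base = datetime(2009, 9, 14, 2, 0)

    def m(minutes: int) -> datetime:
        return base + timedelta(minutes=minutes)

    now = m(180)
    tickets = [
        Ticket("T1001", base, verified=m(5), notified=m(12), updates=[m(40), m(65)], resolved=m(80)),
        Ticket("T1002", base, verified=m(5), notified=m(25), updates=[m(50)], resolved=m(70)),
        Ticket("T1003", base, verified=m(3), notified=m(10), updates=[m(35)]),
    ]
    return {t.number: (required_tier(t, now), check_ticket(t, now)) for t in tickets}
```

The tier is computed from problem start rather than from notification, which is what the Figure 2 decision boxes say ("within 30 minutes of problem start"); Figure 1 measures from notification, so a checker for that workflow would swap the reference point.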

Change Management

Fusepoint is responsible for managing changes related to their customers’ system software, infrastructure and environment. Fusepoint’s customers are responsible for managing application changes including the maintenance of any application program libraries.

Change requests, alerts from monitoring sensors, and incident reports are all centrally managed through Fusepoint’s Request Management System (RMS). Only authorized customer personnel have access to the RMS through the WebCare customer portal. Change requests and problems are communicated to Fusepoint through WebCare, and if telephone line support is used by the customer, pertinent details of the conversation are entered into the RMS by the Operations Centre (OC).

Fusepoint has documented change control procedures. Operations Management administers and coordinates the change process from initiation to implementation. Changes are requested according to a published workflow, and notification is sent to the appropriate approver based on the nature of the change (see Figure 3). Every change request is assigned a unique ticket number in the RMS.

Change requests require the change details to be documented including the back-out procedures in the event of failure during the change. Problems incurred during a change are logged into the RMS ticket and resolved before the ticket is closed.

Specific windows and time lines have been established for system software, infrastructure and environment changes to be implemented to minimize disruption to production environments.


Change Request

The Phase 1 change approval flowchart (Figure 3) shows the following path:

- An Engineer prepares a Fusepoint Change Request (FCR) and attaches it to the change ticket; the ticket is submitted to the Change Manager (CM).
- Emergency change? If yes, the ticket is assigned directly to the CM, who discusses it with the Team Lead (TL) and with the Manager, Technical Services (M/TS), and then obtains CAB approval or approval from the Director, Operations (D/O) and the Vice President, Operations (VP/O). This is the short-cut for emergency changes.
- Otherwise the CM brings the FCR to the weekly TL Review Board, the TL reviews the ticket, and the change goes to the 1st Phase Approval Meeting (D/O, M/TS, CM).
- Revisions needed? If yes on the 1st iteration, the ticket is assigned to the TL for review/revision and comes back for review; on later iterations the TL, M/TS and CM review the change and make the necessary modifications.
- Needs CAB approval? If yes, the change is presented to the Change Advisory Board (CAB); if not, VP Operations approval is obtained.
- Change approved? If yes: 1. the CM updates the ticket; 2. the CM assigns the ticket to the change requestor; 3. the CM updates the change calendar; 4. the CM sends the customer notification; the change process then proceeds. If not: Revise? If yes, the ticket goes back for revision; if not, the change is not approved and is filed for reference (end of process).
- Problems encountered pre-change or post-change: the CM updates the ticket and it is assigned to the TL for review/revision.

Legend: FCR: Fusepoint Change Request; TL: Team Lead; M/TS: Manager, Technical Services; CM: Change Manager; D/O: Director, Operations; CAB: Change Advisory Board; VP/O: Vice President, Operations

Figure 3: Phase 1 Change Approval Process


Logical and Physical Access

Fusepoint’s responsibility for logical access administration over its customers’ systems is limited to the network and infrastructure. Fusepoint’s customers manage logical access at the application level.

Logical access security policies and procedures are documented, and Fusepoint employees have access to all security policies and procedures via Fusepoint’s intranet. All Fusepoint employees are required to sign a non-disclosure agreement, code of conduct and a security policy staff agreement as a condition of employment. Annual security awareness training is also mandatory for all employees.

Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Fusepoint staff use unique user IDs to access programs and data. All role-based and administrative passwords are stored within a secured database protected and maintained by the Security Team, and access is restricted to Operations personnel only. Access control is enforced using automated access controls (e.g. two-factor authentication, complex passwords with minimum-length, account lockout for multiple unsuccessful logins, etc.).

Access to the Mississauga Data Centre is restricted through physical access controls. Only authorized Fusepoint staff or visitors who have been pre-authorized are granted access.

Network and Operating System Security

Fusepoint’s production network architecture has been implemented to separate the network into multiple zones. Redundant and shared firewalls have been used to separate public-facing Web servers in the demilitarized zone from the back-end application and database servers in the trusted zone. Fusepoint’s office desktop machines and any development workstations are on a network separate from the production network, and are not within the scope of this report.

Intrusion detection systems (IDS) and monitoring procedures have been implemented to identify unauthorized network access. For internal servers, fully managed customers’ servers and subscribed colocation customers’ servers, Fusepoint staff respond to IDS alerts. No response is provided for colocation customers that do not subscribe to the IDS service.

A Virtual Private Network (VPN) has been implemented for secure remote access into the internal production networks and systems.

Pertinent anti-virus engines and signatures are installed on the Windows-based and Linux-based servers, and signatures are updated daily for internal servers and for customers who have subscribed to the anti-virus service. Hardening procedures have been developed and maintained for production server operating systems.

Data Centre Facilities

The Mississauga Data Centre has systems in place to protect computer hardware and equipment from fire and environmental damage. An uninterruptible power supply and diesel generator provide backup power to all essential operations and systems including the computer room, and these systems are tested on at least a quarterly basis and after any significant change to power infrastructure. Reviews of power systems are performed to ensure that there is sufficient power capacity.

Daily incremental backups and weekly full backups are performed for internal servers, fully managed customers and colocation customers who subscribe to the backup service. When a backup is performed, two copies are made: one that remains on-site, and one that is shipped off-site. Media integrity checks are performed during the backup process to ensure that the backup can be restored if needed.
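The paragraph above describes two copies plus an integrity check performed during the backup. An integrity check that only verifies the archive's own checksum does not prove the data can be restored; the check a practitioner wants is a trial restore compared file by file against a manifest taken at backup time. The following is an added example, not Fusepoint's backup tooling; the directory tree, file names and the local "off-site" duplicate are constructed for illustration.

```python
"""Backup with a per-file integrity manifest and a restore check.

Added example, not Fusepoint's backup tooling. It builds a gzip tarball of a
directory, records a SHA-256 per file in a manifest, makes the second copy the
report describes (here a local duplicate standing in for the off-site copy)
and confirms its bytes match, then restores the archive into scratch space and
checks every file against the manifest. The sample tree is constructed.
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, archive: Path) -> Dict[str, str]:
    """Write src into a gzip tarball and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def second_copy(archive: Path, copy: Path) -> bool:
    """Duplicate the archive and confirm the copy is byte-identical."""
    shutil.copyfile(archive, copy)
    return sha256_file(archive) == sha256_file(copy)


def verify_restore(archive: Path, manifest: Dict[str, str]) -> List[str]:
    """Restore into scratch space; return the problems found (empty = restorable)."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():   # refuse entries that would escape the restore dir
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe member name: {member.name}")
            if hasattr(tarfile, "data_filter"):  # Python 3.12+ (and backports) enforce this too
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    problems += [f"unexpected file after restore: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)


def run_sample() -> Tuple[int, bool, List[str], List[str]]:
    """Back up a constructed tree, copy it, verify it, then verify against a corrupted manifest."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"INSERT INTO t VALUES (1);\n" * 200)
        (src / "config.ini").write_text("[main]\nmode=prod\n")
        archive = root / "onsite.tar.gz"
        manifest = backup(src, archive)
        copy_ok = second_copy(archive, root / "offsite.tar.gz")
        problems = verify_restore(archive, manifest)
        # Simulate a bad tape: the expected digest for one file no longer matches.
        tampered = dict(manifest, **{"config.ini": "0" * 64})
        tampered_problems = verify_restore(archive, tampered)
    return len(manifest), copy_ok, problems, tampered_problems
```

The member-name check before extraction matters precisely because the archive comes back from off-site: a tarball whose entries contain absolute paths or `..` components would otherwise write outside the restore directory, so the restore step must not trust the media it is verifying.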

Monitoring

Quality Assurance

Fusepoint has implemented a Quality Assurance (QA) function that is independent of its Operations group, and a QA person has been appointed to ensure that standard operating procedures are followed. The QA function is responsible for reviewing business operations, customer contracts, etc. to assess compliance with policies and procedures. Adherence to operating procedures is enforced by the QA process.

The Fusepoint Security Team is responsible for monitoring the implementation and compliance of the information security program through periodic audits, compliance checks and use of various technology tools.

Facilities and System Monitoring

Security cameras are in operation and are monitored 24 × 7 from the Network Operations Room.

The Fusepoint Monitoring System provides an automated central monitoring system that is used to monitor servers and network devices for system utilization, hardware failure and performance on a real-time basis. Automated tools and technologies have been implemented to monitor Fusepoint’s hardware and software, along with environmental factors such as temperature, power and humidity. The core of the Fusepoint Monitoring System is the Netcool application, which performs normalization and correlation of the collected data for all facilities and system monitoring, except for the specific systems that monitor physical conditions in each data centre. Netcool is monitored by personnel in the Operations Centre (OC), who can then create tickets in the Request Management System (RMS) if required, using data fed in from Netcool. Systems that are not interfaced with Netcool are directly monitored by the OC.
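The two functions attributed to the monitoring core above, normalization and correlation, are what decide whether one hardware fault or one brute-force attempt becomes one ticket or a hundred. The following is an added example, not the Netcool configuration or RMS integration Fusepoint used: three constructed feed formats (a syslog line, a CSV environmental sensor record and a pipe-delimited Windows event export) are reduced to one event schema, then collapsed into tickets by host and signature with a burst threshold for low-severity repeats and immediate opening for critical events. The hostnames, formats and sample lines are all constructed.

```python
"""Normalize alerts from several feeds and correlate them into tickets.

Added example, not the Netcool configuration or RMS integration used by
Fusepoint. It shows the two steps the report attributes to the monitoring
core: normalization (several alert formats reduced to one event schema) and
correlation (repeated or related events collapsed into one ticket instead of
one ticket per alert). The three feed formats, the hostnames and the sample
lines are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    severity: int        # 1 = informational ... 5 = critical
    signature: str       # stable key meaning "the same kind of problem"
    detail: str


# Constructed feed formats: syslog from Unix hosts, a CSV environmental sensor
# feed, and a pipe-delimited Windows event export.
SYSLOG = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+)\[\d+\]: (?P<msg>.*)$")
ENV = re.compile(r"^ENV,(?P<ts>[^,]+),(?P<sensor>[^,]+),(?P<metric>\w+)=(?P<val>[\d.]+),(?P<state>\w+)$")
WINEVT = re.compile(r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|EventID=(?P<id>\d+)\|Level=(?P<lvl>\w+)\|(?P<msg>.*)$")

WIN_LEVELS = {"Critical": 5, "Error": 4, "Warning": 3, "Information": 1}
WIN_SIGNATURES = {"4625": "auth.failed_login", "6008": "os.unexpected_shutdown"}
ENV_STATES = {"ALARM": 5, "WARN": 3, "OK": 1}


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None means the line is noise."""
    if m := SYSLOG.match(line):
        ts, host, msg = datetime.fromisoformat(m["ts"]), m["host"], m["msg"]
        if "Failed password" in msg:
            return Event(ts, host, 3, "auth.failed_login", msg)
        if "RAID degraded" in msg:
            return Event(ts, host, 5, "hw.raid_degraded", msg)
        return None
    if m := ENV.match(line):
        state = m["state"]
        return Event(datetime.fromisoformat(m["ts"]), m["sensor"], ENV_STATES.get(state, 2),
                     f"env.{m['metric']}.{state.lower()}", line)
    if m := WINEVT.match(line):
        return Event(datetime.fromisoformat(m["ts"]), m["host"].lower(),
                     WIN_LEVELS.get(m["lvl"], 2),
                     WIN_SIGNATURES.get(m["id"], f"win.{m['id']}"), m["msg"])
    return None


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10),
              burst: int = 5) -> List[Dict]:
    """Collapse events into tickets keyed by (host, signature).

    A ticket opens at once for a severity-5 event, or when `burst` events
    with the same key arrive inside `window`. Later events for a key that
    already has a ticket are counted on that ticket, not turned into new ones.
    """
    tickets: List[Dict] = []
    open_ticket: Dict[tuple, Dict] = {}
    recent: Dict[tuple, List[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.signature)
        if key in open_ticket:
            open_ticket[key]["count"] += 1
            continue
        recent[key] = [t for t in recent[key] if ev.ts - t <= window] + [ev.ts]
        if ev.severity >= 5 or len(recent[key]) >= burst:
            ticket = {"id": f"T{len(tickets) + 1:04d}", "host": ev.host, "signature": ev.signature,
                      "opened": ev.ts, "count": len(recent[key]), "first_detail": ev.detail}
            tickets.append(ticket)
            open_ticket[key] = ticket
    return tickets


SAMPLE_FEED = [  # constructed lines, deliberately out of time order
    "2009-09-14T02:11:05 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 4411 ssh2",
    "2009-09-14T02:11:09 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 4412 ssh2",
    "2009-09-14T02:12:00|DB01|EventID=4625|Level=Information|An account failed to log on",
    "ENV,2009-09-14T02:12:00,row3-sensor,temp=31.5,WARN",
    "2009-09-14T02:11:12 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 4413 ssh2",
    "2009-09-14T02:11:15 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 4414 ssh2",
    "2009-09-14T02:15:00 san02 mdadm[991]: RAID degraded on /dev/md0",
    "2009-09-14T02:11:20 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 4415 ssh2",
    "2009-09-14T02:16:00 web01 cron[100]: session opened for user backup",
    "ENV,2009-09-14T02:20:00,row3-sensor,temp=38.2,ALARM",
    "2009-09-14T02:30:00 web01 sshd[2290]: Failed password for admin from 10.0.0.5 port 4501 ssh2",
]


def run_sample() -> List[Dict]:
    events = [e for e in map(normalize, SAMPLE_FEED) if e is not None]
    return correlate(events)
```

On the sample feed the five failed logins against web01 inside ten minutes open one ticket and the sixth, later attempt is counted on it; the RAID fault and the temperature alarm open one ticket each immediately; the single Windows 4625 and the WARN reading stay below threshold; the cron line is dropped at normalization. The signature, not the raw message text, is the correlation key, which is what keeps the changing port numbers in the sshd lines from defeating the grouping.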


Control Objectives and Related Controls

This subsection provides a list of control objectives and related controls that have been tested for operating effectiveness. These control objectives and related controls are also listed in Section 3 of this report, “Information Provided by the Service Auditor”. Although the listing of the control objectives and related controls in both Sections 2 and 3 of this report may seem redundant, the list in this section has been provided for convenience for Canadian audiences used to the conventions for service auditor’s reports in Canada.

Administration and Organization

1.0 Controls provide reasonable assurance that a defined security program is in place and that Fusepoint employees are aware of this security program.

1.1 A mandatory annual security awareness program has been placed in operation to educate Fusepoint employees about Fusepoint’s security program and to articulate details of the program.

1.2 Fusepoint employees are required in the hiring process to execute a legally binding non-disclosure agreement which includes terms and conditions related to maintaining the non-disclosure of information that is confidential to either Fusepoint or its customers.

1.3 Fusepoint employees are required in the hiring process to sign that they have received and read both Fusepoint’s Code of Conduct and Fusepoint’s Security Policy.

1.4 Criminal background screening is performed during the hiring process on technical employees and contractors with either physical or logical access to operations areas and customer data.

1.5 Access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved upon termination of an employee or contractor.

1.6 Access privileges for employees who change departments or responsibilities are modified accordingly.

Facilities

2.0 Controls provide reasonable assurance that physical access to the data centre is restricted to appropriate personnel.

2.1 Access to the data centre is controlled through proximity card readers, and only authorized Fusepoint staff are issued proximity reader access cards.

2.2 Access privileges are granted on the basis of that person’s need to perform specific job functions, and a bi-annual review of access privileges is performed.

2.3 Physical security incidents and exceptions are reviewed by the Security Team. Reported physical security incidents that are classified as major in the Request Management System (RMS) are escalated to the Vice-President Operations.

2.4 Visitors to the data centre must be pre-authorized, and must sign-in before being granted physical access to the data centre.

2.5 The servers and other equipment for Managed Services (as opposed to Co-located servers) can only be physically accessed by authorized Fusepoint staff.

3.0 Controls provide reasonable assurance that computer hardware and equipment are protected against fire and environmental damage.

3.1 A fire detection and suppression system has been placed in operation in the data centre. Testing of fire detection and suppression equipment is performed at least annually.


3.2 Alarm panels and alerts are in place to monitor and detect facility environmental settings, such as temperature and moisture.

3.3 Climate control systems regulate air temperature within the computer rooms. Temperature monitoring equipment continuously monitors environmental conditions.

3.4 There are separate climate control units in place to protect against failure of individual units. An automated monitoring system is in place to alarm computer operations employees in the event of failure of the environmental control equipment in the computer room.

3.5 An equipment and facilities maintenance program that includes at least annual maintenance and/or testing is in place to ensure that the facilities and equipment are kept in working order.

4.0 Controls provide reasonable assurance that continuous power is provided to the data centre and its systems.

4.1 An uninterruptible power supply and diesel generator provides backup power to all essential operations and systems including the computer room. These systems are tested on at least a quarterly basis, and after any significant change to power infrastructure.

Exception noted: On July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource (Mississauga Hydro), caused by a cable fault, occurred. The data centre lost power when the UPS batteries were depleted and the generators, although available to run, were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity.

4.2 A daily review of power systems is performed to ensure that there is sufficient power capacity for the data centre.

Logical Access and Security

5.0 Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.

5.1 Production servers and equipment are located on restricted access network segments, and automated authentication controls are in place to restrict access to these network segments to authorized personnel.

5.2 Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Logical access is only possible through Fusepoint’s offices, or through VPN using two-factor authentication. Fusepoint staff use unique user IDs to access programs and data.

5.3 Annual reviews of logical access privileges are performed.

5.4 The Security Team monitors and assesses new security alerts and advisories. Patches and other fixes are applied according to the priority level assigned by the Security Team.

5.5 Event log monitoring tools for operating systems, firewalls and Intrusion Detection Systems (IDSs) are configured to send alerts on unauthorized access attempts and other unusual events to the Netcool Application monitored by the OC.

5.6 An automated security incident escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level. Incidents that are not responded to within the defined timeline are automatically escalated to the next staff level by the Netcool Application.

5.7 Pertinent anti-virus engines and signatures are installed on the Windows-based servers, and signatures are updated daily.

5.8 Firewalls are in place to prevent unauthorized network traffic, and to separate Fusepoint’s network into multiple zones.


5.9 Firewall rules are reviewed quarterly.

5.10 Intrusion Detection Systems are in place to detect unauthorized or suspicious traffic and send alerts to the Netcool Application monitored by the OC.

Change Management / Problem Resolution

6.0 Controls provide reasonable assurance that modifications to system software and infrastructure are authorized.

6.1 Change requests can only be made by authorized customer personnel or authorized Fusepoint staff.

6.2 Changes are reviewed and then signed off by the appropriate Team Lead, and finally approved by the Fusepoint Change Advisory Board or Vice President of Operations.

6.3 Changes are supported by back out plans to enable recovery in the event of problems being encountered during implementation.

6.4 Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any of Fusepoint customer’s applications.

7.0 Controls provide reasonable assurance that change requests are addressed on a timely basis.

7.1 An automated change escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to address change requests within documented timelines depending on their priority level. Change requests that are not responded to within the defined timeline are automatically escalated to the next staff level by the RMS.

Backup and Recovery

8.0 Controls provide reasonable assurance that backups for recovering software and data files are maintained in the event of a disruption or a disaster.

8.1 Daily incremental backups and weekly full backups are performed with one copy kept on-site and a duplicate copy kept off-site.

8.2 Off-site data is stored in a protected environment. Backups are sent off-site daily, and the Network Operation Centre (OC) personnel are responsible for shipping and receiving tapes.

8.3 Off-site tape counts are reconciled with on-site records at least annually.

8.4 Backups are tested using backup media integrity checks during the backup process.

Complementary User Organization Control Considerations

The relative effectiveness and significance of specific controls at Fusepoint and their effect on assessments of control risk at any customer of Fusepoint are dependent on their interaction with the controls and other factors present in the customer’s environment. No procedures were performed to evaluate the effectiveness of controls at any of Fusepoint customers.

It is the responsibility of each customer’s management and their auditors to ensure that appropriate application level controls and procedures and general computer controls and procedures are in place and performed in the end-user controlled environment to complement the system of controls in place within the Fusepoint environment. Those complementary controls are:

that the creation, modification and deletion of user accounts at the application level are appropriately authorized and performed by the customer;

that application level authentication controls have been placed in operation;

if passwords are used for authentication at the application level, those passwords are changed on a regular basis;


that the customer performs a regular review of application level user accounts and access privileges;

that complex passwords are required for all application level user accounts;

that the customer performs adequate change control procedures including approval of application changes and maintenance of appropriate access controls that promote segregation of duties;

that where appropriate, the customer approves application job scheduling and execution, appropriately restricts access to job scheduling and execution, and appropriately monitors job execution (e.g. batch job processing);

that customer personnel provided access to Fusepoint’s WebCare customer portal are appropriately authorized;

that customer personnel who are the designated communication contacts with Fusepoint are appropriately authorized, and Fusepoint is informed of any changes of authorized personnel on a timely basis;

that customer personnel who visit Fusepoint’s Mississauga Data Centre are appropriately authorized;

that the customer performs adequate testing of application changes prior to their promotion to the production environment;

that the customer performs adequate security testing or receives reasonable assurance of the security of any application level code that is developed outside of Fusepoint’s environment;

unless the customer subscribes to Fusepoint’s anti-virus service, that the customer installs anti-virus software on its Windows servers and updates the anti-virus signatures on a daily basis; and

that the customer places into operation any other internal controls (e.g. segregation of duties, reconciliations, etc.) that are necessary for its financial reporting processes or for the application it is using within Fusepoint’s environment.

Furthermore, for customers using Fusepoint’s server colocation service, the following controls need to be placed in operation for co-located servers where Fusepoint does not manage or have access to the servers:

the creation, modification and deletion of accounts at the operating system and database level for any servers are appropriately authorized and performed by the customer;

that operating system and database level passwords are changed on a regularly recurring basis;

that the customer performs a regularly recurring review of operating system and database level passwords, user accounts and access privileges;

unless the customer subscribes to Fusepoint’s backup service, that the customer backs up server data on a regular basis, and tests the restoration of data from the backup on a regular basis;

unless the customer subscribes to Fusepoint’s IDS service, that the customer implements its own controls for detecting and responding to any incidents of unauthorized access or use; and

that each customer device (servers, routers, switches, etc.):

o has two independent power supplies,

o has one power supply connected to the “A” power source and the other connected to the “B” power source within their assigned cabinet, and

o is inspected by the customer to confirm that the independent power supplies are properly connected to the appropriate power sources within their assigned cabinet.


Changes to Controls

The following changes to the controls have been made since the last report for the period ending November 30, 2008:

The Fusepoint Security Committee became defunct in January 2009. The Security Team, led by the Director of Security, is responsible for day-to-day operations for information security and related internal controls and assists the Vice-President Operations with developing security policies, promoting security awareness and defining security standards. The Security Team also meets with and reports weekly to the Vice-President Operations to ensure the coordination and implementation of policies and practices across the company.

An upgrade was made in March 2009 to the uninterruptible power supply of the Mississauga Data Centre to replace aging UPS infrastructure and to provide additional capacity to meet customer requirements.

Fusepoint re-tested the transfer scheme after the July 20, 2009 event by simulating power failures to the building and could not reproduce the condition that happened on July 20, 2009. In any event, Fusepoint is in the process of implementing a replacement technology for the breaker scheme to better handle such a condition. Fusepoint has contracted a third party to assist in the engineering of this solution, which involves several suppliers. The project began in August 2009 and is expected to be complete in April 2010.

Fusepoint has hired and put in place on-site 24 x 7 staff for building operations coverage, along with updated procedures, should an unlikely event such as that of July 20, 2009 recur in the interim. This coverage will continue going forward.

Fusepoint has increased the frequency of testing of the uninterruptible power supply from an annual basis to a quarterly basis to ensure that the uninterruptible power supply and diesel generator provide backup power and to avoid a recurrence of power loss such as the July 20, 2009 event. Additionally, Fusepoint will perform testing on the systems after any significant change to power infrastructure.


SECTION 3 — INFORMATION PROVIDED BY THE SERVICE AUDITOR

The following section on tests of operating effectiveness is intended to provide interested parties with information sufficient to obtain an understanding of those aspects of Fusepoint’s controls that may be relevant to customer organizations’ internal control, and to reduce the assessed level of control risk below the maximum for certain financial statement assertions. This report, when coupled with an understanding of the internal control in place at customer organizations, is intended to assist in the assessment of the total internal control surrounding Fusepoint’s fully managed hosting and server colocation services related to its data centre in Mississauga.


Report on Tests of Operating Effectiveness

Introduction

This section of the report contains the description of the tests performed by Grant Thornton LLP (Canada) to assess the operating effectiveness of controls at Fusepoint Managed Services (“Fusepoint”) for the period from June 1, 2009 to November 30, 2009 for its Mississauga Data Centre.

The Description of Controls has been provided by the management of Fusepoint. Furthermore, Fusepoint has selected all control objectives in the Description of Controls to be in scope for the testing of operating effectiveness.

For each control tested for operating effectiveness, an indication of the nature, timing, extent and results of the tests has been provided. In the following tables, any exceptions or other information identified by the tests that could be relevant to user auditors have been provided in the column labelled “Results”. If no exceptions or other relevant information was identified, then the remark “No relevant exceptions noted” has been given.


Fusepoint Managed Services Report on Tests of Operating Effectiveness — from June 1, 2009 to November 30, 2009 for the Mississauga Data Centre


This report is intended solely for use by the management of Fusepoint, its customers, and the auditors of its customers

1.0 Controls provide reasonable assurance that a defined security program is in place and that Fusepoint employees are aware of this security program.

Fusepoint control activity Grant Thornton test of control Results

1.1 A mandatory annual security awareness program has been placed in operation to educate Fusepoint employees about Fusepoint’s security program and to articulate details of the program.

1. Inspection: Attendance lists for sessions of the security awareness program held between June 1, 2009 and November 30, 2009 were obtained and inspected. Complete employee lists were reconciled against the security awareness attendance list to confirm that training was provided to all staff. The service auditor inspected documentation confirming that attendance to the security awareness program was mandatory. Results: No relevant exceptions noted.

2. Inspection: The service auditor inspected documentation on the annual security awareness program and assessed their adequacy in relation to security policies in force. The service auditor also inspected documentation confirming mandatory attendance. Results: No relevant exceptions noted.

1.2 Fusepoint employees are required in the hiring process to execute a legally binding non-disclosure agreement which includes terms and conditions related to maintaining the non-disclosure of information that is confidential to either Fusepoint or its customers.

1. Inspection: For the entire population of employees hired between June 1, 2009 and November 30, 2009, the service auditor inspected copies of Non-Disclosure Agreements to confirm they were signed by the employee concerned. Results: No relevant exceptions noted.

1.3 Fusepoint employees are required in the hiring process to sign that they have received and read both Fusepoint’s Code of Conduct and Fusepoint’s Security Policy.

1. Inspection: For the entire population of employees from the Mississauga Data Centre, employee files were reviewed to confirm the existence of signatures acknowledging the acceptance of the Code of Conduct and Security Policy. Results: No relevant exceptions noted.


1.4 Criminal background screening is performed during the hiring process on technical employees and contractors with either physical or logical access to operations areas and customer data.

1. Inspection: The service auditor inspected a copy of criminal background check reports for the entire population of employees and contractors who were hired between June 1, 2009 and November 30, 2009, and were granted access to the operations areas of the Mississauga Data Centre. Results: No relevant exceptions noted.

1.5 Access privileges are revoked immediately and physical authentication credentials such as access cards and authentication tokens are retrieved upon termination of an employee or contractor.

1. Inspection: For the entire population of employees terminated between June 1, 2009 and November 30, 2009, at the Mississauga Data Centre, the service auditor inspected the termination checklists and verified that all steps in the termination checklist were completed, including the notification of the termination, the updating of HR records, the termination of the user account, and the retrieval of company property. Results: No relevant exceptions noted.

1.6 Access privileges for employees who change departments or responsibilities are modified accordingly.

1. Inspection: For the entire population of employees who changed departments or responsibilities at the Mississauga Data Centre, between June 1, 2009 and November 30, 2009, the service auditor inspected documentation to verify that access privileges were modified accordingly. Results: No relevant exceptions noted.


2.0 Controls provide reasonable assurance that physical access to the data centre is restricted to appropriate personnel.

Fusepoint control activity Grant Thornton test of control Results

2.1 Access to the data centre is controlled through proximity card readers, and only authorized Fusepoint staff are issued proximity reader access cards.

1. Inspection: The service auditor inspected a listing of all Fusepoint employees and contractors who have proximity card access to the Mississauga Data Centre. For all employees/contractors, the service auditor verified that access was appropriately authorized based on the employee/contractor’s role. Results: No relevant exceptions noted.

2.2 Access privileges are granted on the basis of that person’s need to perform specific job functions, and a bi-annual review of access privileges is performed.

1. Inspection: The service auditor inspected a listing of all Fusepoint employees and contractors who have proximity card access to the Mississauga Data Centre. The listing was reviewed to ensure that all staff who have proximity card access require access as part of their job function. Results: No relevant exceptions noted.

2. Inspection/Inquiry: The service auditor inspected documentation and inquired with Security Team members to confirm that regular reviews of the access privileges granted at the Mississauga Data Centre were performed. Results: No relevant exceptions noted.

3. Inspection: The service auditor inspected a sample of signed check-out sheets for the keys to the locked cabinets at the Mississauga Data Centre and confirmed that only appropriate individuals were granted access to the keys. Results: No relevant exceptions noted.

4. Observation: For the Mississauga Data Centre, the service auditor observed the use of an employee access card for an employee who was not granted access to confirm that access is denied and the access attempt was recorded. Results: No relevant exceptions noted.
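The reconciliations the auditor describes for controls 1.5, 1.6 and 2.2 (termination checklists and the proximity-card access listing checked against each person’s role) are the kind of review a user organization can run against its own records. The following is an added example, not code from Fusepoint or Grant Thornton; the roster, access grants, dates and the role-to-access policy are constructed assumptions, not values from the report.

```python
"""Access-list reconciliation in the spirit of control tests 1.5, 1.6 and 2.2.

Added example; all names, dates, resource names and the ROLE_ACCESS policy
below are constructed sample data, not taken from the report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Person:
    user_id: str
    role: str                      # current role per the HR roster
    terminated: Optional[date]     # None while still employed or contracted
    role_changed: Optional[date]   # date of the latest department/role change, if any


@dataclass(frozen=True)
class AccessGrant:
    user_id: str
    resource: str                  # constructed names, e.g. "dc-proximity-card"
    granted: date
    revoked: Optional[date]        # None while the grant is still active


@dataclass(frozen=True)
class Finding:
    user_id: str
    resource: str
    issue: str


# Assumed policy (not from the report): which roles need which access to do their job.
ROLE_ACCESS: Dict[str, Set[str]] = {
    "datacentre-tech": {"dc-proximity-card", "prod-segment-vpn"},
    "oc-operator": {"dc-proximity-card", "prod-segment-vpn"},
    "security-analyst": {"prod-segment-vpn"},
    "sales": set(),
}


def reconcile(people: List[Person], grants: List[AccessGrant], as_of: date) -> List[Finding]:
    """Compare the HR roster against the access list and return what a reviewer would flag."""
    roster = {p.user_id: p for p in people}
    findings: List[Finding] = []
    for g in grants:
        person = roster.get(g.user_id)
        if person is None:
            # Access holder unknown to HR: no evidence the grant was ever authorized.
            findings.append(Finding(g.user_id, g.resource, "no HR record for access holder"))
            continue
        if person.terminated is not None:
            # Control 1.5: revocation must be no later than the termination date.
            if g.revoked is None or g.revoked > person.terminated:
                findings.append(Finding(g.user_id, g.resource, "access not revoked on termination"))
            continue
        still_active = g.revoked is None or g.revoked > as_of
        if not still_active:
            continue
        # Controls 1.6 / 2.2: every active grant must be justified by the current role.
        if g.resource not in ROLE_ACCESS.get(person.role, set()):
            issue = "access not required by current role"
            if person.role_changed is not None and g.granted < person.role_changed:
                issue += " (granted before role change)"
            findings.append(Finding(g.user_id, g.resource, issue))
    return findings


# Constructed sample roster and access list for a review as of the period end.
REVIEW_DATE = date(2009, 11, 30)

SAMPLE_PEOPLE = [
    Person("alice", "datacentre-tech", None, None),
    Person("bob", "oc-operator", date(2009, 8, 14), None),   # terminated mid-period
    Person("carol", "sales", None, date(2009, 9, 1)),        # moved out of the OC
    Person("dave", "security-analyst", None, None),
]

SAMPLE_GRANTS = [
    AccessGrant("alice", "dc-proximity-card", date(2009, 6, 10), None),
    AccessGrant("bob", "dc-proximity-card", date(2008, 2, 1), date(2009, 8, 20)),  # six days late
    AccessGrant("bob", "prod-segment-vpn", date(2008, 2, 1), date(2009, 8, 14)),   # same day: fine
    AccessGrant("carol", "prod-segment-vpn", date(2009, 3, 2), None),             # stale after move
    AccessGrant("dave", "prod-segment-vpn", date(2009, 7, 1), None),
    AccessGrant("ghost", "dc-proximity-card", date(2009, 5, 5), None),            # nobody in HR
]


if __name__ == "__main__":
    for f in reconcile(SAMPLE_PEOPLE, SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{f.user_id:<8} {f.resource:<18} {f.issue}")
```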


2.3 Physical security incidents and exceptions are reviewed by the Security Team. Reported physical security incidents that are classified as major in the Request Management System (RMS) are escalated to the Vice-President Operations.

1. Inquiry: The service auditor inquired with Fusepoint’s Director of Security to verify that the Fusepoint Security Team reviewed physical security incidents at the Mississauga Data Centre and physical security incidents classified as major were escalated to the Vice-President Operations. Results: No instances of the control activity were identified in the audit period.

2.4 Visitors to the data centre must be pre-authorized, and must sign in before being granted physical access to the data centre.

1. Inquiry: The service auditor inquired with Fusepoint Operations Centre staff at the Mississauga Data Centre to confirm that all visitors must sign in at reception and obtain a visitor’s pass. Results: No relevant exceptions noted.

2. Inspection: The service auditor inspected visitor sign-in sheets for the Mississauga Data Centre for a sample of visitors in the period between June 1, 2009 and November 30, 2009 to verify that those visitors had been pre-authorized with an RMS ticket. Results: No relevant exceptions noted.

2.5 The servers and other equipment for Managed Services (as opposed to Co-located servers) can only be physically accessed by authorized Fusepoint staff.

1. Observation: The service auditor visited the Mississauga Data Centre and confirmed the following. Physical controls that restrict access to servers and other Managed Services equipment ensure that only authorized Fusepoint staff have access. Results: No relevant exceptions noted.


3.0 Controls provide reasonable assurance that computer hardware and equipment are protected against fire and environmental damage.

Fusepoint control activity Grant Thornton test of control Results

3.1 A fire detection and suppression system has been placed in operation in the data centre. Testing of fire detection and suppression equipment is performed at least annually.

2. Observation/Inspection: The service auditor observed that Fire Detection and Suppression systems are installed in the Mississauga Data Centre. The service auditor inspected equipment maintenance documents to determine that fire detection is tested annually. Results: No relevant exceptions noted.

3.2 Alarm panels and alerts are in place to monitor and detect facility environmental settings, such as temperature and moisture.

1. Observation/Inquiry: The service auditor visited the Mississauga Data Centre. Through observation and inquiry with Fusepoint personnel, the service auditor verified that alarm panels and alerts are in place to monitor facility environmental settings, such as temperature and moisture. Results: No relevant exceptions noted.

2. Observation: The service auditor observed that automated systems are used by Operations Centre personnel for monitoring. Results: No relevant exceptions noted.

3.3 Climate control systems regulate air temperature within the computer rooms. Temperature monitoring equipment continuously monitors environmental conditions.

1. Observation/Inquiry: The service auditor observed that air conditioning units were deployed in the computer room to regulate air temperature at the Mississauga Data Centre. The service auditor observed that fail-over units for the same exist by way of separate chiller units and Air Handling Units. Through inquiry with Fusepoint personnel, the service auditor confirmed that these provide redundancy through automatic fail-over. The service auditor established that temperature sensors send out automated alarm notifications in case defined temperature thresholds are crossed. Results: No relevant exceptions noted.


3.4 There are separate climate control units in place to protect against failure of individual units. An automated monitoring system is in place to alarm computer operations employees in the event of failure of the environmental control equipment in the computer room.

1. Observation: The service auditor visited the Mississauga Data Centre and observed that fail-over units are in place for climate control. Results: No relevant exceptions noted.

2. Inspection: For the Mississauga Data Centre, the service auditor inspected evidence to verify that automated monitoring systems alert computer operations employees via email in the event of a failure in environmental control equipment. Results: No relevant exceptions noted.

3.5 An equipment and facilities maintenance program that includes at least annual maintenance and/or testing is in place to ensure that the facilities and equipment are kept in working order.

1. Inspection: For the Mississauga Data Centre, the service auditor inspected lease agreement/other lease contracts to determine that the lease agreement contains provisions for repair to facilities, building structure, etc. Specifically, the service auditor made note of the lease date to determine that contracts have been updated as required in the lease deed. The service auditor inspected evidence of inspection/maintenance carried out on the electrical, fire detection & suppression systems, and power backup equipment. Results: No relevant exceptions noted.


4.0 Controls provide reasonable assurance that continuous power is provided to the data centre and its systems.

4.1 Control activity: An uninterruptible power supply and diesel generator provide backup power to all essential operations and systems, including the computer room. These systems are tested on at least a quarterly basis, and after any significant change to power infrastructure.

Test of control:
1. Inspection: The service auditor inspected evidence by way of maintenance reports and filled-in checklists from the period June 1, 2009 to November 30, 2009 and confirmed that regular testing of the system is carried out at the Mississauga Data Centre.
Result: Exceptions noted. On July 20, 2009, the power transfer scheme for the Mississauga Data Centre did not perform as expected when an abnormal power failure with Enersource (Mississauga Hydro), caused by a cable fault, occurred. The data centre lost power when the UPS batteries were depleted and the generators, although available to run, were prevented from properly delivering power to the UPS system, resulting in an exception for this control activity.
Fusepoint has increased the frequency of testing on the uninterruptible power supply from an annual basis to a quarterly basis to ensure that the uninterruptible power supply and diesel generator provide backup power and to avoid re-occurrence of power loss such as the July 20, 2009 event. Additionally, Fusepoint will perform testing on the systems after any significant change to power infrastructure.

4.2 Control activity: A daily review of power systems is performed to ensure that there is sufficient power capacity for the data centre.

Test of control:
1. Inquiry: The service auditor inquired with the facilities staff at the Mississauga Data Centre to confirm that a daily review of power systems is performed to ensure that there is sufficient power capacity for each data centre.
Result: No relevant exceptions noted.
2. Inspection: For the Mississauga Data Centre, the service auditor inspected evidence to verify that power use is regularly compared to the power capacity and growth forecasting is performed.
Result: No relevant exceptions noted.


5.0 Controls provide reasonable assurance that inadvertent or unauthorized access to customers’ data and programs is prevented or detected.

5.1 Control activity: Production servers and equipment are located on restricted access network segments, and automated authentication controls are in place to restrict access to these network segments to authorized personnel.

Test of control:
1. Inspection/Observation: The service auditor inspected network diagrams to confirm the existence of restricted access network segments. It was observed that a user ID, password, and RSA token were required to access production servers on restricted networks.
Result: No relevant exceptions noted.
2. Observation: The service auditor observed the Systems Administrator logging into a restricted network segment to verify that automated authentication controls are in place to restrict access to production servers and equipment to authorized personnel only.
Result: No relevant exceptions noted.

5.2 Control activity: Only authorized staff groups within Fusepoint have logical access to restricted access network segments, production data, programs or resources. Logical access is only possible through Fusepoint’s offices, or through VPN using two-factor authentication. Fusepoint staff use unique user IDs to access programs and data.

Test of control:
1. Inspection: The service auditor inspected the user access controls to determine whether they are configured so that only authorized staff groups have access. A sample of access logs was reviewed to determine whether only users in authorized staff groups have access to the restricted network segment.
Result: No relevant exceptions noted.
2. Observation: The service auditor observed that the use of a VPN using two-factor authentication is required, unless the user is physically in Fusepoint’s offices.
Result: No relevant exceptions noted.
3. Observation/Inquiry: The service auditor observed system configurations and inquired with Fusepoint personnel to verify that unique user IDs are required to access programs and data.
Result: No relevant exceptions noted.
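One way to script the access-log review described under 5.2 (authorized staff groups only; two-factor VPN unless in the office). This is an added example, not code from Fusepoint or Grant Thornton; the staff groups, membership table and log format are constructed for illustration.

```python
"""Access-log review for a restricted network segment, modelled on control 5.2
(added example; groups, membership and log lines below are constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: staff groups permitted on the restricted segment, and who is in which group.
AUTHORIZED_GROUPS = {"sysadmin", "security"}
GROUP_MEMBERSHIP = {
    "alice": {"sysadmin"},
    "bob": {"security"},
    "carol": {"helpdesk"},
    "dave": {"sysadmin", "helpdesk"},
}

# Constructed access log: one logon attempt per line.
SAMPLE_LOG = """\
2009-09-14T08:02:11 user=alice src=office auth=password,token result=success
2009-09-14T09:15:40 user=carol src=vpn auth=password,token result=success
2009-09-14T10:01:03 user=bob src=vpn auth=password result=success
2009-09-14T11:22:57 user=dave src=vpn auth=password,token result=success
2009-09-14T12:45:00 user=mallory src=vpn auth=password,token result=failure
2009-09-14T13:05:19 user=alice src=vpn auth=token,password result=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) auth=(?P<auth>\S+) result=(?P<result>\S+)$"
)
TWO_FACTOR = {"password", "token"}  # both factors required for remote (VPN) access


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str


def review_access_log(log: str, membership: dict[str, set[str]],
                      authorized: set[str]) -> list[Finding]:
    """Flag successful logons that break control 5.2: a user outside every
    authorized staff group, or remote access without both factors."""
    findings: list[Finding] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding("-", "-", f"unparseable log line: {line!r}"))
            continue
        ts, user, src, auth, result = m.group("ts", "user", "src", "auth", "result")
        if result != "success":
            continue  # failed attempts are alerted on under control 5.5, not reviewed here
        if not membership.get(user, set()) & authorized:
            findings.append(Finding(ts, user, "logon by a user outside the authorized staff groups"))
        if src != "office" and not TWO_FACTOR <= set(auth.split(",")):
            findings.append(Finding(ts, user, f"remote logon without two-factor authentication (auth={auth})"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, GROUP_MEMBERSHIP, AUTHORIZED_GROUPS):
        print(f"{f.ts} {f.user}: {f.reason}")
```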


5.3 Control activity: Annual reviews of logical access privileges are performed.

Test of control:
1. Inspection/Inquiry: The service auditor inspected documentation and inquired with the Security Team to verify that reviews are a part of the regular Internal Security Audit.
Result: No relevant exceptions noted.

5.4 Control activity: The Security Team monitors and assesses new security alerts and advisories. Patches and other fixes are applied according to the priority level assigned by the Security Team.

Test of control:
1. Inspection: The service auditor inspected a sample of alerts related to vulnerability/patch information published by vendors and advisory services and the corresponding Fusepoint Security Bulletins (FSB). The service auditor also confirmed that the alerts were assigned and applied based on priority level.
Result: No relevant exceptions noted.

5.5 Control activity: Event log monitoring tools for operating systems, firewalls and Intrusion Detection Systems (IDSs) are configured to send alerts on unauthorized access attempts and other unusual events to the Netcool Application monitored by the OC.

Test of control:
1. Inspection/Inquiry: The service auditor inspected a sample of automated alerts from the Netcool application regarding unauthorized access attempts and other unusual events that were generated by the event log monitoring system. The service auditor also inquired with OC personnel to verify that they use Netcool for monitoring.
Result: No relevant exceptions noted.

5.6 Control activity: An automated security incident escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level. Incidents that are not responded to within the defined timeline are automatically escalated to the next staff level by the Netcool Application.

Test of control:
1. Inspection: The service auditor inspected RMS configuration settings to confirm that an automated security incident escalation procedure is enforced by the RMS, requiring Fusepoint staff to respond to incidents within documented timelines depending on their priority level.
Result: No relevant exceptions noted.
2. Inspection: For the Mississauga Data Centre, the service auditor inspected configuration settings for the Netcool Application to ensure that incidents that are not responded to within the defined timeline are automatically escalated to the next staff level.
Result: No relevant exceptions noted.
3. Inquiry/Inspection: The service auditor confirmed that administrative access at both the application and the operating system level for both the RMS and Netcool is restricted to appropriate personnel.
Result: No relevant exceptions noted.

5.7 Control activity: Pertinent anti-virus engines and signatures are installed on the Windows-based servers, and signatures are updated daily.

Test of control:
1. Inspection: The service auditor inspected a sample of Windows-based servers in the Mississauga Data Centre to verify that the anti-virus solution was installed and that the signature was not out of date.
Result: No relevant exceptions noted.

5.8 Control activity: Firewalls are in place to prevent unauthorized network traffic, and to separate Fusepoint’s network into multiple zones.

Test of control:
1. Inspection: The service auditor inspected network diagrams for the Mississauga Data Centre. It was verified that there are several levels of access controls and that networks have been segmented into multiple zones.
Result: No relevant exceptions noted.

5.9 Control activity: Firewall rules are reviewed quarterly.

Test of control:
1. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets from the period June 1, 2009 to November 30, 2009 to confirm that reviews of the firewall rules were performed quarterly.
Result: No relevant exceptions noted.


5.10 Control activity: Intrusion Detection Systems are in place to detect unauthorized or suspicious traffic and send alerts to the Netcool Application monitored by the OC.

Test of control:
1. Inspection/Inquiry: For the Mississauga Data Centre, the service auditor inspected evidence that the Netcool application received alerts from the IDS, and that RMS tickets were subsequently created for those alerts.
Result: No relevant exceptions noted.


6.0 Controls provide reasonable assurance that modifications to system software and infrastructure are authorized.

6.1 Control activity: Change requests can only be made by authorized customer personnel or authorized Fusepoint staff.

Test of control:
1. Observation/Inquiry: For the Mississauga Data Centre, the service auditor inquired with Fusepoint personnel and observed that changes can only be requested through Fusepoint’s Request Management System (RMS). The service auditor also observed that only customers or authorized Fusepoint staff can access the RMS, which is restricted through authentication controls.
Result: No relevant exceptions noted.

6.2 Control activity: Changes are reviewed and then signed off by the appropriate Team Lead, and finally approved by the Fusepoint Change Advisory Board or Vice President of Operations.

Test of control:
1. Inspection: For the Mississauga Data Centre, the service auditor inspected documentation related to a sample of change requests to verify that the change requests have been reviewed and signed off by the appropriate Team Lead and then approved.
Result: No relevant exceptions noted.

6.3 Control activity: Changes are supported by back-out plans to enable recovery in the event of problems being encountered during implementation.

Test of control:
1. Inspection: For the Mississauga Data Centre, the service auditor inspected documentation related to a sample of changes between June 1, 2009 and November 30, 2009. From the documentation, the service auditor verified that the change description included a back-out plan in the event of a problem being encountered during implementation of the change.
Result: No relevant exceptions noted.

6.4 Control activity: Fusepoint personnel are not responsible for or involved in performing any financial reporting processes or internal controls related to financial reporting for any Fusepoint customer or any Fusepoint customer’s applications.

Test of control:
1. Inquiry/Inspection: For the Mississauga Data Centre, the service auditor inquired with the Security and Operation Teams, and inspected documented job descriptions to confirm that they did not perform any financial reporting processes or internal controls for a customer.
Result: No relevant exceptions noted.

2. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets assigned to the Security or Operation Teams and confirmed that they did not perform any financial reporting processes or internal controls for a customer.
Result: No relevant exceptions noted.


7.0 Controls provide reasonable assurance that change requests are addressed on a timely basis.

7.1 Control activity: An automated change escalation procedure is enforced by the Request Management System (RMS), requiring Fusepoint staff to address change requests within documented timelines depending on their priority level. Change requests that are not responded to within the defined timeline are automatically escalated to the next staff level by the RMS.

Test of control:
1. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets to confirm that security escalation procedures were followed for security incidents, and that the priority levels assigned were in accordance with established procedures.
Result: No relevant exceptions noted.
2. Inspection: For the Mississauga Data Centre, the service auditor inspected a sample of RMS tickets to verify that hardware and software issues were logged in the RMS ticketing system and were escalated according to problem severity.
Result: No relevant exceptions noted.
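The escalation rule that controls 5.6 (security incidents) and 7.1 (change requests) both rely on, written out as a check a reviewer could run against ticket data: every unanswered ticket climbs one staff level for each documented response interval that has passed, and tickets carrying a priority outside the procedure are reported separately (cf. 7.1 test 1). This is an added example, not Fusepoint's RMS or Netcool configuration; the response targets, staff levels and tickets are constructed.

```python
"""Priority-based escalation check modelled on controls 5.6 and 7.1 (added
example; targets, staff levels and tickets are constructed, not Fusepoint's)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed response-time target per priority level, and the staff levels a
# ticket climbs through; index 0 is the original assignee.
RESPONSE_TARGETS = {"P1": timedelta(minutes=15), "P2": timedelta(hours=1),
                    "P3": timedelta(hours=4), "P4": timedelta(hours=24)}
STAFF_LEVELS = ["on-call analyst", "team lead", "operations manager",
                "vice president of operations"]
NOW = datetime(2009, 9, 14, 9, 35)  # constructed "current time" for the run


@dataclass
class Ticket:
    ticket_id: str
    priority: str
    opened: datetime
    responded: Optional[datetime] = None  # None: nobody has responded yet
    level: int = 0                        # index into STAFF_LEVELS
    escalations: list[str] = field(default_factory=list)


def invalid_priorities(tickets: list[Ticket]) -> list[str]:
    """Ids of tickets whose priority is not a documented level (cf. 7.1 test 1)."""
    return [t.ticket_id for t in tickets if t.priority not in RESPONSE_TARGETS]


def escalate_overdue(tickets: list[Ticket], now: datetime) -> list[str]:
    """Raise each unanswered ticket one staff level for every full target
    interval elapsed since it was opened; return the escalation log."""
    events = []
    for t in tickets:
        if t.responded is not None or t.priority not in RESPONSE_TARGETS:
            continue  # answered, or already reported by invalid_priorities()
        elapsed = now - t.opened
        due = min(elapsed // RESPONSE_TARGETS[t.priority], len(STAFF_LEVELS) - 1)
        while t.level < due:  # one hop at a time so every escalation is recorded
            t.level += 1
            msg = (f"{t.ticket_id} ({t.priority}) unanswered for {elapsed}; "
                   f"escalated to {STAFF_LEVELS[t.level]}")
            t.escalations.append(msg)
            events.append(msg)
    return events


def sample_tickets() -> list[Ticket]:
    """Constructed tickets, all opened on the morning of NOW."""
    d = datetime(2009, 9, 14)
    return [
        Ticket("RMS-1001", "P1", d.replace(hour=9), responded=d.replace(hour=9, minute=10)),
        Ticket("RMS-1002", "P1", d.replace(hour=9)),  # 35 min unanswered: two P1 intervals
        Ticket("RMS-1003", "P3", d.replace(hour=6)),  # 3 h 35 min, inside the 4 h target
        Ticket("RMS-1004", "P2", d.replace(hour=8)),  # 1 h 35 min, past the 1 h target
        Ticket("RMS-1005", "P9", d.replace(hour=8)),  # priority not in the procedure
    ]


if __name__ == "__main__":
    tickets = sample_tickets()
    print("priorities outside the procedure:", invalid_priorities(tickets))
    print("\n".join(escalate_overdue(tickets, NOW)))
```

Running the check twice at the same time produces no new events, so it can be scheduled repeatedly and only report genuine hops.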


8.0 Controls provide reasonable assurance that backups for recovering software and data files are maintained in the event of a disruption or a disaster.

8.1 Control activity: Daily incremental backups and weekly full backups are performed with one copy kept on-site and a duplicate copy kept off-site.

Test of control:
1. Observation/Inspection: For the Mississauga Data Centre, the service auditor observed the configuration of the backup system to confirm that backups are made according to the defined schedule. The service auditor also inspected media dispatch records for a sample of days between June 1, 2009 and November 30, 2009 to verify that duplicate backup copies were sent to an off-site location.
Result: No relevant exceptions noted.

8.2 Control activity: Off-site data is stored in a protected environment. Backups are sent off-site daily, and the Network Operation Centre (OC) personnel are responsible for shipping and receiving tapes.

Test of control:
1. Inquiry: For the Mississauga Data Centre, the service auditor inquired with OC personnel on the procedures for shipping and receiving tapes to and from the off-site storage location.
Result: No relevant exceptions noted.

8.3 Control activity: Off-site tape counts are reconciled with on-site records at least annually.

Test of control:
1. Inspection: For the Mississauga Data Centre, the service auditor inspected an RMS ticket documenting the annual reconciliation of off-site and on-site tape counts.
Result: No relevant exceptions noted.

8.4 Control activity: Backups are tested using backup media integrity checks during the backup process.

Test of control:
1. Inspection: For the Mississauga Data Centre, the service auditor inspected RMS records regarding media check alerts.
Result: No relevant exceptions noted.