Illustrative SOC for Supply Chain Report

Appendix E

Illustrative SOC for Supply Chain Report (Including Entity Management's Assertion, Accountant's Report, and Illustrative Description of the System)

This appendix is nonauthoritative and is included for informational purposes only.

Note to Readers: In the following illustrative SOC for Supply Chain report, Company X has engaged the practitioner to examine and report on the description of the system that manufactures and distributes widgets and the effectiveness of controls therein, which are necessary to provide reasonable assurance that the company's principal system objectives were achieved based on the applicable trust services criteria relevant to security and availability.

This illustrative report assumes that, as discussed in the description in section 3, the components received from Company Y are a critical part of Company X's manufacture of its widgets. Company X management has decided to use the carve-out method for Company Y, and the assertion and report include certain disclosures related to Company Y and the complementary supplier controls that it is expected to have in place.

Report on Company X's Description of Its Widget Manufacturing and Distribution System and on the Effectiveness of Its Controls Relevant to Security and Availability Throughout the Period January 1, 20XX, to December 31, 20XX

CONTENTS

Section 1 — Assertion of Company X's Management

Section 2 — Independent Accountant's Report

Section 3 — Company X's Description of Its Widget Manufacturing and Distribution System

Manufacturing and Distribution System

Principal System Objectives

Components of the System

Infrastructure

Software

People

Procedures

Data

Materials

©2020, AICPA AAG-SSC APP E


Section 4 — Trust Services Categories, Criteria, Related Controls, and Tests of Controls

Applicable Trust Services Criteria Relevant to Security and Availability

Section 5 — Other Information Provided by Company X Management That Is Not Covered by the Accountant's Report


Section 1 — Assertion of Company X's Management

[Company X's Letterhead]

Assertion of Company X Management

We have prepared the accompanying description of Company X's widget manufacturing and distribution system (system) in section 3 titled "Company X's Description of Its Widget Manufacturing and Distribution System Throughout the Period January 1, 20XX, to December 31, 20XX," (description) based on the criteria for a description of a company's system in DC section 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report, in AICPA Description Criteria (description criteria). The description is intended to provide report users with information about the system, including the effectiveness of controls stated therein, that may be helpful when assessing their risks arising from Company X's manufacture and distribution of widgets.

We have also evaluated whether the controls stated in the description, which are necessary to provide reasonable assurance that Company X achieved its principal system objectives, were effective throughout the period January 1, 20XX, to December 31, 20XX, based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, in AICPA Trust Services Criteria.

We assert that:

• The description presents Company X's system that was designed and implemented throughout the period January 1, 20XX, to December 31, 20XX, in accordance with the description criteria.

• Based on the evaluation described in the preceding paragraph, the controls stated in the description, which are necessary to provide reasonable assurance that Company X achieved its principal system objectives, were effective throughout the period January 1, 20XX, to December 31, 20XX, based on the applicable trust services criteria.

Section 2 — Independent Accountant's Report

To: Company X

Scope

We have examined:

• Company X's accompanying description of its widget manufacturing and distribution system (system) titled "Company X's Description of Its Widget Manufacturing and Distribution System Throughout the Period January 1, 20XX, to December 31, 20XX," (description) based on the criteria for a description of a company's system in DC section 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report, in AICPA Description Criteria (description criteria), and

• The effectiveness of controls stated in the description, which are necessary to provide reasonable assurance that Company X's principal system objectives were achieved throughout the period January 1, 20XX, to December 31, 20XX, based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, in AICPA Trust Services Criteria.

Entity Management's Responsibilities

Company X is responsible for establishing the system objectives; identifying the risks that threaten the achievement of the system objectives; and designing, implementing, and operating effective controls within the system to provide reasonable assurance that Company X's principal system objectives are achieved. Company X is also responsible for selecting the applicable trust services category or categories, preparing the description, and stating the controls in the description. Company X has provided the accompanying assertion titled "Assertion of Company X Management" (assertion) about the description and the effectiveness of controls stated therein.

Accountant's Responsibilities

Our responsibility is to express an opinion on the description and on the effectiveness of controls stated in the description, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is presented in accordance with the description criteria and the controls stated therein, which are necessary to provide reasonable assurance that the company achieved its principal system objectives, were effective based on the applicable trust services criteria.

An examination of the description of a company's system and effectiveness of controls involves the following:

• Obtaining an understanding of the system and the company's principal system objectives

• Assessing the risks that the description is not presented in accordance with the description criteria and that controls were not effective

• Performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria

• Performing procedures to obtain evidence about whether controls stated in the description, which are necessary to provide reasonable assurance that the company achieved its principal system objectives, were effective based on the applicable trust services criteria

• Evaluating the overall presentation of the description.

Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Our examination did not involve performing procedures to obtain evidence about the quality of the goods produced by the system to determine whether those goods met product performance specifications, nor did it involve performing procedures to obtain evidence about whether other system objectives were achieved. Therefore, the opinion expressed below relates only to the effectiveness of controls necessary to provide reasonable assurance that the company achieved its principal system objectives and should not be considered a warranty or guarantee that the goods meet those specifications. Furthermore, we do not express an opinion on the fitness for purpose or the commercial viability of the goods.

Inherent Limitations

The description is prepared to meet the common needs of intended users and may not, therefore, include every aspect of the system that individual users may consider important to meet their informational needs.

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention of controls. Because of their nature, controls may not always be effective to provide reasonable assurance that the company's principal system objectives are achieved. Also, the projection to the future of any conclusions about the effectiveness of controls is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the Company's policies or procedures may deteriorate.

Furthermore, the goods produced, manufactured, or distributed may be subject to rates of failure that have been deemed acceptable based on the principal system objectives. For those reasons, such goods may not always be free of defects.

Description of Tests of Controls

The specific controls we tested, and the nature, timing, and results of those tests, are listed in section 4, "Trust Services Categories, Criteria, Related Controls, and Tests of Controls," in columns 2, 3, and 4, respectively.

Opinion

In our opinion, in all material respects,

a. the description presents Company X's system that was designed and implemented throughout the period January 1, 20XX, to December 31, 20XX, in accordance with the description criteria; and

b. the controls stated in the description, which are necessary to provide reasonable assurance that Company X achieved its principal system objectives, were effective throughout the period January 1, 20XX, to December 31, 20XX, based on the applicable trust services criteria.

Restricted Use

This report, including the description of tests of controls and results thereof in section 4, is intended solely for the information and use of Company X, its business customers and business partners, accountants providing services to such business customers and business partners, and prospective business customers and business partners, who have sufficient knowledge and understanding of the following:

• The nature of the goods produced, manufactured, or distributed by the company

• Internal control and its inherent limitations

• The applicable trust services criteria

• The risks that may threaten the achievement of the company's principal system objectives and how controls address those risks

This report is not intended to be, and should not be, used by anyone other than these specified parties.

[Accountant's signature]

[Accountant's city and state]

[Date of accountant's report]

Section 3 — Company X's Description of Its Widget Manufacturing and Distribution System

Note to Readers: The following illustrative system description is for illustrative purposes only and is not meant to be prescriptive. For illustrative purposes, the description is organized by description criteria; however, there is no prescribed format for the description of a system. For brevity, the description does not include everything that might be included in the description of the entity's system. It also does not include a complete discussion of the processes and controls Company X designs, implements, and operates to achieve its principal system objectives for availability. Ellipses (...) or notes to readers indicate places where detail has been omitted from the illustration.

Widget Manufacturing and Distribution

Company X (Company X or the Company), located in Weehawken, NJ, is a manufacturer of widgets. Company X's widgets are an integral component of autonomous vehicles manufactured by various automobile and truck original equipment manufacturers (OEMs). Widgets are provided to the OEMs for use in manufacturing and replacement parts. The Company currently does not provide widgets to the aftermarket parts industry. The widgets are the only product manufactured by the Company, and all widgets are made within the Weehawken facility.

Company X's widgets are built to meet or exceed the physical and functional specifications for the widgets described in the Company's technical specifications, which are available to OEM customers through the customer web portal. The widgets comprise both a physical device and embedded software, which is configured during the manufacturing process. The source code for the software used in the widgets is supplied by Company Y Software and then customized and configured for purpose during the manufacturing process by Company X employees. Supplies of other raw materials used in the manufacturing process come from various sources throughout the world.

The Company maintains controls throughout the manufacturing process to help ensure its availability commitments are met and performs periodic testing on a sample of outputs to ensure that its widgets meet the published specifications related to security and processing integrity.

The Company provides its customers with a limited warranty over product functionality, which includes a statement that the widgets are free from known software defects or intentionally embedded malicious code. Each widget model is designed to meet the laws and regulations of specific countries. The countries for which each model is intended are set forth in the product documentation for the model. Widgets are also designed to comply with ISO/TS 16949 requirements and other industry standards listed by model in the product documentation.

Upon completion of widget manufacturing, the widgets are stored in two company-owned, on-site loading and storage facilities located in Edison, NJ, and New Brunswick, NJ. Company X has warehouse and inventory management systems in place to ensure widgets are tracked and processed completely and accurately, ensuring they are available per the Company's availability commitments. The widgets are distributed by various contracted distribution logistics companies. Company X does not own or control the distribution companies. Widgets are shipped to customers with full insurance coverage.

Principal System Objectives

Company X's ability to achieve its overall business objectives depends, in large part, on its ability to meet its commitments to customers with respect to products that achieve product performance specifications and related delivery commitments.

The technical product specifications include:

• Physical: Interface criteria, weight, durability, environmental (i.e., ability to withstand heat, dust, and humidity conditions), and power specifications

• Performance: Specific requirements regarding the digital performance of the widget for the purposes stated in product documentation

• Use limitations: The terms and conditions place specific limitations on the use of the product for purposes other than those for which the products were designed.

Company X warrants performance of its widgets to the specifications applicable at the time of sale, in accordance with the warranty included in the supplier contract with the OEM.

To that end, Company X has made the following commitments to its customers:

• Company X will produce widgets that meet or exceed the physical and functional specifications that are (a) provided as part of the ordering process or (b) described in the related product documentation. Programmed firmware contained within Company X's widgets is free of known software defects that would prevent the widgets from meeting product performance specifications and does not contain any intentionally embedded malicious code.

• Company X will provide firmware updates to OEMs for 15 years beyond the product release date for any software defects identified that prevent the widgets from meeting product performance specifications.

• Widget models are designed to comply with local and national regulations as set forth in product documentation. Company X's widgets are designed to comply with industry standards as listed in the terms and conditions of sale, including ISO/TS 16949 requirements.

• Company X recognizes that fulfilling manufacturing and distribution requirements is critical to customers' ability to fulfill their own commitments. To that end, Company X's sales orders contain financial incentives for meeting delivery commitments and contractual penalties for failure to meet agreed-upon quantities and delivery deadlines.

• Company X recognizes that the timely provision of widgets to customers includes the secure storage, distribution, and delivery of products. Company X commits to maintain distribution contracts in each of the applicable service areas and includes controls to monitor timeliness and quality of distribution. Storage and distribution facilities are protected against physical loss or theft of products that might affect the achievement of the Company's security and/or availability commitments.

• As part of Company X's customer-specific design and production processes, the Company regularly receives information from customers that is considered customer proprietary and sensitive. Company X has established internal data-handling processes to safeguard proprietary customer data from intentional and/or unintentional disclosure, including protection of:

— Customer trade secrets (e.g., electronic specifications, manufacturing plans, semiconductors, distribution arrangements)

— Customer purchase quantities and delivery criteria

— Other proprietary elements as identified by customers at the time of sale

• In the ordinary course of business, Company X does not receive personally identifiable information regarding the end-users of derivative products (e.g., autonomous vehicles). In limited circumstances, the Company may receive widgets that have been removed from end-user vehicles in order to perform diagnostic testing and quality analysis. Any information contained in such widgets is treated as confidential information of the OEM in accordance with the terms of the contract between Company X and the OEM.

• Company X has established specific manufacturing system objectives that are reviewed at each Board of Directors (Board) meeting (e.g., Improving Quality, Managing Cybersecurity Risk, Reducing Costs, Increasing Flexibility, Improving Sustainability). This report addresses the controls relevant to the following principal system objectives:

— Manufacturing of widgets in accordance with product performance specifications

— Meeting product availability commitments

— Managing cybersecurity risk to an acceptable level to support the production of widgets in accordance with specifications, meet product availability commitments, and protect confidential information used in the production process from unauthorized use or disclosure

Description of Company X Software Assurance Process, as Applied to Sourced Embedded Software

Company X follows a stringent set of software quality and security assurance checks with respect to its own software, as well as that of its suppliers.

Company Y software embedded onto the widget is subject to these software quality and security assurance checks to ensure the software is safe and secure for operation. The software assurance process includes use case testing for functionality, load and stress testing to simulate peak performance conditions, and penetration and fuzz testing to identify and remove security flaws. Company X also receives a structural quality certification of the embedded software from Company Y based on the CISQ standard and the OWASP Top 10, to minimize the risk of latent security vulnerabilities, performance degradations, and failure modes. Both the testing and the certification of structural quality are performed for each major and minor release of the embedded software.

Identified System Incidents

During the period under assessment, the Company experienced an incident in which an online intruder gained access, through a previously unknown operating system vulnerability in the server used to update a supplier's software, to the server used to store and configure the embedded software used in its widgets. The intruder used the access to make unauthorized changes to the software and configuration parameters to be loaded in the widgets. The attack was detected approximately 66 hours after the unauthorized access was obtained and was remediated within 5 days of detection. Company X ceased the manufacturing of widgets during the 5-day period and recalled all widgets that were loaded with the software from the time of initial unauthorized access through the remediation of the incident. The Company reconciled serial numbers of all recalled and unshipped widgets to manufacturing records without exception. Based on this reconciliation, management believes that all widgets with the unauthorized software have been accounted for. All of these widgets were subsequently destroyed under controlled conditions.

As part of the remediation, Company X reinstalled the operating system and applications from a backup made prior to the incident and applied the software patch provided by the operating system supplier.
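The serial-number reconciliation described above, as an added example that is not part of the illustrative report or of Company X's systems. It assumes, hypothetically, that each manufacturing record carries the serial number, the time the embedded software was loaded, and a SHA-256 hash of the image that was loaded, and that Company X keeps a manifest of certified image hashes; the records, timestamps, hashes, serial numbers and recall lists are all constructed. The time-window reconciliation is the check the report describes. The hash comparison goes beyond it: it flags any unit carrying a non-certified image regardless of when it was loaded, so the "without exception" result does not rest on the accuracy of the initial-access timestamp alone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class LoadRecord:
    """One manufacturing record: which image was loaded into which widget, and when."""
    serial: str
    loaded_at: datetime
    image_sha256: str


# Assumption (not stated in the report): Company X keeps a manifest of the SHA-256
# hashes of certified embedded-software builds. Both hashes below are constructed.
APPROVED_IMAGE_HASHES = {
    hashlib.sha256(b"widget-fw-2.3.1 certified build").hexdigest(),
}
TAMPERED_IMAGE_HASH = hashlib.sha256(b"widget-fw-2.3.1 with unauthorized changes").hexdigest()


def parse_load_records(text):
    """Parse constructed CSV lines: serial,ISO-8601 load timestamp,sha256 of loaded image."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        serial, stamp, digest = (field.strip() for field in line.split(","))
        records.append(LoadRecord(serial, datetime.fromisoformat(stamp), digest))
    return records


def incident_window(initial_access, detected_at, remediated_at):
    """Recall window (initial access through remediation) plus the two durations cited."""
    hours_to_detect = (detected_at - initial_access) / timedelta(hours=1)
    days_to_remediate = (remediated_at - detected_at) / timedelta(days=1)
    return initial_access, remediated_at, hours_to_detect, days_to_remediate


def reconcile(records, recalled, unshipped, window_start, window_end):
    """Set-difference reconciliation of widgets loaded in the window against the
    recalled and unshipped lists, plus an image-hash check independent of the window.

    'unaccounted' is the exception list the report says was empty; 'unapproved_build'
    finds units carrying a non-certified image regardless of when they were loaded.
    """
    in_window = {r.serial for r in records if window_start <= r.loaded_at <= window_end}
    accounted = set(recalled) | set(unshipped)
    unapproved = {r.serial for r in records if r.image_sha256 not in APPROVED_IMAGE_HASHES}
    return {
        "in_window": in_window,
        "unaccounted": in_window - accounted,
        "outside_window": accounted - in_window,
        "unapproved_build": unapproved,
        "unapproved_not_accounted": unapproved - accounted,
    }


# Constructed timeline using the report's figures: detection 66 hours after initial
# access, remediation 5 days after detection.
INITIAL_ACCESS = datetime(2020, 3, 2, 9, 0)
DETECTED_AT = INITIAL_ACCESS + timedelta(hours=66)
REMEDIATED_AT = DETECTED_AT + timedelta(days=5)

_GOOD = next(iter(APPROVED_IMAGE_HASHES))
CONSTRUCTED_RECORDS = f"""
# serial,loaded_at,image_sha256  (constructed sample data)
W-1001,2020-03-01T15:00:00,{_GOOD}
W-1002,2020-03-02T10:30:00,{TAMPERED_IMAGE_HASH}
W-1003,2020-03-03T08:00:00,{TAMPERED_IMAGE_HASH}
W-1004,2020-03-04T12:00:00,{_GOOD}
W-1005,2020-03-06T11:00:00,{TAMPERED_IMAGE_HASH}
W-1006,2020-03-11T09:00:00,{_GOOD}
"""
RECALLED = {"W-1002", "W-1004"}   # constructed recall list
UNSHIPPED = {"W-1003"}            # constructed on-hand (never shipped) list


def run_reconciliation():
    """Run the reconciliation over the constructed data and return the result sets."""
    start, end, _hours, _days = incident_window(INITIAL_ACCESS, DETECTED_AT, REMEDIATED_AT)
    return reconcile(parse_load_records(CONSTRUCTED_RECORDS), RECALLED, UNSHIPPED, start, end)


if __name__ == "__main__":
    for name, serials in run_reconciliation().items():
        print(f"{name}: {sorted(serials)}")
```

In the constructed data, W-1005 was loaded inside the window with the tampered image but appears on neither list, so it shows up under "unaccounted" (and "unapproved_not_accounted"); that is exactly the exception the report states did not occur. W-1004 was loaded in the window with a certified image and is still recalled, because the report's recall is by date range, not by image content; the hash check is what would tell those two cases apart, and would also catch a tampered unit whose load time preceded the believed initial-access time.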

Production, Manufacturing, and Distribution Risks

Risks related to the production, manufacturing, and distribution system and underlying information systems, use of suppliers, and delivery channels used by the entity:

• The Company's widgets are manufactured with software supplied by Company Y, which is configured and installed in each widget during the manufacturing process. Company Y is responsible for supplying components, including the embedded software, which meet the Company's requirements. The quality of the Company's final product is dependent on receiving materials and components, including embedded software, which are free of software defects and do not contain any intentionally embedded malicious code. To that end, see the section "Description of Company X Software Assurance Process, as Applied to Sourced Embedded Software" for controls Company X deploys to test the software that Company Y supplies. The controls and processes of the various raw material and component suppliers are outside the subject of this report.

• The Company's manufacturing and distribution processes are highly automated and integrated, using various IT equipment and information systems. The failure of such equipment and information systems could result in a significant disruption to the manufacture and distribution of widgets. One of the systems Company X uses in its manufacturing process is the AAA system. The AAA system provider recently went bankrupt. The Company's risk assessment indicates that the Company has not experienced any significant issues with this system. While the Company has the capabilities to repair this system in-house, it will be difficult to replace the AAA system. The Company is actively seeking a replacement strategy before the system becomes obsolete.

• The Company regularly receives, from customers, information that is proprietary and sensitive, including customer trade secrets, customer purchase quantities and delivery criteria, and other proprietary elements as identified by customers at the time of sale.

Risks related to physical, environmental, technological, organizational, andother changes

• As part of the Company's strategic initiatives, the Company moved its widget manufacturing facility from Sacramento, CA, to Weehawken, NJ, at the beginning of the period. As part of this change, the Company hired a new head of production management who oversees the Weehawken, NJ, facility.

• During the location change, the Company also switched its embedded software supplier from Company Z to Company Y.

Components of the System that Manufactures and Distributes the Widgets

Infrastructure. Company X manufactures widgets on its own assembly line. The manufacturing process includes the direct manufacture of certain key components from raw material, and the assembly of these components with other components sourced from suppliers located in Asia, the US, and Mexico.

Customers are given a view into Company X's production and distribution system (PADS) where they can place their orders and track the status and location of the widgets they have ordered.

Components from suppliers are received in a near just-in-time (JIT) fashion based on production forecasts to control inventories; however, some component inventories are kept during peak volume season. This requires real-time tracking of all components and shipments in the SAP materials management module. Suppliers are given access to an interface that shows the real-time status of WIP inventories and order forecasts, enabling suppliers to ship components on an as-needed basis to Company X.

The manufacture of Company X specialty components requires the use of numerous computer-controlled machines and tools, including injection presses, deburring machines, and a soldering machine. These are controlled by automated scheduling systems on the plant floor. The raw materials are delivered into one end of the manufacturing plant, where they are stored in vats and fed into the manufacturing equipment. The finished components are stored on specialized racks and taken to the assembly area by human-operated forklifts.

The assembly of components into final widgets requires a line of specialized robot arms with drilling, soldering, and compression attachments arranged in order. The assembly line is controlled by software embedded in the robots and a master control system (MCS) that operates the robot arms in proper cadence. That software can be updated to assemble the 20 models of widgets that Company X manufactures. Each widget requires a different set of raw components and a different set of operations by the robot assembly line. MCS can handle the 20 widget models and some types of customizations (e.g., including or excluding certain components from the assembly).

The IT systems running the shop floor run on a set of Microsoft Windows servers, running the Windows 10 OS. These are four-way servers housed in a small data center, in a 30x20 room in each of the manufacturing sites. They are connected to the local area networks (LAN) for these sites, which also connect to all the end-user workstations, running Microsoft Office, as well as the scanners used for checking shipments in and out, the mobile devices for shop floor staff, and the HVAC system for climate control. The servers are also connected by a wide area network (WAN) to the other sites in the Company as well as the corporate systems in Company X's secured network operations centers (NOCs). The WAN connectivity is run over T3 lines provided by ABC Communications, with a redundant loop provided by DEF Communications. Business continuity and disaster recovery (BC/DR) services are provided by GHI Corporation with a 4-hour recovery SLA.

Employees access the applications (see "Software" section below) either through their desktop on company-supplied computers or through a Citrix Access Gateway. Data communications between offices are encrypted with Cisco virtual private networking (VPN) technology using 256-bit Advanced Encryption Standard (AES-256) encryption to protect data and intra-company communications.

Company X's IT systems and manufacturing control systems (MCS, PADS, and others) use the Microsoft SQL Server relational database management system. These database servers and file servers are housed in Company X's secured NOCs. All data at rest in the DBMS is encrypted.

Company X uses Transport Layer Security (TLS) to encrypt email exchanges with customers, suppliers, facility and service providers, and transportation providers.

Software. The software used in the manufacturing and distribution process falls into three main categories:

1. Embedded logic is the software or firmware that gets encoded in the widgets and robots that operate on the manufacturing floor, in the assembly process, or as part of the distribution process. This software is updated only when it is patched for security vulnerabilities, or when upgrades to the device functionality are necessary.

2. Operating and network software is the software that is in the network routers, gateways, firewalls, etc., and on the operating systems of all the devices, servers, and endpoint computers. The PCs, RDBMS, and servers have already been described. The networks are all running Cisco equipment and their latest operating software. Company X is also running security software for web application firewall (WAF), antivirus, and intrusion detection. The HVAC systems are controlled by proprietary software from the HVAC supplier.

3. Information software includes the software that collects and processes data from the factory, distribution process, or customers (as described in the "Data" section below) and is used to control the manufacturing and distribution process and customer payments, account tracking, recordkeeping, etc. Company X uses the following IT systems:


• Master Control System (MCS) — The MCS was developedin-house. Together with the Production and DistributionSystem and the AAA system, it is responsible for the op-eration of the manufacturing and assembly process, in-cluding the robotic assembly line used to assemble the 20varieties of widgets that Company X manufactures.

• Production and Distribution System (PADS) — ThePADS, also developed in house, tracks widgets manu-factured and delivered. Customers can track materialsthrough PADS interfaces (portals and APIs). PADS is thesource of record for master transportation file data andtransportation logs.

• Warehouse and Inventory Management System(WIMS) — WIMS, also developed in house, tracks widgetsin the warehouse. Track inventory across every step ofyour operations from ordering to delivery, track items bylot number, serial numbers, expiration dates, and othermethods, monitor asset levels in multiple locations andtransfer from one to another when necessary. WIMSinterfaces with PADS and WIMS is the source of recordfor master inventory and warehouse data.

• The AAA system is a third-party supplier software and,together with the MCS and PADS, is responsible for theoperation of the manufacturing and assembly process.

• SAP — The manufacturing plants run SAP for allthe time-keeping, personnel management, HR, financialreporting, and materials management, including WIPinventories and component orders to ensure raw mate-rials and components are delivered on time for produc-tion while minimizing WIP. This system is customizedfor Company X using configurations and some RICEFcode.

• Quality Assurance System (QAS) — QAS is an in-house developed system that tracks in-plant sampling tests as well as returns and defects in the field. The system is integrated with MCS and SAP to tie together manufacturing configurations and components used in specific batches for root cause analysis.

• Analytics — Company X uses a third-party commercial-off-the-shelf (COTS) analytics package for managing dataand business reporting.

• Customer Information System (CIS) — The CIS keepstrack of all customer data, including prior order historiesand account information. The CIS interfaces into the SAPsystem for AR.

• Application TRK is installed to enhance the workflow and approval process in support of the policies. This application enables tracking of additions, modifications, or deletions of users; changes to data classification; changes to authority levels in access approvals; tests of new security components prior to installation; and tracking of system incidents and their resolution.

People. Company X has a staff of approximately 150 employees organized in the following functional areas:

• Corporate. Executives, senior production management, and senior logistics management. These individuals perform oversight responsibilities over the production and transportation processes through the performance of various monitoring controls. The controls primarily consist of measurement and analyses of key performance indicators generated through internal reports.

• Operations. Staff that administer the day-to-day manufacturing activities and scheduling of transportation providers. Operations staff are divided into the following categories:

— Design staff
— Assemblers and assembly supervisors
— Packaging staff
— Computer control programmers and operators
— Quality control inspectors
— Facility managers
— Safety coordinators
— Warehouse workers
— Transportation coordinators
— Reports managers

Data. Data within the production system constitutes production requisitions created based on customer orders, production data related to batches, components, raw materials, WIP inventory, and production and quality control logs and reports. Data within the transportation system constitutes master transportation file data and transportation logs. Data within WIMS constitutes master inventory and warehouse data.

These logs and reports are used by management for performing analyses and assessing the effectiveness of controls. They are generated internally within the production and transportation systems and are available as electronic PDF and comma-separated value (CSV) file exports. They are not transmitted directly from the production and transportation systems to external parties.

Materials. Company X purchases raw materials and components from pre-approved suppliers, selected through a strict vetting and bidding process. Suppliers are responsible for the quality of materials and components; however, Company X has instituted a system of spot checks over certain significant raw materials.

Materials and components that are not being used within the manufacturing system are stored within facilities and secured by physical controls. Inventory controls are employed to ensure production at the capacity that would enable the Company to meet its distribution commitments.

Processes and Procedures. The Company's portfolio of security and availability controls is based on specifications set forth in the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) standards. The CRO is responsible for creating, updating, communicating, and monitoring procedures and control activities based on these standards. Procedures and related controls address the following areas within the manufacturing areas:


• Authorized access to the manufacturing management and transportation scheduling systems

• Authorized access to reporting system

• Malware protection

• Filtering of network traffic

• Compartmentalization of manufacturing and transportation systems from office networks

• Change management over SDLC

• Necessary backup and offline storage

• Physical access to production and warehouse facilities

• Environmental monitoring in production and warehouse facilities

• Disaster recovery programs

A description of procedures and controls is provided below.

This section provides information about the five interrelated components ofinternal control at Company X, including:

• Control Environment,

• Risk Assessment Process,

• Monitoring Activities,

• Information and Communication, and

• Control Activities

Control Environment

Company X's control environment exists under the organization's governance structure and bodies, which are led by the Board of Directors (Board). The Board oversees and monitors Company X's control environment with the assistance of its subcommittees, including the Audit Committee, which provides general direction and oversight on matters related to financial statement preparation, external audits, and internal control assessment and reporting, and the Technology Committee, which oversees the entity's IT and operations, especially as they relate to manufacturing, engineering, and production. The role of these governance bodies in promoting the integrity of Company X's control environment is referenced, as warranted, under the subheadings of this section.

Code of Conduct

A sound control environment is established through a commitment to integrity and ethical conduct throughout all levels of the organization. Company X promotes a culture of integrity through an organizational culture and philosophy that prioritizes standards and ethical conduct. To this end, Company X has developed a Code of Conduct policy that has been mandated and approved by the Board. The Code of Conduct provides detailed guidance on proper behavior and outlines sanctions for a breach of conduct up to and including termination. Human Resources is given responsibility for monitoring adherence to the Code of Conduct, and those in a supervisory capacity are trained and instructed to report violations. In addition, an anonymous ethics hotline has been established to facilitate the reporting of dubious conduct and provides a method of reporting that is intended to shield the whistleblower from reprisals. All reported incidents are assigned a case number and investigated. Records of these reports and investigations are summarized and reported to the Board to provide proper visibility and oversight. The Code of Conduct applies to suppliers and critical third parties that meet certain predefined characteristics and profiles. All employees and contract laborers under Company X's management are required to read and evidence their commitment to the Code of Conduct by signature at the time of hire and to confirm their acknowledgement annually thereafter.

Company X has anonymous, third-party-administered whistleblower hotlines available to internal and external users. The CRO monitors customer and workforce complaints reported via the hotlines.

Control Assessment, Oversight, and Reporting

Board members are appointed to act on behalf of the shareholders. Roles and responsibilities of Board members, as outlined in the Board of Directors' Charter, are segregated from the roles and responsibilities of management. The Board, by charter, comprises at least 50% independent board members and bears ultimate responsibility for Company X's control environment and system of internal control. The Board, depending upon the subject matter on the docket, also assesses the need to supplement board membership with individuals who, for example, possess expertise related to supply chain and third-party risk management. Specifically, the need for special expertise is evaluated prior to each board meeting, based on the meeting agenda. If warranted, the Board procures the needed experts or consultants.

Quarterly and annually, senior management and the Board receive informationand training needed to fulfill their roles with respect to the achievement ofCompany X's service commitments and system requirements.

Responsibility for oversight of internal control is delegated to the Audit Committee, with at least 50% of its membership drawn from independent members of the Board. The Audit Committee meets at least quarterly. The Audit Committee comprises individuals who possess the requisite expertise related to financial reporting, internal control, operations and logistics, and cybersecurity. In addition, other expert disciplines are summoned on an ex officio basis to address specific topics, as required. Internal Audit, which reports directly to the chair of the Audit Committee, is responsible for assessing Company X's control environment and for planning, executing, and issuing audit reports to the responsible management (for the subject matter examined) and the Audit Committee.

The Technology Committee comprises designated representatives of the Board, the Chief Technology Officer (CTO), the Chief Risk Officer (CRO), the Chief Information Security Officer (CISO), and the General Managers of Company X's business units. Various internal and external business analysts and system analysts also participate in meetings of the committee, as warranted, to provide subject expertise. The purpose of the Technology Committee is to ensure that the Company's technology direction and capability, including information technology, engineering, and production, can support Company X's current operations, its strategy, and future growth. An important mandate of the Technology Committee is to provide design governance to the entity, ensuring that the important technology components and application systems under consideration for acquisition and implementation will support Company X's business strategy, will integrate well into the existing application and technology infrastructure, and will scale well throughout the enterprise and support the intended user population(s), as needed.


Organizational Design, Span of Authority, and Reporting Lines

Company X has one primary business unit with a number of operating units and geographic locations. To simplify operations and reporting relationships, the organization and reporting relationships are, however, defined functionally rather than geographically by operating center. Company X assesses its organizational structure, reporting lines, authorities, and responsibilities as part of its ongoing risk assessment and management process, which is summarized and approved by the Board annually. Reporting relationships and organizational structures are reviewed periodically (and at least annually) by senior management and revised when necessary to reflect the current organizational structure. A reviewed and updated (if necessary) risk assessment and organization charts that detail reporting lines are included as part of a Board package, along with other policies, that is reviewed and approved by the Board annually.

Roles and responsibilities are documented in written job descriptions, which are specified for each position classification. Job descriptions are reviewed by Company X management on an annual basis for needed changes, and where job duties change, the necessary changes to these job descriptions are also made to enable execution of authorities and responsibilities and the flow of information needed to manage the activities of Company X.

Employee roles and responsibilities whose execution affects the achievement of objectives are communicated as part of the hiring or transfer process. Human resources personnel screen internal and external job applicant qualifications based on the defined requirements within the job description. Transcripts are obtained to evidence educational attainment, and job references are checked to validate experience. Prior to extension of a job offer, job candidates are subject to a background check by a third-party provider that conducts a multi-jurisdictional database search of criminal records and credit reporting agencies.

Management is committed to continually developing its workforce and attracting and retaining competent personnel to ensure continued achievement of objectives. To that end, Company X provides continued internal and external training based on the employees' responsibilities. In addition, annual security, privacy, and safety training is mandatory for all employees, contractors, and supplier employees. New hires, whether an employee, contractor, or supplier employee, are provided the same training during the onboarding process. The training includes communication of policies for accessing and using systems and sanctions for violating the information security policy. In the training, employees are also instructed to report potential security incidents to the help desk. Management monitors compliance with training requirements.

Company X believes in continuous monitoring and improvement of its environment, processes, technology, and people. As it relates to its people, Company X management and the Board perform annual performance evaluations to communicate and hold individuals accountable for performance of internal control responsibilities. The performance evaluation is signed by the manager and employee. The evaluation process may result in corrective actions, including training or sanctions, as necessary.

Management and the Board establish measurable goals and performance evaluation criteria, including incentives, other rewards, and sanctions appropriate for responsibilities at all levels of Company X, that are in alignment with the Company's short-term and longer-term objectives. Established short-term and longer-term Company X goals and the performance evaluation, reward, and sanction criteria for Company X executives are reviewed and approved annually by the Compensation Committee to ensure the goals and rewards consider pressures associated with the achievement of objectives. For example, Company X personnel with internal control responsibility are not rewarded based on the number of exceptions noted, or the lack thereof, by the external auditor.

Management and the Board evaluate performance of internal control responsibilities, providing rewards and sanctions appropriate for responsibilities, considering the achievement of both short-term and longer-term objectives.

During its ongoing and periodic business planning, business continuity planning, and budgeting process, management and the Board evaluate the need for additional tools and resources to achieve business objectives, including contingency plans for assignments of responsibility important for internal control.

Risk Assessment Process [not illustrated]

Information and Communication

A key step in the design of Company X's processes and controls is the identification of the information needed to operate, monitor, and control the system and the definition of the requirements for it. The identified information is included in the system design specifications at the functional and detailed design levels. The subsequent testing of system changes includes procedures to evaluate the completeness and accuracy of the specified information.

Security and availability objectives of the system are detailed through various policies, procedures, and manuals. These documents are available to internal personnel through an intranet site. The policies and procedures are reviewed by senior management and approved annually by the CRO. As part of senior management's annual review, they identify the information required and expected to support the achievement of Company X's service commitments and system requirements.

Company X's security, availability, and processing policies and procedures address employees' responsibility for production quality and performance specifications, delivery requirements, operational failures, incidents, system problems, concerns, and complaints. The documented policies and procedures include internal controls for producing timely, accurate, and complete products. The policies, procedures, and manuals include, but are not limited to, the following:

• Logical and Physical Security

• Change Management

• Incident Response and Monitoring

• Assembly Manuals

• ISO Compliance Procedures

• QAS Procedures

The policies and procedures help ensure that employees understand their individual roles and enable them to carry out their responsibilities and controls so that significant events are communicated in a timely manner. These include formal and informal training programs and the use of email to communicate time-sensitive information, and processes for security and system availability purposes that notify key personnel in the event of problems. Employees also receive updates via staff meetings and monthly newsletters. The documented Incident Response and Monitoring Policy includes procedures regarding an escalation plan, based on the nature and severity of the incident, to senior management and the Board, as necessary.

Company X's security and availability commitments are communicated to customers through documented contracts, while product specifications are set forth in product documentation. Agreements are established with service providers, including Company Y, that include clearly defined terms, conditions, and responsibilities. Company X's website includes information regarding terms and responsibilities. Any changes to the commitments and requirements are communicated to internal personnel, customers, and third parties on a timely basis.

Monitoring Activities [not illustrated] ...

Control Activities [for brevity, only control activities that address CC5.1–5.3 and CC6.1–6.2 have been illustrated. The control activities that address the availability criteria have not been illustrated.]

Control Design and Implementation

Company X follows a defined process for selecting, developing, and implementing controls when the need for an additional control is identified, whether as a result of a change in risk assessment, the monitoring of controls, or other activities. Once the risk has been identified, a manager from the department responsible for the process is assigned responsibility for developing the new control with the assistance of a team comprising personnel from the controller's office, internal audit, information technology, engineering, and other departments, as necessary. The team identifies the detailed characteristics of the risk and identifies potential controls that would address the risk. Potential controls are evaluated and one or more controls are selected for implementation. As part of the control selection process, the need for monitoring is evaluated and, if needed, appropriate monitoring activities are selected.

The design and implementation of controls is considered a process change andfollows the change management process described below.

Security Policies

As a manufacturing organization, Company X treats all third-party information in its custody and all intellectual property as confidential information. Nonpublic information is also regarded as confidential and, as such, is afforded the same protections and safeguards as all other confidential information through the implemented policies, procedures, and controls. The Information Security Policy defines protection requirements, access rights, and access restrictions, as well as retention and destruction requirements for confidential data. The Information Security Policy also defines the assessment of risks on a periodic basis, the prevention of unauthorized access, the addition of new users, the modification of access levels of existing users, and the removal of users who no longer need access. The functional organization design and ongoing assessment facilitate effective lines of reporting, enable execution of authority and responsibilities, and support the flow of information needed to manage the activities of the Company.

The following security policies and related processes are in place for the MCS:

• Data classification and business impact assessment

• Selection, documentation, and implementation of security controls

• Assessment of security controls

• User access authorization and provisioning

• Removal of user access


• Monitoring of security controls

• Security management

Asset Management

Company X has an asset management (AM) application to track information assets, including hardware, all stages of data (at rest, during processing, or in transmission), all three types of software described above (IT software, software on board manufacturing equipment, and software that is engineered into the product), mobile devices, and offline system components. This inventory is kept up to date by the CTO's office and reviewed by management at least once per annum to certify correctness. These reviews and certifications by management are also tracked by the AM application.

Network Structure

Company X uses network segmentation to help limit access. The network segments in use are:

• Manufacturing — used for IT systems that control the manufacture of widgets, including SCM systems

• Code injection — used for the server and client that configure and install embedded software in widgets

• Engineering — used for product design, development, and analysis

• Corporate — used for all other functions

• IT test — used by IT to test changes to software and hardware

• External — used to control access with outside networks

Virtual firewall technology is used to control access between segments, while access to the manufacturing and code injection segments is controlled through dedicated jump servers.
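The segmentation intent described above (inter-segment traffic mediated by the virtual firewall, and the manufacturing and code injection segments reachable only through the dedicated jump servers) is the kind of rule a practitioner verifies against actual firewall flow records rather than against the diagram. The following is an added example, not code from the report or from Company X: it parses a constructed flow log and flags allowed flows that contradict the stated design. The address plan, jump-server addresses, log line format, and the assumption that inbound external traffic must terminate at the DMZ are illustrative choices made here, not facts from the report.

```python
"""Segment-policy check over a constructed firewall flow log.

Added example; not Company X's code. Addresses, segment sizes, jump-server
hosts and the log format are assumptions made for illustration only.
"""
import ipaddress

# Assumed address plan for the segments listed in the report (illustrative).
SEGMENTS = {
    "manufacturing": ipaddress.ip_network("10.10.0.0/16"),
    "code_injection": ipaddress.ip_network("10.20.0.0/16"),
    "engineering": ipaddress.ip_network("10.30.0.0/16"),
    "corporate": ipaddress.ip_network("10.40.0.0/16"),
    "it_test": ipaddress.ip_network("10.50.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Assumed dedicated jump servers (the only permitted sources into RESTRICTED).
JUMP_SERVERS = {ipaddress.ip_address("10.40.1.10"), ipaddress.ip_address("10.40.1.11")}
RESTRICTED = {"manufacturing", "code_injection"}

# Constructed sample flow log (not real traffic): timestamp then key=value fields.
SAMPLE_FLOWS = """\
2020-03-31T08:00:01Z src=10.40.1.10 dst=10.10.5.20 dport=22 action=allow
2020-03-31T08:00:05Z src=10.40.7.33 dst=10.10.5.20 dport=3389 action=allow
2020-03-31T08:01:00Z src=10.50.2.2 dst=10.20.0.9 dport=443 action=allow
2020-03-31T08:02:00Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2020-03-31T08:03:00Z src=198.51.100.7 dst=10.40.3.3 dport=445 action=allow
2020-03-31T08:04:00Z src=10.10.5.21 dst=10.10.5.22 dport=502 action=allow
2020-03-31T08:05:00Z src=10.40.7.33 dst=10.10.5.20 dport=22 action=deny
"""


def segment_of(addr):
    """Map an address to its segment name; anything outside the plan is external."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one 'ts k=v k=v ...' record into a dict with typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "dport": int(kv["dport"]),
        "action": kv["action"],
    }


def policy_violations(log_text):
    """Return (timestamp, reason) for every allowed flow that breaks the design.

    Two checks: (1) traffic into a restricted segment must originate from a
    jump server; (2) traffic from outside the address plan must land in the DMZ.
    Denied flows are ignored: the firewall already did its job there.
    """
    violations = []
    for line in log_text.strip().splitlines():
        flow = parse_flow(line)
        if flow["action"] != "allow":
            continue
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg == dst_seg:
            continue  # intra-segment traffic is not the firewall's concern here
        if dst_seg in RESTRICTED and flow["src"] not in JUMP_SERVERS:
            violations.append((flow["ts"], f"{src_seg}->{dst_seg} bypasses jump server"))
        elif src_seg == "external" and dst_seg != "dmz":
            violations.append((flow["ts"], f"external->{dst_seg} did not terminate at DMZ"))
    return violations


if __name__ == "__main__":
    for ts, reason in policy_violations(SAMPLE_FLOWS):
        print(ts, reason)
```

Run against a real export, the interesting output is the second and third constructed lines: a corporate workstation and an IT test host reaching restricted segments directly, which is exactly what the jump-server design is supposed to make impossible, and the finding that matters for the "compartmentalization" control is the allowed flow, not the denied one.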

Physical and virtual IT device specification and configuration standards exist for each type of IT device. Operating system, database, and middleware configuration standards are also defined. Variances from standards for a particular use case must be documented and approved by the CISO and CIO. Configuration standards are reviewed and revised on an annual basis. Implementation of configuration changes required by changes to standards is made via the patch management process.

Unique user identification numbers, names, and passwords are required to authenticate users to production systems and all data assets, as well as to the facility services, transportation provider, member services, and client reporting websites. Users are identified and authenticated to the corporate network through a single sign-on tool. This tool is then used to identify and authenticate users to IT components on all but the manufacturing and code injection segments. Access to the manufacturing and code injection segments generally requires separate validation of credentials at dedicated workstations on those segments.

Inbound external traffic terminates at a DMZ that is separated from the internal network by a firewall. External users, whether employees or approved third-party personnel, are permitted access to company systems via an SSL VPN and an access control system that uses two-factor authentication.

Access to applications, servers, and other resources is based on role-based security enforced by access control software. In-scope production systems are configured to limit access to personnel based on the rule sets implemented by the access control system.

Password parameters consist of the following:

• Passwords contain a minimum of eight characters, including one non-alphanumeric character, and are complexity-enabled.

• Passwords expire every 90 days for non-privileged accounts and 60 days for privileged accounts.

• Log-on sessions are terminated after three failed log-on attempts.

Users cannot reuse the last three passwords (five passwords for privileged accounts).

New software, hardware, and devices that are implemented in the company network undergo a change management process, as documented in this report. This process includes the configuration of access credentials to network and information assets for the new software or hardware to function properly. Software and hardware assets are reviewed quarterly, and any credentials are removed for any decommissioned assets.

Employees are granted logical and physical access to in-scope systems based on documented approvals. All personnel with external access are documented, and access is reviewed at least once every six months by appropriate management personnel. Company X's transportation providers, sub-assembly providers, treating facilities, and component providers (subcontractors) are approved for access by an authorized user. The ability to create or modify user access accounts and user access privileges is limited to authorized personnel. User access is reviewed quarterly to verify whether individuals' access is necessary for their job functions and to identify the existence of inappropriate accounts. Accounts that are no longer needed are removed from the authorized user list in the access control system.

Administrative access to Active Directory, Unix, SCM systems and systemservers and databases is restricted to authorized employees.

The human resources department provides IT personnel with an employee termination report every two weeks. IT reconciles the termination report with current access privileges to determine whether access has been appropriately removed or disabled. Customer service and supply chain management teams also provide monthly updates to lists of third-party personnel who may have access to specific Company X systems. Dormant network accounts are disabled after 90 days of inactivity, and dormant MCS accounts are disabled after 45 days of inactivity.
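The password-expiry parameters, the quarterly user access review, and the termination-report reconciliation and dormancy thresholds described above are all checks that can be run mechanically over an account export, and a practitioner performing or auditing them would want the rules encoded rather than applied by eye. The following is an added example, not code from the report or from Company X: it takes a constructed account export and a constructed HR termination report and produces the findings an access review would raise under the stated rules (terminated users still enabled; network accounts idle more than 90 days or MCS accounts idle more than 45 days; password age over 90 days, or 60 days for privileged accounts). The export columns, the system labels "network" and "mcs", and the sample users are assumptions made for illustration.

```python
"""Access-review helper over a constructed account export.

Added example; not Company X's code. Export format, system labels and the
sample users are assumptions made for illustration. Thresholds are the ones
stated in the description: 90/45-day dormancy, 90/60-day password age.
"""
from datetime import date, datetime

DORMANCY_LIMIT_DAYS = {"network": 90, "mcs": 45}
PASSWORD_MAX_AGE_DAYS = {"standard": 90, "privileged": 60}

# Constructed sample export (not real data): one account per line.
SAMPLE_EXPORT = """\
user,system,enabled,privileged,last_logon,pwd_set
alice,network,true,false,2020-03-20,2020-01-15
bob,network,true,true,2020-03-25,2020-01-10
carol,mcs,true,false,2020-01-20,2020-02-01
dave,network,true,false,2019-12-01,2020-03-01
erin,mcs,false,false,2019-11-01,2019-11-01
frank,network,true,false,2020-03-30,2020-03-01
"""

# Constructed HR termination report for the same period (not real data).
SAMPLE_TERMINATIONS = ["frank", "erin"]

REVIEW_DATE = date(2020, 3, 31)


def parse_export(text):
    """Turn the CSV-style export into typed rows (booleans and dates)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["enabled"] = row["enabled"] == "true"
        row["privileged"] = row["privileged"] == "true"
        row["last_logon"] = datetime.strptime(row["last_logon"], "%Y-%m-%d").date()
        row["pwd_set"] = datetime.strptime(row["pwd_set"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def review_access(rows, terminated, today):
    """Return (user, finding) pairs for every enabled account that breaks a rule.

    Disabled accounts are skipped: the reconciliation is about access that is
    still live. A terminated user who is still enabled is reported once and not
    also scored for dormancy, since the fix (disable) is the same either way.
    """
    findings = []
    terminated = set(terminated)
    for row in rows:
        if not row["enabled"]:
            continue
        if row["user"] in terminated:
            findings.append((row["user"], "terminated user still enabled"))
            continue
        idle_days = (today - row["last_logon"]).days
        limit = DORMANCY_LIMIT_DAYS[row["system"]]
        if idle_days > limit:
            findings.append((row["user"], f"dormant {idle_days}d > {limit}d on {row['system']}"))
        tier = "privileged" if row["privileged"] else "standard"
        pwd_age = (today - row["pwd_set"]).days
        if pwd_age > PASSWORD_MAX_AGE_DAYS[tier]:
            findings.append((row["user"], f"password age {pwd_age}d > {PASSWORD_MAX_AGE_DAYS[tier]}d"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(parse_export(SAMPLE_EXPORT), SAMPLE_TERMINATIONS, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Two design points are worth noting for anyone adapting this. The termination check is keyed on the HR report, not on the directory, so an account HR says is gone but IT never disabled surfaces as a finding rather than silently aging out under the dormancy rule weeks later. And the MCS threshold is applied per account system, which is what the description requires; a single enterprise-wide 90-day rule would let a dormant MCS account live twice as long as the stated control allows.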

Internal data-handling processes have been established to make sure that confidential customer information is adequately safeguarded. The Company encrypts all e-mail exchanges with customers, suppliers, facility and service providers, and transportation providers with Transport Layer Security. Additionally, the Company encrypts all sensitive data at rest in the DBMS. All internal data transmissions between Company offices are encrypted. Encryption keys are managed and protected using a COTS key vault product across the enterprise.

Change Management... [not illustrated]

Business Continuity and Recovery

The Company monitors its manufacturing plant equipment, systems, personnel schedules, and inventory to ensure that adequate system capacity is maintained; equipment is maintained, replaced, or upgraded in a timely manner; personnel are available as per manufacturing plans; and inventories of raw materials, WIP, and finished goods are maintained at forecasted levels. The Facilities Team maintains HVAC and other environmental systems, such as UPS, backup generators, sprinklers, and fire extinguishers, as part of its daily activities, and a third party is contracted to test the backup generators and inspect fire extinguishers annually. The Plant Equipment Maintenance Team monitors plant equipment as part of the team's daily activities, with routine maintenance performed during scheduled weekly maintenance windows. The Assembly Supervisors plan and monitor personnel schedules and attendance, including penalties for repeat tardiness, which may include employment termination. The NOC Team monitors the network and plant systems for capacity and any potential availability issues. The Assembly Supervisors and Managers, Sales Managers, and Warehouse Managers meet monthly to discuss inventory, including planning for the future as well as managing current inventory levels.

The Company has contracted with GHI Corporation for its business continuityand disaster recovery with a 4-hour recovery SLA based on its business impactanalysis. The Company works with GHI Corporation to test the plans annually.

The Computer Operators perform incremental backups of manufacturing data daily and full backups weekly. Backups are monitored daily and re-run if they fail. Backup tapes are shipped off site weekly and stored at the GHI Corporation backup storage facility.

Quality Management

As part of Company X's Quality Assurance System (QAS), the entity remains cognizant of applicable laws and regulations regarding the manufacture, distribution, and export of widgets and their components. The QAS includes quarterly reviews for changes to organizational policy, processes, specifications, and results. Performance results are reviewed with key personnel to ensure that available improvements are implemented and that quality control shortcomings related to customer specifications, commitments, and delivery are adequately addressed on a timely basis.

Company X's widgets are produced using materials and parts from externalsources. As part of Company X's ISO 9000-based quality controls, the Companyprovides both material specifications and software quality requirements (whereapplicable) to suppliers from whom materials are purchased.

As a function of QAS, products and materials received are inspected for adherence to the Company's specifications and suitability for use in its manufacturing processes. While reasonable measures are instituted to verify the suitability of materials and logical components, the controls and processes of Company X's suppliers are not included in this description nor tested by the practitioner.

Section 4 — Trust Services Categories, Criteria, Related Controls, and Tests of Controls

Note to Readers: Although the applicable trust services criteria, related controls, and management responses to deviations, if any, would be presented in this section, they are an integral part of Company X's description of its widget manufacturing and distribution system throughout the period January 1, 20X1, to December 31, 20X1. Company X's controls relevant to security and the practitioner's tests of controls presented in this section are for illustrative purposes. For brevity, the table does not include the controls Company X designs, implements, and operates to achieve its principal system objectives relevant to availability and processing integrity. Only selected controls, tests of controls, and results thereof are illustrated in the table. Accordingly, the table is incomplete.

Applicable Trust Services Criteria Relevant to the Security and Availability Categories

Information Produced by the Entity

For tests of controls requiring the use of Information Produced by the Entity (IPE), including Electronic Audit Evidence (EAE) (e.g., controls requiring system-generated populations for sample-based testing), the practitioner performed a combination of the following procedures to address the completeness, accuracy, and data integrity of the data or reports used:

• Inspected the source of the IPE,

• Inspected the query, script, or parameters used to generate the IPE,

• Tied data between the IPE and the source, and/or

• Inspected the IPE for anomalous gaps in sequence or timing to determine that the data is complete, accurate, and maintains its integrity.
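The last procedure, inspecting a system-generated population for anomalous gaps in sequence or timing, is easy to state and easy to do badly by scrolling through a spreadsheet. The following is an added example, not code from the report or from the practitioner: it runs that inspection over a constructed population of the kind Application TRK would produce (user additions, modifications, and removals with a sequence number and timestamp) and reports missing sequence numbers, duplicated records, out-of-order timestamps, and stretches of silence long enough to suggest the export was truncated or filtered. The record format, the event names, and the five-day silence threshold are assumptions made for illustration.

```python
"""Completeness and integrity check over a constructed IPE population.

Added example; not from the report. Record layout, event names and the
silence threshold are assumptions for illustration. The checks are the
'gaps in sequence or timing' inspection described in the text.
"""
from datetime import datetime, timedelta

# Constructed sample population (not real data). Defects are planted on
# purpose: 1004 is missing, 1006 is duplicated, a week of silence precedes
# 1007, and 1008 is timestamped before 1007.
SAMPLE_IPE = """\
seq,timestamp,event
1001,2020-03-02T09:00:00,user_added
1002,2020-03-02T09:05:00,user_added
1003,2020-03-02T09:07:00,access_removed
1005,2020-03-02T09:20:00,user_added
1006,2020-03-02T09:21:00,user_modified
1006,2020-03-02T09:21:00,user_modified
1007,2020-03-09T10:00:00,user_added
1008,2020-03-09T09:30:00,user_added
"""

# Assumed threshold: a longer quiet stretch is flagged for follow-up.
MAX_SILENCE = timedelta(days=5)


def parse_ipe(text):
    """Parse the CSV-style export into rows with an int seq and a datetime."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["seq"] = int(row["seq"])
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def check_completeness(records, max_silence=MAX_SILENCE):
    """Return a list of human-readable issues found in the population.

    Records are examined in the order the system emitted them; reordering
    them first would hide exactly the timing anomalies this is looking for.
    """
    issues = []
    seen = set()
    prev_seq = prev_ts = None
    for rec in records:
        seq, ts = rec["seq"], rec["timestamp"]
        if seq in seen:
            issues.append(f"duplicate sequence {seq}")
        seen.add(seq)
        if prev_seq is not None:
            if seq > prev_seq + 1:
                issues.append(f"gap: {prev_seq + 1}..{seq - 1} missing")
            if ts < prev_ts:
                issues.append(f"out of order: {seq} earlier than {prev_seq}")
            elif ts - prev_ts > max_silence:
                issues.append(f"silence of {ts - prev_ts} before {seq}")
        prev_seq, prev_ts = seq, ts
    return issues


def expected_count(records):
    """Records the population should contain if the sequence is contiguous."""
    seqs = [r["seq"] for r in records]
    return max(seqs) - min(seqs) + 1


if __name__ == "__main__":
    rows = parse_ipe(SAMPLE_IPE)
    print(f"{len(rows)} records, {expected_count(rows)} expected from sequence range")
    for issue in check_completeness(rows):
        print(issue)
```

A clean result from this check does not by itself prove completeness (a population filtered by a query that also renumbers rows would pass), which is why the procedure above pairs it with inspection of the query or script that generated the IPE and a tie-out to the source.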

For tests of controls requiring management's use of IPE in the execution of the controls (e.g., agreeing the general ledger to the sub-ledger), the practitioner inspected entity management's procedures, as applicable, to assess the validity of the IPE source and the completeness, accuracy, and integrity of the data or reports.


Trust Services Criteria for the Security and Availability Categories | Description of Company X's Controls | Practitioner's Tests of Controls | Results of Practitioner's Tests of Controls

Control Environment

Criterion: CC1.1 The entity demonstrates a commitment to integrity and ethical values.

Company X's controls:

Company X has documented the code of business conduct and ethical standards, which are reviewed, updated if applicable, and approved by the board of directors and senior management annually.

Personnel, including contractors, are required to read and accept the code of business conduct and ethical standards upon their hire and formally reaffirm them annually thereafter.

Agreements are established with suppliers, vendors, and critical third parties (Company Y, GHI Corporation, and other critical third parties) that include clearly defined terms, conditions, and responsibilities for suppliers, vendors, and critical third parties.

Practitioner's tests of controls:

Inspected the code of business conduct and ethical standards of Company X, noting that the conduct and standards outline the Company's commitments to integrity and ethical values and that the conduct and standards were updated and approved by the board of directors and senior management within the examination period.

For a selection of new hires, including contract hires, inspected the signed code of business conduct and ethical standards and determined that the conduct and the standards were acknowledged by each hire selected.

For a selection of current personnel, including contractors, inspected the code of business co

Results of practitioner's tests of controls:

No exceptions noted.

ndu

ctan

det

hic

alst

anda

rds

sign

edan

dde

term

ined

that

the

con

duct

and

the

stan

dard

sw

ere

ackn

owle

dged

ann

ual

lyby

each

pers

onse

lect

ed.

For

ase

lect

ion

ofag

reem

ents

wit

hth

esu

ppli

ers,

ven

dors

,an

dcr

itic

alth

ird

part

ies,

insp

ecte

dth

eag

reem

ents

and

dete

rmin

edth

atth

eag

reem

ent

outl

ined

Com

pan

yX

'sre

quir

emen

ts,i

ncl

udi

ng

term

s,co

ndi

tion

s,an

dre

spon

sibi

liti

esfo

rth

esu

ppli

ers,

ven

dors

,an

dcr

itic

alth

ird

part

ies.

Tw

oof

45n

ewh

ires

sele

cted

,di

dn

otsi

gnth

eco

ndu

ctan

dst

anda

rds

ackn

owle

dgem

ent.

(con

tin

ued

)

©2020, AICPA AAG-SSC APP E

300 SOC for Supply ChainT

rust

Ser

vice

sC

rite

ria

for

the

Sec

uri

tya

nd

Ava

ila

bili

tyC

ate

gori

esD

escr

ipti

onof

Com

pa

ny

X’s

Con

trol

sP

ract

itio

ner

’sT

ests

ofC

ontr

ols

Res

ult

sof

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

s

Man

agem

ent

mon

itor

spe

rson

nel

com

plia

nce

wit

hth

eco

deof

busi

nes

sco

ndu

ctan

det

hic

alst

anda

rds

thro

ugh

mon

itor

ing

ofcu

stom

eran

dw

orkf

orce

mem

ber

com

plai

nts

and

the

use

ofan

anon

ymou

sth

ird-

part

yad

min

iste

red

eth

ics

hot

lin

e.C

ompa

ny

X's

code

ofbu

sin

ess

con

duct

incl

ude

sa

san

ctio

ns

poli

cyfo

rpe

rson

nel

wh

ovi

olat

eth

eco

deof

busi

nes

sco

ndu

ct.T

he

san

ctio

ns

poli

cyis

appl

ied

tope

rson

nel

wh

ovi

olat

eth

eco

deof

busi

nes

sco

ndu

ct.

Insp

ecte

dC

ompa

ny

X's

web

site

and

test

dial

edth

eh

otli

ne

nu

mbe

rpr

ovid

edan

dde

term

ined

that

anan

onym

ous

thir

d-pa

rty

adm

inis

tere

dh

otli

ne

isav

aila

ble.

Insp

ecte

dC

ompa

ny

X's

code

ofbu

sin

ess

con

duct

and

dete

rmin

edth

atit

incl

ude

da

san

ctio

ns

poli

cyfo

rpe

rson

nel

wh

ovi

olat

eth

eco

deof

busi

nes

sco

ndu

ct.

For

ase

lect

ion

ofcu

stom

eran

dw

orkf

orce

mem

ber

com

plai

nts

logg

edvi

ath

eth

ird-

part

yad

min

iste

red

hot

lin

e,in

spec

ted

the

rela

ted

docu

men

tati

onan

dde

term

ined

that

pers

onn

elw

ho

viol

ated

the

code

ofbu

sin

ess

con

duct

wer

esa

nct

ion

edas

per

the

poli

cy.

No

exce

ptio

ns

not

ed.

Pri

orto

empl

oym

ent,

pers

onn

elar

eve

rifi

edag

ain

stre

gula

tory

scre

enin

gda

taba

ses,

incl

udi

ng

ata

min

imu

m,c

redi

t,cr

imin

al,

dru

g,an

dem

ploy

men

tch

ecks

.

For

ase

lect

ion

ofn

ewh

ires

,in

spec

ted

the

back

grou

nd

chec

ksan

dde

term

ined

that

sele

cted

pers

onn

elsu

cces

sfu

lly

com

plet

edba

ckgr

oun

dch

ecks

incl

udi

ng,

cred

it,c

rim

inal

,dr

ug

and

empl

oym

ent

chec

kspr

ior

tobe

ing

hir

edby

Com

pan

yX

.

No

exce

ptio

ns

not

ed.

CC

1.2

Th

ebo

ard

ofdi

rect

ors

dem

onst

rate

sin

depe

nde

nce

from

man

agem

ent

and

exer

cise

sov

ersi

ght

ofth

ede

velo

pmen

tan

dpe

rfor

man

ceof

inte

rnal

con

trol

.

Th

ebo

ard

ofdi

rect

ors

are

appo

inte

dto

act

onbe

hal

fof

the

shar

ehol

ders

.Rol

esan

dre

spon

sibi

liti

esof

the

boar

dof

dire

ctor

sas

outl

ined

inth

eB

oard

ofD

irec

tors

'Ch

arte

rar

ese

greg

ated

from

the

role

san

dre

spon

sibi

liti

esof

man

agem

ent.

Th

ebo

ard

ofdi

rect

ors

un

ders

tan

dan

dac

know

ledg

eth

eB

oard

ofD

irec

tors

'Ch

arte

rto

acce

ptit

sov

ersi

ght

resp

onsi

bili

ties

inre

lati

onto

esta

blis

hed

requ

irem

ents

and

expe

ctat

ion

san

du

ltim

ate

resp

onsi

bili

tyfo

rC

ompa

ny

X's

con

trol

envi

ron

men

t.T

he

Boa

rdov

erse

esan

dm

onit

ors

Com

pan

yX

'sco

ntr

olen

viro

nm

ent

wit

hth

eas

sist

ance

ofit

ssu

bcom

mit

tees

incl

udi

ng

the

Tec

hn

olog

yC

omm

itte

e,w

hic

hov

erse

esth

een

tity

'sIT

and

oper

atio

ns,

espe

cial

lyas

itre

late

sto

man

ufa

ctu

rin

g,en

gin

eeri

ng

and

prod

uct

ion

.

Insp

ecte

dth

eB

oard

ofD

irec

tors

'Ch

arte

ran

dde

term

ined

that

the

boar

dof

dire

ctor

sar

eap

poin

ted

toac

ton

beh

alf

ofth

esh

areh

olde

rsan

dth

ero

les

and

resp

onsi

bili

ties

are

segr

egat

edfr

omth

ero

les

and

resp

onsi

bili

ties

ofm

anag

emen

t.In

spec

ted

the

boar

dof

dire

ctor

s'ac

know

ledg

emen

tof

the

Boa

rdof

Dir

ecto

rs'

Ch

arte

rto

acce

ptit

sov

ersi

ght

resp

onsi

bili

ties

inre

lati

onto

esta

blis

hed

requ

irem

ents

and

expe

ctat

ion

s.In

spec

ted

the

Boa

rdof

Dir

ecto

rs'C

har

ter

and

dete

rmin

edth

atth

eT

ech

nol

ogy

Com

mit

tee

has

been

assi

gned

the

resp

onsi

bili

tyto

over

see

the

enti

ty's

ITan

dop

erat

ion

s,es

peci

ally

asit

rela

tes

tom

anu

fact

uri

ng,

engi

nee

rin

gan

dpr

odu

ctio

n.

No

exce

ptio

ns

not

ed.

AAG-SSC APP E ©2020, AICPA

Illustrative SOC for Supply Chain Report 301

Tru

stS

ervi

ces

Cri

teri

afo

rth

eS

ecu

rity

an

dA

vail

abi

lity

Ca

tego

ries

Des

crip

tion

ofC

omp

an

yX

’sC

ontr

ols

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

sR

esu

lts

ofP

ract

itio

ner

’sT

ests

ofC

ontr

ols

Th

eB

oard

ofD

irec

tors

'Ch

arte

rin

clu

des

the

min

imu

mba

ckgr

oun

dan

dsk

ills

requ

ired

ofbo

ard

ofdi

rect

ors.

Du

rin

gth

ean

nu

albo

ard

mee

tin

g,th

eba

ckgr

oun

dan

dsk

ills

ofea

chbo

ard

mem

ber

isco

mpa

red

toth

eba

ckgr

oun

dan

dsk

ills

not

edin

the

Boa

rdof

Dir

ecto

rs'C

har

ter.

Insp

ecte

dth

eB

oard

ofD

irec

tors

'Ch

arte

ran

dde

term

ined

that

the

min

imu

mba

ckgr

oun

dan

dsk

ills

requ

ired

ofbo

ard

ofdi

rect

ors

isdo

cum

ente

d.F

orth

ean

nu

albo

ard

mee

tin

g,in

spec

ted

the

mee

tin

gm

inu

tes

and

dete

rmin

edth

atth

eba

ckgr

oun

dan

dsk

ills

ofea

chbo

ard

mem

ber

was

com

pare

dto

the

back

grou

nd

and

skil

lsn

oted

inth

eB

oard

ofD

irec

tors

'Ch

arte

r.

No

exce

ptio

ns

not

ed.

Th

eB

oard

ofD

irec

tors

mee

tin

gag

enda

sis

revi

ewed

inad

van

ceof

the

mee

tin

gto

dete

rmin

ew

het

her

subj

ect

mat

ter

onth

eag

enda

requ

ires

spec

ific

expe

rtis

eth

atis

not

repr

esen

ted

and,

ifw

arra

nte

d,w

illp

rocu

reth

en

eede

dex

pert

sor

con

sult

ants

,as

nee

ded.

Insp

ecte

dm

eeti

ng

agen

das

and

min

ute

sfo

rev

iden

ceth

at(a

)th

eB

oard

ofD

irec

tors

mee

tin

gag

enda

sis

revi

ewed

inad

van

ceof

the

mee

tin

gto

dete

rmin

ew

het

her

subj

ect

mat

ter

onth

eag

enda

requ

ires

spec

ific

expe

rtis

eth

atis

not

repr

esen

ted

and

(b)

that

,if

war

ran

ted,

the

boar

dw

illp

rocu

reth

en

eede

dex

pert

sor

con

sult

ants

,as

nee

ded,

prio

rto

disc

uss

ing

the

topi

c.

Th

ebo

ard

ofdi

rect

ors

con

sist

ofm

ajor

ity

ofin

depe

nde

nt

mem

bers

aspe

rth

eB

oard

ofD

irec

tors

'Ch

arte

rto

mai

nta

inin

depe

nde

nce

from

man

agem

ent

and

isco

mpo

sed

ofat

leas

t50

%in

depe

nde

nt

boar

dm

embe

rs,

Insp

ecte

dth

eB

oard

ofD

irec

tors

'Ch

arte

ran

dde

term

ined

that

itn

otes

the

boar

dof

dire

ctor

ssh

ould

con

sist

ofm

ajor

ity

ofin

depe

nde

nt

mem

bers

.In

spec

ted

the

boar

dof

dire

ctor

s'st

ruct

ure

and

dete

rmin

edth

atth

ebo

ard

ofdi

rect

ors

con

sist

edof

maj

orit

yof

inde

pen

den

tm

embe

rs.

Insp

ecte

dth

ebo

ard

ofdi

rect

ors'

stru

ctu

rean

dde

term

ined

that

atle

ast

50%

orin

depe

nde

nt

ofC

ompa

ny

X.

No

exce

ptio

ns

not

ed. (c

onti

nu

ed)

©2020, AICPA AAG-SSC APP E

302 SOC for Supply Chain

Tru

stS

ervi

ces

Cri

teri

afo

rth

eS

ecu

rity

an

dA

vail

abi

lity

Ca

tego

ries

Des

crip

tion

ofC

omp

an

yX

’sC

ontr

ols

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

sR

esu

lts

ofP

ract

itio

ner

’sT

ests

ofC

ontr

ols

An

Au

dit

Com

mit

tee

has

been

form

edas

asu

bcom

mit

tee

ofth

ebo

ard

and

isch

arge

dw

ith

eval

uat

ing

the

con

trol

envi

ron

men

t,an

dfi

nan

cial

repo

rtin

gpr

oces

s.T

he

audi

tco

mm

itte

em

eets

quar

terl

yan

dre

port

sto

the

boar

ddi

rect

ors

and,

like

the

boar

d,is

com

pose

dof

atle

ast

50%

exte

rnal

(in

depe

nde

nt)

mem

bers

.In

tern

alA

udi

tre

port

sdi

rect

lyto

the

Au

dit

Com

mit

tee

and

isre

spon

sibl

efo

ras

sess

ing

Com

pan

yX

'sco

ntr

olen

viro

nm

ent.

Inte

rnal

Au

dit

wit

hth

ead

vice

and

appr

oval

ofth

eA

udi

tC

omm

itte

e,ar

ere

spon

sibl

efo

rpl

ann

ing,

exec

uti

ng

and

issu

ing

audi

tre

port

sto

the

resp

onsi

ble

man

agem

ent

(for

the

subj

ect

mat

ter

exam

ined

)an

dto

the

Au

dit

Com

mit

tee.

Eva

luat

edth

eA

udi

tC

har

ter

toco

nfi

rmth

atth

eyh

ave

resp

onsi

bili

tyfo

rov

erse

ein

gth

eco

ntr

olen

viro

nm

ent

and

fin

anci

alre

port

ing

proc

ess.

Eva

luat

edth

em

embe

rsh

ipan

dre

port

ing

stru

ctu

rean

dco

nfi

rmed

that

the

audi

tco

mm

itte

eis

com

pose

dof

atle

ast

50%

exte

rnal

mem

bers

.In

spec

ted

Au

dit

Com

mit

tee

mee

tin

gm

inu

tes

and

dete

rmin

edth

atm

eeti

ngs

occu

rat

leas

tqu

arte

rly

and

the

mee

tin

gm

inu

tes

are

shar

edw

ith

the

Boa

rd.

Insp

ecte

dth

eIn

tern

alA

udi

tC

har

ter

and

dete

rmin

edth

atIn

tern

alA

udi

tre

port

sdi

rect

lyto

the

Au

dit

Com

mit

tee.

Rev

iew

edA

udi

tC

omm

itte

eM

inu

tes

and

dete

rmin

edth

atIn

tern

alA

udi

tac

tive

lyre

port

sto

and

isov

erse

enby

the

Au

dit

Com

mit

tee.

Insp

ecte

dth

eIn

tern

alA

udi

tP

lan

nin

gpr

oces

san

dth

ree-

year

audi

tpl

anto

dete

rmin

eth

eco

mpl

eten

ess

ofth

eau

dit

un

iver

sean

dsp

anof

revi

ew.

No

exce

ptio

ns

not

ed.

Th

eT

ech

nol

ogy

Com

mit

tee

com

pris

esde

sign

ated

repr

esen

tati

ves

ofth

eB

oard

,th

eC

hie

fT

ech

nol

ogy

Offi

cer

(CT

O),

the

Ch

ief

Ris

kO

ffice

r(C

RO

),C

hie

fIn

form

atio

nS

ecu

rity

Offi

cer

(CIS

O)

and

the

Gen

eral

Man

ager

sof

Com

pan

yX

'sbu

sin

ess

un

its.

Eva

luat

edth

eT

ech

nol

ogy

Com

mit

tee

Ch

arte

ran

dde

term

ined

that

the

mem

bers

hip

com

pris

esth

epo

siti

ons

asde

scri

bed.

No

exce

ptio

ns

not

ed.

AAG-SSC APP E ©2020, AICPA

Illustrative SOC for Supply Chain Report 303

Tru

stS

ervi

ces

Cri

teri

afo

rth

eS

ecu

rity

an

dA

vail

abi

lity

Ca

tego

ries

Des

crip

tion

ofC

omp

an

yX

’sC

ontr

ols

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

sR

esu

lts

ofP

ract

itio

ner

’sT

ests

ofC

ontr

ols

Th

eT

ech

nol

ogy

Com

mit

tee

ensu

reth

eC

ompa

ny'

ste

chn

olog

ydi

rect

ion

and

capa

bili

ty,i

ncl

udi

ng

info

rmat

ion

tech

nol

ogy,

engi

nee

rin

g,an

dpr

odu

ctio

n,c

ansu

ppor

tit

scu

rren

top

erat

ion

s,st

rate

gy,a

nd

futu

regr

owth

.Th

eT

ech

nol

ogy

Com

mit

tee

mee

tsat

leas

tqu

arte

rly

and

repo

rts

toth

eB

oard

.

Eva

luat

edth

eT

ech

nol

ogy

Com

mit

tee

Ch

arte

ran

dde

term

ined

that

the

com

mit

tee

has

resp

onsi

bili

tyfo

rov

erse

ein

gth

een

tity

'ste

chn

olog

ydi

rect

ion

and

capa

bili

ty,i

ncl

udi

ng

ensu

rin

gth

atth

een

tity

'sin

form

atio

nte

chn

olog

y,en

gin

eeri

ng

and

prod

uct

ion

can

supp

ort

the

Com

pan

y's

curr

ent

and

futu

reob

ject

ives

asit

rela

tes

tose

curi

ty,a

vail

abil

ity

and

proc

essi

ng

inte

grit

y.In

spec

ted

the

Tec

hn

olog

yC

omm

itte

em

eeti

ng

min

ute

sto

dete

rmin

ew

het

her

mee

tin

gsoc

cur

atle

ast

quar

terl

yan

dth

em

eeti

ng

min

ute

sar

esh

ared

wit

hth

eB

oard

.

Exc

epti

onn

oted

.On

eof

two

quar

terl

yT

ech

nol

ogy

Com

mit

tee

mee

tin

gm

inu

tes

was

not

avai

labl

e.

CC

1.3

Man

agem

ent

esta

blis

hes

,wit

hbo

ard

over

sigh

t,st

ruct

ure

s,re

port

ing

lin

es,a

nd

appr

opri

ate

auth

orit

ies

and

resp

onsi

bili

ties

inth

epu

rsu

itof

obje

ctiv

es.

Com

pan

yX

man

agem

ent

and

the

boar

dof

dire

ctor

sev

alu

ate

its

orga

niz

atio

nal

stru

ctu

re,r

epor

tin

gli

nes

,au

thor

itie

s,an

dre

spon

sibi

liti

esas

part

ofit

sbu

sin

ess

plan

nin

gpr

oces

san

das

part

ofit

son

goin

gri

skas

sess

men

tan

dm

anag

emen

tpr

oces

san

dre

vise

thes

ew

hen

nec

essa

ryto

supp

ort

the

ach

ieve

men

tof

obje

ctiv

es.

Insp

ecte

dth

ean

nu

albu

sin

ess

plan

nin

gan

dri

skas

sess

men

tdo

cum

enta

tion

and

dete

rmin

edth

ator

gan

izat

ion

alst

ruct

ure

,re

port

ing

lin

es,a

uth

orit

ies,

and

resp

onsi

bili

ties

wer

ere

vise

d.

No

exce

ptio

ns

not

ed.

Job

desc

ript

ion

sar

ere

view

edby

Com

pan

yX

man

agem

ent

onan

ann

ual

basi

sfo

rn

eede

dch

ange

san

dw

her

ejo

bdu

tych

ange

sar

ere

quir

edn

eces

sary

chan

ges

toth

ese

job

desc

ript

ion

sar

eal

som

ade

toen

able

exec

uti

onof

auth

orit

ies

and

resp

onsi

bili

ties

and

flow

ofin

form

atio

nto

man

age

the

acti

viti

esof

Com

pan

yX

.

Insp

ecte

dth

ean

nu

albu

sin

ess

plan

nin

gan

dri

skas

sess

men

tdo

cum

enta

tion

and

dete

rmin

edth

ator

gan

izat

ion

alst

ruct

ure

,re

port

ing

lin

es,a

uth

orit

ies,

and

resp

onsi

bili

ties

wer

ere

vise

d.

No

exce

ptio

ns

not

ed. (c

onti

nu

ed)

©2020, AICPA AAG-SSC APP E

304 SOC for Supply ChainT

rust

Ser

vice

sC

rite

ria

for

the

Sec

uri

tya

nd

Ava

ila

bili

tyC

ate

gori

esD

escr

ipti

onof

Com

pa

ny

X’s

Con

trol

sP

ract

itio

ner

’sT

ests

ofC

ontr

ols

Res

ult

sof

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

s

Com

pan

yX

has

ada

tacl

assi

fica

tion

syst

emth

attr

eats

allt

hir

d-pa

rty

info

rmat

ion

init

scu

stod

yan

dal

lin

tell

ecti

onpr

oper

tyas

con

fide

nti

alin

form

atio

n.

All

info

rmat

ion

reso

urc

esde

emed

"con

fide

nti

al"

are

affo

rded

the

sam

eh

igh

-lev

elpr

otec

tion

san

dsa

fegu

ards

thro

ugh

the

impl

emen

tati

onpo

lici

es,p

roce

dure

s,an

dco

ntr

ols.

Th

eIn

form

atio

nS

ecu

rity

Pol

icy

defi

nes

prot

ecti

onre

quir

emen

ts,a

cces

sri

ghts

,an

dac

cess

rest

rict

ion

s,as

wel

las

rete

nti

onan

dde

stru

ctio

nre

quir

emen

tsfo

rco

nfi

den

tial

data

.Th

ese

curi

typo

licy

also

defi

nes

asse

ssin

gri

sks

ona

peri

odic

basi

s,pr

even

tin

gu

nau

thor

ized

acce

ss,a

ddin

gn

ewu

sers

,m

odif

yin

gac

cess

leve

lsof

exis

tin

gu

sers

,an

dre

mov

ing

use

rsw

ho

no

lon

ger

nee

dac

cess

.

Obt

ain

edth

eda

tacl

assi

fica

tion

syst

emto

dete

rmin

eth

atal

lth

ird-

part

yin

form

atio

nin

the

Com

pan

y's

cust

ody

iscl

assi

fied

con

fide

nti

al.

Insp

ecte

dth

eIn

form

atio

nS

ecu

rity

Pol

icy

tode

term

ine

wh

eth

erit

defi

nes

prot

ecti

onre

quir

emen

ts,a

cces

sri

ghts

,an

dac

cess

rest

rict

ion

s,as

wel

las

rete

nti

onan

dde

stru

ctio

nre

quir

emen

tsfo

rco

nfi

den

tial

data

and

that

he

secu

rity

poli

cyal

sode

fin

esas

sess

ing

risk

son

ape

riod

icba

sis,

prev

enti

ng

un

auth

oriz

edac

cess

,add

ing

new

use

rs,

mod

ifyi

ng

acce

ssle

vels

ofex

isti

ng

use

rs,a

nd

rem

ovin

gu

sers

wh

on

olo

nge

rn

eed

acce

ss.

No

exce

ptio

ns

not

ed.

Th

eT

ech

nol

ogy

Com

mit

tee

com

pris

esde

sign

ated

repr

esen

tati

ves

ofth

eB

oard

,th

eC

hie

fT

ech

nol

ogy

Offi

cer

(CT

O),

the

Ch

ief

Ris

kO

ffice

r(C

RO

),C

hie

fIn

form

atio

nS

ecu

rity

Offi

cer

(CIS

O)

and

the

Gen

eral

Man

ager

sof

Com

pan

yX

'sbu

sin

ess

un

its.

Eva

luat

edth

eT

ech

nol

ogy

Com

mit

tee

Ch

arte

ran

dde

term

ined

that

the

mem

bers

hip

com

pris

esth

epo

siti

ons

asde

scri

bed.

No

exce

ptio

ns

not

ed.

Th

eT

ech

nol

ogy

Com

mit

tee

ensu

res

that

the

Com

pan

y's

tech

nol

ogy

dire

ctio

nan

dca

pabi

lity

,in

clu

din

gin

form

atio

nte

chn

olog

y,en

gin

eeri

ng,

and

prod

uct

ion

,can

supp

ort

its

curr

ent

oper

atio

ns,

stra

tegy

,an

dfu

ture

grow

th.T

he

Tec

hn

olog

yC

omm

itte

em

eets

atle

ast

quar

terl

yan

dre

port

sto

the

Boa

rd.

Eva

luat

edth

eT

ech

nol

ogy

Com

mit

tee

Ch

arte

ran

dde

term

ined

that

the

com

mit

tee

has

resp

onsi

bili

tyfo

rov

erse

ein

gth

een

tity

'ste

chn

olog

ydi

rect

ion

and

capa

bili

ty,i

ncl

udi

ng

ensu

rin

gth

atth

een

tity

'sin

form

atio

nte

chn

olog

y,en

gin

eeri

ng

and

prod

uct

ion

can

supp

ort

the

Com

pan

y's

curr

ent

and

futu

reob

ject

ives

asit

rela

tes

tose

curi

ty,a

vail

abil

ity

and

proc

essi

ng

inte

grit

y.In

spec

ted

the

Tec

hn

olog

yC

omm

itte

em

eeti

ng

min

ute

sto

dete

rmin

ew

het

her

mee

tin

gsoc

cur

atle

ast

quar

terl

yan

dth

em

eeti

ng

min

ute

sar

esh

ared

wit

hth

eB

oard

.

Exc

epti

onn

oted

.On

eof

two

quar

terl

yT

ech

nol

ogy

Com

mit

tee

mee

tin

gm

inu

tes

was

not

avai

labl

e.

AAG-SSC APP E ©2020, AICPA

Illustrative SOC for Supply Chain Report 305

Tru

stS

ervi

ces

Cri

teri

afo

rth

eS

ecu

rity

an

dA

vail

abi

lity

Ca

tego

ries

Des

crip

tion

ofC

omp

an

yX

’sC

ontr

ols

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

sR

esu

lts

ofP

ract

itio

ner

’sT

ests

ofC

ontr

ols

CC

1.4

Th

een

tity

dem

onst

rate

sa

com

mit

men

tto

attr

act,

deve

lop,

and

reta

inco

mpe

ten

tin

divi

dual

sin

alig

nm

ent

wit

hob

ject

ives

.

Job

requ

irem

ents

and

requ

isit

esk

ills

ets

for

allc

andi

date

s(e

mpl

oyee

san

dco

ntr

acto

rs)

are

docu

men

ted

inth

ejo

bde

scri

ptio

ns,

and

can

dida

tes'

abil

itie

sto

mee

tth

ese

requ

irem

ents

are

eval

uat

edas

part

ofth

eh

irin

gor

tran

sfer

eval

uat

ion

proc

ess

tosu

ppor

tth

eac

hie

vem

ent

ofob

ject

ives

.T

he

expe

rien

cean

dtr

ain

ing

ofca

ndi

date

s,w

het

her

anem

ploy

ee,i

nte

rnal

tran

sfer

,co

ntr

acto

r,or

empl

oyee

,are

eval

uat

edbe

fore

they

assu

me

the

resp

onsi

bili

ties

ofth

eir

posi

tion

tosu

ppor

tth

eac

hie

vem

ent

ofob

ject

ives

.Exi

stin

gpe

rson

nel

are

eval

uat

edat

leas

tan

nu

ally

.

For

ase

lect

ion

ofn

ewh

ires

,wh

eth

eran

empl

oyee

,con

trac

tor,

orem

ploy

ee,a

nd

tran

sfer

s,in

spec

ted

the

pers

onn

elfi

lean

dde

term

ined

that

job

requ

irem

ents

and

requ

isit

esk

ills

ets

wer

edo

cum

ente

din

the

job

desc

ript

ion

s.F

ora

sele

ctio

nof

new

hir

es,w

het

her

anem

ploy

ee,i

nte

rnal

tran

sfer

,con

trac

tor,

orem

ploy

ee,i

nsp

ecte

dth

epe

rson

nel

file

and

dete

rmin

edth

atof

fer

lett

eran

dm

anag

emen

tn

otes

wer

em

ain

tain

edev

iden

cin

gth

atth

ese

lect

edpe

rson

nel

wer

eev

alu

ated

befo

reth

eyas

sum

eth

ere

spon

sibi

liti

esof

thei

rpo

siti

on.

For

ase

lect

ion

ofpe

rson

nel

,wh

eth

eran

empl

oyee

,con

trac

tor,

orem

ploy

ee,i

nsp

ecte

dth

epe

rson

nel

file

and

dete

rmin

edth

atan

nu

alpe

rfor

man

ceev

alu

atio

ns

wer

epe

rfor

med

incl

udi

ng

acti

onit

ems

for

any

shor

tcom

ings

orde

cisi

onto

term

inat

eth

eem

ploy

men

t.

No

exce

ptio

ns

not

ed.

Com

pan

yX

eval

uat

esou

tsou

rced

serv

ice

prov

ider

sag

ain

stes

tabl

ish

edpo

lici

esan

dpr

acti

ces

aspa

rtof

the

ann

ual

eval

uat

ion

proc

ess

orw

hen

new

outs

ourc

edse

rvic

epr

ovid

erre

lati

onsh

ips

are

esta

blis

hed

tosu

ppor

tth

eac

hie

vem

ent

ofC

ompa

ny

X's

serv

ice

com

mit

men

tsan

dsy

stem

requ

irem

ents

.An

ysh

ortc

omin

gsn

oted

duri

ng

the

eval

uat

ion

are

addr

esse

dw

ith

acti

onit

ems

and

reev

alu

ated

inth

efo

llow

ing

year

'sev

alu

atio

npr

oces

sor

soon

er.

For

ase

lect

ion

ofou

tsou

rced

serv

ice

prov

ider

s,in

clu

din

gex

isti

ng

and

new

prov

ider

s,in

spec

ted

the

ann

ual

serv

ice

prov

ider

risk

asse

ssm

ents

perf

orm

edan

dde

term

ined

that

exte

rnal

serv

ice

prov

ider

perf

orm

ance

and

risk

sw

ere

asse

ssed

,in

clu

din

gac

tion

item

sfo

ran

ysh

ortc

omin

gsas

wel

las

foll

ow-u

pon

prio

rye

ar's

acti

onit

ems

asn

eces

sary

.

No

exce

ptio

ns

not

ed. (c

onti

nu

ed)

©2020, AICPA AAG-SSC APP E

306 SOC for Supply Chain

Tru

stS

ervi

ces

Cri

teri

afo

rth

eS

ecu

rity

an

dA

vail

abi

lity

Ca

tego

ries

Des

crip

tion

ofC

omp

an

yX

’sC

ontr

ols

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

sR

esu

lts

ofP

ract

itio

ner

’sT

ests

ofC

ontr

ols

Man

agem

ent

prov

ides

con

tin

ued

inte

rnal

and

exte

rnal

trai

nin

gba

sed

onem

ploy

ees'

resp

onsi

bili

ties

.In

addi

tion

,an

nu

alse

curi

ty,

priv

acy,

and

safe

tytr

ain

ings

are

man

dato

ryfo

ral

lem

ploy

ees,

con

trac

tors

,an

dem

ploy

ee.

New

hir

esw

het

her

anem

ploy

ee,c

ontr

acto

r,or

empl

oyee

,are

prov

ided

the

sam

etr

ain

ings

duri

ng

the

onbo

ardi

ng

proc

ess.

Man

agem

ent

mon

itor

sco

mpl

ian

cew

ith

trai

nin

gre

quir

emen

ts.

Obt

ain

edth

eda

tes

ofan

dat

ten

dan

cesh

eets

for

the

ann

ual

secu

rity

trai

nin

gan

dde

term

ined

that

atte

nde

esh

adsi

gned

the

atte

nda

nce

shee

tfo

rtr

ain

ing

sess

ion

s.F

ora

sele

ctio

nof

pers

onn

el,o

btai

ned

the

date

sof

and

atte

nda

nce

shee

tsfo

rro

lesp

ecifi

ctr

ain

ings

and

dete

rmin

edth

atth

eem

ploy

ee,

con

trac

tor,

orem

ploy

eese

lect

ed,h

adsi

gned

the

atte

nda

nce

shee

tfo

rtr

ain

ing

sess

ion

s.F

ora

sele

ctio

nof

new

hir

es,o

btai

ned

the

date

sof

and

atte

nda

nce

shee

tsan

dde

term

ined

that

the

empl

oyee

,con

trac

tor,

orem

ploy

eese

lect

ed,h

adsi

gned

the

atte

nda

nce

shee

tfo

rtr

ain

ing

sess

ion

s.F

ora

sele

ctio

nof

pers

onn

eln

otpr

esen

tdu

rin

gth

etr

ain

ing

date

s,in

spec

ted

man

agem

ent's

trai

nin

gre

late

ddo

cum

enta

tion

and

dete

rmin

edth

atth

ese

lect

edpe

rson

nel

wer

ere

quir

edto

take

the

trai

nin

gsu

bseq

uen

tly

wit

hin

the

exam

inat

ion

peri

od.

No

exce

ptio

ns

not

ed.

Du

rin

git

son

goin

gan

dpe

riod

icbu

sin

ess

plan

nin

g,bu

sin

ess

con

tin

uit

ypl

ann

ing

and

budg

etin

gpr

oces

s,m

anag

emen

tan

dth

ebo

ard

ofdi

rect

ors

eval

uat

eth

en

eed

for

addi

tion

alto

ols

and

reso

urc

esto

ach

ieve

busi

nes

sob

ject

ives

incl

udi

ng

con

tin

gen

cypl

ans

for

assi

gnm

ents

ofre

spon

sibi

lity

impo

rtan

tfo

rin

tern

alco

ntr

ol.

Insp

ecte

dC

ompa

ny

X's

ann

ual

busi

nes

spl

ann

ing,

busi

nes

sco

nti

nu

ity

plan

nin

gan

dbu

dget

ing

rela

ted

docu

men

tati

onan

dde

term

ined

that

Com

pan

yX

con

tin

ual

lyev

alu

ated

its

nee

dfo

rad

diti

onal

tool

san

dre

sou

rces

asw

ella

sco

nti

nge

ncy

plan

sfo

ras

sign

men

tsof

resp

onsi

bili

tyim

port

ant

for

inte

rnal

con

trol

.

No

exce

ptio

ns

not

ed.

AAG-SSC APP E ©2020, AICPA

Illustrative SOC for Supply Chain Report 307

Tru

stS

ervi

ces

Cri

teri

afo

rth

eS

ecu

rity

an

dA

vail

abi

lity

Ca

tego

ries

Des

crip

tion

ofC

omp

an

yX

’sC

ontr

ols

Pra

ctit

ion

er’s

Tes

tsof

Con

trol

sR

esu

lts

ofP

ract

itio

ner

’sT

ests

ofC

ontr

ols

Pri

orto

empl

oym

ent,

pers

onn

el,i

ncl

udi

ng

con

trac

tors

and

empl

oyee

s,ar

eve

rifi

edag

ain

stre

gula

tory

scre

enin

gda

taba

ses,

incl

udi

ng

ata

min

imu

m,c

redi

t,cr

imin

al,

dru

g,an

dem

ploy

men

tch

ecks

.For

pers

onn

elw

ith

acce

ssto

cust

omer

and

com

pan

yco

nfi

den

tial

info

rmat

ion

,su

chba

ckgr

oun

dch

ecks

are

re-p

erfo

rmed

ever

ytw

oye

ars.

For

ase

lect

ion

ofn

ewh

ires

,in

clu

din

gco

ntr

acto

rsan

dem

ploy

ees,

insp

ecte

dth

eba

ckgr

oun

dch

ecks

and

dete

rmin

edth

atse

lect

edpe

rson

nel

succ

essf

ull

yco

mpl

eted

back

grou

nd

chec

ksin

clu

din

g,cr

edit

,cri

min

al,

dru

gan

dem

ploy

men

tch

ecks

prio

rto

bein

gh

ired

byC

ompa

ny

X.

For

ase

lect

ion

ofpe

rson

nel

wit

hac

cess

tocu

stom

eran

dco

mpa

ny

con

fide

nti

alin

form

atio

n,i

nsp

ecte

dth

eba

ckgr

oun

dch

ecks

and

dete

rmin

edth

atse

lect

edpe

rson

nel

succ

essf

ull

yco

mpl

eted

back

grou

nd

chec

ksin

clu

din

g,cr

edit

,cri

min

al,d

rug

and

empl

oym

ent

chec

ksev

ery

two

year

s.

No

exce

ptio

ns

not

ed.

CC

1.5

Th

een

tity

hol

dsin

divi

dual

sac

cou

nta

ble

for

thei

rin

tern

alco

ntr

olre

spon

sibi

liti

esin

the

purs

uit

ofob

ject

ives

.

Com

pan

yX

man

agem

ent

and

the

boar

dof

dire

ctor

spe

rfor

man

nu

alpe

rfor

man

ceev

alu

atio

ns

toco

mm

un

icat

ean

dh

old

indi

vidu

als

acco

un

tabl

efo

rpe

rfor

man

ceof

inte

rnal

con

trol

resp

onsi

bili

ties

.Th

epe

rfor

man

ceev

alu

atio

nis

sign

edby

the

man

ager

and

empl

oyee

.Cor

rect

ive

acti

ons,

incl

udi

ng

trai

nin

gor

san

ctio

ns,

asn

eces

sary

.E

ach

Com

pan

yX

depa

rtm

ent,

such

asO

pera

tion

s,Q

ual

ity

Ass

ura

nce

,Sof

twar

eD

evel

opm

ent,

Info

rmat

ion

Sec

uri

ty,

Infr

astr

uct

ure

,Hu

man

Res

ourc

es,L

egal

,C

ompl

ian

ce,I

nte

rnal

Au

dit,

Fin

ance

,C

ust

omer

Su

ppor

t,h

old

peri

odic

(wee

kly)

mee

tin

gsto

mon

itor

and

man

age

resp

ecti

vede

part

men

t'spr

ogre

ssor

lack

ther

eof

asit

rela

tes

toth

eir

ach

ieve

men

tof

depa

rtm

ent's

resp

onsi

bili

ties

.

For

ase

lect

ion

ofpe

rson

nel

,wh

eth

eran

empl

oyee

,con

trac

tor,

orem

ploy

ee,i

nsp

ecte

dth

epe

rson

nel

file

and

dete

rmin

edth

atan

nu

alpe

rfor

man

ceev

alu

atio

ns

wer

epe

rfor

med

incl

udi

ng

acti

onit

ems

for

any

shor

tcom

ings

orde

cisi

onto

term

inat

eth

eem

ploy

men

t,an

dth

atev

alu

atio

ns

wer

esi

gned

byth

em

anag

eran

dth

eem

ploy

ee.

For

ase

lect

ion

ofw

eekl

yde

part

men

tm

eeti

ngs

insp

ecte

dth

em

eeti

ng

min

ute

san

dde

term

ined

that

depa

rtm

ent's

prog

ress

ism

onit

ored

and

mea

sure

dby

resp

ecti

vede

part

men

th

eads

,in

clu

din

ges

cala

tion

orco

rrec

tive

acti

onas

nec

essa

ry.

No

exce

ptio

ns

not

ed. (c

onti

nu

ed)

©2020, AICPA AAG-SSC APP E

308 SOC for Supply Chain

Tru

stS

ervi

ces

Cri

teri

afo

rth

eS

ecu

rity

an

dA

vail

abi

lity

Ca

tego

ries

Des

crip

tion

Description of Company X's Controls | Practitioner's Tests of Controls | Results of Practitioner's Tests of Controls

Control: Management and the board of directors establish measurable goals and performance evaluation criteria, including incentives, other rewards, and sanctions appropriate for responsibilities at all levels of Company X, that are in alignment with Company's short-term and longer-term objectives. Established short-term and longer-term Company X goals and performance evaluation, reward and sanctions criteria for Company X executives are reviewed and approved annually by the Compensation Committee to ensure the goals and rewards consider pressures associated with the achievement of objectives.

Test: For a selection of roles, inspected Company X's documented goals, performance evaluation criteria and compensation matrix including incentives and rewards and determined that a formal process has been implemented for performance measures, incentives and rewards and that the goals documented for selected roles included both short-term and longer-term goals that aligned with Company X's short-term and longer-term goals. Inspected the annual Total Executive Compensation Package and determined that the Compensation Committee approved the package.

Result: No exceptions noted.

Control: Established short-term and longer-term Company X goals and performance evaluation, reward and sanctions criteria for Company X executives are reviewed and approved annually by the Compensation Committee to ensure the goals and rewards consider pressures associated with the achievement of objectives.

Test: For a selection of roles, inspected the annual Total Executive Compensation Package approved by the Compensation Committee which included Company X's documented goals, performance evaluation criteria and compensation matrix including incentives and rewards and determined that a formal process has been implemented for performance measures, incentives and rewards and that the goals documented for selected roles consider excessive pressures or conflicting goals and evaluation criteria.

Result: No exceptions noted.

AAG-SSC APP E ©2020, AICPA

Illustrative SOC for Supply Chain Report 309


Control: Management and the board of directors evaluate performance of internal control responsibilities, providing rewards and sanctions appropriate for responsibilities, considering the achievement of both short-term and longer-term objectives.

Test: For a selection of personnel, inspected the personnel file and determined that annual performance evaluations were performed including action items for any shortcomings and that rewards or disciplines documented were consistent with the goals and performance evaluation criteria approved by the Compensation Committee.

Result: No exceptions noted.

Information and Communication

CC2.1 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

Control: Company X performs an assessment at least annually to identify the information required and expected to support the internal control and the achievement of Company X's system objectives. Company X's most valuable and sensitive intellectual property, critical designs, trade secrets, manufacturing dependencies, data and mission-critical systems ("crown jewels") are identified during the assessment, including internal and external sources of data.

Test: Inspected Company X's annual assessment and determined that it identifies the information required to support internal controls and the achievement of Company X's system objectives, including identification of most valuable and sensitive intellectual property, critical designs, trade secrets, manufacturing dependencies, data and mission critical systems, i.e., "crown jewels," whether those are internal or external to Company X.

Result: No exceptions noted.

Control: Company X has implemented various processes and procedures relevant to security and availability to manufacture widgets in a timely, accurate and complete manner consistent with the Company's objectives. Company X has logical and physical security, change management, incident monitoring, and data classification, integrity, and retention controls, as necessary, with checks and balances woven into each applicable process to ensure quality of processing.

Test: Inspected Company X's documented policies and procedures as they relate to security and availability of its manufacturing process and determined that those document Company X's internal controls for manufacturing widgets that help achieve the Company's commitments and system requirements in a timely, accurate and complete manner.

Result: No exceptions noted.


CC2.2 The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Control: Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security of the system, is provided to personnel to carry out their responsibilities.

Test: Inspected Company X's intranet and determined that documented policies and procedures as they relate to security of most valuable data and mission critical systems are available to internal personnel on the intranet.

Result: No exceptions noted.

Control: Company X management and the board of directors meet quarterly and annually to communicate information needed to fulfill their roles with respect to the achievement of Company X's service commitments and system requirements. Company X has Incident Response policies and procedures in place that include an escalation plan based on the nature and severity of the incident to senior management and the board of directors as necessary.

Test: For a selection of quarters and the year, inspected the quarterly and annual board meeting minutes and determined that those minutes documented discussion of key items with respect to the achievement of Company X's system objectives, including progress, delays, risks, and challenges related to those key items as applicable. Inspected Company X's documented Incident Response policies and procedures and determined that they include an escalation tree and communication plans depending on the nature of the incident, including escalation to the Board, as necessary.

Result: No exceptions noted.

Control: Company X has anonymous third-party administered whistleblower hotlines available to internal and external users. Management monitors customer and workforce member complaints reported via the hotlines.

Test: Inspected Company X's website and test dialed the hotline number provided and determined that an anonymous third-party administered hotline is available. For a selection of customer and workforce member complaints logged via the third-party administered hotline, inspected the related documentation and determined that personnel who violated the code of business conduct were sanctioned as per the policy.

Result: No exceptions noted.


Control: Company X holds quarterly and annual Board meetings. In addition, for communication of an unforeseen event, Incident Response policies and procedures are in place that include an escalation plan based on the nature and severity of the incident to senior management and the board of directors as necessary.

Test: For a selection of quarters and the year, inspected the quarterly and annual board meeting minutes and determined that those documented discussion of key items with respect to the achievement of Company X's system objectives, including progress, delays, risks, and challenges related to those key items as applicable. Inspected Company X's documented Incident Response policies and procedures and determined that they include an escalation tree and communication plans depending on the nature of the incident, including escalation to the Board, as necessary.

Result: No exceptions noted.

Control: Company X's security commitments are communicated to external users (Company Y, GHI Corporation and other critical third parties), as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities. The responsibilities of internal users whose roles affect system operation are communicated to those parties. Responsibilities and policies and procedures posted on Company X's intranet are updated as necessary.

Test: Inspected Company X's intranet, customer portal, and websites and determined that documented responsibilities, policies and procedures as they relate to security commitments and responsibilities are available to internal personnel on the intranet and external personnel on Company X's websites and customer portals as applicable. For a selection of responsibilities, policies and procedures posted on the intranet, inspected the documents and determined that the history of changes with the date of change was documented.

Result: No exceptions noted.

Control: Internal and external users have been provided with information on how to report security failures, incidents, concerns, and other complaints to appropriate personnel.

Test: Inspected Company X's documented Incident Response policies and procedures and determined that they include an escalation tree and communication plans depending on the nature of the incident, including escalation to the Board, as necessary.

Result: No exceptions noted.


Control: Changes to Company X's principal system objectives are communicated to internal and external users, vendors, and other third parties (Company Y, GHI Corporation and other critical third parties) whose products and services are part of the system.

Test: Inspected Company X's intranet, customer portal, and websites and determined that documented responsibilities, policies and procedures as they relate to security commitments and responsibilities are available to internal personnel on the intranet and external personnel on Company X's websites and customer portals as applicable, and that those responsibilities, policies and procedures documented the history of changes with the date of change. For a selection of agreements with the suppliers, vendors, and critical third parties, inspected the agreements and determined that the agreement outlined Company X's requirements, including terms, conditions, and responsibilities for the suppliers, vendors, and critical third parties and that signed addenda to agreements were also maintained when changes to commitments and requirements occurred, as necessary.

Result: No exceptions noted.

Control: Management provides continued training about its security commitments and requirements for personnel to support the achievement of objectives. Management monitors compliance with security training requirements. Company X also provides user guides, security alerts and known issues on its websites and customer portal with information to improve security knowledge and awareness.

Test: Obtained the dates of and attendance sheets for the annual security training, as well as the quarterly security compliance updates for employees, and determined that employees had signed the attendance sheet for training sessions and updates on the specified dates. For a selection of personnel not present during the training dates, inspected management's training-related documentation and determined that the selected personnel were required to take the training subsequently within the examination period. Inspected Company X's customer portal and websites and determined that user guides and a history of security alerts and known issues with information to improve security knowledge and awareness were available.

Result: No exceptions noted.


Control: Company X posts a description of its system, system boundaries, and system processes that include infrastructure, software, people, processes and procedures, data, and raw materials on its intranet for internal users and on the Internet for external users.

Test: Inspected Company X's intranet and Internet descriptions of Company X's system, system boundaries, and system processes and determined that the description addressed infrastructure, software, people, processes and procedures, data, and raw materials for the in-scope technology and locations.

Result: No exceptions noted.

Control: Agreements are established with suppliers and business partners (Company Y, GHI Corporation and other critical third parties) that include clearly defined terms, conditions, and responsibilities for suppliers, vendors, and critical third parties.

Test: For a selection of agreements with the suppliers, vendors, and critical third parties, inspected the agreements and determined that the agreement outlined Company X's requirements, including terms, conditions, and responsibilities for the suppliers, vendors, and critical third parties.

Result: No exceptions noted.

Control: Planned changes to system components are reviewed, scheduled, and communicated to management as part of the weekly IT maintenance process. Planned changes to system components are communicated to external users (Company Y, GHI Corporation and other critical third parties) via Company X's website.

Test: For a selection of weeks, inspected weekly IT maintenance schedules and communications and determined that planned system changes were included and had been reviewed and signed off by IT management. Inspected Company X's customer portal and determined that a published calendar of upcoming system changes existed and that it communicated upcoming changes and their impact on users, if any.

Result: No exceptions noted.

Control Activities

CC5.1 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Control: As part of its annual risk assessment, management linked the identified risks to controls that have been designed and operated to address them. When the need for new controls is identified, management develops the requirements for the new controls and uses the change management process to implement them.

Test: Obtained and inspected the annual risk assessment documentation to determine that new controls were implemented for any risks not adequately addressed by existing controls. Inspected a sample of system change requests to determine that the change management process was followed.

Result: No exceptions noted.


Control: As part of the risk assessment, management assessed the environment, complexity, nature and scope of its operations when developing control activities to mitigate the risks.

Test: Obtained and inspected the risk assessment documentation to determine whether management assessed the environment, complexity, nature and scope of its operations when developing control activities to mitigate the risks.

Result: No exceptions noted.

Control: When management identifies the need for new controls, management considers a mix of control activities, including both manual and automated controls and preventive and detective controls.

Test: Obtained and inspected the risk assessment documentation to determine whether management considered a mix of control activities to mitigate the identified risks.

Result: No exceptions noted.

Control: Company X has designed application-enforced segregation of duties to define what privileges are assigned to users within the MCS.

Test: Inspected the access control policy to determine whether application controls were designed to enforce segregation of duties for users within the MCS.

Result: No exceptions noted.

CC5.2 The entity also selects and develops general control activities over technology to support the achievement of objectives.

Control: As part of the IT strategic plan, strategic IT risks affecting the organization and recommended courses of action are identified and discussed. The plan is developed annually by the CIO and approved by senior management and the Security Steering Committee.

Test: Inspected the annual IT strategic plan documentation to determine whether IT risks affecting the organization and recommended courses of action were identified and discussed and whether the plan was approved by senior management and the Security Steering Committee.

Result: No exceptions noted.

Control: Management developed a list of control activities to manage the technology infrastructure risks identified during the annual risk assessment process.

Test: Inspected the risk assessment, internal audit plan and audit program for the calendar year to determine whether management developed and implemented control activities over the technology infrastructure.

Result: No exceptions noted.

Control: Management developed a list of control activities to manage the security access management risks identified during the annual risk assessment process.

Test: Inspected the risk assessment, internal audit plan and audit program for the calendar year to determine whether management developed and implemented control activities designed to restrict technology access rights to authorized users commensurate with their job responsibilities and protect corporate assets from external threats.

Result: No exceptions noted.


Control: Company X employs organization-defined tailored acquisition strategies and procurement methods for the purchase, development, and maintenance of information systems, system components, or information system services from technology suppliers.

Test: Inspected the procurement policy manual to determine whether management employed acquisition strategies and procurement methods for the purchase, development, and maintenance of information systems, system components, or information system services from technology suppliers.

Result: No exceptions noted.

Control: Company X has a formalized security and systems development methodology that includes project planning, design, testing, implementation, maintenance, and disposal or decommissioning.

Test: Inspected the systems development methodology document to determine whether it included project planning, design, testing, implementation, maintenance, and disposal or decommissioning.

Result: No exceptions noted.

Control: Company X uses a standardized server build checklist to help secure its servers.

Test: For a selection of servers, inspected the associated server build checklist to determine whether standardized checklists were used to help secure servers.

Result: No exceptions noted.

Control: Patches are applied regularly in accordance with Company X's patch management procedures.

Test: For a selection of patches, inspected the associated patching documentation as well as the patch management procedures to determine whether patches were applied regularly in accordance with Company X's patch management procedures.

Result: No exceptions noted.

Control: Company X utilizes firewalls, an intrusion detection system (IDS), an intrusion prevention system (IPS), and operating system event logs to protect its environment. Alerts are configured around the utilities to notify the security administration team of potential security threats or incidents.

Test: Observed the firewall configurations, the intrusion detection system, the intrusion prevention system, and operating system event logs to determine whether system monitoring utilities were in place to protect the environment. Observed the alert settings for the firewalls, the IDS, the IPS, and the operating system event logs to determine whether alerts were in place to notify the security administration team of potential security threats or incidents.

Result: No exceptions noted.


Control: On a daily basis, the security administration team reviews the following security incident and event monitoring (SIEM) reports:

• failed object level access;
• daily IDS or IPS attacks;
• critical IDS or IPS alerts;
• devices not reporting in the past 24 hours;
• failed login detail;
• firewall configuration changes;
• Windows policy changes; and
• Windows system shutdowns and restarts.

Security events requiring further investigation are tracked using a help desk ticket and monitored until resolved.

Test: For a selection of days, inspected the SIEM reports and verified that the security administration team reviewed the SIEM reports on a daily basis.

Result: No exceptions noted.
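The daily review described in the control above can be expressed as a small piece of detection logic. The following is an added example, not code from the AICPA illustrative report or from Company X: it parses a constructed SIEM-style export, groups one day's events into the eight report categories the control lists, computes "devices not reporting in the past 24 hours" from a constructed device inventory, and derives the items that would become help desk tickets. The log line format, the hostnames and user names, the device inventory, and the threshold of three failed logins per account and source before a ticket is raised are all assumptions made for the example; the report states none of them.

```python
"""Daily review of SIEM-style report categories over constructed log lines.

Added example (not from the AICPA illustrative report). It builds the summary
the control says the security administration team reviews each day and lists
the items that would need a help desk ticket tracked until resolved.
Every event, host, user and threshold below is constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export: "<ISO timestamp> <host> <category> key=value ..."
SAMPLE_EVENTS = """\
2020-03-02T00:10:00 fw01 firewall_config_change rule=allow-tcp-443 user=fwadmin
2020-03-02T01:05:00 dc01 failed_login user=jsmith src=10.0.0.5
2020-03-02T01:05:30 dc01 failed_login user=jsmith src=10.0.0.5
2020-03-02T01:06:00 dc01 failed_login user=jsmith src=10.0.0.5
2020-03-02T01:30:00 dc01 failed_login user=mlee src=10.0.0.9
2020-03-02T02:00:00 ips01 ids_ips_alert severity=critical sig=constructed-sig-1
2020-03-02T03:00:00 srv07 windows_policy_change policy=audit-policy
2020-03-02T04:00:00 srv07 system_restart reason=patch-window
2020-03-02T05:00:00 mcs01 failed_object_access object=designs/widget-v2.dwg user=bob
2020-03-02T06:00:00 ips01 ids_ips_alert severity=low sig=constructed-sig-2
"""

# Constructed device inventory: last time each monitored device checked in.
SAMPLE_INVENTORY = {
    "fw01": "2020-03-02T00:10:00",
    "dc01": "2020-03-02T01:30:00",
    "ips01": "2020-03-02T06:00:00",
    "srv07": "2020-03-02T04:00:00",
    "mcs01": "2020-03-02T05:00:00",
    "srv09": "2020-02-28T22:00:00",  # silent for more than 24 hours
}

# Assumed ticketing threshold; the report does not state one.
FAILED_LOGIN_TICKET_THRESHOLD = 3


def parse_events(text):
    """Parse the constructed export format into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, category, *rest = line.split(" ", 3)
        fields = dict(kv.split("=", 1) for kv in rest[0].split()) if rest else {}
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "category": category, **fields})
    return events


def daily_review(events, inventory, as_of, silent_after=timedelta(hours=24)):
    """Group one day's events into the report categories and derive tickets."""
    def by_cat(cat):
        return [e for e in events if e["category"] == cat]

    alerts = by_cat("ids_ips_alert")
    failed_logins = Counter((e["user"], e["src"]) for e in by_cat("failed_login"))
    # A device is "not reporting" when its last check-in is older than the window.
    silent = sorted(h for h, seen in inventory.items()
                    if as_of - datetime.fromisoformat(seen) > silent_after)
    review = {
        "failed_object_access": [(e["user"], e["object"]) for e in by_cat("failed_object_access")],
        "ids_ips_attacks": len(alerts),
        "critical_ids_ips_alerts": [e["sig"] for e in alerts if e["severity"] == "critical"],
        "devices_not_reporting": silent,
        "failed_login_detail": failed_logins,
        "firewall_config_changes": [(e["host"], e["rule"], e["user"])
                                    for e in by_cat("firewall_config_change")],
        "windows_policy_changes": [(e["host"], e["policy"]) for e in by_cat("windows_policy_change")],
        "shutdowns_restarts": [(e["host"], e["category"]) for e in events
                               if e["category"] in ("system_shutdown", "system_restart")],
    }
    # Items requiring further investigation: each would become a help desk
    # ticket that is monitored until resolved.
    tickets = [f"critical IDS/IPS alert {sig}" for sig in review["critical_ids_ips_alerts"]]
    tickets += [f"device {h} not reporting for over {silent_after}" for h in silent]
    tickets += [f"{n} failed logins for {user} from {src}"
                for (user, src), n in failed_logins.items()
                if n >= FAILED_LOGIN_TICKET_THRESHOLD]
    review["tickets"] = tickets
    return review


def run_sample():
    """Build the review for the constructed data as of the following midnight."""
    return daily_review(parse_events(SAMPLE_EVENTS), SAMPLE_INVENTORY,
                        as_of=datetime(2020, 3, 3, 0, 0, 0))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed data the review counts two IDS/IPS alerts of which one is critical, finds srv09 silent for more than 24 hours, and raises three tickets (the critical alert, the silent device, and the three failed logins for one account from one source). Because the eight categories and the ticket rules are separate steps, a practitioner testing this control can check each report category against its source events independently.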

CC5.3 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Control: Company X's policy and procedure manuals address controls related to the MCS. Policy sections include
a. data classification and business impact assessment;
b. selection, documentation, and implementation of security controls;
c. assessment of security controls;
d. user access authorization and provisioning;
e. removal of user access; user provisioning and deprovisioning;
f. monitoring of security controls; and
g. security management.

Test: Inspected the policy and procedure manuals related to the MCS to determine whether they included section headings that addressed controls over the significant aspects of system operations.

Result: No exceptions noted.


Control: Application TRK is installed to enhance the workflow and approval process in support of the policies.

Test: Observed Application TRK to determine whether it was installed to enhance the workflow and approval process in support of the policies.

Result: No exceptions noted.

Control: An information security policy is in place to help ensure that employees understand their individual roles and responsibilities concerning processing and controls.

Test: Inspected the information security policy to determine whether the policy was in place and whether it detailed roles and responsibilities concerning processing and controls.

Result: No exceptions noted.

Control: The Company's Security Steering Committee is charged with establishing, maintaining, and enforcing the overall security policies and procedures.

Test: Inspected a sample of minutes from quarterly Security Steering Committee meetings to determine whether the committee was charged with establishing, maintaining, and enforcing the overall security policies and procedures.

Result: No exceptions noted.

Control: As part of its Quality Assurance System (QAS), Company X performs quarterly reviews for changes to organizational policies, processes, specifications and results.

Test: For a selection of quarters, inspected the quarterly review documentation as well as the updated policies and procedures and determined that Company X performed quarterly reviews for changes to organizational policies, processes, specifications and results.

Result: No exceptions noted.

Control: The information security team monitors the results of vulnerability assessments on a monthly basis. The information security team uses these results to identify necessary changes to the policies and procedures.

Test: For a selection of months, inspected the vulnerability assessments as well as the related review documentation to determine whether the results of vulnerability assessments were monitored on a monthly basis. Further, inspected the policy and procedure manuals and verified that necessary changes were made as a result of reviewing the results of the vulnerability assessments.

Result: No exceptions noted.


Description of Company X's Controls: The Chief Risk Officer is responsible for creating, updating, communicating, and monitoring procedures and control activities based on the specifications set forth in the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) standards.

Practitioner's Tests of Controls: Inspected the job description for the Chief Risk Officer to determine whether the individual's responsibilities included updating, communicating, and monitoring procedures and control activities. Inspected the policy and procedure manuals as well as related review documentation to determine whether procedures and control activities were updated based on ISO and IEC standards.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Company X has written job descriptions specifying the responsibilities and the academic and professional requirements for key job positions. Human resources personnel screen internal and external job applicant qualifications based on the defined requirements within the job description. Transcripts are obtained to evidence educational attainment, and job references are checked to validate experience.

Practitioner's Tests of Controls: For a sample of key positions, inspected written job descriptions to determine whether the job descriptions included responsibilities and academic and professional requirements. For a sample of employees, inquired of the employees about their understanding of their job responsibilities, academic qualifications, and professional certifications and compared their responses for consistency to the documented responsibilities, and academic and professional requirements documented in the job description applicable to their position. For a sample of new employees and employees who have transferred internally, inspected the personnel file to determine whether transcripts were obtained, and job references were checked.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Company X's policy and procedure manuals are reviewed annually by the CIO, Vice President of Operations, and the Security Officer for consistency with the organization's risk mitigation strategy and updated as necessary for changes in the strategy.

Practitioner's Tests of Controls: Inspected the policy and procedure manuals to ascertain whether policies and procedures had been updated for changes in the risk mitigation strategy. Inspected documentation of the annual review of the policy and procedures manuals by the CIO, Vice President of Operations, and the Security Officer.

Results of Practitioner's Tests of Controls: No exceptions noted.

Logical and Physical Access

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Description of Company X's Controls: The company identifies, classifies and manages an inventory of information assets through an access database. The inventory is reviewed and approved by management on an annual basis.

Practitioner's Tests of Controls: Inspected the access database to determine whether an inventory is maintained and information assets are classified. Inspected documentation of management's review and approval of the inventory and classification.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: The Company monitors system components through an automated management interface to log, track, and maintain inventory components.

Practitioner's Tests of Controls: Inspected the automated inventory management tool to determine that the tool is in place to monitor the system components. Inspected information system inventory records from the inventory management tool to determine that the tool was providing necessary information to manage assets.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Logical access to information assets is restricted through use of access control software and rule sets.

Practitioner's Tests of Controls: Inspected information systems configuration to determine whether access control software and rule sets were used to restrict access.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Production systems are configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements.

Practitioner's Tests of Controls: Inspected the Information Security Policy to determine whether unique user accounts are required and minimum password requirements for production systems are defined.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Administrative access to Active Directory, Unix, SCM systems and system servers and databases is restricted to authorized employees.

Practitioner's Tests of Controls: Inspected information systems configuration to determine whether administrative access to Active Directory, UNIX, SCM systems, servers, and databases is restricted to authorized employees.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Company X's transportation providers, assembly providers (user entities), treating facilities, and component providers (subcontractors) are approved for access by an authorized user.

Practitioner's Tests of Controls: Inspected a sample of documented user entity and subcontractor requests for access to the system to determine whether they were approved for access by an authorized user. Inspected a sample of user access configurations and determined that system configurations aligned to approved requests.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Company X permits remote access to production systems by authorized employees only with multi-factor authentication (MFA) over encrypted virtual private network (VPN) connection.

Practitioner's Tests of Controls: Observed a remote login session to determine that MFA VPN was required to access the production network.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Web servers utilize TLS certificates for encrypted web communication sessions. TLS certificates are monitored for renewal.

Practitioner's Tests of Controls: Inspected login portal for each of the in-scope information assets to determine whether web communication sessions were secured through TLS certificates. Inspected certificate expiration report to determine whether TLS certificates were valid and renewals were tracked.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: In-scope system components require unique username and passwords (or authorized SSH keys) prior to authenticating users.

Practitioner's Tests of Controls: Inspected login attempts to determine that the in-scope system components required authentication measures for users.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: End user and server workload network traffic is segmented to support isolation.

Practitioner's Tests of Controls: Inspected the network diagram and configurations to determine that customer environments and data are segmented.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Inbound internet traffic terminates at hosts in the DMZ which is separate from the LAN.

Practitioner's Tests of Controls: Observed firewall system configurations to determine whether inbound Internet traffic terminated at hosts in the DMZ which was separate from the LAN.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: A data classification policy is in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Practitioner's Tests of Controls: Inspected the data classification policy to determine that procedures existed around classifying and protecting confidential information.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: SSL certificates are used at the entry-point firewalls to information assets to establish access control rules.

Practitioner's Tests of Controls: Inspected the SSL certificates for verification, issuance, signature algorithm, and validity date.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Passwords for in-scope system components are configured according to the Company X's policy, which (a) requires eight-character minimum and 90-day password changes; (b) is complexity enabled; and (c) locks users out of the system after three invalid attempts.

Practitioner's Tests of Controls: Inspected in-scope system components to determine that passwords were configured according to company policy.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: All new software and devices installed on the network or in the manufacturing facility go through a change management process, which includes establishing appropriate credentials for said software and/or devices to operate on company infrastructure.

Practitioner's Tests of Controls: Inspected a sample of new software and devices installed on the network to determine whether appropriate user credentials were established and user accounts settings aligned to security policies.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Databases housing sensitive customer data are encrypted at rest.

Practitioner's Tests of Controls: Inspected database configurations to determine that databases were encrypted at rest.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Encryption keys used by integrated services are encrypted themselves with a unique master key.

Practitioner's Tests of Controls: Inspected the configuration for the encryption process to determine that encryption activities use an acceptable cryptographic algorithm.

Results of Practitioner's Tests of Controls: No exceptions noted.

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

Description of Company X's Controls: Access to in-scope system components requires a documented access request form and manager approval and authorization prior to access being provisioned.

Practitioner's Tests of Controls: Inspected access requests forms for a sample of new hires that received access to the in-scope system components to determine that an access provisioning request was approved prior to access being provisioned.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: IT is notified of terminations by email from HR. Access is removed/disabled from the network, and in-scope applications timely.

Practitioner's Tests of Controls: Compared a system-generated list of active users to a system-generated list of terminated employees to determine whether any terminated employees had access to the in-scope applications.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: A termination checklist is completed and access is revoked for employees within 24 hours as part of the termination process.

Practitioner's Tests of Controls: Inspected termination tickets for a sample of terminated employees during the review period to determine that access was revoked within 24 hours as a part of the termination process.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Management performs a quarterly access review for the in-scope system components to ensure that access is restricted appropriately. Tickets are created to remove access as necessary in a timely manner.

Practitioner's Tests of Controls: Inspected access review documentation for sample of quarters to determine that an access review was performed for in-scope system components and that tickets were created to remove inappropriate access.

Results of Practitioner's Tests of Controls: No exceptions noted.
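As an added example (not part of the AICPA illustrative report, and not a Company X tool), the two CC6.2 deprovisioning tests above written as an automated evidence check: a system-generated active-user list is reconciled against an HR termination list, and each termination ticket is checked for revocation within 24 hours. The user names, timestamps and record layout are constructed sample data and assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Revocation deadline stated in the control description (24 hours).
REVOCATION_SLA = timedelta(hours=24)


@dataclass(frozen=True)
class Termination:
    """One terminated employee: HR termination time and the ticket's revocation time (None if never recorded)."""
    user_id: str
    terminated_at: datetime
    access_revoked_at: Optional[datetime]


# Constructed sample evidence (not Company X data): a system-generated
# active-user list and a termination list with ticket timestamps.
ACTIVE_USERS: Set[str] = {"alice", "bob", "carol", "dave"}
TERMINATIONS: List[Termination] = [
    # ticket closed within 24 hours, yet the account is still active: exception
    Termination("bob", datetime(2021, 3, 1, 9, 0), datetime(2021, 3, 1, 15, 30)),
    # gone from the active list, but revoked almost three days late: exception
    Termination("erin", datetime(2021, 3, 5, 17, 0), datetime(2021, 3, 8, 10, 0)),
    # no revocation recorded at all, and still active: fails both tests
    Termination("dave", datetime(2021, 3, 9, 8, 0), None),
    # clean case: revoked the same day and absent from the active list
    Termination("frank", datetime(2021, 3, 10, 8, 0), datetime(2021, 3, 10, 12, 0)),
]


def terminated_but_active(active: Set[str], terms: List[Termination]) -> List[str]:
    """Test 1: terminated employees who still hold an active account."""
    return sorted(t.user_id for t in terms if t.user_id in active)


def revoked_outside_sla(terms: List[Termination], sla: timedelta = REVOCATION_SLA) -> List[str]:
    """Test 2: from the termination tickets, return employees whose access was
    never recorded as revoked, or was revoked later than the SLA allows."""
    return sorted(t.user_id for t in terms
                  if t.access_revoked_at is None or t.access_revoked_at - t.terminated_at > sla)


def run_cc62_tests(active: Set[str], terms: List[Termination]) -> dict:
    """Run both tests and phrase the outcome the way the results column does."""
    still_active = terminated_but_active(active, terms)
    late = revoked_outside_sla(terms)
    result = "Exceptions noted." if still_active or late else "No exceptions noted."
    return {"still_active": still_active, "revoked_outside_sla": late, "result": result}


if __name__ == "__main__":
    for key, value in run_cc62_tests(ACTIVE_USERS, TERMINATIONS).items():
        print(f"{key}: {value}")
```

Note that "bob" is an exception even though his ticket was closed on time: the ticket and the account state disagree, which is exactly what comparing the two system-generated lists is meant to catch.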

Section 5 — Other Information Provided by Company X Management That Is Not Covered by the Accountant's Report

Note to Readers: The entity may wish to attach to the description of the manufacturer's system, or to include in a document containing the accountant's report, information in addition to its description. The following are examples of such information:

• Future plans for new systems.

• Other services provided by the organization that are not included in the scope of the engagement.

• Qualitative information, such as marketing claims, that may not be objectively measurable.

• Responses from management to deviations identified by the practitioner when such responses have not been subject to procedures by the practitioner.

For brevity, an example is not provided.


© 2020 Association of International Certified Professional Accountants. All rights reserved. AICPA and American Institute of CPAs are trademarks of the American Institute of Certified Public Accountants and are registered in the US, the EU and other countries. The Globe Design is a trademark owned by the Association of International Certified Professional Accountants and licensed to the AICPA. 2003A-52758