REVI-IT A/S, state authorised public accounting firm, Jens Kofods Gade 1, DK-1268 Copenhagen K, Phone 33 11 81 00, [email protected], revi-it.dk, CVR no. 30988531
Independent service auditor’s assurance report on the description of controls, their design and operating effectiveness regarding the operation of hosted services for the period 01-04-2016 to 31-03-2017
ISAE 3402-II
LESSOR Group CVR no.: 24240010
May 2017
LESSOR Group
REVI-IT A/S
Table of contents
Section 1: LESSOR Group’s statement (page 1)
Section 2: LESSOR Group’s description (page 2)
Section 3: Independent service auditor’s assurance report on the description of controls, their design and functionality (page 12)
Section 4: Control objectives, controls, tests, and related test controls (page 15)
Section 1: LESSOR Group’s statement
This description has been prepared for customers who have made use of LESSOR Group’s hosting services, and for their auditors who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers’ financial statements.
LESSOR Group confirms that:
(a) The accompanying description in Section 2 fairly presents LESSOR Group hosting services related to customer transactions processed throughout the period 01-04-2016 to 31-03-2017. The criteria for this statement were that the included description:
(i) Presents how the system was designed and implemented, including:
• The type of services provided, when relevant
• The procedures, within both information technology and manual systems, by which transactions are initiated, recorded, processed, corrected as necessary, and transferred to the reports presented to the customers
• Relevant control objectives and controls designed to achieve these objectives
• Controls that we assumed, in the design of the system, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by ourselves alone
• Other aspects of our control environment, risk assessment process, information system and communication, control activities and monitoring controls that were considered relevant to processing and reporting customer transactions.
(ii) Provides relevant details of changes in the service organisation’s system throughout the period 01-04-2016 to 31-03-2017
(iii) Does not omit or distort information relevant to the scope of the described system, while acknowledging that the description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important to their particular environment
(b) The controls related to the control objectives stated in the accompanying description were suitably designed and operated effectively throughout the period 01-04-2016 to 31-03-2017. The criteria used in making this statement were that:
(i) The risks that threatened achievement of the control objectives stated in the description were identified
(ii) The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved
(iii) The controls were consistently applied as designed, including that manual controls were applied by persons who have the appropriate competence and authority, throughout the period 01-04-2016 to 31-03-2017
Allerød, 3 May 2017
Section 2: LESSOR Group’s description
Description of Control and Hosting Environment
Introduction
The LESSOR Group is composed of:
• LESSOR A/S
• LESSOR GmbH
• Danske Lønsystemer A/S
• ilohngehalt internet services GmbH
• ISALAIRE EURL
• NORLØNN AS
• Łatwe Płace Sp. z o.o.
• quickpayroll Ltd.
• Swelönn AB
• Pagaveloce
• Hispanomina
The object of this description is to provide information to the customers of the LESSOR Group and their auditors concerning the requirements laid down in the international auditing standard for assurance reports on the controls at a service organisation (ISAE 3402).
In addition, the description aims to provide information about the controls used for the services we delivered during the period.
The description includes the control objectives and controls with the LESSOR Group, which comprise most of our customers and are based on our standard supplies. Individual customer relationships are not covered by this description.
The LESSOR Group has built up its control environment in accordance with ISO 27002.
LESSOR Group and our services
The LESSOR Group offers payroll and human resource management solutions in a number of countries. In Denmark, the LESSOR Group’s primary customer group comprises companies ranging from small businesses to some of the largest companies. In the other countries in which the LESSOR Group is also represented, the focus is fixed on small businesses with few employees.
In this regard, we offer all relevant security measures such as INERGEN® systems, cooling, redundant power sources and fiber lines and, last but not least, fully-equipped monitoring systems.
The LESSOR Group only offers professional cloud services.
Organisation and Responsibility
The company is characterized by a clear and transparent company structure.
The LESSOR Group employs approximately 100 employees. The organisational structure of the LESSOR Group includes the departments Administration, Economic and Operating Support as well as various product departments.
The employees of the LESSOR Group are thus responsible for the support of our own products as well as the hosting infrastructure. The support teams handle all incoming questions. They either solve the problems or pass on the task to the Operations Department for further processing.
Thus, the Operations Department acts as second line support and monitors existing operating solutions and other tasks associated with the day-to-day management of our hosting environment.
Risk Assessment and Management
Risk Assessment
IT Risk Analysis
LESSOR Group’s ISO team has produced a risk analysis. On an annual basis or in case of significant changes, the group carries out a risk assessment of the assets of the LESSOR Group. Both internal and external factors are taken into consideration.
The risk analysis provides an assessment of all risks identified. The risk analysis is updated on a yearly basis or in case of significant changes to ensure that the risks associated with the services provided are minimized to an acceptable level.
The responsibility for risk assessments lies with the CEO of the company, who also approves the risk analysis.
Handling of Security Risks
Risk Management Procedure
We have implemented a scoring system for risks associated with the provision of our services.
We assess the risks which we believe we are facing point by point. We make use of a simple calculation method for this purpose: ”probability %” * ”impact %”.
The acceptable level is 20%. We continuously assess if we can reduce the risks and take initiatives to address these risks.
Security Policy
IT Security Policy
IT Security Policy Document
We have defined our quality standards system based on the general objective of providing our customers with a stable and secure hosting solution. In order to comply with the objectives, we have implemented policies and procedures which ensure that our supplies are uniform and transparent.
Our IT security policy is produced in accordance with ISO 27002:2013 and applies to all employees and all deliveries.
Our methodology for the implementation of controls is defined with reference to ISO 27002:2013 (guidelines for information security management) and is thus divided into the following control areas:
• Information security policies
• Organisation of Information Security
• Employee safety
• Asset Management
• Conditional access
• Cryptography
• Physical security and environmental safeguards
• Operational safety
• Communication security
• Purchase, development and maintenance of systems
• Supplier relationships
• Information security breach management
• Information security aspects related to emergency and restoration management
• Compliance
We continue to improve both policies, procedures and Operations.
Evaluation of the IT Security Policy
We update the IT security policy regularly and at least once a year. The CEO approves the IT security policy.
Organisation of Information Security
Internal Organisation
Delegation of Responsibility for Information Security
Our organisation is divided into different areas of responsibility. We have prepared a number of detailed responsibility and role descriptions for employees on all levels.
Confidentiality has been established for all parties involved in our business. The confidentiality is ensured via employment contracts.
Separation of Functions
Through on-going documentation and processes, we try to eliminate or minimize the dependence on key management personnel. Tasks are assigned and defined via procedures (Jira) for managing the operational services.
Contact with Special Interest Groups
The operating staff subscribes to newsletters from e.g. DK-CERT and informs itself about substantial security-related circumstances on Internet traffic.
Mobile Equipment and Teleworking
Mobile Equipment and Communication
We have made it possible for our employees to work from home via a VPN connection with two-way authentication. No equipment (portable computers etc.) must be left unattended. Portable units are protected by HDD passwords, login information and HDD encryption.
Mobile devices (smartphones, tablets etc.) can be used for the synchronization of emails and the calendar. Besides the password, we have implemented no other security measures to ensure devices and user accesses.
Telecommuting
Only authorized persons are granted access to our network and thus potentially to systems and data. Our employees access the systems via telecommuting arrangements/SSH.
Security in Relation to Human Resource Management
Prior to Employment
Screening
We have implemented procedures for the recruitment of staff and established cooperation with an external partner to ensure that we employ the right candidate with regard to background and skills.
Conditions of Employment
The general terms of employment, e.g. confidentiality related to the customers’ and personal circumstances, are specified in the employment contracts/job descriptions of all employees, in which, among other things, the termination of employment and sanctions following security breaches are also described.
During Employment
Management’s Responsibility
All new employees sign a contract prior to commencement of their employment. The contract provides that the employee must comply with the policies and procedures existing at any time. The contract/job description clearly defines the responsibility and role of the employee.
Awareness of and Training Activities related to Information Security
Our assets are first of all our employees. We encourage our operating staff to maintain their qualifications, educations and certifications through training courses, lectures and other relevant activities to ensure that the employees concerned can be kept up to date with security and become aware of new threats.
Sanctions
The general terms of employment, e.g. confidentiality related to the customers’ and personal circumstances, are specified in the employment contracts of all employees, in which, among other things, the termination of employment and sanctions following security breaches are also described.
Responsibility related to the Termination of Employment
When an employee terminates, a procedure will be initiated to ensure that the employee returns all relevant assets, e.g. portable devices etc., and that the access to buildings, systems and data is withdrawn. The overall responsibility to ensure all control procedures upon termination of employment lies with the CEO of the company. The documentation related to the termination of employment is available in electronic form in the human resources department.
Asset Management
Responsibility for Assets
List of Assets
Servers and network equipment including configuration are registered to be used for documentation purposes and to gain an overview of equipment etc. In order to secure against unauthorized access and to ensure the transparency of the structure, we have prepared some documents describing the internal network including units, naming of units, logical division of the network etc.
The documentation for equipment is updated on a regular basis and reviewed at least once a year by our operating staff.
Ownership of Assets
Central network units, servers, peripheral units, systems and data are owned by operating staff members of the LESSOR Group. The customer’s contact person owns the customers’ data.
Acceptable Use of Assets
This subject is described in the employee handbook.
Return of Assets
When an employee terminates, a procedure will be initiated to ensure that the employee returns all relevant assets, e.g. portable devices etc., and that the access to buildings, systems and data is withdrawn. The overall responsibility to ensure all control procedures upon termination of employment lies with the CEO of the company. The documentation related to the termination of employment is available in electronic form in the human resources department.
Media Handling
Managing Portable Devices
We ensure, to the best possible extent, that the portable devices of our employees, e.g. portable computers, cell phones etc., are configured at the same security level as all other devices of the environment. We also ensure that all data equipment is updated when new security measures are finalized.
Access Control
Access Control Requirements
Conditional Access Policies
The manner in which the granting of access is handled is described in a policy document. The policy is part of our IT security policy.
User Access Administration
Procedures for Creation and Deletion of User Profiles
The user profiles of our customers are created solely due to the wishes of our customers. In some of the systems, the end customer himself creates his user profile without interference by the employees of the LESSOR Group. Our own users are created as superusers to ensure that our support teams are able to provide professional service.
All user profiles must be personally identifiable. The access to passwords for accounts which are only used by systems (service users) is limited to few authorized persons.
Grant of Rights
The grant of privileges is controlled in accordance with the regular user administration process. Privileges are only granted on a need-to basis.
Handling of Confidential Login Information
Personal login information is known only by the employee and subject to a password policy to ensure the complexity.
Evaluation of User Access Rights
Periodically, i.e. once a year, we review the internal systems of the company including user profiles and access levels to ensure that the procedure related to the termination of employment is followed and that the customers’ data cannot be accessed by former employees of the LESSOR Group.
User Responsibility
Use of Confidential Password
The IT security policy provides that all employee passwords must be personal and that only the user knows the password. Passwords for service accounts etc. that cannot be used for logging in and which are not changed for systemic reasons are stored in a separate system. Only four members of the LESSOR Group can access this system.
Control of Access to Systems and Data
Limited Access to Data
The access for our employees is differentiated. Only systems, servers and data which are relevant to the area of work of each single employee are accessible.
System for the Administration of Passwords
All employees are subject to restrictions as regards the passwords to customer systems as well as the customers’ own systems. All users have passwords which are subject to restrictions related to the creation of the passwords. Some of our systems require that the password is complex and changed regularly. In other systems, the customer himself determines the change frequency and complexity of the password.
Physical Security
Secure Areas
The physical access to the data center of the LESSOR Group in Allerød is limited to three persons from the LESSOR Group who all have been provided with a key and a PIN code for the alarm system. The logical access is limited to the minimum. An employee of the LESSOR Group always accompanies external partners whose task is to service the equipment in the data center.
Maintenance of Equipment
Fire Safety
The LESSOR Group’s data center is protected against fire by two INERGEN® systems, one in each server room. Regular reviews are carried out to ensure that the INERGEN® system operates correctly. The LESSOR Group has made a service contract with the supplier including two annual servicing visits. Besides, both systems are continuously monitored for operational errors.
Cooling
In the LESSOR Group’s data center, two refrigeration systems are installed in each server room: a free cooling system and a traditional system, which also serves as a backup for the free cooling system. Regular reviews are carried out to ensure that all refrigeration systems operate correctly. The LESSOR Group has made a service contract with the supplier including four annual servicing visits. Besides, all refrigeration systems are continuously monitored for operational errors.
Backup Power (UPS and generator)
In the LESSOR Group’s data center, both UPS units and a standby generator are installed. There is a UPS unit in each server room and a common standby generator. Regular reviews are carried out to ensure that both the UPS units and the standby generator operate correctly. Both UPS systems are serviced once a year. The supplier of the installation services the standby generator once a year. Besides, both the UPS units and the standby generator are continuously monitored for operational errors.
Monitoring
The entrance to the data center is equipped with an alarm system and under video surveillance. All LESSOR Group hosting services including the infrastructure are monitored. The monitoring has been described and is being maintained continuously.
Safe Disposal or Reuse of Equipment
All data equipment is destroyed prior to disposal in order to ensure that no data is available.
Unattended User Equipment
All internal user accounts are centrally managed. Screens are locked after 10 minutes of inactivity. Thus, we minimize the risk of unauthorized access to confidential data.
Operational Safety
Operational Procedures and Responsibilities
Documented Operating Procedures
As some tasks are performed by one employee only, we have prepared some detailed descriptions in order to ensure that we can re-establish a given service in a new environment.
Change Management
All changes follow an implemented change management process and are documented in Jira.
Capacity Management
We have established a monitoring system for monitoring capacity constraints.
All incidents follow an implemented incident management process.
Protection against Malware
Measures against Malware
On Windows platforms, we have installed anti-virus software. On the firewall, we have installed an Intrusion Prevention System (IPS) to safeguard our systems against known malicious attacks.
Backup
Backup of data
We ensure that we will be able to recreate systems and data in an appropriate and correct manner in accordance with the agreements concluded with our customers. We have, for that purpose, developed a test to recreate systems and data. The test is performed on a regular basis, at least once a year.
Backups of our customers’ data take place with us. Backup copies are saved in electronic form on a physical location other than the data center.
Logging and Monitoring
Incident Logging
Network traffic and server logs are monitored and logged. All logged incidents are being reviewed. To be able to manage the monitoring and follow-up of incidents and to ensure that incidents are registered, prioritized, managed and escalated, we have implemented formal incident and event management procedures. The process is documented in Jira.
Protection of Login Information
Logs are uploaded to our own log server and protected against modification and deletion.
Administrator and Operator Logs
The administrator logging process is performed simultaneously with the ordinary logging process.
Time Synchronization
We make use of Internet NTP servers for synchronization of all servers.
Managing Software in Operating Systems
Via our patch process, we ensure that only approved and tested updates are being installed. All patching follows a patch management procedure.
Managing Technical Vulnerabilities
Safety warnings from DK-CERT (or others) are monitored and analysed. If relevant, they are installed on our internal systems within one month from the date of issue. Our internal solutions are subject to ongoing risk assessments.
Communication security
Network Measures
The IT security related to the system and data framework is made up by the Internet network, the remote network etc. All traffic, incoming as well as outgoing, is filtered by the firewall rules.
Ensuring Network Services
The customers access our systems via https. Data transferred from our systems to external partners are IP whitelisted and, if this is possible, sent via encrypted data protocols.
Our redundant firewall (a cluster solution) monitors all incoming traffic.
Network Division
Our network is divided into service segments to ensure independence between the offered services. Furthermore, test and production environments are divided into two segments.
Policies and Procedures for Data Transmission
If possible, all data from the LESSOR Group data center is transmitted via encrypted protocols.
The communication with users is carried out via emails, support forums or, only rarely, via fax.
Confidentiality Agreements
Confidentiality has been established for all parties involved in our business through employment contracts and cooperation agreements with subcontractors and partners.
Purchase, Development and Maintenance
Safety Requirements for Information Systems
Analysis and Specification of Safety Requirements
When a new system is implemented, a number of analysis and research procedures are performed in order to ensure that the system fully complies with the rules and security policies adopted by the LESSOR Group.
Change Management Procedures
All changes follow an implemented change management process.
Our test and production environments are logically and physically separated.
Limitation of Software Package Changes
Service packs and system specific updates, which may involve changes in functionality, are assessed and installed separately. Security updates are, as far as possible, implemented in all systems. In the first instance, they will be implemented only in the test environment. If the product manager accepts the updates (that is, if the service works as intended after the update process), the same security updates will be implemented in the production environment.
Supplier relationships
Information Security in Relation to Supplier Relationships
We require the same level of confidentiality from our suppliers as from our employees.
Managing Services from Third Parties
Managing Changes of Services
We do not hold review meetings with all suppliers but keep an ongoing contact with all of them.
Emergency Management
Information Security in Relation to Supplier Relationships
Emergency Planning
The LESSOR Group has prepared an emergency plan for the handling of an emergency. The emergency plan is anchored in the IT risk analysis and maintained at least once a year following the performance of the analysis.
The plan and the procedures are anchored in our operating documentation and procedures.
Testing, Maintenance and Re-evaluation of Emergency Plans
The plan is tested once a year as a part of our emergency preparedness procedure to ensure that the customers, at the lowest possible level, will be affected by an emergency.
Redundancy
We seek to ensure that all services are redundant to make sure that we, in the shortest possible time, will be able to re-establish the production environment in a new environment in case of non-repairable errors in the production environment. We continue to focus on this area.
Compliance
Review of Information Security
Independent Evaluation of Information Security
An evaluation is carried out by an external IT auditor when preparing the annual ISAE 3402 report.
Compliance with Security Policies and Standards
We carry out internal audits once a year in order to test if our internal policies and procedures are followed. The audits include all services and the infrastructure as well as other areas, if necessary.
Complementary Control Procedures
The customers of the LESSOR Group are, unless otherwise agreed, responsible for establishing connection to the servers of the LESSOR Group. Furthermore, the customers of the LESSOR Group are, unless otherwise agreed, responsible for:
• administration of their own user profiles
• their own Internet connection
• their own data
Changes implemented during the period
The following changes have been implemented during the period:
• Penetration testing
• Virtualization of servers
Section 3: Independent service auditor’s assurance report on the description of controls, their design and functionality
To the management of LESSOR Group, their customers and their auditors.
Scope
We have been engaged to report on LESSOR Group’s description, presented in Section 2. The description, as confirmed by the management of LESSOR Group in Section 1, covers LESSOR Group’s operating and hosting services in the period 01-04-2016 to 31-03-2017 as well as the design and operation of the controls related to the control objectives stated in the description.
Our opinion is issued with reasonable assurance.
LESSOR Group’s responsibility
LESSOR Group is responsible for preparing the description (Section 2) and the related statement (Section 1) including the completeness, accuracy and method of presentation of the description and statement. Additionally, LESSOR Group is responsible for providing the services covered by the description, and for the design, implementation and effectiveness of operating controls for achieving the stated control objectives.
REVI-IT A/S’ independence and quality control
We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.
The firm applies International Standard on Quality Control 1 and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.
REVI-IT A/S’ responsibility
Based on our procedures, our responsibility is to express an opinion on LESSOR Group’s description (Section 2) as well as on the design and functionality of the controls related to the control objectives stated in this description. We conducted our engagement in accordance with ISAE 3402, “Assurance Reports on Controls at a Service Organisation”, issued by IAASB. This standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.
An assurance engagement to report on the description, design and operating effectiveness of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in the service organisation’s description of its system, and the design and operating effectiveness of controls. The procedures selected depend on the service auditor’s judgment, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein and the suitability of the criteria specified by the service organisation, described in Section 2.
We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.
Limitations of controls at a service organisation
LESSOR Group’s description in Section 2 is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the systems that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organisation may become inadequate or fail.
Opinion
Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion were those described in LESSOR Group’s description in Section 2, and on the basis of this, it is our opinion that:
(a) the description of the controls, as they were designed and implemented throughout the period 01-04-2016 to 31-03-2017, is fair in all material respects
(b) the controls related to the control objectives stated in the description were suitably designed throughout the period 01-04-2016 to 31-03-2017 in all material respects
(c) the controls tested, which were the controls necessary for providing reasonable assurance that the control objectives in the description were achieved in all material respects, have operated effectively throughout the period 01-04-2016 to 31-03-2017.
Description of tests of controls
The specific controls tested, and the nature, timing and results of these tests are listed in the subsequent main section (Section 4).
Intended users and purpose
This assurance report is intended only for customers who have used LESSOR Group’s services and the auditors of these customers, who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves. This information serves to obtain an understanding of the customers’ information systems, which are relevant for the financial statements.
Copenhagen, 3 May 2017
REVI-IT A/S, State authorised public accounting firm
Henrik Paaske, State Authorised Public Accountant
Martin Brogaard Nielsen, IT Auditor, CISA, CRISC, CEO
Section 4: Control objectives, controls, tests, and related test controls
The following overview is provided to facilitate an understanding of the effectiveness of the controls implemented by LESSOR Group. Our testing of functionality comprised the controls that we considered necessary to provide reasonable assurance that the control objectives stated in the description were achieved during the period 01-04-2016 to 31-03-2017.
Thus, we have not necessarily tested all the controls mentioned by LESSOR Group in the description in Section 2.
Moreover, our statement does not apply to any controls performed at LESSOR Group’s customers, as the customers’ own auditors should perform this review and assessment.
We performed our tests of controls at LESSOR Group by taking the following actions:
Method: General description
Enquiry: Interview, i.e. enquiry with selected personnel at the company regarding controls
Observation: Observing how controls are performed
Inspection: Review and evaluation of policies, procedures, and documentation concerning the performance of controls
Re-performing control procedures: We have re-performed – or have observed the re-performance of – controls in order to verify that the control is working as assumed
A description and the results of our tests based on the tested controls appear from the tables on the following pages. To the extent that we have identified significant weaknesses in the control environment or deviations therefrom, we have specified this.
Risk assessment and management
Risk assessment
Control objective: To ensure that the company periodically performs an analysis and assessment of the IT risk profile.
No. 4.1
LESSOR Group’s control:
LESSOR Group’s ISO team has produced a risk analysis. On an annual basis or in case of significant changes, the group carries out a risk assessment of the assets of the LESSOR Group.
The responsibility for risk assessments lies with the CEO of the company, who also approves the risk analysis.
REVI-IT’s test:
We have enquired about the preparation of an IT risk analysis, and we have inspected the prepared IT risk analysis.
We have enquired about review of the IT risk analysis, and we have inspected documentation for review during the audit period.
We have enquired about the management’s approval of the IT risk analysis, and we have inspected documentation for management approval.
Test results:
No significant deviations noted.
Information security policies
Management direction for information security
Control objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
No. 5.1
LESSOR Group’s control:
We have defined our quality standards system based on the general objective of providing our customers with a stable and secure hosting solution. In order to comply with the objectives, we have implemented policies and procedures which ensure that our supplies are uniform and transparent.
Our IT security policy is produced in accordance with ISO 27002:2013 and applies to all employees and all deliveries.
We update the IT security policy regularly and at least once a year. The CEO approves the IT security policy.
REVI-IT’s test:
We have enquired about the preparation of an information security policy, and we have inspected the document.
We have enquired about review of the IT security policy, and we have inspected documentation for review during the audit period.
We have enquired about the management’s approval of the information security policy.
Test results:
No significant deviations noted.
Organisation of information security

Internal organisation

Control objective: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.

No. 6.1

LESSOR Group’s control:
Our organisation is divided into different areas of responsibility. We have prepared a number of detailed responsibility and role descriptions for employees on all levels.
Through ongoing documentation and processes, we try to eliminate or minimize the dependence on key management personnel. Tasks are assigned and defined via procedures (Jira) for managing the operational services.
The operating staff subscribes to newsletters from e.g. DK-CERT and informs itself about substantial security-related circumstances on Internet traffic.

REVI-IT’s test:
We have enquired about the allocation of responsibilities for information security, and we have inspected documentation for the allocation of responsibilities.
We have enquired about segregation of duties, and we have inspected documentation for segregation of duties.
We have enquired about guidelines for contact with authorities.
We have enquired about contact with interest groups, and we have inspected documentation for contact.
We have enquired about the decision on information security in connection with project management, and we have inspected the project model.

Test results:
No significant deviations noted.
Mobile devices and teleworking

Control objective: To ensure the security of teleworking and use of mobile devices.

No. 6.2

LESSOR Group’s control:
Mobile devices (smartphones, tablets etc.) can be used for the synchronization of emails and the calendar. Besides the password, we have implemented no other security measures to ensure devices and user accesses.
Only authorized persons are granted access to our network and thus potentially to systems and data. Our employees access the systems via telecommuting arrangements/SSH.

REVI-IT’s test:
We have enquired about the management of mobile devices, and we have inspected the solution.
We have enquired about the security of teleworking, and we have inspected the solution.

Test results:
No significant deviations noted.
Human resource security

Prior to employment

Control objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

No. 7.1

LESSOR Group’s control:
We have implemented procedures for the recruitment of staff and established cooperation with an external partner to ensure that we employ the right candidate with regard to background and skills.
The general terms of employment, e.g. confidentiality related to the customers’ and personal circumstances, are specified in the employment contracts/job descriptions of all employees.

REVI-IT’s test:
We have enquired about a procedure for screening new employees, and we have inspected the procedure.
In spot checks, we have inspected documentation for the procedure being followed.
We have enquired about the formalisation of terms of employment, and in spot checks we have inspected documentation for the formalisation of terms of employment.

Test results:
No significant deviations noted.
During employment

Control objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

No. 7.2

LESSOR Group’s control:
We encourage our operating staff to maintain their qualifications, education and certifications through training courses, lectures and other relevant activities to ensure that the employees concerned can be kept up to date with security and become aware of new threats.
The general terms of employment, e.g. confidentiality related to the customers’ and personal circumstances, are specified in the employment contracts of all employees.

REVI-IT’s test:
We have enquired about the management’s responsibility for disseminating information security criteria, and we have inspected the guidelines for dissemination.
We have enquired about further training of employees, and in spot checks we have inspected documentation for further training.
We have enquired about guidelines for disciplinary processes, and we have inspected the guidelines.

Test results:
No significant deviations noted.
Termination and change of employment

Control objective: To protect the organisation’s interests as part of the process of changing or terminating employment.

No. 7.3

LESSOR Group’s control:
The general terms of employment, e.g. confidentiality related to the customers’ and personal circumstances, are specified in the employment contracts of all employees.

REVI-IT’s test:
We have enquired about the formalisation of obligations applicable after the termination of employees.
In spot checks, we have inspected documentation for the matter.

Test results:
No significant deviations noted.
Asset management

Responsibility for assets

Control objective: To identify organisational assets and define appropriate protection responsibilities.

No. 8.1

LESSOR Group’s control:
Servers and network equipment including configuration are registered to be used for documentation purposes and to gain an overview of equipment.
Central network units, servers, peripheral units, systems and data are owned by operating staff members of the LESSOR Group.
Acceptable use is described in the employee handbook.
When an employee terminates, a procedure will be initiated to ensure that the employee returns all relevant assets.

REVI-IT’s test:
We have enquired about inventories of assets, and in spot checks we have inspected inventories of assets.
We have enquired about ownership of assets, and we have inspected the allocation of ownership of assets.
We have enquired about guidelines for acceptable use of assets, and we have inspected these guidelines.
We have enquired about a procedure for securing the return of assets, and we have inspected the procedure.
In spot checks, we have inspected documentation for the return of assets.

Test results:
No significant deviations noted.
Information classification

Control objective: To ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation.

No. 8.2

LESSOR Group’s control:
Servers and network equipment including configuration are registered to be used for documentation purposes and to gain an overview of equipment.
Central network units, servers, peripheral units, systems and data are owned by operating staff members of the LESSOR Group. The customer’s contact person owns the customers’ data.

REVI-IT’s test:
We have enquired about guidelines for the classification and labelling of data, and we have inspected the guidelines.
We have enquired about guidelines for data management, and we have inspected the guidelines.

Test results:
No significant deviations noted.
Media handling

Control objective: To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

No. 8.3

LESSOR Group’s control:
We ensure, to the best possible extent, that the portable devices of our employees, e.g. portable computers, cell phones etc., are configured at the same security level as all other devices of the environment.
All data equipment is destroyed prior to disposal in order to ensure that no data is available.

REVI-IT’s test:
We have enquired about guidelines for the use of removable media, and we have inspected the guidelines.
We have enquired about the disposal of media, and we have inspected documentation for secure disposal.
We have enquired about a procedure for protecting removable media during transport, and we have inspected the procedure.

Test results:
No significant deviations noted.
Access control

Business requirements

Control objective: To limit access to information and information processing facilities.

No. 9.1

LESSOR Group’s control:
The manner in which the granting of access is handled is described in a policy document. The policy is part of our IT security policy.

REVI-IT’s test:
We have enquired about policies for managing access to systems and premises, and we have inspected the policies.
We have enquired about procedures for managing access to network and network services, and we have inspected selected procedures.

Test results:
No significant deviations noted.
User access management

Control objective: To ensure authorised user access and to prevent unauthorised access to systems and services.

No. 9.2

LESSOR Group’s control:
All user profiles must be personally identifiable.
The grant of privileges is controlled in accordance with the regular user administration process. Privileges are only granted on a need-to basis.
Periodically, i.e. once a year, we review the internal systems of the company including user profiles and access levels to ensure that the procedure related to the termination of employment is followed.

REVI-IT’s test:
We have enquired about a procedure for user management, and we have inspected the procedure.
We have enquired about a procedure for the allocation of rights, and we have inspected the procedure.
In spot checks, we have inspected documentation for the creation of users and allocation of rights.
We have enquired about control with privileged rights, and we have inspected selected controls.
We have enquired about a process for the disclosure of logon information, and we have inspected the process.
We have enquired about periodic review of users, and we have inspected documentation for review during the audit period.
We have enquired about a procedure for revoking access rights, and we have inspected the procedure.
In spot checks, we have inspected documentation for timely revocation of access rights.

Test results:
No significant deviations noted.
User responsibilities

Control objective: To make users accountable for safeguarding their authentication information.

No. 9.3

LESSOR Group’s control:
The IT security policy provides that all employee passwords must be personal and that only the user knows the password.

REVI-IT’s test:
We have enquired about guidelines for managing confidential passwords, and we have inspected the guidelines.

Test results:
No significant deviations noted.
System and application access control

Control objective: To prevent unauthorised access to systems and applications.

No. 9.4

LESSOR Group’s control:
The access for our employees is differentiated. Only systems, servers and data which are relevant to the area of work of each single employee are accessible.
All users have passwords, which are subject to restrictions related to the creation of the passwords.

REVI-IT’s test:
We have enquired about restricted access to data, and we have inspected documentation for restriction.
We have enquired about a procedure for logon, and we have inspected the solution for adequate security.
We have enquired about a system for the administration of passwords, and in spot checks we have inspected requirements for password quality.
We have enquired about the use of privileged system tools.
We have enquired about the restriction of access to privileged system tools, and we have inspected documentation for restriction.

Test results:
No significant deviations noted.
Cryptography

Cryptographic controls

Control objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

No. 10.1

LESSOR Group’s control:
If possible, all data from the LESSOR Group data center is transmitted via encrypted protocols.

REVI-IT’s test:
We have enquired about a policy for the use of cryptography, and we have inspected the policy.
We have enquired about a policy for the administration of encryption keys, and we have inspected the policy.

Test results:
No significant deviations noted.
Physical and environmental security

Secure areas

Control objective: To prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.

No. 11.1

LESSOR Group’s control:
The physical access to the data center of the LESSOR Group in Allerød is limited to three persons from the LESSOR Group who all have been provided with a key and a PIN code for the alarm system. The logical access is limited to the minimum. An employee of the LESSOR Group always accompanies external partners whose task is to service the equipment in the data center.
The entrance to the data center is equipped with an alarm system and under video surveillance. All LESSOR Group hosting services including the infrastructure are monitored. The monitoring has been described and is being maintained continuously.

REVI-IT’s test:
We have enquired about a physical security perimeter at the company’s premises, and we have inspected the solution in place.
We have enquired about access controls for securing offices, rooms and operations facilities, and we have inspected selected access controls.
Additionally, we have inspected the procedure for allocation of access to premises critical to operations.
We have inspected LESSOR Group’s offices in order to check the physical security.
We have inspected security for mitigating external and environmental threats.
We have enquired about an area for the delivery of parcels and goods.

Test results:
No significant deviations noted.
Equipment

Control objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

No. 11.2

LESSOR Group’s control:
The entrance to the data center is equipped with an alarm system and is under video surveillance.
The LESSOR Group’s data center is protected against fire by two INERGEN® systems. Regular reviews are carried out to ensure that the INERGEN® system operates correctly.
In the LESSOR Group’s data center, two refrigeration systems are installed in each server room. Regular reviews are carried out to ensure that all refrigeration systems operate correctly.
In the LESSOR Group’s data center, both UPS units and a standby generator are installed. Regular reviews are carried out to ensure that both the UPS units and the standby generator operate correctly.
All data equipment is destroyed prior to disposal in order to ensure that no data is available.
Screens are locked after 10 minutes of inactivity. Thus, we minimize the risk of unauthorized access to confidential data.

REVI-IT’s test:
We have enquired about the placement of operations equipment, and we have inspected the physical circumstances for protecting operations equipment.
We have enquired about the use of supporting supplies, and we have inspected areas critical to operations. Additionally, we have verified the existence of supporting supplies.
We have enquired about the protection of cables in the data centre, and we have physically inspected the solution.
We have enquired about maintenance of equipment critical to operations, and we have inspected documentation for maintenance and test of equipment critical to operations during the period.
We have enquired about a policy for the disposal of media and equipment carrying data, and we have inspected the policy. Additionally, we have inspected documentation for secure disposal of media carrying data.
We have enquired about protecting unsupervised user equipment, and we have inspected documentation for the protection.
We have enquired about a policy for clean desk and screen, and we have inspected the policy.

Test results:
No significant deviations noted.
Operations security

Operational procedures and responsibilities

Control objective: To ensure correct and secure operation of information processing facilities.

No. 12.1

LESSOR Group’s control:
As some tasks are performed by one employee only, we have prepared some detailed descriptions in order to ensure that we can re-establish a given service in a new environment.
All changes follow an implemented change management process and are documented.
We have established a monitoring system for monitoring capacity constraints.
Our network is divided into service segments to ensure independence between the offered services. Furthermore, test and production environments are divided into two segments.

REVI-IT’s test:
We have enquired about documented operations procedures, and in spot checks we have inspected the procedures.
We have enquired about a procedure for change management, and we have inspected the procedure.
In spot checks, we have inspected documentation for the procedure being followed.
We have enquired about capacity management and monitoring, and we have inspected documentation for management and monitoring.
We have enquired about segregation of development, test, and operations facilities, and we have inspected documentation for segregation.

Test results:
No significant deviations noted.
Protection from malware

Control objective: To ensure that information and information processing facilities are protected against malware.

No. 12.2

LESSOR Group’s control:
On Windows platforms, we have installed anti-virus software. On the firewall, we have installed an Intrusion Prevention System (IPS) to safeguard our systems against known malicious attacks.

REVI-IT’s test:
We have enquired about measures to protect against malware, and we have inspected the management.
We have enquired about the use of anti-virus on user equipment, and in spot checks we have inspected documentation for the use of anti-virus.

Test results:
No significant deviations noted.
Backup

Control objective: To protect against loss of data.

No. 12.3

LESSOR Group’s control:
Backups of our customers’ data take place with us. Backup copies are saved in electronic form on a physical location other than the data center.
We have, for that purpose, developed a test to recreate systems and data. The test is performed on a regular basis, at least once a year.

REVI-IT’s test:
We have enquired about a procedure for setup and execution of backup, and we have inspected the procedure.
We have enquired about documentation for the setup of backup, and we have inspected documentation for the setup.
We have enquired about backup retention, and we have inspected documentation for setup.
We have enquired about controls for the execution of backup, and we have inspected the control.
We have enquired about documentation for test of restore, and we have inspected documentation for test of restore.
We have enquired about registration of failed backup, and in spot checks we have inspected documentation for the handling of failed backups.

Test results:
No significant deviations noted.
Logging and monitoring

Control objective: To record events and generate evidence.

No. 12.4

LESSOR Group’s control:
The administrator logging process is performed simultaneously with the ordinary logging process.
Logs are uploaded to our own log server and protected against modification and deletion.
We make use of Internet NTP servers for synchronization of all servers.

REVI-IT’s test:
We have enquired about logging, and in spot checks we have inspected logging configuration.
We have enquired about the protection of log information throughout the period, and we have inspected the solution.
We have enquired about clock synchronisation on the network, and in spot checks we have inspected documentation for clock synchronisation.

Test results:
System-related events are logged and followed up upon. However, a control has not been implemented for following up on user-related events.
Control of operational software

Control objective: To ensure the integrity of operational systems.

No. 12.5

LESSOR Group’s control:
Via our patch process, we ensure that only approved and tested updates are being installed. All patching follows a patch management procedure.

REVI-IT’s test:
We have enquired about the installation of programs and updates on operational systems, and we have inspected the procedure.
In spot checks, we have inspected documentation for updates to operational systems.

Test results:
No significant deviations noted.
Technical vulnerability management

Control objective: To prevent exploitation of technical vulnerabilities.

No. 12.6

LESSOR Group’s control:
Safety warnings from DK-CERT (or others) are monitored and analysed. If relevant, they are installed on our internal systems within one month from the date of issue. Our internal solutions are subject to ongoing risk assessments.

REVI-IT’s test:
We have enquired about the management of technical vulnerabilities, and we have inspected the established precautions.
We have enquired about restrictions to installing programs, and we have inspected the established precautions.

Test results:
No significant deviations noted.
Communications security

Network security management

Control objective: To ensure the protection of information in networks and its supporting information processing facilities.

No. 13.1

LESSOR Group’s control:
The IT security related to the system and data framework is made up by the Internet network, the remote network etc. All traffic, incoming as well as outgoing, is filtered by the firewall rules.
Our network is divided into service segments to ensure independence between the offered services. Furthermore, test and production environments are divided into two segments.

REVI-IT’s test:
We have enquired about precautions for protecting the network and network services, and we have inspected the established precautions.
We have enquired about network segregation, and we have inspected documentation for the segregation.

Test results:
No significant deviations noted.
Information transfer

Control objective: To maintain the security of information transferred within an organisation and with any external entity.

No. 13.2

LESSOR Group’s control:
If possible, all data from the LESSOR Group data center is transmitted via encrypted protocols.
The communication with users is carried out via emails, support forums or, only rarely, via fax.
Confidentiality has been established for all parties involved in our business through employment contracts and cooperation agreements with subcontractors and partners.

REVI-IT’s test:
We have enquired about a policy for information transfers, and we have inspected the policy.
We have enquired about the use of secure connections when transferring information, and we have inspected documentation for the use of secure connections.
We have enquired about the establishment of confidentiality agreements, and in spot checks we have inspected documentation for the establishment.

Test results:
No significant deviations noted.
Information security incident management

Management of information security incidents and improvements

Control objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

No. 16.1

LESSOR Group’s control:
To be able to manage the monitoring and follow-up of incidents and to ensure that incidents are registered, prioritized, managed and escalated, we have implemented formal incident and event management procedures. The process is documented in Jira.

REVI-IT’s test:
We have enquired about a procedure for the management of information security incidents, and we have inspected the procedure.
We have enquired about allocation of responsibilities in connection with information security incidents, and we have inspected documentation for the allocation of responsibilities.
We have enquired about the reporting of information security incidents and weaknesses, and we have inspected the procedure for reporting.
We have enquired about assessment and management of information security incidents, and in spot checks we have inspected documentation for assessing and managing information security incidents.
We have enquired about learning from information security incidents, and in spot checks we have inspected the process.
We have enquired about the collection of evidence in connection with security breaches, and we have inspected the process for the collection of evidence.

Test results:
No significant deviations noted.
Information security aspects of business continuity management

Information security continuity

Control objective: Information security continuity should be embedded in the organisation’s business continuity management systems.

No. 17.1

LESSOR Group’s control:
The LESSOR Group has prepared an emergency plan for the handling of an emergency. The emergency plan is anchored in the IT risk analysis and maintained at least once a year following the performance of the analysis.
The plan is tested once a year as a part of our emergency preparedness procedure to ensure that the customers, at the lowest possible level, will be affected by an emergency.

REVI-IT’s test:
We have enquired about the preparation of an information security continuity plan for ensuring the continuation of operations in connection with failures and similar, and we have inspected the continuity plan.
We have inspected documentation for test of the continuity plan during the period, and we have inspected documentation for the test.

Test results:
No significant deviations noted.
Redundancies

Control objective: To ensure availability of information processing facilities.

No. 17.2

LESSOR Group’s control:
We seek to ensure that all services are redundant to make sure that we, in the shortest possible time, will be able to re-establish the production environment in a new environment in case of non-repairable errors in the production environment. We continue to focus on this area.

REVI-IT’s test:
We have enquired about adequate redundancies for maintaining accessibility to operational systems, and in spot checks we have inspected documentation for redundancies.

Test results:
No significant deviations noted.
Compliance

Information security reviews

Control objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.

No. 18.2

LESSOR Group’s control:
We carry out internal audits once a year in order to test if our internal policies and procedures are followed. The audits include all services and the infrastructure as well as other areas, if necessary.

REVI-IT’s test:
We have enquired about an independent review of the information security, and we have inspected documentation that independent review has been performed.
We have enquired about internal controls for ensuring compliance with policies and procedures, and in spot checks we have inspected documentation for internal controls.
We have enquired about periodic self-regulation of security configurations, and we have inspected documentation for the self-regulation.

Test results:
No significant deviations noted.