lessor group · controls at a service organisation (isae 3402). besides, the description aims to...

REVI-ITA/S� stateauthorisedpublicaccountingfirmJensKofodsGade1�DK-1268CopenhagenK�Phone33118100�[email protected]�revi-it.dk�CVR-no.30988531

Independentserviceauditor’sassurancereportonthedescriptionofcontrols,theirdesignandoperating

effectivenessregardingtheoperationofhostedservicesfortheperiod01-04-2016to31-03-2017

ISAE3402-II

LESSORGroupCVRno.:24240010

May2017

LESSORGroup

REVI-ITA/S

Tableofcontents Section1: LESSORGroup’sstatement................................................................................................................1

Section2: LESSORGroup’sdescription...............................................................................................................2

Section3: Independentserviceauditor’sassurancereportonthedescriptionofcontrols,theirdesignandfunctionality..........................................................................................................12

Section4: Controlobjectives,controls,tests,andrelatedtestcontrols..........................................................15

LESSORGroup

REVI-ITA/S Page1of29

Section1: LESSORGroup’sstatement

ThisdescriptionhasbeenpreparedforcustomerswhohavemadeuseofLESSORGroup’shostingservices,andfortheirauditorswhohaveasufficientunderstandingtoconsiderthedescriptionalongwithotherinformation,includinginformationaboutcontrolsoperatedbycustomersthemselves,whenassessingtherisksofmaterialmisstatementsofcustomers’financialstatements.

LESSORGroupconfirmsthat:

(a) TheaccompanyingdescriptioninSection2fairlypresentsLESSORGrouphostingservicesrelatedtocus-tomertransactionsprocessedthroughouttheperiod01-04-2016to31-03-2017.Thecriteriaforthisstatementwerethattheincludeddescription:(i) Presentshowthesystemwasdesignedandimplemented,including:

• Thetypeofservicesprovided,whenrelevant• Theprocedures,withinbothinformationtechnologyandmanualsystems,bywhichtransac-

tionsareinitiated,recorded,processed,correctedasnecessary,andtransferredtothereportspresentedtothecustomers

• Relevantcontrolobjectivesandcontrolsdesignedtoachievetheseobjectives• Controlsthatweassumed,inthedesignofthesystem,wouldbeimplementedbyuserentities,

andwhich,ifnecessarytoachievecontrolobjectivesstatedintheaccompanyingdescription,areidentifiedinthedescriptionalongwiththespecificcontrolobjectivesthatcannotbeachievedbyourselvesalone

• Otheraspectsofourcontrolenvironment,riskassessmentprocess,informationsystemandcommunication,controlactivitiesandmonitoringcontrolsthatwereconsideredrelevanttoprocessingandreportingcustomertransactions.

(ii) Providesrelevantdetailsofchangesintheserviceorganisation’ssystemthroughouttheperiod01-04-2016to31-03-2017

(iii) Doesnotomitordistortinformationrelevanttothescopeofthedescribedsystem,whileacknowl-edgingthatthedescriptionispreparedtomeetthecommonneedsofabroadrangeofcustomersandtheirauditorsandmaynot,therefore,includeeveryaspectofthesystemthateachindividualcustomermayconsiderimportanttotheirparticularenvironment

(b) Thecontrolsrelatedtothecontrolobjectivesstatedintheaccompanyingdescriptionweresuitablyde-signedandoperatedeffectivelythroughouttheperiod01-04-2016to31-03-2017.Thecriteriausedinmakingthisstatementwerethat:

(i) Therisksthatthreatenedachievementofthecontrolobjectivesstatedinthedescriptionwereidentified(ii) Theidentifiedcontrolswould,ifoperatedasdescribed,providereasonableassurancethatthoserisksdid

notpreventthestatedcontrolobjectivesfrombeingachieved(iii) Thecontrolswereconsistentlyappliedasdesigned,includingthatmanualcontrolswereappliedbyper-

sonswhohavetheappropriatecompetenceandauthority,throughouttheperiod01-04-2016to31-03-2017

Allerød,3May2017

LESSORGroup


Section2: LESSORGroup’sdescription

DescriptionofControlandHostingEnvironment

IntroductionTheLESSORGroupiscomposedof:

• LESSORA/S• LESSORGmbH• DanskeLønsystemerA/S• ilohngehaltinternetservicesGmbH• ISALAIREEURL• NORLØNNAS• ŁatwePłaceSp.zo.o.• quickpayrollLtd.• SwelönnAB• Pagaveloce• Hispanomina

TheobjectofthisdescriptionistoprovideinformationtothecustomersoftheLESSORGroupandtheiraudi-torsconcerningtherequirementslaiddownintheinternationalauditingstandardforassurancereportsonthecontrolsataserviceorganisation(ISAE3402).

Besides,thedescriptionaimstoprovideinformationaboutcontrolsusedfor”services”withusduringtheperi-od.

ThedescriptionincludesthecontrolobjectivesandcontrolswiththeLESSORGroup,whichcomprisemostofourcustomersandarebasedonourstandardsupplies.Individualcustomerrelationshipsarenotcoveredbythisdescription.

TheLESSORGrouphasbuiltupitscontrolenvironmentinaccordancewithISO27002.

LESSORGroupandourservices

TheLESSORGroupofferspayrollandhumanresourcemanagementsolutionsinanumberofcountries.InDenmark,theLESSORGroup’sprimarycustomergroupcomprisescompaniesrangingfromsmallbusinessestosomeofthelargestcompanies.IntheothercountriesinwhichtheLESSORGroupisalsorepresented,thefocusisfixedonsmallbusinesseswithfewemployees.

Inthisregard,weofferallrelevantsecuritymeasuresase.g.INERGEN®systems,cooling,redundantpowersourcesandfiberlinesandlastbutnotleastfully-equippedmonitoringsystems.

TheLESSORGrouponlyoffersprofessionalcloudservices.

OrganisationandResponsibility

Thecompanyischaracterizedbyaclearandtransparentcompanystructure.

LESSORGroup


TheLESSORGroupemploysapproximately100employees.TheorganisationalstructureoftheLESSORGroupincludesthedepartmentsAdministration,EconomicandOperatingSupportaswellasvariousproductdepart-ments.

TheemployeesoftheLESSORGrouparethusresponsibleforthesupportofourownproductsaswellasthehostinginfrastructure.Thesupportteamshandleallincomingquestions.TheyeithersolvetheproblemsorpassonthetasktotheOperationsDepartmentforfurtherprocessing.

Thus,theOperationsDepartmentactsassecondlinesupportandmonitorsexistingoperatingsolutionsandothertasksassociatedwiththeday-to-daymanagementofourhostingenvironment.

RiskAssessmentandManagement

RiskAssessment

ITRiskAnalysisLESSORGroup’sISOteamhasproducedariskanalysis.Onanannualbasisorincaseofsignificantchanges,thegroupcarriesoutariskassessmentoftheassetsoftheLESSORGroup.Bothinternalandexternalfactorsaretakenintoconsideration.

Theriskanalysisprovidesanassessmentofallrisksidentified.Theriskanalysisisupdatedonayearlybasisorincaseofsignificantchangestoensurethattherisksassociatedwiththeservicesprovidedareminimizedtoanacceptablelevel.

TheresponsibilityforriskassessmentslieswiththeCEOofthecompanywhoalsoapprovestheriskanalysis.

HandlingofSecurityRisks

RiskManagementProcedureWehaveimplementedascoringsystemforrisksassociatedwiththeprovisionofourservices.

Weassesstherisks,whichwebelievewearefacingpointbypoint.Wemakeuseofasimplecalculationmeth-odforthispurpose:”probability%”*”impact%”.

Theacceptablelevelgoesto20%.Wecontinuouslyassessifwecanreducetherisksandtakeinitiativestoaddresstheserisks.

SecurityPolicy

ITSecurityPolicy

ITSecurityPolicyDocumentWehavedefinedourqualitystandardssystembasedonthegeneralobjectiveofprovidingourcustomerswithastableandsecurehostingsolution.Inordertocomplywiththeobjectives,wehaveimplementedpoliciesandprocedures,whichensurethatoursuppliesareuniformandtransparent.

OurITsecuritypolicyisproducedinaccordancewithISO27002:2013andappliestoallemployeesandallde-liveries.

OurmethodologyfortheimplementationofcontrolsisdefinedwithreferencetoISO27002:2013(guidelinesforinformationsecuritymanagement)andisthusdividedintothefollowingcontrolareas:

LESSORGroup


• Informationsecuritypolicies• OrganisationofInformationSecurity• Employeesafety• AssetManagement• Conditionalaccess• Cryptography• Physicalsecurityandenvironmentalsafeguards• Operationalsafety• Communicationsecurity• Purchase,developmentandmaintenanceofsystems• Supplierrelationships• Informationsecuritybreachmanagement• Informationsecurityaspectsrelatedtoemergencyandrestorationmanagement• Compliance

Wecontinuetoimprovebothpolicies,proceduresandOperations.

EvaluationoftheITSecurityPolicyWeupdatetheITsecuritypolicyregularlyandatleastonceayear.TheCEOapprovestheITsecuritypolicy.

OrganisationofInformationSecurity

InternalOrganisation

DelegationofResponsibilityforInformationSecurityOurorganisationisdividedintodifferentareasofresponsibility.Wehavepreparedanumberofdetailedre-sponsibilityandroledescriptionsforemployeesonalllevels.

Confidentialityhasbeenestablishedforallpartiesinvolvedinourbusiness.Theconfidentialityisensuredviaemploymentcontracts.

SeparationofFunctionsThroughon-goingdocumentationandprocesses,wetrytoeliminateorminimizethedependenceonkeyman-agementpersonnel.Tasksareassignedanddefinedviaprocedures(Jira)formanagingtheoperationalservices.

ContactwithSpecialInterestGroupsTheoperatingstaffsubscribestonewslettersfrome.g.DK-CERTandinformsitselfaboutsubstantialsecurity-relatedcircumstancesonInternettraffic.

MobileEquipmentandTeleworking

MobileEquipmentandCommunicationWehavemadeitpossibleforouremployeestoworkfromhomeviaaVPNconnectionwithtwo-way-authentication.Noequipment(portablecomputersetc.)mustbeleftunattended.PortableunitsareprotectedbyHDDpasswords,logininformationandHDDencryption.

Mobiledevices(smartphones,tabletsetc.)canbeusedforthesynchronizationofemailsandthecalendar.Besidesthepassword,wehaveimplementednoothersecuritymeasurestoensuredevicesanduseraccesses.

LESSORGroup


TelecommutingOnlyauthorizedpersonsaregrantedaccesstoournetworkandthuspotentiallytosystemsanddata.Ourem-ployeesaccessthesystemsviatelecommutingarrangements/SSH.

SecurityinRelationtoHumanResourceManagement

PriortoEmployment

ScreeningWehaveimplementedproceduresfortherecruitmentofstaffandestablishedcooperationwithanexternalpartnertoensurethatweemploytherightcandidatewithregardtobackgroundandskills.

ConditionsofEmploymentThegeneraltermsofemployment,e.g.confidentialityrelatedtothecustomers’andpersonalcircumstances,arespecifiedintheemploymentcontracts/jobdescriptionsofallemployeesinwhich,amongotherthings,theterminationofemploymentandsanctionsfollowingsecuritybreachesarealsodescribed.

DuringEmployment

Management’sResponsibilityAllnewemployeessignacontractpriortocommencementoftheiremployment.Thecontractprovidesthattheemployeemustcomplywiththepoliciesandproceduresexistingatanytime.Thecontract/jobdescriptionclearlydefinestheresponsibilityandroleoftheemployee.

AwarenessofandTrainingActivitiesrelatedtoInformationSecurityOurassetsarefirstofallouremployees.Weencourageouroperatingstafftomaintaintheirqualifications,educationsandcertificationsthroughtrainingcourses,lecturesandotherrelevantactivitiestoensurethattheemployeesconcernedcanbekeptuptodatewithsecurityandbecomeawareofnewthreats.

SanctionsThegeneraltermsofemployment,e.g.confidentialityrelatedtothecustomers’andpersonalcircumstances,arespecifiedintheemploymentcontractsofallemployeesinwhich,amongotherthings,theterminationofemploymentandsanctionsfollowingsecuritybreachesarealsodescribed.

ResponsibilityrelatedtotheTerminationofEmploymentWhenanemployeeterminates,aprocedurewillbeinitiatedtoensurethattheemployeereturnsallrelevantassets,e.g.portabledevicesetc.andthattheaccesstobuildings,systemsanddataiswithdrawn.TheoverallresponsibilitytoensureallcontrolproceduresuponterminationofemploymentlieswiththeCEOofthecom-pany.Thedocumentationrelatedtotheterminationofemploymentisavailableinelectronicforminthehu-manresourcesdepartment.

AssetManagement

ResponsibilityforAssets

ListofAssetsServersandnetworkequipmentincludingconfigurationareregisteredtobeusedfordocumentationpurposesandtogainanoverviewofequipmentetc.Inordertosecureagainstunauthorizedaccessandtoensurethetransparencyofthestructure,wehavepreparedsomedocumentsdescribingtheinternalnetworkincludingunits,namingofunits,logicaldivisionofthenetworketc.

LESSORGroup


Thedocumentationforequipmentisupdatedonaregularbasisandreviewedatleastonceayearbyouroper-atingstaff.

OwnershipofAssetsCentralnetworkunits,servers,peripheralunits,systemsanddataareownedbyoperatingstaffmembersoftheLESSORGroup.Thecustomer’scontactpersonownsthecustomers’data.

AcceptableUseofAssetsThissubjectisdescribedintheemployeehandbook.

ReturnofAssetsWhenanemployeeterminates,aprocedurewillbeinitiatedtoensurethattheemployeereturnsallrelevantassets,e.g.portabledevicesetc.andthattheaccesstobuildings,systemsanddataiswithdrawn.TheoverallresponsibilitytoensureallcontrolproceduresuponterminationofemploymentlieswiththeCEOofthecom-pany.Thedocumentationrelatedtotheterminationofemploymentisavailableinelectronicforminthehu-manresourcesdepartment.

MediaHandling

ManagingPortableDevicesWeensure,tothebestpossibleextent,thattheportabledevicesofouremployees,e.g.portablecomputers,cellphonesetc.,areconfiguredatthesamesecuritylevelasallotherdevicesoftheenvironment.Wealsoensurethatalldataequipmentisupdatedwhennewsecuritymeasuresarefinalized.

AccessControl

AccessControlRequirements

ConditionalAccessPoliciesThemannerinwhichthegrantingofaccessishandledisdescribedinapolicydocument.ThepolicyispartofourITsecuritypolicy.

UserAccessAdministration

ProceduresforCreationandDeletionofUserProfilesTheuserprofilesofourcustomersarecreatedsolelyduetothewishesofourcustomers.Insomeofthesys-tems,theendcustomerhimselfcreateshisuserprofilewithoutinterferencebytheemployeesoftheLESSORGroup.Ourownusersarecreatedassuperuserstoensurethatoursupportteamsareabletoprovideprofes-sionalservice.

Alluserprofilesmustbepersonallyidentifiable.Theaccesstopasswordsforaccounts,whichonlyareusedbysystems(serviceusers),islimitedtofewauthorizedpersons.

GrantofRightsThegrantofprivilegesiscontrolledinaccordancewiththeregularuseradministrationprocess.Privilegesareonlygrantedonaneed-to-basis.

HandlingofConfidentialLoginInformationPersonallogininformationisknownonlybytheemployeeandsubjecttoapasswordpolicytoensurethecom-plexity.

LESSORGroup


EvaluationofUserAccessRightsPeriodically,i.e.onceayear,wereviewtheinternalsystemsofthecompanyincludinguserprofilesandaccesslevelstoensurethattheprocedurerelatedtotheterminationofemploymentisfollowedandthatthecustom-ers’datacannotbeaccessedbyformeremployeesoftheLESSORGroup.

UserResponsibility

UseofConfidentialPasswordTheITsecuritypolicyprovidesthatallemployeepasswordsmustbepersonalandthatonlytheuserknowsthepassword.Passwordsforserviceaccountsetc.thatcannotbeusedforlogginginandwhicharenotchangedforsystemicreasonsarestoredinaseparatesystem.OnlyfourmembersoftheLESSORGroupcanaccessthissystem.

ControlofAccesstoSystemsandData

LimitedAccesstoDataTheaccessforouremployeesisdifferentiated.Onlysystems,serversanddata,whicharerelevanttotheareaofworkofeachsingleemployee,areaccessible.

SystemfortheAdministrationofPasswordsAllemployeesaresubjecttorestrictionsasregardsthepasswordstocustomersystemsaswellasthecustom-ers’ownsystems.Allusershavepasswords,whicharesubjecttorestrictionsrelatedtothecreationofthepasswords.Someofoursystemsrequirethatthepasswordiscomplexandchangedregularly.Inothersystems,thecustomerhimselfdeterminesthechangefrequencyandcomplexityofthepassword.

PhysicalSecurity

SecureAreasThephysicalaccesstothedatacenteroftheLESSORGroupinAllerødislimitedtothreepersonsfromtheLES-SORGroupwhoallhavebeenprovidedwithakeyandaPINcodeforthealarmsystem.Thelogicalaccessislimitedtotheminimum.AnemployeeoftheLESSORGroupalwaysaccompaniesexternalpartnerswhosetaskistoservicetheequipmentinthedatacenter.

MaintenanceofEquipment

FireSafetyTheLESSORGroup’sdatacenterisprotectedagainstfirebytwoINERGEN®systems-oneineachserverroom.RegularreviewsarecarriedouttoensurethattheINERGEN®systemoperatescorrectly.TheLESSORGrouphasmadeaservicecontractwiththesupplierincludingtwoannualservicingvisits.Besides,bothsystemsarecon-tinuouslymonitoredforoperationalerrors.

CoolingIntheLESSORGroup’sdatacenter,tworefrigerationsystemsareinstalledineachserverroom-efreecoolingsystemandatraditionalsystem,whichalsoservesasabackupforthefreecoolingsystem.Regularreviewsarecarriedouttoensurethatallrefrigerationsystemsoperatecorrectly.TheLESSORGrouphasmadeaservicecontractwiththesupplierincludingfourannualservicingvisits.Besides,allrefrigerationsystemsarecontinu-ouslymonitoredforoperationalerrors.

BackupPower(UPSandgenerator)IntheLESSORGroup’sdatacenter,bothUPSunitsandastandbygeneratorareinstalled.ThereisaUPSunitineachserverroomandacommonstandbygenerator.Regularreviewsarecarriedouttoensurethatboththe

LESSORGroup


UPSunitsandthestandbygeneratoroperatecorrectly.BothUPSsystemsareservicedonceayear.Thesuppli-eroftheinstallationservicesthestandbygeneratoronceayear.Besides,boththeUPSunitsandthestandbygeneratorarecontinuouslymonitoredforoperationalerrors.

MonitoringTheentrancetothedatacenterisequippedwithanalarmsystemandundervideosurveillance.AllLESSORGrouphostingservicesincludingtheinfrastructurearemonitored.Themonitoringhasbeendescribedandisbeingmaintainedcontinuously.

SafeDisposalorReuseofEquipmentAlldataequipmentisdestroyedpriortodisposalinordertoensurethatnodataisavailable.

UnattendedUserEquipmentAllinternaluseraccountsarecentrallymanaged.Screensarelockedafter10minutesinactivity.Thus,wemin-imizetheriskofunauthorizedaccesstoconfidentialdata.

OperationalSafety

OperationalProceduresandResponsibilities

DocumentedOperatingProceduresAssometasksareperformedbyoneemployeeonly,wehavepreparedsomedetaileddescriptionsinordertoensurethatwecanre-establishagivenserviceinanewenvironment.

ChangeManagementAllchangesfollowanimplementedchangemanagementprocessandaredocumentedinJira.

CapacityManagementWehaveestablishedamonitoringsystemformonitoringcapacityconstraints.

Allincidentsfollowanimplementedincidentmanagementprocess.

ProtectionagainstMalware

MeasuresagainstMalwareOnWindowsplatforms,wehaveinstalledanti-virussoftware.Onthefirewall,wehaveinstalledanIntrusionPreventionSystem(IPS)tosafeguardoursystemsagainstknownmaliciousattacks.

Backup

BackupofdataWeensurethatwewillbeabletorecreatesystemsanddatainanappropriateandcorrectmannerinaccord-ancewiththeagreementsconcludedwithourcustomers.Wehave,forthatpurpose,developedatesttorec-reatesystemsanddata.Thetestisperformedonaregularbasisatleastonceayear.

Backupsofourcustomers’datatakeplacewithus.Backupcopiesaresavedinelectronicformonaphysicallocationotherthanthedatacenter.

LESSORGroup


LoggingandMonitoring

IncidentLoggingNetworktrafficandserverlogsaremonitoredandlogged.Allloggedincidentsarebeingreviewed.Tobeabletomanagethemonitoringandfollow-upofincidentsandtoensurethatincidentsareregistered,prioritized,managedandescalated,wehaveimplementedformalincidentandeventmanagementprocedures.Thepro-cessisdocumentedinJira.

ProtectionofLoginInformationLogsareuploadedtoourownlogserverandprotectedagainstmodificationanddeletion.

AdministratorandOperatorLogsTheadministratorloggingprocessisperformedsimultaneouslywiththeordinaryloggingprocess.

TimeSynchronizationWemakeuseofInternetNTPserversforsynchronizationofallservers.

ManagingSoftwareinOperatingSystemsViaourpatchprocess,weensurethatonlyapprovedandtestedupdatesarebeinginstalled.Allpatchingfol-lowsapatchmanagementprocedure.

ManagingTechnicalVulnerabilitiesSafetywarningsfromDK-CERT(orothers)aremonitoredandanalysed.Ifrelevant,theyareinstalledonourinternalsystemswithinonemonthfromthedateofissue.Ourinternalsolutionsaresubjecttoongoingriskassessments.

Communicationsecurity

NetworkMeasuresTheITsecurityrelatedtothesystemanddataframeworkismadeupbytheInternetnetwork,theremotenet-worketc.Alltraffic,incomingaswellasoutgoing,isfilteredbythefirewallrules.

EnsuringNetworkServicesThecustomersaccessoursystemsviahttps.DatatransferredfromoursystemstoexternalpartnersareIPwhitelistedand,ifthisispossible,sentviaencrypteddataprotocols.

Ourredundantfirewall(aclustersolution)monitorsallincomingtraffic.

NetworkDivisionOurnetworkisdividedintoservicesegmentstoensureindependencebetweentheofferedservices.Further-more,testandproductionenvironmentsaredividedintotwosegments.

PoliciesandProceduresforDataTransmissionIfpossible,alldatafromtheLESSORGroupdatacenteristransmittedviaencryptedprotocols.

Thecommunicationwithusersiscarriedoutviaemails,supportforumsor,onlyrarely,viafax.

ConfidentialityAgreementsConfidentialityhasbeenestablishedforallpartiesinvolvedinourbusinessthroughemploymentcontractsandcooperationagreementswithsubcontractorsandpartners.

LESSORGroup


Purchase,DevelopmentandMaintenance

SafetyRequirementsforInformationSystems

AnalysisandSpecificationofSafetyRequirementsWhenanewsystemisimplemented,anumberofanalysisandresearchproceduresareperformedinordertoensurethatthesystemfullycomplieswiththerulesandsecuritypoliciesadoptedbytheLESSORGroup.

ChangeManagementProceduresAllchangesfollowanimplementedchangemanagementprocess.

Ourtestandproductionenvironmentsarelogicallyandphysicallyseparated.

LimitationofSoftwarePackageChangesServicepacksandsystemspecificupdates,whichmayinvolvechangesinfunctionality,areassessedandin-stalledseparately.Securityupdatesare,asfaraspossible,implementedinallsystems.Inthefirstinstance,theywillbeimplementedonlyinthetestenvironment.Iftheproductmanageracceptstheupdates(thatisiftheserviceworksasintendedaftertheupdateprocess),thesamesecurityupdateswillbeimplementedintheproductionenvironment.

Supplierrelationships

InformationSecurityinRelationtoSupplierRelationshipsWerequirethesamelevelofconfidentialityfromoursuppliersasfromouremployees.

ManagingServicesfromThirdParties

ManagingChangesofServicesWedonotholdreviewmeetingswithallsuppliersbutkeepanongoingcontactwithallofthem.

EmergencyManagement

InformationSecurityinRelationtoSupplierRelationships

EmergencyPlanningTheLESSORGrouphaspreparedanemergencyplanforthehandlingofanemergency.TheemergencyplanisanchoredintheITriskanalysisandmaintainedatleastonceayearfollowingtheperformanceoftheanalysis.

Theplanandtheproceduresareanchoredinouroperatingdocumentationandprocedures.

Testing,MaintenanceandRe-evaluationofEmergencyPlansTheplanistestedonceayearasapartofouremergencypreparednessproceduretoensurethatthecustom-ers,atthelowestpossiblelevel,willbeaffectedbyanemergency.

RedundancyWeseektoensurethatallservicesareredundanttomakesurethatwe,intheshortestpossibletime,willbeabletore-establishtheproductionenvironmentinanewenvironmentincaseofnon-repairableerrorsintheproductionenvironment.Wecontinuetofocusonthisarea.

LESSORGroup


Compliance

ReviewofInformationSecurity

IndependentEvaluationofInformationSecurityAnevaluationwillbecarriedoutbyanexternalITauditorandwhenpreparingtheannualISAE3402report.

CompliancewithSecurityPoliciesandStandardsWecarryoutinternalauditsonceayearinordertotestifourinternalpoliciesandproceduresarefollowed.Theauditsincludeallservicesandtheinfrastructureaswellasotherareas,ifnecessary.

ComplementaryControlProcedures

ThecustomersoftheLESSORGroupare,unlessotherwiseagreed,responsibleforestablishingconnectiontotheserversoftheLESSORGroup.Furthermore,thecustomersoftheLESSORGroupare,unlessotherwiseagreed,responsiblefor:

• administrationoftheirownuserprofiles• theownInternetconnection• owndata

Changesimplementedduringtheperiod

Thefollowingchangeshavebeenimplementedduringtheperiod:

• Penetrationtesting• Virtualizationofservers

LESSORGroup


Section3: Independentserviceauditor’sassurancereportonthedescriptionofcontrols,theirdesignandfunctionality

TothemanagementofLESSORGroup,theircustomersandtheirauditors.

Scope

WehavebeenengagedtoreportonLESSORGroup’sdescription,presentedinSection2.Thedescription,asconfirmedbythemanagementofLESSORGroupinsection1,coversLESSORGroup’soperatingandhostingservicesintheperiod01-04-2016to31-03-2017aswellasthedesignandoperationofthecontrolsrelatedtothecontrolobjectivesstatedinthedescription.

Ouropinionisissuedwithreasonableassurance.

LESSORGroup’sresponsibility

LESSORGroupisresponsibleforpreparingthedescription(section2)andtherelatedstatement(section1)includingthecompleteness,accuracyandmethodofpresentationofthedescriptionandstatement.Addition-ally,LESSORGroupisresponsibleforprovidingtheservicescoveredbythedescription,andforthedesign,implementationandeffectivenessofoperatingcontrolsforachievingthestatedcontrolobjectives.

REVI-ITA/S’independenceandqualitycontrol

WehavecompliedwiththeindependenceandotherethicalrequirementsoftheCodeofEthicsforProfessionalAccountantsissuedbytheInternationalEthicsStandardsBoardforAccountants,whichisfoundedonfunda-mentalprinciplesofintegrity,objectivity,professionalcompetenceandduecare,confidentialityandprofes-sionalbehaviour.

ThefirmappliesInternationalStandardonQualityControl1andaccordinglymaintainsacomprehensivesys-temofqualitycontrolincludingdocumentedpoliciesandproceduresregardingcompliancewithethicalre-quirements,professionalstandardsandapplicablelegalandregulatoryrequirements.

REVI-ITA/S’responsibility

Basedonourprocedures,ourresponsibilityistoexpressanopiniononLESSORGroup’sdescription(section2)aswellasonthedesignandfunctionalityofthecontrolsrelatedtothecontrolsobjectivesstatedinthisde-scription.WeconductedourengagementinaccordancewithISAE3402,“AssuranceReportsonControlsataServiceOrganisation”,issuedbyIAASB.Thisstandardrequiresthatweplanandperformourprocedurestoobtainreasonableassuranceaboutwhether,inallmaterialrespects,thedescriptionisfairlypresentedandthecontrolsaresuitablydesignedandoperatingeffectively.

Anassuranceengagementtoreportonthedescription,designandoperatingeffectivenessofcontrolsataserviceorganisationinvolvesperformingprocedurestoobtainevidenceaboutthedisclosuresintheserviceorganisation’sdescriptionofitssystem,andthedesignandoperatingeffectivenessofcontrols.Theproceduresselecteddependontheserviceauditor’sjudgment,includingtheassessmentoftherisksthatthedescriptionisnotfairlypresented,andthatcontrolsarenotsuitablydesignedoroperatingeffectively.Ourproceduresin-cludedtestingtheoperatingeffectivenessofthosecontrolsthatweconsidernecessarytoprovidereasonableassurancethatthecontrolobjectivesstatedinthedescriptionwereachieved.Anassuranceengagementofthis

LESSORGroup


typealsoincludesevaluatingtheoverallpresentationofthedescription,thesuitabilityoftheobjectivesstatedthereinandthesuitabilityofthecriteriaspecifiedbytheserviceorganisation,describedinsection2.

Webelievethattheevidencewehaveobtainedissufficientandappropriatetoprovideabasisforouropinion.

Limitationsofcontrolsataserviceorganisation

LESSORGroup’sdescriptioninsection2ispreparedtomeetthecommonneedsofabroadrangeofcustomersandtheirauditorsandmaynot,therefore,includeeveryaspectofthesystemsthateachindividualcustomermayconsiderimportantinitsownparticularenvironment.Also,becauseoftheirnature,controlsataserviceorganisationmaynotpreventordetectallerrorsoromissionsinprocessingorreportingtransactions.Also,theprojectionofanyevaluationofeffectivenesstofutureperiodsissubjecttotheriskthatcontrolsataserviceorganisationmaybecomeinadequateorfail.

Opinion

Ouropinionhasbeenformedonthebasisofthemattersoutlinedinthisreport.Thecriteriaweusedinform-ingouropinionwerethosedescribedinLESSORGroup’sdescriptioninSection2andonthebasisofthis,itisouropinionthat:

(a) thedescriptionof the controls, as theyweredesigned and implemented throughout theperiod01-04-2016to31-03-2017,isfairinallmaterialrespects

(b) thecontrolsrelatedtothecontrolobjectivesstatedinthedescriptionweresuitablydesignedthroughouttheperiod01-04-2016to31-03-2017inallmaterialrespects

(c) thecontrolstested,whichwerethecontrolsnecessaryforprovidingreasonableassurancethatthecon-trol objectives in the description were achieved in all material respects, have operated effectivelythroughouttheperiod01-04-2016to31-03-2017.

Descriptionoftestsofcontrols

Thespecificcontrolstested,andthenature,timingandresultsofthesetestsarelistedinthesubsequentmainsection(Section4).

LESSORGroup


Intendedusersandpurpose

ThisassurancereportisintendedonlyforcustomerswhohaveusedLESSORGroup’sservicesandtheauditorsofthesecustomers,whohaveasufficientunderstandingtoconsiderthedescriptionalongwithotherinfor-mation,includinginformationaboutcontrolsoperatedbycustomersthemselves.Thisinformationservestoobtainanunderstandingofthecustomers’informationsystems,whicharerelevantforthefinancialstate-ments.

Copenhagen,3May2017

REVI-ITA/SStateauthorisedpublicaccountingfirm

HenrikPaaske MartinBrogaardNielsenStateAuthorisedPublicAccountant ITAuditor,CISA,CRISC,CEO

LESSORGroup


Section4: Controlobjectives,controls,tests,andrelatedtestcontrols

Thefollowingoverviewisprovidedtofacilitateanunderstandingoftheeffectivenessofthecontrolsimple-mentedbyLESSORGroup.Ourtestingoffunctionalitycomprisedthecontrolsthatweconsiderednecessarytoprovidereasonableassurancethatthecontrolobjectivesstatedinthedescriptionwereachievedduringtheperiod01-04-2016to31-03-2017.

Thus,wehavenotnecessarilytestedallthecontrolsmentionedbyLESSORGroupinthedescriptioninSection2.

Moreover,ourstatementdoesnotapplytoanycontrolsperformedatLESSORGroup’scustomers,asthecus-tomers’ownauditorsshouldperformthisreviewandassessment.

WeperformedourtestsofcontrolsatLESSORGroupbytakingthefollowingactions:

Method Generaldescription

Enquiry Interview,i.e.enquirywithselectedpersonnelatthecompanyregardingcontrols

Observation Observinghowcontrolsareperformed

Inspection Reviewandevaluationofpolicies,procedures,anddocumentationconcerningtheperformanceofcontrols

Re-performingcontrolprocedures

Wehavere-performed–orhaveobservedthere-performanceof–controlsinordertoverifythatthecontrolisworkingasassumed

Adescriptionandtheresultsofourtestsbasedonthetestedcontrolsappearfromthetablesonthefollowingpages.Totheextentthatwehaveidentifiedsignificantweaknessesinthecontrolenvironmentordeviationstherefrom,wehavespecifiedthis.

LESSORGroup


Riskassessmentandmanagement

RiskassessmentControlobjective:ToensurethatthecompanyperiodicallyperformsananalysisandassessmentoftheITriskprofile.

No. LESSORGroup’scontrol REVI-IT’stest Testresults

4.1 LESSORGroup’sISOteamhasproducedariskanalysis.Onanannualbasisorincaseofsignifi-cantchanges,thegroupcarriesoutariskassessmentoftheassetsoftheLESSORGroup.

Theresponsibilityforriskassess-mentslieswiththeCEOofthecompanywhoalsoapprovestheriskanalysis.

Wehaveenquiredabouttheprepara-tionofanITriskanalysis,andwehaveinspectedthepreparedITriskanalysis.

WehaveenquiredaboutreviewoftheITriskanalysis,andwehaveinspecteddocumentationforreviewduringtheauditperiod.

Wehaveenquiredaboutthemanage-ment’sapprovaloftheITriskanalysis,andwehaveinspecteddocumentationformanagementapproval.

Nosignificantdeviationsnoted.

Informationsecuritypolicies

ManagementdirectionforinformationsecurityControlobjective:Toprovidemanagementdirectionandsupportforinformationsecurityinaccordancewithbusinessrequirementsandrelevantlawsandregulations.No. LESSORGroup’scontrol REVI-IT’stest Testresults

5.1 Wehavedefinedourqualitystandardssystembasedonthegeneralobjectiveofprovidingourcustomerswithastableandse-curehostingsolution.Inordertocomplywiththeobjectives,wehaveimplementedpoliciesandprocedures,whichensurethatoursuppliesareuniformandtranspar-ent.

OurITsecuritypolicyisproducedinaccordancewithISO27002:2013andappliestoallemployeesandalldeliveries.

WeupdatetheITsecuritypolicyregularlyandatleastonceayear.TheCEOapprovestheITsecuritypolicy.

Wehaveenquiredabouttheprepara-tionofaninformationsecuritypolicy,andwehaveinspectedthedocument.

WehaveenquiredaboutreviewoftheITsecuritypolicy,andwehaveinspecteddocumentationforreviewduringtheauditperiod.

Wehaveenquiredaboutthemanage-ment’sapprovaloftheinformationsecuritypolicy.


LESSORGroup


Organisationofinformationsecurity

InternalorganisationControlobjective:Toestablishamanagementframeworktoinitiateandcontroltheimplementationandoperationofinformationsecuritywithintheorganisation.No. LESSORGroup’scontrol REVI-IT’stest Testresults

6.1 Ourorganisationisdividedintodifferentareasofresponsibility.Wehavepreparedanumberofdetailedresponsibilityandroledescriptionsforemployeesonalllevels.

Throughon-goingdocumentationandprocesses,wetrytoeliminateorminimizethedependenceonkeymanagementpersonnel.Tasksareassignedanddefinedviapro-cedures(Jira)formanagingtheoperationalservices.

Theoperatingstaffsubscribestonewslettersfrome.g.DK-CERTandinformsitselfaboutsubstantialsecurity-relatedcircumstancesonInternettraffic.

Wehaveenquiredabouttheallocationofresponsibilitiesforinformationsecuri-ty,andwehaveinspecteddocumenta-tionfortheallocationofresponsibilities.

Wehaveenquiredaboutsegregationofduties,andwehaveinspecteddocu-mentationforsegregationofduties.

Wehaveenquiredaboutguidelinesforcontactwithauthorities.

Wehaveenquiredaboutcontactwithinterestgroups,andwehaveinspecteddocumentationforcontact.

Wehaveenquiredaboutthedecisiononinformationsecurityinconnectionwithprojectmanagement,andwehaveinspectedtheprojectmodel.


MobiledevicesandteleworkingControlobjective:Toensurethesecurityofteleworkinganduseofmobiledevices.No. LESSORGroup’scontrol REVI-IT’stest Testresults

6.2 Mobiledevices(smartphones,tabletsetc.)canbeusedforthesynchronizationofemailsandthecalendar.Besidesthepassword,wehaveimplementednoothersecuritymeasurestoensurede-vicesanduseraccesses.

Onlyauthorizedpersonsaregrantedaccesstoournetworkandthuspotentiallytosystemsanddata.Ouremployeesaccessthesystemsviatelecommutingar-rangements/SSH.

Wehaveenquiredaboutthemanage-mentofmobiledevices,andwehaveinspectedthesolution.

Wehaveenquiredaboutthesecurityofteleworking,andwehaveinspectedthesolution.


LESSORGroup


Humanresourcesecurity

PriortoemploymentControlobjective:Toensurethatemployeesandcontractorsunderstandtheirresponsibilitiesandaresuitablefortherolesforwhichtheyareconsidered.No. LESSORGroup’scontrol REVI-IT’stest Testresults

7.1 Wehaveimplementedproceduresfortherecruitmentofstaffandestablishedcooperationwithanexternalpartnertoensurethatweemploytherightcandidatewithregardtobackgroundandskills.

Thegeneraltermsofemployment,e.g.confidentialityrelatedtothecustomers’andpersonalcircum-stances,arespecifiedintheem-ploymentcontracts/jobdescrip-tionsofallemployees.

Wehaveenquiredaboutaprocedureforscreeningnewemployees,andwehaveinspectedtheprocedure.

Wehaveinspotchecksinspecteddoc-umentationfortheprocedurebeingfollowed.

Wehaveenquiredabouttheformalisa-tionoftermsofemployment,andwehaveinspotchecksinspecteddocumen-tationfortheformalisationoftermsofemployment.


DuringemploymentControlobjective:Toensurethatemployeesandcontractorsareawareofandfulfiltheirinformationsecurityrespon-sibilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

7.2 Weencourageouroperatingstafftomaintaintheirqualifications,educationsandcertificationsthroughtrainingcourses,lecturesandotherrelevantactivitiestoensurethattheemployeescon-cernedcanbekeptuptodatewithsecurityandbecomeawareofnewthreats.

Thegeneraltermsofemployment,e.g.confidentialityrelatedtothecustomers’andpersonalcircum-stances,arespecifiedintheem-ploymentcontractsofallemploy-ees.

Wehaveenquiredaboutthemanage-ment’sresponsibilityfordisseminatinginformationsecuritycriteria,andwehaveinspectedtheguidelinesfordis-semination.

Wehaveenquiredaboutfurthertrainingofemployees,andwehaveinspotchecksinspecteddocumentationforfurthertraining.

Wehaveenquiredaboutguidelinesfordisciplinaryprocesses,andwehaveinspectedtheguidelines.


TerminationandchangeofemploymentControlobjective:Toprotecttheorganisation’sinterestsaspartoftheprocessofchangingorterminatingemploy-ment.No. LESSORGroup’scontrol REVI-IT’stest Testresults

7.3 Thegeneraltermsofemployment,e.g.confidentialityrelatedtothecustomers’andpersonalcircum-stances,arespecifiedintheem-ploymentcontractsofallemploy-ees.

Wehaveenquiredabouttheformalisa-tionofobligationsapplicableaftertheterminationofemployees.

Wehaveinspotchecksinspecteddoc-umentationforthematter.


LESSORGroup


Assetmanagement

ResponsibilityforassetsControlobjective:Toidentifyorganisationalassetsanddefineappropriateprotectionresponsibilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

8.1 Serversandnetworkequipmentincludingconfigurationareregis-teredtobeusedfordocumenta-tionpurposesandtogainanover-viewofequipment.

Centralnetworkunits,servers,peripheralunits,systemsanddataareownedbyoperatingstaffmembersoftheLESSORGroup.

Acceptableuseisdescribedintheemployeehandbook.

Whenanemployeeterminates,aprocedurewillbeinitiatedtoensurethattheemployeereturnsallrelevantassets.

Wehaveenquiredaboutinventoriesofassets,andwehaveinspotchecksin-spectedinventoriesofassets.

Wehaveenquiredaboutownershipofassets,andwehaveinspectedtheallo-cationofownershipofassets.

Wehaveenquiredaboutguidelinesforacceptableuseofassets,andwehaveinspectedtheseguidelines.

Wehaveenquiredaboutaprocedureforsecuringthereturnofassets,andwehaveinspectedtheprocedure.

Wehaveinspotchecksinspecteddoc-umentationforthereturnofassets.


InformationclassificationControlobjective:Toensurethattheinformationreceivesanappropriatelevelofprotectioninaccordancewithitsimportancetotheorganisation.No. LESSORGroup’scontrol REVI-IT’stest Testresults

8.2 Serversandnetworkequipmentincludingconfigurationareregis-teredtobeusedfordocumenta-tionpurposesandtogainanover-viewofequipment.

Centralnetworkunits,servers,peripheralunits,systemsanddataareownedbyoperatingstaffmembersoftheLESSORGroup.Thecustomer’scontactpersonownsthecustomers’data.

Wehaveenquiredaboutguidelinesfortheclassificationandlabellingofdata,andwehaveinspectedtheguidelines.

Wehaveenquiredaboutguidelinesfordatamanagement,andwehavein-spectedtheguidelines.


MediahandlingControlobjective:Topreventunauthoriseddisclosure,modification,removalordestructionofinformationstoredonmedia.No. LESSORGroup’scontrol REVI-IT’stest Testresults

8.3 Weensure,tothebestpossibleextent,thattheportabledevicesofouremployees,e.g.portablecomputers,cellphonesetc.,areconfiguredatthesamesecuritylevelasallotherdevicesoftheenvironment.

Alldataequipmentisdestroyedpriortodisposalinordertoensurethatnodataisavailable.

Wehaveenquiredaboutguidelinesfortheuseofremovablemedia,andwehaveinspectedtheguidelines.

Wehaveenquiredaboutthedisposalofmedia,andwehaveinspecteddocu-mentationforsecuredisposal.

Wehaveenquiredaboutaprocedureforprotectingremovablemediaduringtransport,andwehaveinspectedtheprocedure.


LESSORGroup


Accesscontrol

BusinessrequirementsControlobjective:Tolimitaccesstoinformationandinformationprocessingfacilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

9.1 Themannerinwhichthegrantingofaccessishandledisdescribedinapolicydocument.ThepolicyispartofourITsecuritypolicy.

Wehaveenquiredaboutpoliciesformanagingaccesstosystemsandpremis-es,andwehaveinspectedthepolicies.

Wehaveenquiredaboutproceduresformanagingaccesstonetworkandnet-workservices,andwehaveinspectedselectedprocedures.


UseraccessmanagementControlobjective:Toensureauthoriseduseraccessandtopreventunauthorisedaccesstosystemsandservices.No. LESSORGroup’scontrol REVI-IT’stest Testresults

9.2 Alluserprofilesmustbepersonal-lyidentifiable.

Thegrantofprivilegesiscon-trolledinaccordancewiththeregularuseradministrationpro-cess.Privilegesareonlygrantedonaneed-to-basis.

Periodically,i.e.onceayear,wereviewtheinternalsystemsofthecompanyincludinguserprofilesandaccesslevelstoensurethattheprocedurerelatedtotheter-minationofemploymentisfol-lowed.

Wehaveenquiredaboutaprocedureforusermanagement,andwehaveinspect-edtheprocedure.

Wehaveenquiredaboutaprocedurefortheallocationofrights,andwehaveinspectedtheprocedure.

Wehaveinspotchecksinspecteddoc-umentationforthecreationofusersandallocationofrights.

Wehaveenquiredaboutcontrolwithprivilegedrights,andwehaveinspectedselectedcontrols.

Wehaveenquiredaboutaprocessforthedisclosureoflogoninformation,andwehaveinspectedtheprocess.

Wehaveenquiredaboutperiodicreviewofusers,andwehaveinspecteddocu-mentationforreviewduringtheauditperiod.

Wehaveenquiredaboutaprocedureforrevokingaccessrights,andwehaveinspectedtheprocedure.

Wehaveinspotchecksinspecteddoc-umentationfortimelyrevocationofaccessrights.


UserresponsibilitiesControlobjective:Tomakeusersaccountableforsafeguardingtheirauthenticationinformation.No. LESSORGroup’scontrol REVI-IT’stest Testresults

9.3 TheITsecuritypolicyprovidesthatallemployeepasswordsmustbepersonalandthatonlytheuserknowsthepassword.

Wehaveenquiredaboutguidelinesformanagingconfidentialpasswords,andwehaveinspectedtheguidelines.


LESSORGroup


SystemandapplicationaccesscontrolControlobjective:Topreventunauthorisedaccesstosystemsandapplications.No. LESSORGroup’scontrol REVI-IT’stest Testresults

9.4 Theaccessforouremployeesisdifferentiated.Onlysystems,serversanddata,whicharerele-vanttotheareaofworkofeachsingleemployee,areaccessible.

Allusershavepasswords,whicharesubjecttorestrictionsrelatedtothecreationofthepasswords.

Wehaveenquiredaboutrestrictedaccesstodata,andwehaveinspecteddocumentationforrestriction.

Wehaveenquiredaboutaprocedureforlogon,andwehaveinspectedthesolu-tionforadequatesecurity.

Wehaveenquiredaboutasystemfortheadministrationofpasswords,andwehaveinspotchecksinspectedrequire-mentsforpasswordquality.

Wehaveenquiredabouttheuseofprivilegedsystemtools.

Wehaveenquiredabouttherestrictionofaccesstoprivilegedsystemtools,andwehaveinspecteddocumentationforrestriction.


Cryptography

CryptographiccontrolsControlobjective:Toensureproperandeffectiveuseofcryptographytoprotecttheconfidentiality,authenticityand/orintegrityofinformation.No. LESSORGroup’scontrol REVI-IT’stest Testresults

10.1 Ifpossible,alldatafromtheLES-SORGroupdatacenteristransmit-tedviaencryptedprotocols.

Wehaveenquiredaboutapolicyfortheuseofcryptography,andwehavein-spectedthepolicy.

Wehaveenquiredaboutapolicyfortheadministrationofencryptionkeys,andwehaveinspectedthepolicy.


LESSORGroup


Physicalandenvironmentalsecurity

SecureareasControlobjective:Topreventunauthorisedphysicalaccess,damageandinterferencetotheorganisation’sinfor-mationandinformationprocessingfacilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

11.1 ThephysicalaccesstothedatacenteroftheLESSORGroupinAllerødislimitedtothreepersonsfromtheLESSORGroupwhoallhavebeenprovidedwithakeyandaPINcodeforthealarmsystem.Thelogicalaccessislim-itedtotheminimum.Anemploy-eeoftheLESSORGroupalwaysaccompaniesexternalpartnerswhosetaskistoservicetheequipmentinthedatacenter.

Theentrancetothedatacenterisequippedwithanalarmsystemandundervideosurveillance.AllLESSORGrouphostingservicesincludingtheinfrastructurearemonitored.Themonitoringhasbeendescribedandisbeingmain-tainedcontinuously.

Wehaveenquiredaboutaphysicalsecu-rityperimeteratthecompany’spremis-es,andwehaveinspectedthesolutioninplace.

Wehaveenquiredaboutaccesscontrolsforsecuringoffices,roomsandopera-tionsfacilities,andwehaveinspectedselectedaccesscontrols.

Additionally,wehaveinspectedtheprocedureforallocationofaccesstopremisescriticaltooperations.

WehaveinspectedLESSORGroup’sofficesinordertocheckthephysicalsecurity.

Wehaveinspectedsecurityformitigat-ingexternalandenvironmentalthreats.

Wehaveenquiredaboutanareaforthedeliveryofparcelsandgoods.


LESSORGroup


EquipmentControlobjective:Topreventloss,damage,theftorcompromiseofassetsandinterruptiontotheorganisation’sop-erations.No. LESSORGroup’scontrol REVI-IT’stest Testresults

11.2 Theentrancetothedatacenterisequippedwithanalarmsystemandisundervideosurveillance.

TheLESSORGroup’sdatacenterisprotectedagainstfirebytwoINERGEN®systems.Regularre-viewsarecarriedouttoensurethattheINERGEN®systemoper-atescorrectly.

IntheLESSORGroup’sdatacen-ter,tworefrigerationsystemsareinstalledineachserverroom.Regularreviewsarecarriedouttoensurethatallrefrigerationsys-temsoperatecorrectly.

IntheLESSORGroup’sdatacen-ter,bothUPSunitsandastandbygeneratorareinstalled.RegularreviewsarecarriedouttoensurethatboththeUPSunitsandthestandbygeneratoroperatecor-rectly.

Alldataequipmentisdestroyedpriortodisposalinordertoen-surethatnodataisavailable.

Screensarelockedafter10minutesinactivity.Thus,wemin-imizetheriskofunauthorizedaccesstoconfidentialdata.

Wehaveenquiredabouttheplacementofoperationsequipment,andwehaveinspectedthephysicalcircumstancesforprotectingoperationsequipment.

Wehaveenquiredabouttheuseofsupportingsupplies,andwehavein-spectedareascriticaltooperations.Additionally,wehaveverifiedtheexist-enceofsupportingsupplies.

Wehaveenquiredabouttheprotectionofcablesinthedatacentre,andwehavephysicallyinspectedthesolution.

Wehaveenquiredaboutmaintenanceofequipmentcriticaltooperations,andwehaveinspecteddocumentationformaintenanceandtestofequipmentcriticaltooperationsduringtheperiod.

Wehaveenquiredaboutapolicyforthedisposalofmediaandequipmentcarry-ingdata,andwehaveinspectedthepolicy.Additionally,wehaveinspecteddocumentationforsecuredisposalofmediacarryingdata.

Wehaveenquiredaboutprotectingunsuperviseduserequipment,andwehaveinspecteddocumentationfortheprotection.

Wehaveenquiredaboutapolicyforcleandeskandscreen,andwehaveinspectedthepolicy.


LESSORGroup


Operationssecurity

OperationalproceduresandresponsibilitiesControlobjective:Toensurecorrectandsecureoperationofinformationprocessingfacilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

12.1 Assometasksareperformedbyoneemployeeonly,wehavepreparedsomedetaileddescrip-tionsinordertoensurethatwecanre-establishagivenserviceinanewenvironment.

Allchangesfollowanimplement-edchangemanagementprocessandaredocumented.

Wehaveestablishedamonitoringsystemformonitoringcapacityconstraints.

Ournetworkisdividedintoser-vicesegmentstoensureinde-pendencebetweentheofferedservices.Furthermore,testandproductionenvironmentsaredividedintotwosegments.

Wehaveenquiredaboutdocumentedoperationsprocedures,andwehaveinspotchecksinspectedtheprocedures.

Wehaveenquiredaboutaprocedureforchangemanagement,andwehavein-spectedtheprocedure.

Wehaveinspotchecksinspecteddocu-mentationfortheprocedurebeingfol-lowed.

Wehaveenquiredaboutcapacityman-agementandmonitoring,andwehaveinspecteddocumentationformanage-mentandmonitoring.

Wehaveenquiredaboutsegregationofdevelopment,test,andoperationsfacili-ties,andwehaveinspecteddocumenta-tionforsegregation.


ProtectionfrommalwareControlobjective:Toensurethatinformationandinformationprocessingfacilitiesareprotectedagainstmalware.No. LESSORGroup’scontrol REVI-IT’stest Testresults

12.2 OnWindowsplatforms,wehaveinstalledanti-virussoftware.Onthefirewall,wehaveinstalledanIntrusionPreventionSystem(IPS)tosafeguardoursystemsagainstknownmaliciousattacks.

Wehaveenquiredaboutmeasurestoprotectagainstmalware,andwehaveinspectedthemanagement.

Wehaveenquiredabouttheuseofanti-virusonuserequipment,andwehaveinspotchecksinspecteddocumentationfortheuseofanti-virus.


LESSORGroup


BackupControlobjective:Toprotectagainstlossofdata.No. LESSORGroup’scontrol REVI-IT’stest Testresults

12.3 Backupsofourcustomers’datatakeplacewithus.Backupcopiesaresavedinelectronicformonaphysicallocationotherthanthedatacenter.

Wehave,forthatpurpose,devel-opedatesttorecreatesystemsanddata.Thetestisperformedonaregularbasisatleastonceayear.

Wehaveenquiredaboutaprocedureforsetupandexecutionofbackup,andwehaveinspectedtheprocedure.

Wehaveenquiredaboutdocumentationforthesetupofbackup,andwehaveinspecteddocumentationforthesetup.

Wehaveenquiredaboutbackupreten-tion,andwehaveinspecteddocumenta-tionforsetup.

Wehaveenquiredaboutcontrolsfortheexecutionofbackup,andwehavein-spectedthecontrol.

Wehaveenquiredaboutdocumentationfortestofrestore,andwehaveinspect-eddocumentationfortestofrestore.

Wehaveenquiredaboutregistrationoffailedbackup,andwehaveinspotchecksinspecteddocumentationforthehandlingoffailedbackups.


LoggingandmonitoringControlobjective:Torecordeventsandgenerateevidence.No. LESSORGroup’scontrol REVI-IT’stest Testresults

12.4 Theadministratorloggingprocessisperformedsimultaneouslywiththeordinaryloggingprocess.

Logsareuploadedtoourownlogserverandprotectedagainstmodificationanddeletion.

WemakeuseofInternetNTPserversforsynchronizationofallservers.

Wehaveenquiredaboutlogging,andwehaveinspotchecksinspectedloggingconfiguration.

Wehaveenquiredabouttheprotectionofloginformationthroughouttheperi-od,andwehaveinspectedthesolution.

Wehaveenquiredaboutclocksynchro-nisationonthenetwork,andwehaveinspotchecksinspecteddocumentationforclocksynchronisation.

System-relatedeventsareloggedandfollowedupupon.However,acontrolhasnotbeenimplementedforfollowinguponuser-relatedevents.

ControlofoperationalsoftwareControlobjective:Toensuretheintegrityofoperationalsystems.No. LESSORGroup’scontrol REVI-IT’stest Testresults

12.5 Viaourpatchprocess,weensurethatonlyapprovedandtestedupdatesarebeinginstalled.Allpatchingfollowsapatchman-agementprocedure.

Wehaveenquiredabouttheinstallationofprogramsandupdatesonoperationalsystems,andwehaveinspectedtheprocedure.

Wehaveinspotchecksinspecteddocu-mentationforupdatestooperationalsystems.


LESSORGroup


TechnicalvulnerabilitymanagementControlobjective:Topreventexploitationoftechnicalvulnerabilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

12.6 SafetywarningsfromDK-CERT(orothers)aremonitoredandana-lysed.Ifrelevant,theyarein-stalledonourinternalsystemswithinonemonthfromthedateofissue.Ourinternalsolutionsaresubjecttoongoingriskassess-ments.

Wehaveenquiredaboutthemanage-mentoftechnicalvulnerabilities,andwehaveinspectedtheestablishedprecau-tions.

Wehaveenquiredaboutrestrictionstoinstallingprograms,andwehavein-spectedtheestablishedprecautions.


Communicationssecurity

NetworksecuritymanagementControlobjective:Toensuretheprotectionofinformationinnetworksanditssupportinginformationprocessingfacilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

13.1 TheITsecurityrelatedtothesystemanddataframeworkismadeupbytheInternetnetwork,theremotenetworketc.Alltraffic,incomingaswellasoutgoing,isfilteredbythefirewallrules.

Ournetworkisdividedintoservicesegmentstoensureindependencebetweentheofferedservices.Furthermore,testandproductionenvironmentsaredividedintotwosegments.

Wehaveenquiredaboutprecautionsforprotectingthenetworkandnetworkservices,andwehaveinspectedtheestablishedprecautions.

Wehaveenquiredaboutnetworksegre-gation,andwehaveinspecteddocu-mentationforthesegregation.


InformationtransferControlobjective:Tomaintainthesecurityofinformationtransferredwithinanorganisationandwithanyexternalentity.No. LESSORGroup’scontrol REVI-IT’stest Testresults

13.2 Ifpossible,alldatafromtheLES-SORGroupdatacenteristrans-mittedviaencryptedprotocols.

Thecommunicationwithusersiscarriedoutviaemails,supportforumsor,onlyrarely,viafax.

Confidentialityhasbeenestab-lishedforallpartiesinvolvedinourbusinessthroughemploymentcontractsandcooperationagreementswithsubcontractorsandpartners.

Wehaveenquiredaboutapolicyforinformationtransfers,andwehaveinspectedthepolicy.

Wehaveenquiredabouttheuseofsecureconnectionswhentransferringinformation,andwehaveinspecteddocumentationfortheuseofsecureconnections.

Wehaveenquiredabouttheestablish-mentofconfidentialityagreements,andwehaveinspotchecksinspecteddocu-mentationfortheestablishment.


LESSORGroup


Informationsecurityincidentmanagement

ManagementofinformationsecurityincidentsandimprovementsControlobjective:Toensureaconsistentandeffectiveapproachtothemanagementofinformationsecurityinci-dents,includingcommunicationonsecurityeventsandweaknesses.No. LESSORGroup’scontrol REVI-IT’stest Testresults

16.1 Tobeabletomanagethemoni-toringandfollow-upofincidentsandtoensurethatincidentsareregistered,prioritized,managedandescalated,wehaveimple-mentedformalincidentandeventmanagementprocedures.TheprocessisdocumentedinJira.

Wehaveenquiredaboutaprocedureforthemanagementofinformationsecurityincidents,andwehaveinspectedtheprocedure.

Wehaveenquiredaboutallocationofresponsibilitiesinconnectionwithinfor-mationsecurityincidents,andwehaveinspecteddocumentationforthealloca-tionofresponsibilities.

Wehaveenquiredaboutthereportingofinformationsecurityincidentsandweak-nesses,andwehaveinspectedthepro-cedureforreporting.

Wehaveenquiredaboutassessmentandmanagementofinformationsecurityincidents,andwehaveinspotchecksinspecteddocumentationforassessingandmanaginginformationsecurityinci-dents.

Wehaveenquiredaboutlearningfrominformationsecurityincidents,andwehaveinspotchecksinspectedthepro-cess.

Wehaveenquiredaboutthecollectionofevidenceinconnectionwithsecuritybreaches,andwehaveinspectedtheprocessforthecollectionofevidence.


LESSORGroup


Informationsecurityaspectsofbusinesscontinuitymanagement

InformationsecuritycontinuityControlobjective:Informationsecuritycontinuityshouldbeembeddedintheorganisation’sbusinesscontinuityman-agementsystems.No. LESSORGroup’scontrol REVI-IT’stest Testresults

17.1 TheLESSORGrouphaspreparedanemergencyplanforthehan-dlingofanemergency.Theemer-gencyplanisanchoredintheITriskanalysisandmaintainedatleastonceayearfollowingtheperformanceoftheanalysis.

Theplanistestedonceayearasapartofouremergencyprepared-nessproceduretoensurethatthecustomers,atthelowestpossiblelevel,willbeaffectedbyanemer-gency.

Wehaveenquiredaboutthepreparationofaninformationsecuritycontinuityplanforensuringthecontinuationofopera-tionsinconnectionwithfailuresandsimilar,andwehaveinspectedthecon-tinuityplan.

Wehaveinspecteddocumentationfortestofthecontinuityplanduringtheperiod,andwehaveinspecteddocumen-tationforthetest.


RedundanciesControlobjective:Toensureavailabilityofinformationprocessingfacilities.No. LESSORGroup’scontrol REVI-IT’stest Testresults

17.2 Weseektoensurethatallser-vicesareredundanttomakesurethatwe,intheshortestpossibletime,willbeabletore-establishtheproductionenvironmentinanewenvironmentincaseofnon-repairableerrorsintheproduc-tionenvironment.Wecontinuetofocusonthisarea.

Wehaveenquiredaboutadequatere-dundanciesformaintainingaccessibilitytooperationalsystems,andwehaveinspotchecksinspecteddocumentationforredundancies.


LESSORGroup


Compliance

InformationsecurityreviewsControlobjective:Toensurethatinformationsecurityisimplementedandoperatedinaccordancewiththeorganisa-tionalpoliciesandprocedures.No. LESSORGroup’scontrol REVI-IT’stest Testresults

18.2 Wecarryoutinternalauditsonceayearinordertotestifourinter-nalpoliciesandproceduresarefollowed.Theauditsincludeallservicesandtheinfrastructureaswellasotherareas,ifnecessary.

Wehaveenquiredaboutanindepend-entreviewoftheinformationsecurity,andwehaveinspecteddocumentationthatindependentreviewhasbeenper-formed.

Wehaveenquiredaboutinternalcon-trolsforensuringcompliancewithpoli-ciesandprocedures,andwehaveinspotchecksinspecteddocumentationforinternalcontrols.

Wehaveenquiredaboutperiodicself-regulationofsecurityconfigurations,andwehaveinspecteddocumentationfortheself-regulation.


lessor group · controls at a service organisation (isae 3402). besides, the description aims to...

Documents