REVI-IT A/S, State authorised public accounting firm, Jens Kofods Gade 1, DK-1268 Copenhagen K, Phone 33118100, [email protected], revi-it.dk, CVR no. 30988531
Independent service auditor’s assurance report on the description of controls, their design and operating effectiveness regarding the operation of hosted services for the period 01-04-2015 to 31-03-2016
ISAE 3402-II
LESSOR Group
April 2016
This report was originally prepared in Danish. In case of discrepancies, the Danish report is applicable.
LESSOR Group
REVI-IT A/S
Table of contents
Section 1: LESSOR Group’s statement ........ 1
Section 2: LESSOR Group’s description of control and hosting environment ........ 2
Section 3: Independent service auditor’s assurance report on the description of controls, their design and functionality ........ 12
Section 4: Control objectives, controls, tests, and related test controls ........ 14
Section 1: LESSOR Group’s statement
This description has been prepared for customers who have made use of LESSOR Group’s hosting services, and for their auditors who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers’ financial statements.
LESSOR Group confirms that:
(a) The accompanying description in Section 2 fairly presents LESSOR Group’s hosting services related to customer transactions processed throughout the period 01-04-2015 to 31-03-2016. The criteria for this statement were that the included description:
(i) Presents how the system was designed and implemented, including:
• The type of services provided, when relevant
• The procedures, within both information technology and manual systems, by which transactions are initiated, recorded, processed, corrected as necessary, and transferred to the reports presented to the customers
• Relevant control objectives and controls designed to achieve these objectives
• Controls that we assumed, in the design of the system, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by ourselves alone
• Other aspects of our control environment, risk assessment process, information system and communication, control activities and monitoring controls that were considered relevant to processing and reporting customer transactions.
(ii) Provides relevant details of changes in the service organisation’s system throughout the period 01-04-2015 to 31-03-2016
(iii) Does not omit or distort information relevant to the scope of the described system, while acknowledging that the description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important to their particular environment.
(b) The controls related to the control objectives stated in the accompanying description were suitably designed and operated effectively throughout the period 01-04-2015 to 31-03-2016. The criteria used in making this statement were that:
(i) The risks that threatened achievement of the control objectives stated in the description were identified
(ii) The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved
(iii) The controls were consistently applied as designed, including that manual controls were applied by persons who have the appropriate competence and authority, throughout the period 01-04-2015 to 31-03-2016.
Allerød, 26 April 2016
CEO
Section 2: LESSOR Group’s description of control and hosting environment
Introduction
The LESSOR Group is composed of:
- LESSOR A/S
- LESSOR GmbH
- Danske Lønsystemer A/S
- ilohngehalt internet services GmbH
- ISALAIRE EURL
- NORLØNN AS
- Łatwe Płace Sp. z o.o.
- quickpayroll Ltd.
- Swelön AB
- Pagaveloce
- Hispanomina
The object of this description is to provide information to the customers of the LESSOR Group and their auditors concerning the requirements laid down in the international auditing standard for assurance reports on the controls at a service organization (ISAE 3402).
Besides, the description aims to provide information about controls used for “services” with us during the period.
The description includes control objectives and audits conducted by the LESSOR Group, which comprise most of our customers and are based on our standard supplies. Individual customer relationships are not covered by this description.
The LESSOR Group has built up its control environment in accordance with ISO 27002.
LESSOR Group and our services
The LESSOR Group offers payroll and human resource management solutions in a number of countries. In Denmark and Germany, the LESSOR Group’s primary customer group comprises companies ranging from small businesses to some of the largest Danish companies. In the other countries in which the LESSOR Group is also represented, the focus is fixed on small businesses with few employees.
In this regard, we offer all relevant security measures as e.g. INERGEN® systems, cooling, redundant power sources and fibre lines and last but not least fully-equipped monitoring systems.
The LESSOR Group only offers professional cloud services.
Organisation and responsibility
The company is characterized by a clear and transparent company structure.
LESSOR Group employs approximately 100 employees. The organizational structure of the LESSOR Group includes the departments Administration, Economic and Operating Support as well as various product departments.
The employees of the LESSOR Group are thus responsible for the support of our own products as well as the hosting infrastructure. The support teams handle all incoming questions. They either solve the problems or pass on the task to the Operations Department for further processing.
Thus, the Operations Department acts as second line support and monitors existing operating solutions and other tasks associated with the day-to-day management of our hosting environment.
Risk assessment and management
Risk assessment
IT risk analysis
LESSOR Group’s ISO team has produced a risk analysis. On an annual basis or in case of significant changes, the group carries out a risk assessment of the assets of the LESSOR Group. Both internal and external factors are taken into consideration.
The risk analysis provides an assessment of all risks identified. The risk analysis is updated on a yearly basis or in case of significant changes, to ensure that the risks associated with the services provided are minimized to an acceptable level.
The responsibility for risk assessments lies with the CEO of the company who also approves the risk analysis.
Handling of security risks
Risk management procedure
We have implemented a scoring system for risks associated with the provision of our services.
We assess the risks, which we believe we are facing, point by point. We make use of a simple calculation method for this purpose: ”probability %” * ”impact %”.
The acceptable level goes to 20%. We continuously assess if we can reduce the risks and take initiatives to address these risks.
Information security policies
Policies for information security
IT Security Policy Document
We have defined our quality standards system on the basis of the general objective of providing our customers with a stable and secure hosting solution. In order to comply with the objectives, we have implemented policies and procedures, which ensure that our supplies are uniform and transparent.
Our IT security policy is produced in accordance with ISO 27002:2013 and applies to all employees and all deliveries.
Our methodology for the implementation of controls is defined with reference to ISO 27002:2013 (guidelines for information security management) and is thus divided into the following control areas:
• Information security policies
• Organization of information security
• Employee safety
• Asset management
• Conditional access
• Cryptography
• Physical security and environmental safeguards
• Operational safety
• Communication security
• Purchase, development and maintenance of systems
• Supplier relationships
• Information security breach management
• Information security aspects related to emergency and restoration management
• Compliance
We continue to improve both policies, procedures and operations.
Review of the policies for information security
We update the IT security policy regularly and at least once a year. The IT security policy is approved by the CEO.
Organisation of information security
Information security roles and responsibilities
Allocation of information security responsibilities
Our organization is divided into different areas of responsibility. We have prepared a number of detailed responsibility and role descriptions for employees on all levels.
Confidentiality has been established for all parties involved in our business. The confidentiality is ensured via employment contracts.
Segregation of duties
Through on-going documentation and processes, we try to eliminate or minimize the dependence on key management personnel. Tasks are assigned and defined via procedures (Jira) for managing the operational services.
Contact with special interest groups
The operating staff subscribes to newsletters from e.g. DK-CERT and informs itself about substantial security-related circumstances on Internet traffic.
Mobile devices and teleworking
Mobile device policy
We have made it possible for our employees to work from home via a VPN connection with two-way authentication. No equipment (portable computers etc.) must be left unattended. Portable units are protected by HDD passwords, login information and HDD encryption.
Mobile devices (smartphones, tablets etc.) can be used for the synchronization of emails and the calendar. Besides the password, we have implemented no other security measures to ensure devices and user accesses.
Teleworking
Only authorized persons are granted access to our network and thus potentially to systems and data. Our employees access the systems via telecommuting arrangements/ssh.
Human resource security
Prior to employment
Screening
We have implemented procedures for the recruitment of staff and established cooperation with an external partner to ensure that we employ the right candidate with regard to background and skills.
Terms and conditions of employment
The general terms of employment, e.g. confidentiality related to the customers’ and personal circumstances, are specified in the employment contracts/job descriptions of all employees in which, among other things, the termination of employment and sanctions following security breaches are also described.
During employment
Management responsibilities
All new employees sign a contract prior to commencement of their employment. The contract provides that the employee must comply with the policies and procedures existing at any time. The contract/job description clearly defines the responsibility and role of the employee.
Information security awareness, education and training
Our assets are first of all our employees. We encourage our operating staff to maintain qualifications, educations and certifications through training courses, lectures and other relevant activities to ensure that the employees concerned can be kept up to date with security and become aware of new threats.
Disciplinary process
The general terms of employment, e.g. confidentiality related to the customers’ and personal circumstances, are specified in the employment contracts of all employees in which, among other things, the termination of employment and sanctions following security breaches are also described.
Termination and change of employment
When an employee terminates, a procedure will be initiated to ensure that the employee returns all relevant assets, e.g. portable devices etc., and that the access to buildings, systems and data is withdrawn. The overall responsibility to ensure all control procedures upon termination of employment lies with the CEO of the company. The documentation related to the termination of employment is available in electronic form in the human resources department.
Asset management
Responsibility for assets
Inventory of assets
Servers and network equipment including configuration are registered to be used for documentation purposes and to gain an overview of equipment etc. In order to secure against unauthorized access and to ensure the transparency of the structure, we have prepared a number of documents describing the internal network including units, naming of units, logical division of the network etc. The documentation for equipment is updated on a regular basis and reviewed at least once a year by our operating staff.
Ownership of assets
Central network units, servers, peripheral units, systems and data are owned by operating staff members of the LESSOR Group. The customers’ data is owned by the customer’s contact person.
Acceptable use of assets
The subject is described in the employee handbook.
Return of assets
When an employee terminates, a procedure will be initiated to ensure that the employee returns all relevant assets, e.g. portable devices etc., and that the access to buildings, systems and data is withdrawn. The overall responsibility to ensure all control procedures upon termination of employment lies with the CEO of the company. The documentation related to the termination of employment is available in electronic form in the human resources department.
Media handling
Management of removable media
We ensure, to the best possible extent, that the portable devices of our employees, e.g. portable computers, cell phones etc., are configured at the same security level as all other devices of the environment. We also ensure that all data equipment is updated when new security measures are finalized.
Access control
Access control policy
Conditional access policies
The manner in which the granting of access is handled is described in a policy document. The policy is part of our IT security policy.
User access management
User registration and de-registration
The user profiles of our customers are created solely due to the wishes of our customers. In some systems, the end customer himself creates his user profile without interference by the employees of the LESSOR Group. Our own users are created as super users to ensure that our support teams are able to provide professional service.
All user profiles must be personally identifiable. The access to passwords for accounts, which only are used by systems (service users), is limited to few authorized persons.
Assignment of rights
The assignment of privileges is controlled in accordance with the regular user administration process. Privileges are only granted on a need-to basis.
Management of privileged access rights
Personal login information is known only by the employee and subject to a password policy to ensure the complexity.
Review of user access rights
Periodically, i.e. once a year, we review the internal systems of the company including user profiles and access levels to ensure that the procedure related to the termination of employment is followed and that the customers’ data cannot be accessed by former employees of the LESSOR Group.
User responsibilities
Use of secret authentication information
The IT security policy provides that all employee passwords must be personal and that only the user knows the password. Passwords for service accounts etc. that cannot be used for logging in and which are not changed for systemic reasons are stored in a separate system. Only four members of the LESSOR Group can access this system.
System and application access control
Information access restriction
The access for our employees is differentiated. Only systems, servers and data, which are relevant to the area of work of each single employee, are accessible.
Password management system
All employees are subject to restrictions as regards the passwords to customer systems as well as the customers’ own systems. All users have passwords, which are subject to restrictions related to the creation of the passwords. Some systems require that the password is complex and changed regularly. In other systems, the customer himself determines the change frequency and complexity of the password.
Physical and environmental security
Secure areas
The physical access to the data centre of the LESSOR Group in Allerød is limited to four persons from the LESSOR Group who all have been provided with a key and a PIN code for the alarm system. The logical access is limited to the minimum. External partners whose task is to service the equipment in the data centre are always accompanied by an employee of the LESSOR Group.
Equipment maintenance
Fire Safety
The LESSOR Group’s data centre is protected against fire by two INERGEN® systems, one in each server room. Regular reviews are carried out to ensure that the INERGEN® system operates correctly. The LESSOR Group has made a service contract with the supplier including two annual servicing visits. Besides, both systems are continuously monitored by Alive Services for operational errors.
Cooling
In the LESSOR Group’s data centre, two refrigeration systems are installed in each server room: a free cooling system and a traditional system, which also serves as a backup for the free cooling system. Regular reviews are carried out to ensure that all refrigeration systems operate correctly. The LESSOR Group has made a service contract with the supplier including four annual servicing visits. Besides, all refrigeration systems are continuously monitored for operational errors.
Backup Power (UPS and generator)
In the LESSOR Group’s data centre, both UPS units and a standby generator are installed. There is a UPS unit in each server room and a common standby generator. Regular reviews are carried out to ensure that both the UPS units and the standby generator operate correctly. Both UPS systems are serviced once a year. The standby generator is serviced once a year by the supplier of the installation. Besides, both the UPS units and the standby generator are continuously monitored by Alive Services for operational errors.
Monitoring
The entrance to the data centre is equipped with an alarm system and under video surveillance. All LESSOR Group hosting services including the infrastructure are monitored. The monitoring has been described and is being maintained continuously.
Secure disposal or re-use of equipment
All data equipment is destroyed prior to disposal in order to ensure that no data is available.
Unattended user equipment
All internal user accounts are centrally managed. Screens are locked after 10 minutes of inactivity. Thus, we minimize the risk of unauthorized access to confidential data.
Operations security
Operational procedures and responsibilities
Documented operating procedures
As some tasks are performed by one employee only, we have prepared some detailed descriptions in order to ensure that we can re-establish a given service in a new environment.
Change management
All changes follow an implemented change management process and are documented in Jira.
Capacity management
We have established a monitoring system for monitoring capacity constraints.
All incidents follow an implemented incident management process.
Protection from malware
Controls against malware
On Windows platforms, we have installed anti-virus software. On the firewall, we have installed an Intrusion Prevention System (IPS) to safeguard our systems against known malicious attacks.
Backup
Information backup
We ensure that we will be able to recreate systems and data in an appropriate and correct manner in accordance with the agreements concluded with our customers. We have, for that purpose, developed a test to recreate systems and data. The test is performed on a regular basis, at least once a year.
Backups of our customers’ data take place with us. Backup copies are saved in electronic form on a physical location other than the data centre.
Logging and monitoring
Event logging
Network traffic and server logs are monitored and logged. All logged incidents are being reviewed. To be able to manage the monitoring and follow-up of incidents and to ensure that incidents are registered, prioritized, managed and escalated, we have implemented formal incident and event management procedures. The process is documented in Jira.
Protection of log information
Logs are uploaded to our own log server and protected against modification and deletion.
Administrator and operator logs
The administrator logging process is performed simultaneously with the ordinary logging process.
Clock synchronization
We make use of Internet NTP servers for synchronization of all servers.
Control of operational software
Via our patch process we ensure that only approved and tested updates are being installed. All patching follows a patch management procedure.
Technical vulnerability management
Safety warnings from DK-CERT (or others) are monitored and analysed. If relevant, they are installed on our internal systems within one month from the date of issue. Our internal solutions are subject to on-going risk assessments.
Communications security
Network controls
The IT security related to the system and data framework is made up by the Internet network, the remote network etc. All traffic, incoming as well as outgoing, is filtered by the firewall rules.
Security of network services
The customers access our systems via https. Data transferred from our systems to external partners are IP whitelisted and, if this is possible, sent via encrypted data protocols.
Our redundant firewall (a cluster solution) monitors all incoming traffic.
Segregation in networks
Our network is divided into service segments to ensure the independence between the offered services. Furthermore, test and production environments are divided into two segments.
Information transfer policies and procedures
If possible, all data from the LESSOR Group data centre is transmitted via encrypted protocols.
The communication with users is carried out via emails, support forums or, only rarely, via fax.
Agreements on information transfer
Confidentiality has been established for all parties involved in our business through employment contracts and cooperation agreements with subcontractors and partners.
System acquisition, development and maintenance
Security requirements of information systems
Information security requirements analysis and specification
When a new system is implemented, a number of analysis and research procedures is performed in order to ensure that the system fully complies with the rules and security policies adopted by the LESSOR Group.
System change control procedures
All changes follow an implemented change management process.
Our test and production environments are logically and physically separated.
Restrictions on changes to software packages
Service packs and system specific updates, which may involve changes in functionality, are assessed and installed separately. Security updates are, as far as possible, implemented in all systems. In the first instance, they will be implemented only in the test environment. If the product manager accepts the updates (that is, if the service works as intended after the update process), the same security updates will be implemented in the production environment.
Supplier relationships
Information security in supplier relationships
We require the same level of confidentiality from our suppliers as from our employees.
Supplier service delivery management
Managing changes to supplier services
We do not hold review meetings with all suppliers but keep an on-going contact with all of them.
Information security aspects of business continuity management
Information security continuity
LESSOR Group has prepared an emergency plan for the handling of an emergency. The emergency plan is anchored in the IT risk analysis and maintained at least once a year following the performance of the analysis.
The plan and the procedures are anchored in our operating documentation and procedures.
Verify, review and evaluate information security continuity
The plan is tested once a year as a part of our emergency preparedness procedure to ensure that the customers, at the lowest possible level, will be affected by an emergency.
Redundancies
We seek to ensure that all services are redundant to make sure that we, in the shortest possible time, will be able to re-establish the production environment in a new environment in case of non-repairable errors in the production environment. We continue to focus on this area.
Compliance
Information security reviews
Independent review of information security
An evaluation will be carried out by an external IT auditor and when preparing the annual ISAE 3402 report.
Compliance with security policies and standards
We carry out internal audits once a year in order to test if our internal policies and procedures are followed. The audits include all services and the infrastructure as well as other areas, if necessary.
Complementary control procedures
LESSOR Group’s customers are, unless otherwise agreed, responsible for establishing connection to servers of LESSOR Group. Furthermore, the customers of the LESSOR Group are, unless otherwise agreed, responsible for:
• administration of their own user profiles
• their own Internet connection
• their own data.
Changes implemented during the period
The following changes have been implemented during the period:
- Improvement of patch management policies and procedures
- Introduction of a new log policy and improvement of the procedure
- Purchase of a new log server
- Implementation of centralized logging
- Improvement of procedures for the installation of new servers
- Replacement of Zabbix monitoring by Check MK
- Implementation of new strong firewalls
- Purchase of DDoS Shield.
Section 3: Independent service auditor’s assurance report on the description of controls, their design and functionality
To the management of LESSOR Group, their customers and their auditors.
Scope
We have been engaged to report on LESSOR Group’s description, presented in Section 2. The description, as confirmed by the management of LESSOR Group in Section 1, covers LESSOR Group’s operating and hosting services throughout the period 01-04-2015 to 31-03-2016, as well as the design and operation of the controls related to the control objectives stated in the description.
LESSOR Group’s responsibility
LESSOR Group is responsible for preparing the description (Section 2) and the related statement (Section 1) including the completeness, accuracy and method of presentation of the description and statement. Additionally, LESSOR Group is responsible for providing the services covered by the description, and for the design, implementation and effectiveness of operating controls for achieving the stated control objectives.
REVI-IT A/S’ independence and quality control
We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.
The firm applies International Standard on Quality Control 1 and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.
REVI-IT A/S’ responsibility
Based on our procedures, our responsibility is to express an opinion on LESSOR Group’s description (Section 2) as well as on the design and functionality of the controls related to the control objectives stated in this description. We conducted our engagement in accordance with ISAE 3402, “Assurance Reports on Controls at a Service Organisation”, issued by IAASB. This standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.
An assurance engagement to report on the description, design and operating effectiveness of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in the service organisation’s description of its system, and the design and operating effectiveness of controls. The procedures selected depend on the service auditor’s judgment, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein and the suitability of the criteria specified by the service organisation, described in Section 2.
We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.
Limitations of controls at a service organisation
LESSOR Group’s description in Section 2 is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the systems that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organisation may become inadequate or fail.
Opinion
Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion were those described in LESSOR Group’s description in Section 2 and on the basis of this, it is our opinion that:
(a) The description of the controls, as they were designed and implemented in the period throughout 01-04-2015 to 31-03-2016, is fair in all material respects
(b) the controls related to the control objectives stated in the description were suitably designed in the entire period throughout 01-04-2015 to 31-03-2016 in all material respects
(c) the controls tested, which were the controls necessary for providing reasonable assurance that the control objectives in the description were achieved in all material respects, have operated effectively throughout the period 01-04-2015 to 31-03-2016.
Description of tests of controls
The specific controls tested, and the nature, timing and results of these tests are listed in the subsequent main section (Section 4).
Intended users and purpose
This assurance report is intended only for customers who have used LESSOR Group’s services and the auditors of these customers, who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves. This information serves to obtain an understanding of the customers’ information systems, which are relevant for the financial statements.
Copenhagen, 26 April 2016
REVI-IT A/S, State authorised public accounting firm
Henrik Paaske, State Authorised Public Accountant
Martin Brogaard Nielsen, IT Auditor, CISA, CRISC, CEO
Section 4: Control objectives, controls, tests, and related test controls
The following overview is provided to facilitate an understanding of the effectiveness of the controls implemented by LESSOR Group. Our testing of functionality comprised the controls that we considered necessary to provide reasonable assurance that the control objectives stated in the description were achieved during the period 01-04-2015 to 31-03-2016.
Thus, we have not necessarily tested all the controls mentioned by LESSOR Group in the description in Section 2.
Moreover, our statement does not apply to any controls performed at LESSOR Group’s customers, as the customers’ own auditors should perform this review and assessment.
We performed our tests of controls at LESSOR Group by taking the following actions:
Method: Enquiry
General description: Interview, i.e. enquiry with selected personnel at the company regarding controls
Method: Observation
General description: Observing how controls are performed
Method: Inspection
General description: Review and evaluation of policies, procedures, and documentation concerning the performance of controls
Method: Re-performing control procedures
General description: We have re-performed – or have observed the re-performance of – controls in order to verify that the control is working as assumed
A description and the results of our tests based on the tested controls appear from the tables on the following pages. To the extent that we have identified significant weaknesses in the control environment or deviations therefrom, we have specified this.
Risk assessment and management
Risk assessment
No. 4.1
Control objective: To ensure that the company periodically performs an analysis and assessment of the IT risk profile.
REVI-IT’s test:
- We have enquired about the preparation of an IT risk analysis, and we have inspected the prepared IT risk analysis.
- We have enquired about review of the IT risk analysis, and we have inspected documentation for review during the audit period.
Test results: No significant deviations noted.
Information security policies
Management direction for information security
No. 5.1
Control objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
REVI-IT’s test:
- We have enquired about the preparation of an information security policy, and we have inspected the document.
- We have enquired about review of the IT security policy, and we have inspected documentation for review during the audit period.
- We have enquired about the management’s approval of the information security policy, and we have inspected documentation for management approval.
Test results: No significant deviations noted.
Organisation of information security
Internal organisation
No. 6.1
Control objective: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
REVI-IT’s test:
- We have enquired about the allocation of responsibilities for information security, and we have inspected documentation for the allocation of responsibilities.
- We have enquired about segregation of duties, and we have inspected documentation for segregation of duties.
- We have enquired about guidelines for contact with authorities.
- We have enquired about contact with interest groups, and we have inspected documentation for contact.
- We have enquired about the decision on information security in connection with project management, and we have inspected the project model.
Test results: No significant deviations noted.
Mobile devices and teleworking
No. 6.2
Control objective: To ensure the security of teleworking and use of mobile devices.
REVI-IT’s test:
- We have enquired about the management of mobile devices, and we have inspected the solution.
- We have enquired about the security of teleworking, and we have inspected the solution.
Test results: No significant deviations noted.
Human resource security
Prior to employment
No. 7.1
Control objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
REVI-IT’s test:
- We have enquired about a procedure for screening new employees, and we have inspected the procedure.
- We have in spot checks inspected documentation for the procedure being followed.
- We have enquired about the formalisation of terms of employment, and we have in spot checks inspected documentation for the formalisation of terms of employment.
Test results: No significant deviations noted.
During employment

No. 7.2
Control objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
REVI-IT's test:
• We have enquired about the management's responsibility for disseminating information security criteria, and we have inspected the guidelines for dissemination.
• We have enquired about further training of employees, and we have spot-checked documentation for further training.
• We have enquired about guidelines for disciplinary processes, and we have inspected the guidelines.
Test results: No significant deviations noted.

Termination and change of employment

No. 7.3
Control objective: To protect the organisation's interests as part of the process of changing or terminating employment.
REVI-IT's test:
• We have enquired about the formalisation of obligations applicable after the termination of employees.
• We have spot-checked documentation for the matter.
Test results: No significant deviations noted.

Asset management

Responsibility for assets

No. 8.1
Control objective: To identify organisational assets and define appropriate protection responsibilities.
REVI-IT's test:
• We have enquired about inventories of assets, and we have spot-checked inventories of assets.
• We have enquired about ownership of assets, and we have inspected the allocation of ownership of assets.
• We have enquired about guidelines for acceptable use of assets, and we have inspected these guidelines.
• We have enquired about a procedure for securing the return of assets, and we have inspected the procedure.
• We have spot-checked documentation for the return of assets.
Test results: No significant deviations noted.

Information classification

No. 8.2
Control objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.
REVI-IT's test:
• We have enquired about guidelines for the classification and labelling of data, and we have inspected the guidelines.
• We have enquired about guidelines for data management, and we have inspected the guidelines.
Test results: No significant deviations noted.
Media handling

No. 8.3
Control objective: To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
REVI-IT's test:
• We have enquired about guidelines for the use of removable media, and we have inspected the guidelines.
• We have enquired about the disposal of media, and we have inspected documentation for secure disposal.
• We have enquired about a procedure for protecting removable media during transport, and we have inspected the procedure.
Test results: No significant deviations noted.

Access control

Business requirements of access control

No. 9.1
Control objective: To limit access to information and information processing facilities.
REVI-IT's test:
• We have enquired about policies for managing access to systems and premises, and we have inspected the policies.
• We have enquired about procedures for managing access to the network and network services, and we have inspected selected procedures.
Test results: No significant deviations noted.

User access management

No. 9.2
Control objective: To ensure authorised user access and to prevent unauthorised access to systems and services.
REVI-IT's test:
• We have enquired about a procedure for user management, and we have inspected the procedure.
• We have enquired about a procedure for the allocation of rights, and we have inspected the procedure.
• We have spot-checked documentation for the creation of users and allocation of rights.
• We have enquired about control of privileged rights, and we have inspected selected controls.
• We have enquired about a process for the disclosure of logon information, and we have inspected the process.
• We have enquired about periodic review of users, and we have inspected documentation for review during the audit period.
• We have enquired about a procedure for revoking access rights, and we have inspected the procedure.
• We have spot-checked documentation for timely revocation of access rights.
Test results: During parts of the audit period there was no formal procedure for user creation. The matter was remedied in September 2015.
User responsibilities

No. 9.3
Control objective: To make users accountable for safeguarding their authentication information.
REVI-IT's test:
• We have enquired about guidelines for managing confidential passwords, and we have inspected the guidelines.
Test results: No significant deviations noted.

System and application access control

No. 9.4
Control objective: To prevent unauthorised access to systems and applications.
REVI-IT's test:
• We have enquired about restricted access to data, and we have inspected documentation for the restriction.
• We have enquired about a procedure for logon, and we have inspected the solution for adequate security.
• We have enquired about a system for the administration of passwords, and we have spot-checked the requirements for password quality.
• We have enquired about the use of privileged system tools.
• We have enquired about the restriction of access to privileged system tools, and we have inspected documentation for the restriction.
• We have enquired about the management of access to source code, and we have inspected the solution.
Test results: No significant deviations noted.

Cryptography

Cryptographic controls

No. 10.1
Control objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
REVI-IT's test:
• We have enquired about a policy for the use of cryptography, and we have inspected the policy.
• We have enquired about a policy for the administration of encryption keys, and we have inspected the policy.
Test results: No significant deviations noted.
Physical and environmental security

Secure areas

No. 11.1
Control objective: To prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities.
REVI-IT's test:
• We have enquired about a physical security perimeter at the company's premises, and we have inspected the solution in place.
• We have enquired about access controls for securing offices, rooms and operations facilities, and we have inspected selected access controls.
• Additionally, we have inspected the procedure for allocation of access to premises critical to operations.
• We have inspected LESSOR Group's offices in order to check the physical security.
• We have inspected security for mitigating external and environmental threats.
• We have enquired about an area for the delivery of parcels and goods.
Test results: No significant deviations noted.

Equipment

No. 11.2
Control objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation's operations.
REVI-IT's test:
• We have enquired about the placement of operations equipment, and we have inspected the physical circumstances for protecting operations equipment.
• We have enquired about the use of supporting supplies, and we have inspected areas critical to operations and have verified the existence of supporting supplies.
• We have enquired about the protection of cables in the data centre, and we have physically inspected the solution.
• We have enquired about maintenance of equipment critical to operations, and we have inspected documentation for maintenance and test of equipment critical to operations during the period.
• We have enquired about a policy for the disposal of media and equipment carrying data, and we have inspected the policy. Additionally, we have inspected documentation for secure disposal of media carrying data.
• We have enquired about protecting unsupervised user equipment, and we have inspected documentation for the protection.
• We have enquired about a policy for clean desk and screen, and we have inspected the policy.
Test results: No significant deviations noted.
Operations security

Operational procedures and responsibilities

No. 12.1
Control objective: To ensure correct and secure operation of information processing facilities.
REVI-IT's test:
• We have enquired about documented operations procedures, and we have spot-checked the procedures.
• We have enquired about a procedure for change management, and we have inspected the procedure.
• We have spot-checked documentation showing that the procedure is followed.
• We have enquired about capacity management and monitoring, and we have inspected documentation for management and monitoring.
• We have enquired about segregation of development, test, and operations facilities, and we have inspected documentation for the segregation.
Test results: No significant deviations noted.

Protection from malware

No. 12.2
Control objective: To ensure that information and information processing facilities are protected against malware.
REVI-IT's test:
• We have enquired about measures to protect against malware, and we have inspected the management of these measures.
• We have enquired about the use of anti-virus on user equipment, and we have spot-checked documentation for the use of anti-virus.
Test results: No significant deviations noted.

Backup

No. 12.3
Control objective: To protect against loss of data.
REVI-IT's test:
• We have enquired about a procedure for setup and execution of backup, and we have inspected the procedure.
• We have enquired about documentation for the setup of backup, and we have inspected documentation for the setup.
• We have enquired about backup retention, and we have inspected documentation for the setup.
• We have enquired about controls for the execution of backup, and we have inspected the control.
• We have enquired about documentation for test of restore, and we have inspected documentation for test of restore.
Test results: No significant deviations noted.
Logging and monitoring

No. 12.4
Control objective: To record events and generate evidence.
REVI-IT's test:
• We have enquired about logging, and we have spot-checked the logging configuration.
• We have enquired about the protection of log information throughout the period, and we have inspected the solution.
• We have enquired about clock synchronisation on the network, and we have spot-checked documentation for clock synchronisation.
Test results: System-related events are logged and followed up on. However, a control has not been implemented for following up on user-related events. We have observed that a new system has been implemented in Q1 2016 for logging and following up on user-related and system-related events.

Control of operational software

No. 12.5
Control objective: To ensure the integrity of operational systems.
REVI-IT's test:
• We have enquired about the installation of programs and updates on operational systems, and we have inspected the procedure.
• We have spot-checked documentation for updates to operational systems.
Test results: No significant deviations noted.

Technical vulnerability management

No. 12.6
Control objective: To prevent exploitation of technical vulnerabilities.
REVI-IT's test:
• We have enquired about the management of technical vulnerabilities, and we have inspected the established precautions.
• We have enquired about restrictions on installing programs, and we have inspected the established precautions.
Test results: No significant deviations noted.

Communications security

Network security management

No. 13.1
Control objective: To ensure the protection of information in networks and its supporting information processing facilities.
REVI-IT's test:
• We have enquired about precautions for protecting the network and network services, and we have inspected the established precautions.
• We have enquired about network segregation, and we have inspected documentation for the segregation.
Test results: No significant deviations noted.
Information transfer

No. 13.2
Control objective: To maintain the security of information transferred within an organisation and with any external entity.
REVI-IT's test:
• We have enquired about a policy for information transfers, and we have inspected the policy.
• We have enquired about the use of secure connections when transferring information, and we have inspected documentation for the use of secure connections.
• We have enquired about the establishment of confidentiality agreements, and we have spot-checked documentation for their establishment.
Test results: No significant deviations noted.

Information security incident management

Management of information security incidents and improvements

No. 16.1
Control objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
REVI-IT's test:
• We have enquired about a procedure for the management of information security incidents, and we have inspected the procedure.
• We have enquired about the allocation of responsibilities in connection with information security incidents, and we have inspected documentation for the allocation of responsibilities.
• We have enquired about the reporting of information security incidents and weaknesses, and we have inspected the procedure for reporting.
• We have enquired about assessment and management of information security incidents, and we have spot-checked documentation for assessing and managing information security incidents.
• We have enquired about learning from information security incidents, and we have spot-checked the process.
• We have enquired about the collection of evidence in connection with security breaches, and we have inspected the process for the collection of evidence.
Test results: No significant deviations noted.
Information security aspects of business continuity management

Information security continuity

No. 17.1
Control objective: Information security continuity should be embedded in the organisation's business continuity management systems.
REVI-IT's test:
• We have enquired about the preparation of an information security continuity plan for ensuring the continuation of operations in connection with failures and similar events, and we have inspected the continuity plan.
• We have inspected documentation for the test of the continuity plan during the period.
Test results: No significant deviations noted.

Redundancies

No. 17.2
Control objective: To ensure availability of information processing facilities.
REVI-IT's test:
• We have enquired about adequate redundancies for maintaining accessibility to operational systems, and we have spot-checked documentation for redundancies.
Test results: No significant deviations noted.

Compliance

Information security reviews

No. 18.2
Control objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.
REVI-IT's test:
• We have enquired about an independent review of the information security.
• We have enquired about internal controls for ensuring compliance with policies and procedures, and we have spot-checked documentation for internal controls.
• We have enquired about periodic self-regulation of security configurations, and we have inspected documentation for the self-regulation.
Test results: No significant deviations noted.