policy easi information security program · 2013-09-06 · 1.25 09/02/2011 scott bradley updates to...

EASi Information Security Program Company Policy Document Version 1.45 08/11/2013



Company Policy

EASi – Company Confidential Page 2 of 38

Revision History

Document Version  Revised Date  Revised By     Revision Description
1.0   08/07/2009  Scott Bradley  Draft created.
1.1   11/20/2009  Scott Bradley  Updates to all Sections.
1.1   02/09/2010  Scott Bradley  Updates to Section 3.
1.2   02/20/2010  Scott Bradley  Updates to Section 2.
1.3   02/25/2010  Scott Bradley  Updates to all Sections.
1.4   03/11/2010  Scott Bradley  Updates to Section 2.3.2 re: background checks.
1.5   04/20/2010  Scott Bradley  Updates to Section 3.1 and 3.2 re: password rqmts.
1.6   05/04/2010  Scott Bradley  Updates to Section 4.4.
1.7   05/18/2010  Scott Bradley  Updates to Section 4.1.
1.8   05/20/2010  Scott Bradley  Updates to Section 4.4.
1.9   06/15/2010  Scott Bradley  Updates to Section 4.x.
1.10  06/30/2010  Scott Bradley  Updates to Section 4.4.
1.11  08/05/2010  Scott Bradley  Updates to Section 2.3.6.
1.12  11/04/2010  Scott Bradley  Updates to Section 4.4.
1.13  12/28/2010  Scott Bradley  Updates to Section 2.x and 4.x.
1.14  03/14/2011  Scott Bradley  Updates to Section 3.3 and 4.2.
1.15  03/25/2011  Scott Bradley  Updates to Section 4.3.


1.16  04/07/2011  Scott Bradley  Updates to Section 4.3.
1.17  05/11/2011  Scott Bradley  Update to Section 4.3 to add in patch management and tracking.
1.18  05/16/2011  Scott Bradley  Updates to Section 4.x.
1.19  05/17/2011  Scott Bradley  Updates to Section 4.4 to add specific monitoring tools used.
1.20  06/06/2011  Scott Bradley  Updates to Section 4.3 re: backup process.
1.21  06/17/2011  Scott Bradley  Clarifications to Section 4.3 re: application log.
1.22  08/02/2011  Scott Bradley  Updates to use new EASi logo.
1.23  08/09/2011  Scott Bradley  Update to Section 3.7 re: frequency of anti-virus scans.
1.24  08/20/2011  Scott Bradley  Updates to Section 1.0.
1.25  09/02/2011  Scott Bradley  Updates to Section 3.1, 3.7, 4.1, 4.4.
1.26  09/06/2011  Scott Bradley  Updates to Section 1.0, 2.2 and 2.3.2.
1.27  12/08/2011  Scott Bradley  Updates to Section 1.0 re: 3 tier architecture.
1.28  01/06/2012  Scott Bradley  Updates to Section 4.2 re: target date for application scans and Section 4.4 re: target date for DR and enhancements to BCP.
1.29  01/19/2012  Scott Bradley  Updates to terminology for consistency with SSAE16.
1.30  03/14/2012  Scott Bradley  Updates to Overview Section.
1.31  04/18/2012  Scott Bradley  Updates to Section 3.5 and 4.4.
1.32  04/27/2012  Scott Bradley  Re-organized Section 4.4.
1.33  05/09/2012  Scott Bradley  Updates to Section 4.3 re: terminated Client data.
1.34  06/29/12    Scott Bradley  Update to Section 4.4.


1.35  08/29/2012  Scott Bradley  Updates to Section 4.4 to add detail to deployment process.
1.36  11/08/2012  Scott Bradley  Updates to all sections related to Firewalls to specify use of Sonicwall Firewalls.
1.37  11/29/2012  Scott Bradley  Updates to Section 4.4.
1.38  12/28/2012  Scott Bradley  Replaced EMS Application with EASi Platform, updates to Section 4.4.
1.39  02/19/2013  Scott Bradley  Updated Section 4.4 with details of the DR site capability.
1.40  04/19/2013  Scott Bradley  Updated Section 4.3 with server synchronization and section 4.4 with DR site clarifications.
1.41  05/02/2013  Scott Bradley  Updated Section 4.4 with cloud-based CRM, Phone and Email.
1.42  05/08/2013  Scott Bradley  Clarifications to ports in Section 4.2.
1.43  06/20/2013  Scott Bradley  Updates to release schedule in Section 4.4.
1.44  07/12/2013  Scott Bradley  Update to Section 3.3 to remove reference to LTO tape.
1.45  08/11/2013  Scott Bradley  Clarifications to Section 2.3.6, 2.3.11, 2.3.12, 4.4


Table of Contents

1  OVERVIEW ..... 6
1.1  Terminology ..... 6
1.2  Acronyms ..... 8
1.3  Related Documents ..... 8
2  DUTY TO PROTECT AND STANDARDS FOR PROTECTING PERSONAL INFORMATION (201 CMR 17.03) ..... 8
2.1  Section 17.03.1 – Information Security Program ..... 8
2.2  Section 17.03.2 – Compliance Considerations ..... 9
2.3  Section 17.03.3 – General Information Security Program Controls ..... 10
3  COMPUTER SYSTEM SECURITY REQUIREMENTS (201 CMR 17.04) ..... 17
3.1  Section 17.04.1 – Authentication Protocols ..... 17
3.2  Section 17.04.2 – Access Control ..... 19
3.3  Section 17.04.3 – Encryption of Transmitted Data ..... 21
3.4  Section 17.04.4 – Monitoring of Systems ..... 22
3.5  Section 17.04.5 – Encryption of Personal Information ..... 23
3.6  Section 17.04.6 – Firewall Protection And Operating System Security ..... 24
3.7  Section 17.04.7 – System Security Agent Software ..... 25
3.8  Section 17.04.8 – Employee Training and Education ..... 25
4  ADDENDUM ..... 26
4.1  Physical Security and Protection ..... 26
4.2  Network and Application Security ..... 28
4.3  System Protection ..... 29
4.4  Availability and Continuity ..... 32


1 Overview

The EASi Platform helps companies manage the complexities of employee equity compensation management. EASi combines world-class financial and SEC reporting with a robust administration platform and participant portal for grant delivery, stock transactions and notifications.

The EASi Platform is a web-based application operating under the Software as a Service (SaaS) paradigm. As a SaaS vendor, EASi does not require any EASi-specific software or hardware to be installed at the Client site. One of the key benefits of SaaS to Clients is that the software is current and available whenever they need it; all that is required is a browser and internet access.

The EASi Platform architecture is three-tier, involving the following layers:

1. Application Layer using .NET 4.0 and Microsoft Visual Basic and C# for the web interface.
2. Business Logic Layer utilizing Oracle packages, procedures and functions.
3. Database Layer leveraging the Oracle 10g database.

Clients are required to have internet access using the Windows Internet Explorer browser (version 7.0 or later). In addition, to support importing data into the EASi database or obtaining reports submitted to the EASi Batch Reporting option, Clients must have a Secure FTP client for transferring files.

EASi respects the privacy and security of Client data and has implemented a number of controls to provide sufficient security and protection of Client data. These controls are reviewed annually by a Third Party as part of an SSAE16 Audit. The sections that follow describe the security measures employed by EASi to ensure the privacy and availability of data to EASi Clients.

The Information Security Program described in this document is specifically intended to address the requirements of 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth (of Massachusetts). Additional information regarding Physical Security and Protection, Network and Application Security, Protection of Systems, and Availability and Continuity is provided in the Addendum of this document.

1.1 Terminology

EMS: Equity Management System, also known as the EASi Platform, used by a Client to access their data.

Breach of Security*: The unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

Electronic*: Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Encrypted*: The transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Owns or licenses*: Receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

Person*: A natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

Personal information*: A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Record or Records*: Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

Service Provider*: Any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.

User Entity: An EASi Client contracting with EASi to use the EASi Platform.


* - Descriptions as specified in the 201 CMR 17.00 Standard.

1.2 Acronyms

CS    Client Support
CSR   Client Support Representative
EMS   Equity Management System
ISP   Information Security Program
PI    Personal Information
PII   Personal Identifiable Information
SaaS  Software as a Service

1.3 Related Documents

EASi SSAE16 Report

201 CMR 17.00 Standard: 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (http://privacyblog.littler.com/uploads/file/MA_201CMR17amended[1].pdf)

2 Duty to Protect and Standards For Protecting Personal Information (201 CMR 17.03)

2.1 Section 17.03.1 – Information Security Program

This section covers the following topics:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.*

* - Descriptions as specified in the 201 CMR 17.00 Standard


This Information Security Program is intended to address the requirements of 201 CMR 17.00.

2.2 Section 17.03.2 – Compliance Considerations

This section covers the following topics:

Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, whether pursuant to section 17.03 or 17.04 hereof, shall be evaluated taking into account: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Evaluation of EASi’s compliance with 201 CMR 17.00 should be considered in light of the following:

Size, Scope and Type of Business: EASi currently has 62 Employees and provides a Software-as-a-Service application available over the internet. The application allows companies to administer and perform accounting on their equity compensation management offerings.

Amount of Resources Available: Part of EASi’s SaaS offering is a commitment to provide enough storage capacity to support the Client’s data requirements.

Amount of Stored Data: EASi provides a structure for storing data typically required for equity compensation management. The volume of data is Client dependent, based on the number of employees, number of plans, number of grants, etc. defined by the company.

Need for Security and Confidentiality: As mentioned previously, EASi respects the privacy and security of Client Data and has implemented a number of controls to provide sufficient security and protection to Client data. To a large extent, Clients are in control of what, if any, personal identifiers and level of personal information they decide to store in EASi. For instance, EASi does not require Social Security Numbers or any personal identifiers. EASi assigns an internal, unique identifier to each participant in the system. Still, every attempt is made to ensure the security and privacy of Client data as described in this document.


2.3 Section 17.03.3 – General Information Security Program Controls

The sections below describe the core information security controls in place at EASi in support of 201 CMR 17.00.

2.3.1 Section 17.03.3.1 – Designated ISP Manager

This section covers the following topics:

Designating one or more employees to maintain the comprehensive information security program.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EASi’s designated ISP Manager is Scott Bradley. Scott is the SVP, Engineering and Chief Risk Officer and is also responsible for compliance with the SSAE16 Audit.

2.3.2 Section 17.03.3.2 – Identifying and Assessing Risk

This section covers the following topics:

Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
a. ongoing employee (including temporary and contract employee) training;
b. employee compliance with policies and procedures; and
c. means for detecting and preventing security system failures.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Training requirements, employee compliance and potential security risks are reviewed, at a minimum, annually in conjunction with the SSAE16 Audit. Improvements to controls and the overall Information Security Program are considered and implemented as appropriate to ensure proper security of data in support of the audit and secure data business practices. More specifically:

Hiring: As of Q4 2009, background checks are performed on all new EASi employees that handle Client data.


Ongoing Employee Training: All EASi employees are required to read the EASi Employee Handbook and also to sign a confidentiality agreement when they are hired. The Handbook and Agreement stipulate that employees treat any Third Party information as confidential and proprietary and not disclose it to any person, firm or corporation or use it except as necessary in carrying out their work for EASi and the Third Party. EASi employees are also encouraged to review the EASi SSAE16 Report annually. The SSAE16 Report documents the process for authorizing access to Client data, which the SSAE16 Audit verifies.

Employee Compliance With Policies and Procedures: EASi is not authorized to provide access to User Entity data without a proper request from an authorized User Entity contact. The annual SSAE16 Audit is used to verify access was granted according to procedure. Once the Security Admin access is provided to the Client, the Client is responsible for authorizing and providing access to User Entity users desiring access to the EASi Platform.

Means For Detecting and Preventing Security System Failures: Other means of monitoring for unauthorized access to Client data include the vulnerability management scans, threat management and intrusion protection that are reviewed on a weekly basis and additionally send alerts to the IT Team if attacks are detected. Refer to the “Computer System Security Requirements” Section below for more detailed information.

2.3.3 Section 17.03.3.3 – Retaining, Accessing and Transporting Personal Information

This section covers the following topics:

Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

The EASi Platform is a SaaS offering where User Entities and authorized EASi employees access User Entity data via the internet. The data is accessible via the EASi Platform through a browser utilizing SSL/HTTPS. As such, EASi employees do not maintain or transport records containing personal information offsite. Refer to the “Computer System Security Requirements” Section of this document for more information regarding the authentication, access control and encryption of data.


2.3.4 Section 17.03.3.4 – Disciplinary Actions for Violations

This section covers the following topics:

Imposing disciplinary measures for violations of the comprehensive information security program rules.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Violations of the Information Security Program requirements are reviewed by the EASi Management team. Appropriate disciplinary action, including dismissal of the employee, is taken based on the seriousness of the situation.

2.3.5 Section 17.03.3.5 – Terminated Employee Access

This section covers the following topics:

Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Access to the EASi Network and Facilities is removed immediately for terminated employees. Facility and Network Access Authorization Forms with appropriate approvals are required for initial access when employees are hired. Upon termination, the terminated employee’s Manager notifies the Office Manager. The Office Manager is responsible for collecting keys to the facility and ensuring the Network Administrator removes access to the network based on what was originally authorized on the Facility and Network Access forms. As an additional safeguard, the Office Manager maintains a key log detailing the employees with EASi corporate office and Colocation access. The Office Manager reviews the key log annually to verify that access to the EASi corporate office and Colocations is restricted to authorized personnel. The Network, Remote (VPN), EMS User, EMS System Administrator, Network Administrator and Database Administrator access listings are reviewed annually by the VP of Engineering to verify that access is restricted to authorized personnel.


2.3.6 Section 17.03.3.6 – Third Party Service Providers

This section covers the following topics:

Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Third Parties are only allowed access to the EASi Platform as an EMS User and are only granted access if agreed to by the Client. Third parties may contract directly with Clients and are bound by the Client/Third Party Agreement put in place. Third Parties may also be engaged by EASi, with disclosure to the Client, and are bound by the Master Service Agreement in place between EASi and the Third Party. EASi Third Party Service Providers are required to sign a Master Service Agreement, which includes a “Confidential Information” section, before engaging in business with EASi. EASi also provides the EASi SSAE16 Report as well as this Information Security Program document to all Third Parties it partners with to ensure they are familiar with their obligations regarding the security and privacy of Client data.

2.3.7 Section 17.03.3.7 – Amount of Personal Information

This section covers the following topics:

Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EASi provides a robust database structure and application for the administration and reporting of equity compensation based on industry standards and requirements. Clients have the option to decide what level of personal information is stored in the EMS database, noting that limiting the input of PI may reduce the usefulness of the application. For instance, EASi does not require Clients to provide Social Security Numbers or any personal identifiers to use the EASi Platform. EASi assigns an internal, unique identifier to each participant in the system. Clients are in control of what, if any, personal identifiers and level of personal information they decide to store in EASi.

2.3.8 Section 17.03.3.8 – Definition of Records and Devices

This section covers the following topics:

Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

The EASi Platform (application and supporting database) and the EASi SFTP site are where Client Data and personal information are stored at the Client’s discretion. All access to Client data is performed via the EASi Platform using a browser with SSL/HTTPS or file transfers using SFTP. The EASi Platform does not require the use of laptops or portable devices for accessing or managing Client data. Importing and exporting Client data in and out of the EASi Platform is performed at the Client’s discretion via secure protocols.

2.3.9 Section 17.03.3.9 – Physical Access

This section covers the following topics:

Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

The EASi Platform is a SaaS offering where User Entities and authorized EASi employees access User Entity data via the internet. The data is accessible via the EASi Platform using a browser with SSL/HTTPS. As such, physical records containing personal information are not maintained and no specific controls are required.


2.3.10 Section 17.03.3.10 – Monitoring

This section covers the following topics:

Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EASi Client Support is primarily responsible for ensuring access to Client data is authorized. To authorize User Entity Stock Option Administrator (SOA) access, the authorized User Entity contact emails the EASi Client Support Representative (CSR). An EASi CSR with EMS administrator access sets up the User Entity’s SOA access and provides a logon ID and temporary password to the SOA. An EASi CSR is not authorized to provide access to User Entity data without a proper request from an authorized User Entity contact. The annual SSAE16 Audit is used to verify access was granted according to procedure. Once the SOA access is provided to the Client, the Client is responsible for authorizing and providing access to User Entity users desiring access to the EASi Platform.

Other means of monitoring for unauthorized access to Client data include the vulnerability management scans, threat management and intrusion protection that are reviewed on a weekly basis and additionally send alerts to the IT Team if attacks are detected. Refer to the “Computer System Security Requirements” Section below for more detailed information.

The overall Information Security Program is reviewed at least annually as part of the SSAE16 Audit. Changes to controls are considered and implemented as appropriate to ensure proper security of data. Upgrades to information safeguards may be initiated by changes in business practices, changes to infrastructure item configuration and/or Vendors, as well as issues or concerns raised by Clients and Prospective Clients.

2.3.11 Section 17.03.3.11 – Review of Security Measures

This section covers the following topics:

Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.*

* - Descriptions as specified in the 201 CMR 17.00 Standard


EASi performs a review of the Information Security Program minimally in conjunction with the SSAE16 Audit. The SSAE16 Audit typically covers the twelve month period from September 01 – August 31. In addition, changes to the Information Security Program may be initiated by changes in business practices, changes to infrastructure item configuration and/or Vendors as well as issues or concerns raised by Clients and Prospective Clients.

2.3.12 Section 17.03.3.12 – Incident Handling

This section covers the following topics:

- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EASi performs the following in the event of a security breach that affects Client data:

1. Immediately contain the breach by removing, locking and/or blocking the inappropriate access in order to re-establish the security of Client confidential data.
2. Notify the Client of the unauthorized access to confidential data, including PII and/or Client proprietary data, as soon as practicable (target of one business day) unless prevented from doing so by a law enforcement or regulatory agency. Notification will be via email and phone.
3. Determine the extent of the breach by reviewing the EASi system and audit logs for evidence of log-ins, changes and deletions of data.
4. Provide the Client with a detailed explanation of the extent of the security breach within 48 hours.
5. Assist the Client where possible in the development and execution of a plan to resolve any additional issues or concerns.
6. Review processes and controls to prevent similar incidents in the future.

Containment under step 1 should be carried out in a way that preserves the system and audit logs relied upon in step 3 (for example, by disabling rather than deleting an affected account), so that the extent of the breach can still be determined afterwards.


3 Computer System Security Requirements (201 CMR 17.04)

3.1 Section 17.04.1 – Authentication Protocols

This section covers the following topics:

- Control of user IDs and other identifiers.*
- Reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices.*
- Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.*
- Restricting access to active users and active user accounts only.*
- Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EMS Access

EMS access is restricted to authorized EASi personnel and users authorized by the User Entity. Access to EMS requires a user to enter a user ID and password. Password security parameters for EMS include the following requirements:

- Minimum password length – 7 characters, containing at least one upper case letter, one lower case letter and one number. A special character can be used in place of one of these three categories.
- Password expiration – 45 days
- Password history – the last 15 passwords are retained and may not be reused
- Idle session time out – 45 minutes of inactivity
- Account lockout – after 5 unsuccessful logon attempts; an administrator reset is required

Upon successful logon, users are provided with a drop-down list of the companies to which the user has access.

EASi stores passwords in the database in encrypted form, using Oracle’s encryption facilities with AES256. Because this is reversible encryption rather than a one-way hash, the database encryption key must itself be protected: anyone holding the key can recover the plaintext passwords.

All EASi Clients access the same servers and all Client data is stored in a single database instance (multi-tenant). Access to the EASi Platform requires a user to enter a unique user ID and confidential password. EASi utilizes single-factor authentication with strong passwords as described above. A user may access only the data for the company or companies for which the user has been given access by EASi. Client information is logically separated using a unique Client identifier, and access to Client information is further protected based on roles. For this reason, Client data is not encrypted in the database; passwords, however, are encrypted as noted above.

After authenticating a user, EASi validates the user’s access permissions. EASi then displays a series of pages and allows the user to select the role and company to access, based on the access configured by EASi Client Support. Authentication is re-validated on each page refresh according to session variables. All page transitions are logged. Only EASi Client Support has permission to assign users access to companies.

EASi restricts access to production data to Client Support personnel, the Database Administrator and the backup DBA. No other EASi employees are allowed access to the production data. The production servers are only accessible to the Network Administrator, Database Administrator and their backups.

User Entity EMS Access Authorization

The EASi Client Support Team is by default provided with stock option administrator (SOA) access as well as security/group administrator access to User Entity level stock option system functions. Each User Entity assumes responsibility for setting up and maintaining access within its own organization by requesting the EASi Client Support Team to set up security/group administrator access for the entity. The User Entity personnel with security/group administrator access are then responsible for the creation of SOA and lower roles for the given User Entity. The security/group administrator level access provides the ability to:

1. Add new users
2. Update user information
3. Grant users additional roles
4. Delete users
5. Unlock user access
6. Reset user passwords

To authorize new or additional User Entity security/group administrator access, the authorized User Entity representative emails the EASi Client Support Team. An EASi Client Support Team member with EMS system administrator access sets up the User Entity’s security/group administrator access and provides a logon ID and temporary password to the User Entity personnel holding security/group administrator access via a telephone call.


User Entity Disable/Delete SOA or User Access to EMS

To delete a User Entity’s security/group administrator access, the authorized User Entity representative or Corporate Officer notifies the EASi Client Support Team. Upon notification, an EASi Client Support Team member deletes the security/group administrator access and confirms to the User Entity, by email or by updating the CRM request, that the EMS access was deleted. End user access for User Entity users is deleted by the respective User Entity personnel with security/group administrator access.

3.2 Section 17.04.2 – Access Control

This section covers the following topics:

- Restrict access to records and files containing personal information to those who need such information to perform their job duties.*
- Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EASi Personnel Access Authorization

The IT Team is responsible for assigning and maintaining access rights to the network, EMS and the EMS database. To authorize network administrator access or EMS database access, as applicable, the CTO or SVP of Engineering completes and signs the Access Authorization Form. The Network Administrator sets up the access as authorized. Network Administrator and EMS database access are restricted to the IT Team. Access to the system administrator role within EMS is restricted to the Client Support Team. To authorize network, remote or EMS access (as applicable), the CTO, SVP of Engineering or the hiring manager completes and signs the Access Authorization Form. The Network Administrator sets up the access as authorized.

EASi has created access controls to appropriately restrict access to systems and data by EASi personnel. The various levels of access available to EASi personnel include:

- Network: Basic network access to the corporate network for performing regular duties (e.g., email, internet, shared file access), provided to all EASi employees. Requires hiring manager approval only.


- VPN: Virtual Private Network access, required for remotely accessing EASi systems. Requires hiring manager approval only.
- EMS User: Access provided to User Entities, including EASi, to access equity compensation data. Requires hiring manager approval only.
- EMS System Administrator: Administrator level access to the EASi Platform, provided to EASi Client Support. Requires CTO, SVP of Engineering, VP of Operations or VP of Client Experience approval.
- Network Administrator: Administrator level access to the EASi Corporate and Colocation Networks, provided to the IT Team only. Requires CTO or SVP of Engineering approval.
- Database Administrator (DBA): Administrator level access to the EMS database, provided to the IT Team only. Requires CTO or SVP of Engineering approval.

EASi restricts access to the production database where Client data is stored to Client Support personnel, the Database Administrator and the backup DBA. No other EASi employees are allowed access to Client data via the EASi production application or database. The production servers are only accessible to the Network Administrator, Database Administrator and their backups. User-specific logins and passwords are utilized on all systems on the Network. Note, however, that in some instances, such as the master Oracle database account and root accounts on Unix machines, non-named (shared) accounts are required in order to maintain the system. Access to these accounts is restricted to the IT Team only. Because actions taken under a shared account cannot be attributed to an individual from the account name alone, these accounts should be reached from the administrator’s own named login (for example via su or sudo on Unix) so that the escalation is recorded against the named user.

EASi Personnel Disable/Delete Access

When an employee terminates, the Office Manager notifies the Network Administrator to disable/delete the terminated employee’s access as applicable. The Network Administrator disables/deletes the terminated employee’s access and notifies the Office Manager. The Office Manager completes and signs the Access Authorization Form to acknowledge that the terminated employee’s access was disabled/deleted.

User List Review

The SVP of Engineering reviews the network, remote, EMS system administrator, network administrator and EMS database user access lists annually to verify that access is restricted to authorized personnel. The SVP of Engineering signs the User Access Audit Log to evidence the review performed.


Network, Remote, EMS System Administrator, Network Administrator and EMS Database Access

Network and remote access is restricted to authorized EASi personnel. Access to the EASi network requires a user to enter a user ID and password. Password security parameters for the network include the following requirements:

- Minimum password length – 7 characters, containing at least one upper case letter, one lower case letter and one number. A special character can be used in place of one of these three categories.
- Password expiration – 45 days
- Password history – the last 24 passwords are retained and may not be reused
- Password complexity – enabled
- Account lockout – after 5 unsuccessful logon attempts, with an automatic reset after 30 minutes

Remote network access is available through Virtual Private Network (VPN) client software, which requires the user to enter their network user ID and password for authentication. The Network Administrator sets up the user with network access under the VPN user group. EMS system administrator access is restricted to the EASi Client Support Team. Network administrator access is restricted to the IT Team. Direct access to the EMS database is restricted to the IT Team and requires the user to enter a user ID and password.
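The complexity, history and lockout rules above (EMS in Section 3.1, the network in this section, and restated under Application Security in Section 4.2) are shown below as an added example. This is illustrative code written for this document, not EASi’s .NET/Oracle implementation. The parameter values are taken from the policy text; the storage format (a salted one-way PBKDF2 hash rather than the reversible AES256 encryption the policy describes), the data model, the function names and the injected clock are assumptions made for the example. Both lockout variants are covered: administrator reset (EMS) and automatic reset after 30 minutes (network).

```python
"""Password complexity, password history and account lockout, as described
for EMS (Section 3.1) and the network (Section 3.2).

Added example, not EASi code. The parameter values come from the policy
text; the storage format (salted PBKDF2-HMAC-SHA256 rather than the
reversible AES256 encryption the policy describes), the data model and the
injected clock are assumptions made for this example.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 7
LOCKOUT_THRESHOLD = 5
PBKDF2_ITERATIONS = 100_000   # raise for production hardware
SALT_BYTES = 16


def meets_complexity(password: str) -> bool:
    """At least 7 characters with an upper case letter, a lower case letter and
    a digit; a special character may stand in for any one of those three."""
    if len(password) < MIN_LENGTH:
        return False
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c.isdigit() for c in password)
    special = any(c in string.punctuation for c in password)
    met = int(upper) + int(lower) + int(digit)
    return met == 3 or (met == 2 and special)


def hash_password(password: str) -> bytes:
    """Salted one-way hash; the stored value is salt || digest."""
    salt = os.urandom(SALT_BYTES)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)      # constant-time comparison


@dataclass
class Account:
    user_id: str
    password_hashes: List[bytes]        # newest last; [-1] is the active password
    failed_attempts: int = 0
    locked_at: Optional[float] = None   # clock value when the lockout began


@dataclass
class AuthPolicy:
    history_depth: int                       # 15 for EMS, 24 for the network
    lockout_reset_seconds: Optional[float]   # None: administrator reset required

    def create_account(self, user_id: str, initial_password: str) -> Account:
        if not meets_complexity(initial_password):
            raise ValueError("initial password does not meet the complexity rule")
        return Account(user_id, [hash_password(initial_password)])

    def change_password(self, acct: Account, new_password: str) -> bool:
        """Reject weak passwords and any of the last history_depth passwords."""
        if not meets_complexity(new_password):
            return False
        if any(verify_password(new_password, h) for h in acct.password_hashes):
            return False
        acct.password_hashes.append(hash_password(new_password))
        del acct.password_hashes[:-self.history_depth]   # keep only the newest N
        return True

    def is_locked(self, acct: Account, now: float) -> bool:
        if acct.locked_at is None:
            return False
        if self.lockout_reset_seconds is None:
            return True                                   # locked until admin_unlock()
        if now - acct.locked_at >= self.lockout_reset_seconds:
            self.admin_unlock(acct)                       # automatic reset (network rule)
            return False
        return True

    def login(self, acct: Account, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account is not checked
        at all, so guessing cannot continue against it while it is locked."""
        if self.is_locked(acct, now):
            return "locked"
        if verify_password(password, acct.password_hashes[-1]):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_at = now
            return "locked"
        return "denied"

    def admin_unlock(self, acct: Account) -> None:
        acct.failed_attempts = 0
        acct.locked_at = None


def repeat_login(policy: AuthPolicy, acct: Account, password: str, times: int, now: float) -> str:
    """Repeat a logon attempt and return the last result (used in demonstrations)."""
    result = "denied"
    for _ in range(times):
        result = policy.login(acct, password, now)
    return result


EMS_POLICY = AuthPolicy(history_depth=15, lockout_reset_seconds=None)
NETWORK_POLICY = AuthPolicy(history_depth=24, lockout_reset_seconds=30 * 60)
```

The history check verifies the candidate against every retained hash, so a password change costs up to 15 (EMS) or 24 (network) PBKDF2 computations; that is acceptable for an interactive change and is the reason the depth is bounded rather than unlimited.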

3.3 Section 17.04.3 – Encryption of Transmitted Data

This section covers the following topic:

- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Protection of Data Via Browser Access By User Entities

To protect against disclosure to third parties, the EASi website transmits data using Hypertext Transfer Protocol Secure (HTTPS), that is, HTTP over Secure Socket Layer (SSL) encryption, which uses 256-bit encryption when communicating with Internet browsers. In addition, EASi uses Network Solutions as the trusted certificate authority for the website certificate, to assure User Entities that the website (www.easiadmin.com) is authentic. Users are authenticated against the EMS server upon login and are required to enter a user ID and password to access EMS.

Protection of Data Via File Transfer By User Entities

Clients can bulk import data into the EASi database using templates provided by EASi. The files themselves are not encrypted; instead they are sent to a Secure FTP site within the EASi Data Center over an encrypted session, so the file contents are protected while in transit. The import process requires that Clients use Secure FTP client software (SFTP), such as the Globalscape CuteFTP product, to transfer files from their company to the EASi FTP site (the ports used for SFTP and FTPS are listed under “Accessibility” in Section 4.2). Once the files have been transferred securely, they are automatically imported into the EASi database. Clients use the EASi Importer console to view the status of their data import activity.

Protection of Data Transferred By EASi Employees

EASi employees have access to the EASi Network and EMS as described in the Access Control Section of this document. The primary activities engaged in by EASi employees are accessing data and performing backups of data. EASi CS has access to User Entity data via the EASi Platform using a browser with SSL/HTTPS, in the same manner as User Entities, and data is transferred securely to an EASi CS Representative’s browser in the same manner as for User Entity users. Backups of the production database at the PHX Colocation facility are written to backup disk. Disk backups are encrypted using 256-bit AES software encryption. Database backups are also copied nightly over the network (via VPN) from the PHX Colocation to the SJC Colocation, where they are stored on disk.

Wireless access is only available on the internal corporate network to EASi employees. Wireless security is WPA with MAC address validation. MAC address validation is only a supplementary control, since a MAC address can be observed and spoofed by a nearby attacker; the WPA key is the control that actually protects the traffic. All devices on the EASi network are audited quarterly via IP scans. Wireless access is only granted on a limited basis and is primarily used for system maintenance by the IT Team. User Entity data is not typically accessed via wireless connection.

3.4 Section 17.04.4 – Monitoring of Systems

This section covers the following topics:

- Reasonable monitoring of systems for unauthorized use of or access to personal information.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Monitoring for unauthorized use or access is performed in several ways. The network, application and logical security have been designed and implemented to provide what EASi believes to be an appropriate level of security for Client data. All EASi Clients access the application through the same point. EASi utilizes dual Sonicwall Firewalls for automatic failover and Barracuda Load Balancers for web server balancing. The Firewalls provide Anti-Virus, Anti-Spyware and Intrusion Prevention System (IPS) features, and the Load Balancers also provide IPS. The threat management features monitor for phishing, spyware, adware, spam, spoofing and hijacking, and protect both LAN and WAN traffic from worms, spyware, Trojans, malware and other emerging attacks. Firewall and Load Balancer logs track all activities and are reviewed on a regular basis. In addition, email alerts are sent to the IT Team when attacks are detected. Please refer to the “Firewall Protection And Operating System Security” Section of this document for more details on this subject.

From an application perspective, penetration testing has been performed which identified the visibility of parameters and key field data in queries used within the application. The EASi Platform has been modified to secure parameters and key field data. Other types of ethical hack testing have been performed and identified vulnerabilities, including cross-site scripting, which have since been remediated.

Finally, the overall EASi infrastructure is evaluated on a weekly basis for vulnerabilities. A vulnerability scan is performed by a Third Party that checks 5 severity levels of exposure in order to identify potential issues that may expose the system to attacks.

3.5 Section 17.04.5 – Encryption of Personal Information

This section covers the following topics:

- Encryption of all personal information stored on laptops or other portable devices.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EASi operates under a Software-as-a-Service paradigm where User Entity data is accessible via the Internet using secure protocols. Access to User Entity data by EASi employees is limited to EASi Client Support (CS). EASi CS accesses User Entity data as needed to support its Clients in training and problem resolution situations. All access is performed via the EASi Platform using a browser with SSL/HTTPS, or via file transfers using SFTP. As such, EASi does not typically export User Entity data to laptops or portable devices unless required in order to support a Client request or issue. As an additional safeguard, all EASi Client Support laptops are encrypted with Symantec PGP Whole Disk Encryption.

3.6 Section 17.04.6 – Firewall Protection And Operating System Security

This section covers the following topics:

- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date Firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

Industry standard Firewalls protect the EASi corporate office and Colocation networks. The Firewalls sit on the networks and analyze the data and packets routed through the networks to the EASi Platforms. The Unified Threat Management features of the Firewalls employ intrusion prevention and monitor for phishing, spyware, adware, spam, spoofing and hijacking. These features protect both LAN and WAN traffic from worms, spyware, Trojans, malware and other emerging attacks. The Firewall generates a diagnostic log that documents any intrusion attempts, which is reviewed on a weekly basis by the Network Administrator.

Firewall administrator access is restricted to the IT Team. Access to the Firewalls requires a user to enter a user ID and password. The Firewall rules are configured by the Network Administrator based on the concept of least privilege, meaning that unless access is specifically granted, it is denied. Password security parameters for the Firewalls include:

- Minimum password length – 8 characters
- Complexity enabled – Yes

In addition to the Firewalls, the Load Balancers employ an Intrusion Prevention System (IPS) that utilizes a refined set of constantly updated vulnerability definitions to automatically block malicious attacks as they happen. The vulnerability definitions focus on protocol-specific, application-specific and operating system-specific attacks. When an attack is detected, the Load Balancer sends a TCP RESET in both directions (to the server and to the client) and an email alert is sent to IT personnel.

EASi utilizes a combination of Windows Server 2003 and Oracle Enterprise Linux for its Web, Application and Database servers. Automatic updates are run weekly on all Windows servers to obtain the latest security patches from Microsoft. This process is monitored weekly by the Network Administrator. Oracle and Linux patches are handled by the Database Administrator, who monitors security alerts from Oracle and applies them as needed. The Database Administrator is also notified of critical updates by standard subscription notifications from Microsoft and Oracle. The vendor websites are also reviewed periodically on an ad hoc basis for information regarding updates that would be of interest to EASi.
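An added example of the weekly review of Firewall and Load Balancer IPS logs described in Section 3.4 and in this section; illustrative Python, not EASi’s tooling. The key=value syslog line format, the field names, the sample lines and the alert threshold are all constructed for this example and do not reproduce any vendor’s actual log format. The review groups IPS alerts by source address, records whether every event was blocked (reset or drop) and escalates sources that trip the threshold inside a sliding time window, which is the judgement a reviewer makes by hand when scanning the log.

```python
"""Weekly review of Firewall / Load Balancer IPS logs (Sections 3.4 and 3.6).

Added example, not EASi tooling. The key=value line format, field names,
sample lines and thresholds are constructed for this example.
"""
import shlex
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

ALERT_PREFIX = "IPS Detection Alert: "

# Constructed sample lines (documentation address ranges, invented signatures).
SAMPLE_LOG = """\
time="2013-08-05 02:14:07" fw=fw-phx-1 pri=1 msg="IPS Detection Alert: WEB-ATTACKS SQL injection attempt" src=198.51.100.23:51022 dst=10.10.1.20:443 action=reset
time="2013-08-05 02:14:09" fw=fw-phx-1 pri=1 msg="IPS Detection Alert: WEB-ATTACKS SQL injection attempt" src=198.51.100.23:51031 dst=10.10.1.20:443 action=reset
time="2013-08-05 02:14:12" fw=fw-phx-1 pri=1 msg="IPS Detection Alert: WEB-ATTACKS cross-site scripting attempt" src=198.51.100.23:51040 dst=10.10.1.20:443 action=reset
time="2013-08-05 02:15:44" fw=fw-phx-1 pri=6 msg="Connection Opened" src=203.0.113.9:40211 dst=10.10.1.20:443 action=allow
time="2013-08-05 03:01:00" fw=fw-phx-1 pri=1 msg="IPS Detection Alert: WEB-ATTACKS SQL injection attempt" src=198.51.100.23:51102 dst=10.10.1.20:443 action=reset
time="2013-08-05 09:30:15" fw=fw-phx-2 pri=1 msg="IPS Detection Alert: SCAN TCP port probe" src=192.0.2.77:44000 dst=10.10.1.20:22 action=drop
time="2013-08-05 09:30:16" fw=fw-phx-2 pri=1 msg="IPS Detection Alert: SCAN TCP port probe" src=192.0.2.77:44001 dst=10.10.1.20:990 action=drop
time="2013-08-05 11:12:00" fw=fw-phx-1 pri=6 msg="Connection Opened" src=203.0.113.9:40512 dst=10.10.1.20:443 action=allow
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line; shlex keeps quoted values (with spaces) intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def ips_events(log_text: str) -> List[dict]:
    """Keep only IPS alerts, normalised to the fields the review needs."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if not f.get("msg", "").startswith(ALERT_PREFIX):
            continue
        events.append({
            "time": datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S"),
            "device": f["fw"],
            "signature": f["msg"][len(ALERT_PREFIX):],
            "src_ip": f["src"].rsplit(":", 1)[0],
            "dst": f["dst"],
            "action": f["action"],
        })
    return events


def summarize(events: List[dict], threshold: int = 3, window_minutes: int = 60) -> List[dict]:
    """One finding per source address. 'escalate' is set when at least `threshold`
    alerts from that source fall inside any window of `window_minutes`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        escalate, start = False, 0
        for end in range(len(evs)):                 # sliding window over sorted times
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                escalate = True
                break
        findings.append({
            "src_ip": src,
            "alerts": len(evs),
            "signatures": sorted({e["signature"] for e in evs}),
            "targets": sorted({e["dst"] for e in evs}),
            "devices": sorted({e["device"] for e in evs}),
            "blocked": all(e["action"] in ("reset", "drop") for e in evs),
            "escalate": escalate,
        })
    findings.sort(key=lambda f: (-f["alerts"], f["src_ip"]))
    return findings


def review_report(findings: List[dict]) -> str:
    """Plain-text summary of the kind that goes into the review record or alert email."""
    lines = []
    for f in findings:
        flag = "ESCALATE" if f["escalate"] else "noted"
        blocked = "all blocked" if f["blocked"] else "NOT all blocked"
        lines.append(f"{flag:8} {f['src_ip']:15} {f['alerts']:3d} alerts, {blocked}; "
                     f"{', '.join(f['signatures'])} -> {', '.join(f['targets'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(summarize(ips_events(SAMPLE_LOG))))
```

The "blocked" flag is the check worth keeping: the policy relies on the IPS having sent a TCP RESET or dropped the connection, so any alert whose action is not reset or drop is the one a reviewer should chase first, regardless of volume.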

3.7 Section 17.04.7 – System Security Agent Software

This section covers the following topics:

- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

EASi employs anti-virus software on the EASi servers located at the Colocation facilities and on the corporate office workstations. The anti-virus software performs: (1) a real-time scan of data as it is saved to the server file systems; (2) a scan on each file read; and (3) a daily scan of all files on all workstations and servers to detect infected files. The anti-virus software is updated with both code and virus pattern files on a daily basis. Weekly reviews are performed to ensure that the anti-virus software received its daily updates and that the daily virus scans completed successfully.

3.8 Section 17.04.8 – Employee Training and Education

This section covers the following topics:

- Education and training of employees on the proper use of the computer security system and the importance of personal information security.*

* - Descriptions as specified in the 201 CMR 17.00 Standard

All EASi employees are required to read the EASi Employee Handbook and to sign a confidentiality agreement when they are hired. The Handbook and Agreement stipulate that employees treat any Third Party information as confidential and proprietary and do not disclose it to any person, firm or corporation, or use it, except as necessary in carrying out their work for EASi and the Third Party. EASi employees are also encouraged to review the EASi SSAE16 Report annually. The SSAE16 Report documents the process for authorizing access to Client data, which the SSAE16 Audit verifies. The SSAE16 Report documents the controls that EASi adheres to, including the following:

- Physical Security
- Environmental Security
- Network Security
- Internet Application Security
- Logical Security
- Software Development
- Data Backup

Reference the current Equity Administration Solutions, Inc. SSAE16 Report for additional relevant information.

4 Addendum

The information below provides additional information on safeguards and controls in place at EASi in support of the security and control of Client data.

4.1 Physical Security and Protection

EASi utilizes a number of techniques to ensure that its facilities, computers, network and data are secure and that access is restricted to authorized personnel. In addition, a variety of environmental devices are maintained to protect the facilities and equipment. The facility security and environmental protection employed by EASi are described in more detail below.

Colocation Facility Locations:

- Production System Location: PHX Colocation: CyberTrails, 1919 West Lone Cactus Drive, Phoenix, AZ 85027, Phone: 888.462.9237
- Disaster Recovery System Location: SJC Colocation: Datapipe, 150 S. 1st Street, Suite 101, San Jose, CA 95113, Phone: 877-773-3306

PHX Colocation Service Description:


EASi utilizes CyberTrails as a Colocation Facility to host EASi’s production, development and test systems. The equipment in the PHX Colocation is installed in a dedicated, locked cage. EASi manages the system software (i.e. operating system and all applications). CyberTrails’ service includes 24 x 7 x 365 monitoring of environmental controls, and on-site technical support is available as a separate service (Remote Hands). EASi maintains all of its own equipment, backups, etc. CyberTrails is responsible for maintaining the environmental security and controls of the Colocation facility and maintains an SSAE16 report.

SJC Colocation Service Description:

EASi utilizes Datapipe as a Colocation Facility to host EASi’s Disaster Recovery system. The equipment in the SJC Colocation is installed in a dedicated, locked cage. EASi manages the system software (i.e. operating system and all applications). Datapipe’s service includes 24 x 7 x 365 monitoring of environmental controls, and on-site technical support is available as a separate service (Remote Hands). EASi maintains all of its own equipment, backups, etc. Datapipe is responsible for maintaining the environmental security and controls of the Colocation facility and maintains an SSAE16 report.

Corporate Network Room Description:

The corporate network room contains the networking equipment required for the corporate office to connect to the internet and the corporate network.

Facility Security:

The PHX and SJC Colocation facilities used by EASi are operated by providers of managed IT services that focus on application management, hosting, professional services and security services for mid to large-sized organizations. The Colocation providers supply only the facility for EASi’s equipment and do not have login access to any of the equipment. EASi retains complete responsibility for management of the equipment.

Access to the locked server cages at the Colocation facilities is limited to authorized individuals only, as approved by the SVP, Engineering or the Chief Technology Officer / President of EASi. Access is granted to authorized individuals at the Colocation server cages after showing proper identification. Authorized individuals are then escorted to the server cages by Colocation facility staff. The authorized EASi employee is then able to unlock the cage to gain access to the servers. Access to the network room at the EASi corporate office is restricted to the Network Administrator, Database Administrator, VP of Operations and SVP, Engineering. The network room is locked at all times and is only accessible by requesting access through one of these individuals.

Environmental Protection:


Both the PHX and SJC Colocation facilities are built to withstand natural disasters, security breaches (physical and cyber), power outages, and networking and computing failures. Such measures include, among others: mechanical systems with multiple levels of redundancy; cooling systems that keep the equipment within its operating temperature range; Continuous Power Supply systems that protect against degraded commercial power and interruptions; Very Early Smoke Detection Apparatus (VESDA) that continuously samples the air for smoke particles; biometric authentication; and around-the-clock surveillance. The EASi corporate office also has a network room containing the networking equipment required for the corporate office to connect to the internet and the corporate network. The network room at the corporate office is equipped with a dedicated air conditioning unit, fire extinguisher and heat-activated dry pipe water sprinklers.

4.2 Network and Application Security

In addition to what has already been discussed regarding network and application security, EASi has additional processes and controls in place to help ensure that connections to the EASi Platform are protected from unauthorized access, as described below.

Protection of Data:

A variety of data related to participants and their equity compensation can be stored in the EASi database. A question that often comes up relates to Social Security Numbers. While Social Security Numbers are not required, some form of unique identifier, either Client provided or provided by EASi, is required to uniquely identify participants.

Accessibility:

The server ports utilized for the EASi Platform are listed below:

- Port 80: General HTTP traffic to the public Easiadmin.com website.
- Port 443: Secure traffic via HTTPS/SSL to access the EASi Platform. Also used by EASi Administrators for VPN (SSL) access to production infrastructure.
- Port 22: SFTP (SSH) inbound and outbound requests.
- Port 990: FTPS (SSL) control port for inbound connection requests to EASi servers for importing data via the EASi Importer service and accessing reports generated via the Batch Reporting service.
- Ports 28000 - 28004: FTPS (SSL) data ports for inbound file transfers to EASi servers (importer templates for the EASi Importer service) and outbound file transfers from EASi servers (reports generated via the Batch Reporting service).


Application Security: Access to the EASi Platform requires entry of a user id and password. The authentication mechanism is built using a combination of .Net logic and Oracle password management. The EASi Base Classes, built using .Net technology, contain authentication logic that enforces the following security parameters:

1) Minimum password length: 7 alphanumeric characters, with at least one upper case letter, one lower case letter and one number. A special character can be used in place of one of these three categories.
2) Password expiration: 45 days.
3) Password history: the last 15 passwords are retained and cannot be reused.
4) Idle session time out: 45 minutes of inactivity.
5) Account lockout: after 5 unsuccessful logon attempts, with an administrator reset required to unlock the account.

EASi stores passwords encrypted in the database using an Oracle encryption algorithm scheme. The EASi architecture is defined such that the security for all pages is handled centrally and consistently in the Base Classes, so all pages behave in the same secure manner. The EASi Base Classes have been modified to secure parameters and key field data.

Security Related Testing: The overall EASi infrastructure is evaluated on a weekly basis for vulnerabilities. A vulnerability scan is performed using QualysGuard VM (Vulnerability Management), which rates findings on 5 levels of exposure in order to identify potential network and system security issues that may expose the system to attacks. EASi performs security related testing, including navigation to unauthorized pages and SQL Injection testing, as part of the QA test cycle. EASi has been the subject of Penetration Tests performed by Customers in 2007, 2011, 2012 and 2013. Issues identified during the Penetration Tests have since been remediated. EASi is targeting to incorporate regular web application security assessments using Qualys WAS (Web Application Scanning) into its operations by the end of 2013. Qualys WAS tests for web application vulnerabilities such as those described in the OWASP Top 10, including SQL injection and cross-site scripting.
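The authentication parameters above, as an added reference implementation that is not EASi's own code: the complexity rule is read as "three of the four character categories", so a special character can stand in for exactly one of upper case, lower case or digit; the 15-password history, 45-day expiry, 5-attempt lockout with administrator reset and 45-minute idle timeout are the policy's numbers. Credential storage uses PBKDF2 here rather than the Oracle encryption scheme the policy names, and the Account class, the T0 timestamp and the at() clock helper are constructed for illustration.

```python
"""Reference checks for the EASi application-security parameters.

Added example, not EASi code. The numeric limits come from the policy text;
the Account class, the PBKDF2 storage (the policy names an Oracle encryption
scheme instead), T0 and at() are assumptions made for illustration.
"""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 7
EXPIRY_DAYS = 45
HISTORY_DEPTH = 15
IDLE_TIMEOUT = timedelta(minutes=45)
MAX_FAILED_LOGINS = 5

T0 = datetime(2013, 8, 11, 9, 0)  # constructed reference time for the demo


def at(minutes=0, days=0):
    """Clock helper: T0 offset by the given minutes/days."""
    return T0 + timedelta(days=days, minutes=minutes)


def password_meets_policy(pw: str) -> bool:
    """Upper, lower and digit are each required, but a special character may
    stand in for exactly one of them: at least three of the four categories."""
    if len(pw) < MIN_LENGTH:
        return False
    categories = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(categories) >= 3


def _derive(pw: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the history check over 15 entries stays fast.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)  # newest first: (salt, derived key)
    password_set: datetime = None
    last_activity: datetime = None
    failed_logins: int = 0
    locked: bool = False

    def set_password(self, pw: str, now: datetime) -> bool:
        if not password_meets_policy(pw):
            return False
        # Reuse of any of the last HISTORY_DEPTH passwords is rejected.
        if any(_derive(pw, salt) == key for salt, key in self.history):
            return False
        salt = os.urandom(16)
        self.history.insert(0, (salt, _derive(pw, salt)))
        del self.history[HISTORY_DEPTH:]
        self.password_set = now
        return True

    def password_expired(self, now: datetime) -> bool:
        if self.password_set is None:
            return True
        return now - self.password_set >= timedelta(days=EXPIRY_DAYS)

    def login(self, pw: str, now: datetime) -> bool:
        if self.locked or not self.history:
            return False
        salt, key = self.history[0]
        if _derive(pw, salt) != key:
            self.failed_logins += 1
            if self.failed_logins >= MAX_FAILED_LOGINS:
                self.locked = True  # cleared only by admin_reset()
            return False
        self.failed_logins = 0
        self.last_activity = now
        return True

    def admin_reset(self) -> None:
        self.locked = False
        self.failed_logins = 0

    def session_active(self, now: datetime) -> bool:
        """Each page request calls this; the idle clock restarts on success."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None  # session expired, user must log in again
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    acct = Account("jsmith")
    acct.set_password("Summer13", at())
    print(acct.login("Summer13", at()), acct.session_active(at(minutes=46)))
```

The history check has to re-derive the candidate under every stored salt, which is why the iteration count is the main cost of a password change; the lockout deliberately has no automatic expiry, matching the administrator-reset requirement in the policy.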

4.3 System Protection

As discussed previously, the infrastructure utilized by EASi is configured and maintained with up to date versions of software to maximize protection. Additional information regarding environments and data destruction is provided below.

Separate Environments: EASi maintains separate, distinct environments for production vs. corporate, development and test. The EASi production application environment is located in the PHX Colocation facility. Development and test environments are also located in the PHX Colocation facility. The production EASi Platform and its components, including the Database, Application Servers and Web Services, are physically isolated together at the PHX Colocation facility and logically isolated on their own subnet from the corporate, development and test network.

Data Destruction: There are three scenarios to consider related to the need to destroy Client data:

Scenario 1: Active and Terminated Clients.
Active Client: Data in the database is available to Clients as long as they are an active Client. Data is backed up on a daily basis to backup disk. The data on the backup disk drives is expunged after 365 days.
Terminated Client: When a Client terminates from EASi, Client access to the EASi production system is disabled on the agreed termination date. Client data is deleted from the EASi production system 90 days after the agreed termination date unless the Client makes other arrangements with EASi in advance of the 90 day cutoff. Direct deletion only applies to data residing on the production database; the data on the backup disk drives is expunged 365 days after it is expunged from the production system.

Scenario 2: Disk Crash. The disk is unusable and not readable in this scenario. No specific actions are taken by EASi to expunge Client data. EASi has service contracts with Vendors who replace the disk and are responsible for disposing of it in a confidential manner, where the disk is physically shredded.

Scenario 3: Maintenance Disk Replacement. This scenario involves proactive replacement of equipment before it fails, based on a warning light / message from the equipment. No specific actions are taken by EASi to expunge Client data. EASi has service contracts with Vendors who replace the disk and are responsible for disposing of it in a confidential manner. The process is a 3 step wipe: all 1's, then all 0's, then all 1's again. If any data can't be removed, the disk is physically shredded.

TCP/IP Ports and Protocols Utilized: EASi utilizes the following ports:
- Port 80: General HTTP traffic to the public Easiadmin.com website.
- Port 443: Secure traffic via HTTPS (SSL) on our private site to access the EASi Platform.
- Ports 21, 990 and 28000-28004: Secure FTP traffic to EASi servers for importing data and accessing reports. (Ports 21 and 990 are the FTP and implicit FTPS control ports; SSH-based SFTP, listed under Cryptography below, uses port 22, which does not appear in this list.)

Software Escrow Account (Optional): Iron Mountain Intellectual Property Management, 2100 Norcross Parkway, Suite 150, Norcross, GA 30071. Phone: 770.239.9200. Direct: 770.225.8164.

System Hardening: EASi hardens servers as listed below.

Database Servers:
- Mail server: not installed
- Web server: not installed
- DNS server: not installed
- FTP server: not installed
- Telnet: disabled
- Rlogin: disabled
- Rsh: disabled
- All non-essential users: disabled, set to "nologin". The exceptions are the users "root" and "oracle".

Active Directory and Domain Name Service:
- Mail server: not installed
- FTP server: disabled
- Telnet: disabled
- Rlogin: disabled
- Rsh: disabled

Web, Application and File Servers:
- Mail server: not installed
- AD server: not installed
- DNS server: not installed
- FTP server: disabled
- Telnet: disabled
- Rlogin: disabled
- Rsh: disabled

Cryptography: Data backup to disk is encrypted using AES256 software. Internet cryptographic technologies utilized include SSL and HTTPS for application connections, and SFTP / SSH with optional PGP for file transfers. Cryptographic algorithms utilized include Oracle encryption algorithms and Microsoft hashing algorithms (used to protect the session id (ssid) written to the cookie for each session).
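A check for the database-server profile listed above under System Hardening, added here as an example and not an EASi script: it parses /etc/passwd for accounts that still have an interactive shell and the output of `ss -Hltn` for listeners the profile says should be absent. The allowed users (root and oracle) come from the policy; SAMPLE_PASSWD and SAMPLE_SS are constructed inputs, and the port-to-service map is an assumption about the services' default ports.

```python
"""Hardening audit for the database-server profile.

Added example, not an EASi script. It checks the two things in that profile a
host can report on itself: accounts that still have an interactive shell and
services listening on the network. SAMPLE_PASSWD and SAMPLE_SS are constructed
inputs (the latter in `ss -Hltn` form); the port-to-service map is an assumption
about the services' default ports.
"""

# From the policy: only these accounts may keep a login shell on a database server.
ALLOWED_INTERACTIVE_USERS = {"root", "oracle"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Services the profile says must be not installed or disabled (assumed default ports).
FORBIDDEN_LISTENERS = {
    25: "mail", 80: "web", 443: "web", 53: "dns",
    21: "ftp", 23: "telnet", 513: "rlogin", 514: "rsh",
}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001:Oracle software owner:/home/oracle:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/bash
"""

SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1521 0.0.0.0:*
LISTEN 0 5 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""


def interactive_users(passwd_text: str) -> list:
    """Account names whose shell is not a nologin shell, in file order."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would flag it
        if fields[6] not in NOLOGIN_SHELLS:
            users.append(fields[0])
    return users


def listening_ports(ss_text: str) -> set:
    """TCP ports in LISTEN state from `ss -Hltn` output (IPv4 and IPv6)."""
    ports = set()
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        local = parts[3]  # e.g. 0.0.0.0:22 or [::]:22
        ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def audit(passwd_text: str, ss_text: str) -> list:
    """Findings, one string each; an empty list means the host matches the profile."""
    findings = []
    for user in interactive_users(passwd_text):
        if user not in ALLOWED_INTERACTIVE_USERS:
            findings.append(f"user {user} has an interactive shell; expected nologin")
    for port in sorted(listening_ports(ss_text)):
        if port in FORBIDDEN_LISTENERS:
            findings.append(f"port {port} ({FORBIDDEN_LISTENERS[port]}) is listening")
    return findings


if __name__ == "__main__":
    # On a live host: audit(open("/etc/passwd").read(),
    #                       subprocess.check_output(["ss", "-Hltn"], text=True))
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SS):
        print(finding)
```

The loopback-only mail listener in the sample is flagged as well: the profile says "not installed", not "not exposed", so a service bound to 127.0.0.1 is still a deviation.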

Server Synchronization: All equipment is synchronized to nist.gov time servers.

Patch Management: Production hardware patch levels are maintained as follows:
- MS Server O/S Based Machines: These are automatically maintained using automatic anti-virus and MS updates. The logs are reviewed on a weekly basis.
- Linux O/S Based Machines: The Oracle website is reviewed at the beginning of each quarter for security updates / advisories. The DBA also subscribes to the Oracle website to be alerted on security issues; if an email alert is received, it is immediately reviewed for applicability by the DBA. Automation is in place to receive any critical patch update notifications from Oracle that are relevant to our environment, for both Linux and the Oracle DB. A Security Patch Review Log is maintained to document that the website has been reviewed for any security patches, vulnerabilities, etc. for both the Linux Operating System and the Oracle Database RDBMS.

4.4 Availability and Continuity

EASi places high priority on keeping its equipment and facilities well maintained and operational. EASi employs fully redundant hardware and websites, world-class Colocation facilities with 24 x 7 monitoring, a stand-by website for failover, backup generators, system monitoring software with real-time alerts, and support contracts with Dell and Oracle. EASi has considered a number of areas in making the application continuously available.

General Availability: The EASi Platform is available to EASi Clients on a 24 x 7 basis. The EASi Client Support Team is available from 9:00 am to 9:00 pm Eastern time, and 24 x 7 by email. In addition, the EASi Platform accepts Client Support requests (cases) through the EASi Platform interface, which communicates with EASi's CRM system. Once a case has been submitted, EASi Clients can also track the status of the case in real time through the interface of the EASi Platform, as it pulls real time data from the EASi CRM system.

Scheduled Releases: EASi typically releases 2 major versions of the Platform per year, one in May and one in November. Each major version is followed by two service packs: June and July for the May release, December and January for the November release.

EASi has scheduled downtimes during the deployment of a new version of the Platform. Deployments of new versions of the EASi Platform are typically on the second Thursday of the month in May, June, July, November, December and January. During the deployment of a new version, the Platform will not be available for 30 – 60 minutes beginning at 6:00 PM Pacific Time. Clients are provided reasonable advance warning to the extent possible, as noted below:
- Major Releases: Email notification 2 weeks in advance of the release. Downtimes are typically 60 minutes.
- Service Packs: Individual Clients affected are notified after the Service Pack is deployed. Downtimes are typically 30 minutes.
- Hotfixes: Individual Clients affected are notified after the Hotfix is deployed. Downtimes are typically 15 minutes.
- Planned Maintenance: Posted on the EASi Home Page 48 hours in advance. Downtime is dependent on the situation.

Redundancy and Failover: The EASi Platform Web and Database Servers have identical backup servers and configurations in the event of a failure. Disk management techniques reduce the risk that a single disk problem brings the entire system down: a Redundant Array of Independent Disks (RAID) level 1 configuration is used on the file, database and application servers. The Web Servers are redundant and managed for failover and load balancing using Barracuda hardware/software. A full database restore of the EASi production database is performed daily to verify the availability of data.

System Monitoring: EASi utilizes the following tools to monitor the EASi Platform:

Database Monitoring: Zoho's AdventNet Applications Manager monitors the following:
- Free space
- SGA activity and usage
- Session activity and usage
- Rollback activity
- Locks
- Top 10 queries

Confio's Ignite monitors the following:
- Top SQL statements
- Wait time
- Resource usage
- Explain plans
- Workload

Operating Systems: Zoho's AdventNet Applications Manager monitors the following:
- CPU usage
- Memory usage
- Disk space and I/O usage
- System load

Application Services: Zoho's AdventNet Applications Manager monitors the following:
- Application services (up/down)

Web Services: Zoho's AdventNet Applications Manager monitors the following:
- Web services (up/down)
- IIS services (up/down)

Website: External web site monitoring by Zoho Site24x7 monitors the following:
- Connectivity from the Internet to the easiadmin.com website
- Connectivity from the Internet to the easiadmin login page
- Connectivity from the Internet to the easiadmin sftp site

System Activity Auditing: A comprehensive auditing process is in place to capture all Update or Delete activity associated with database/application transactions in the EASi Platform. A "before update / delete" copy of the record is written to a history table before the record is changed or deleted. In addition, an audit trail record is created specifying the type of transaction, the user performing the transaction, the date/time the transaction was performed and the IP address the transaction was requested from. Additional logging of web user sessions is maintained from page to page, as is information regarding invalid login attempts. Direct database logins (i.e., logins from outside the EASi Platform) are also logged. All logs are accessible only by the Database and Network Administrators and are reviewed on a regular basis. The Firewalls generate audit logs which contain all actions; the Firewall logs are reviewed weekly by the Network Administrator. The database logs are reviewed annually in conjunction with the SSAE 16 audit.

Audit Logs: A variety of logs are retained as described below.
- Firewall logs: retained for 8 days, reviewed weekly
- Load Balancer logs: retained for 12 months, reviewed weekly
- Database audit history activity on all update and delete transactions: retained for 365 days, not reviewed
- Database access (non-application): retained for 365 days, reviewed annually
- Database access (application page hits by user): retained for 365 days, reviewed quarterly

Backups: A full backup and restoration of the production database is performed on a daily basis (Monday through Friday) to verify the availability of the data. Backups of the production database are written to disk. Database backups are also copied nightly over the network (via VPN) from the PHX Colocation facility to the SJC Colocation facility, where they are stored on disk and kept for 365 days. Emails are automatically generated to notify IT personnel of the status of the backup jobs. All corporate data is backed up and stored on a file server with a RAID array for hardware redundancy. These files are also copied to disk on another machine and kept for 90 days. A backup of the EASi Platform and Database source code is performed on a daily basis. A restoration test of the source code is performed quarterly.

Summary of Backup and Disaster Recovery Procedures:
- Daily Production Database Backup to disk at the PHX Colocation
- Daily duplication of the PHX Colocation backup to the SJC Colocation
- Daily backup of corporate data
- Daily backup of source code
- Firewall diagnostic log that documents any intrusion attempts, reviewed on a weekly basis
- Database backup logs reviewed on a daily basis
- PHX Colocation infrastructure vulnerability scans reviewed on a weekly basis
- External 3rd party website monitoring tool to monitor the availability of the EASi Platform

Website Monitoring: EASi uses an external 3rd party website monitoring tool to monitor the availability of the EASi Platform. In the event that the tool is unable to connect to the EASi Platform, a text message and email are sent to the Database Administrator, the Network Administrator and the SVP, Engineering, notifying them of the failure. Clients are notified if/as needed.

Disaster Recovery and Business Continuity: EASi places a high value on providing continuity of service to its user organizations. The ability to restore system data after the interruption of services, corruption of data, or failure of computer services is vital for the ability to continue providing services to users.
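The System Activity Auditing mechanism described earlier in this section (a before-image history table plus an audit trail carrying transaction type, user, date/time and source IP), as an added example that is not EASi code. It uses SQLite triggers; the EASi Platform runs on Oracle, where the trigger syntax differs. The CLIENT_RECORD table and the transaction sequence are constructed, and the acting user and IP are supplied through a per-connection CONTEXT table, an assumption standing in for whatever the application's Base Classes actually pass down. Inserts are deliberately not audited, matching the policy's scope of Update and Delete activity.

```python
"""Before-image history table and audit trail, SQLite version.

Added example, not EASi code (EASi runs on Oracle). The client_record table,
the context table used to carry user/IP into the triggers, and the sample
transactions are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE client_record (
    id INTEGER PRIMARY KEY, client TEXT, amount REAL);

-- before-image of every row that is about to be updated or deleted
CREATE TABLE client_record_hist (
    hist_id INTEGER PRIMARY KEY, id INTEGER, client TEXT, amount REAL,
    change_type TEXT, changed_at TEXT);

-- who did what, when, from where
CREATE TABLE audit_trail (
    audit_id INTEGER PRIMARY KEY, txn_type TEXT, table_name TEXT, row_id INTEGER,
    user_id TEXT, txn_time TEXT, source_ip TEXT);

-- one row per connection carrying the application user and client IP (assumption)
CREATE TABLE context (user_id TEXT, source_ip TEXT);

-- The audit row is written unconditionally: if no context is set, user_id and
-- source_ip are NULL, which is easier to detect than a missing record.
CREATE TRIGGER client_record_bu BEFORE UPDATE ON client_record
BEGIN
    INSERT INTO client_record_hist (id, client, amount, change_type, changed_at)
    VALUES (OLD.id, OLD.client, OLD.amount, 'UPDATE', datetime('now'));
    INSERT INTO audit_trail (txn_type, table_name, row_id, user_id, txn_time, source_ip)
    VALUES ('UPDATE', 'client_record', OLD.id,
            (SELECT user_id FROM context), datetime('now'), (SELECT source_ip FROM context));
END;

CREATE TRIGGER client_record_bd BEFORE DELETE ON client_record
BEGIN
    INSERT INTO client_record_hist (id, client, amount, change_type, changed_at)
    VALUES (OLD.id, OLD.client, OLD.amount, 'DELETE', datetime('now'));
    INSERT INTO audit_trail (txn_type, table_name, row_id, user_id, txn_time, source_ip)
    VALUES ('DELETE', 'client_record', OLD.id,
            (SELECT user_id FROM context), datetime('now'), (SELECT source_ip FROM context));
END;
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def begin_session(con: sqlite3.Connection, user_id: str, source_ip: str) -> None:
    """Record the acting user and source IP for this connection's transactions."""
    con.execute("DELETE FROM context")
    con.execute("INSERT INTO context VALUES (?, ?)", (user_id, source_ip))


def run_sample(con: sqlite3.Connection):
    """Constructed transaction sequence: insert (not audited), update, delete."""
    con.execute("INSERT INTO client_record (id, client, amount) VALUES (1, 'Acme', 100.0)")
    begin_session(con, "jsmith", "203.0.113.7")
    con.execute("UPDATE client_record SET amount = 250.0 WHERE id = 1")
    con.execute("DELETE FROM client_record WHERE id = 1")
    con.commit()
    hist = con.execute(
        "SELECT change_type, amount FROM client_record_hist ORDER BY hist_id").fetchall()
    audit = con.execute(
        "SELECT txn_type, row_id, user_id, source_ip FROM audit_trail ORDER BY audit_id").fetchall()
    return hist, audit


if __name__ == "__main__":
    history, trail = run_sample(open_db())
    for row in history + trail:
        print(row)
```

Because the triggers fire in the database rather than in application code, a direct database login that updates or deletes a row leaves the same history and audit rows as a change made through the Platform, which is what makes the "direct database logins are also logged" statement meaningful.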

EASi has developed processes to protect data and provide backup access to systems in the case of unplanned events. The EASi disaster recovery and business continuity plan is described below.

Backup of Data for Restoration: To ensure that the mission critical production data is available for use in the event of a production system failure or disaster, the following schedule of backups and data duplication controls is in place:

Daily Production Database Backup: Three types of database backups are performed daily:
- Incremental Oracle archive log files are transferred from the PHX Colocation to the SJC Colocation every 15 minutes.
- An Oracle full level 0 "hot" backup of the entire production database is performed nightly at 7:00 PM to disk.
- An Oracle full export of the entire production database is performed at 5:00 PM and then again at 8:00 PM nightly to disk. The backup files are then copied to a separate file server at the PHX Colocation and then copied to a file server at the SJC Colocation. These backup Oracle export files are used to refresh the Client Support database at the PHX Colocation as a test of "restorability" of the backup file.

Daily Duplication of PHX Colocation to SJC Colocation: A duplication of the latest backup taken each day at the PHX Colocation is made to a file server at the SJC Colocation on a daily basis at 1:00 am.

Daily Corporate Data Backup: A backup of key corporate data at the PHX Colocation is automatically performed and sent to a separate file server at the PHX Colocation on a daily basis.

Daily Source Code Backup: A backup copy of the source code is automatically generated and sent to a separate file server on a daily basis. Source code is also backed up twice per year to a 3rd Party Software Escrow Service.

Disaster Recovery - Production Database Server Failure: In the event the production database in the PHX Colocation Facility is unavailable, the web servers and services from the PHX Colocation are connected to the disaster recovery database located at the SJC Colocation facility, as described below:
- A maintenance page is displayed on easiadmin.com.
- All Web Servers and Services from the PHX Colocation are configured to connect to the database server in the SJC Colocation Facility.
- Oracle archive logs are applied.

- Easiadmin.com is made live again.
Approximate Elapsed Time: 60 to 120 minutes, depending on the nature of the failure and archive log activity at the time of the failure. Overall time is also based on the domain reconfiguration required.

Disaster Recovery – Full Production System Failure: In the event the entire PHX Colocation Facility is unavailable, a cutover to the Disaster Recovery (DR) system at the SJC Colocation facility is performed as described below:
- A maintenance page is displayed on easiadmin.com.
- The Web Server, Services and the database server at the SJC Colocation Facility are activated and configured as needed for production operation.
- Oracle archive logs are applied.
- Easiadmin.com is made live again.
Approximate Elapsed Time: 60 to 120 minutes, depending on the nature of the failure and archive log activity at the time of the failure. Overall time is also based on the domain reconfiguration required.

Details regarding the DR capability include:
- The DR database is updated incrementally every 15 minutes with production data.
- Automation is in place to keep the DR site database and website code current with the production site.
- All services, including FIX connectivity, are available on the DR site.
- Depending on the timing of the outage, maximum data loss is estimated at 30 minutes.
- Estimated downtime to perform the cutover to the DR site is 60 to 120 minutes, depending on the nature of the failure and archive log activity at the time of the failure. Overall time is also based on the domain reconfiguration required.
- DR testing is performed annually.

Business Continuity of Corporate Office: In the event the EASi corporate offices are not available, EASi has the following items in place to ensure continued operations:
- The majority of EASi personnel, and all Client Support and Information Technology personnel, have high speed Internet connections from their homes. This enables EASi personnel to access the corporate network remotely using VPN over the Internet.
- Cloud-based CRM, email and phone systems that are not dependent on locally managed / supported hardware.
- Corporate documents are stored on servers at the PHX Colocation and are available remotely via the Internet.

Additional enhancements to business continuity are targeted for 2013.