
Cloud-FAQ

Date post: 26-Nov-2015
Upload: sampada1986

MetricStream Cloud: Frequently Asked Questions

Architecture & Environment

Service Level Agreement

High Availability & Scalability

Backup & Disaster Recovery

Data Security

Network Security


© 2013 MetricStream Inc., All Rights Reserved.

1.0 Architecture & Environment

1.1 Does MetricStream operate its own hosting center? MetricStream partners with multiple SSAE 16 Type II Audited Tier IV data centers.

1.2 Does MetricStream offer shared or dedicated server environments? MetricStream does not multi-tenant. To eliminate the potential for co-mingling of data, each customer is provided dedicated servers helping ensure we meet the compliance & regulatory requirements of industries like Banking, Finance, Insurance, Life sciences, Healthcare, Energy, Utilities, etc.

1.3 What is the minimum and maximum duration for contracting Cloud services? Typically, we require a three (3) year contract commitment for our hosted services and term licenses, and we are open to discussing maximum terms of five and seven years.

1.4 Describe MetricStream’s compliance with various laws, codes and regulations relating to security, privacy and data protection. The MetricStream Cloud solution and services include robust capabilities for security, access controls, identity management, audit trails, electronic signatures, encryption, authorization and authentication. These cloud capabilities ensure compliance with various international, national and regional regulations on record keeping, privacy, and protection of the quality and integrity of data (such as HIPAA, PCI and 21 CFR Part 11).

MetricStream partners with SSAE 16 Type II Audited Tier IV data centers with state-of-the-art infrastructure and services for serving our clients in North and South America, Europe, Asia and Africa. Beyond being widely adopted by small and medium enterprises, even some of the world’s largest companies are using the MetricStream Cloud after rigorously testing the security and reliability of our infrastructure.

1.5 What is MetricStream’s HIPAA compliance statement? MetricStream understands that some of its customers that are considered “covered entities” under HIPAA may transmit or store Protected Health Information (“PHI”) in connection with the Hosting Services provided by MetricStream. However, MetricStream does not use or access PHI in order to provide the Services. Furthermore, MetricStream is not conducting a function or activity regulated by the Administrative Simplification Rules on behalf of such covered entities. Instead, MetricStream is merely storing PHI data and records using techniques and processes that meet or exceed the requirements of such covered entities. Given the foregoing, MetricStream does not believe that the HIPAA regulations apply in its provision of the Services.

1.6 Describe the physical controls in place for delivering a secured environment, network, and data center. MetricStream’s partner facilities are secured by four layers of physical security:

• Entry to the data centers is limited to authorized personnel (carrying identification badges) requiring PIN for access. Biometric hand scanners govern access to the offices and data center.

• The computer data center takes a separate electronic key fob to enter, and servers can be configured in an optional locking rack cabinet.

• Customer personnel have access to their servers 24 X 7, but must be escorted at all times unless a colocation suite with separate security precautions is established. All visits are logged.

• Video surveillance of all ingress and egress, as well as rack activity is conducted 24 X 7. All logs are reviewed periodically.

1.7 Describe the power redundancy setup to support the cloud infrastructure. Data center environmental security includes redundant cooling, power, and fire suppression systems.

• The data centers are covered by a redundant UPS system and power distribution grid that includes UPS batteries and a gas-powered generator farm that has a 3 day supply of gas and can be refueled during operations. The facilities will never lose power.

• Air handling systems for the facilities are augmented by N+2 air-conditioning systems to keep over 1000 servers on the floor cool. The data centers are regularly cleaned and maintained to ensure a safe and dust-free environment.


1.8 Has the data center ever had any major power failures and how did the emergency systems perform? MetricStream’s data center partners have never reported any major power failures. All emergency systems are periodically tested.

1.9 Describe the network controls in place to maximize system uptime. MetricStream’s partner data centers maintain multi-homed internet access to reduce single points of failure. They have rich fiber connections to all major carriers, with scalable bandwidth capacity from OC3 to OC192.

1.10 What is the average or expected up time for the system in %? MetricStream can support 99.5% system availability.

1.11 Who (employees or contractors of the site) has physical and/or login access to the servers and applications that hold customer data? MetricStream does not employ contractors. While MetricStream employees manage the Cloud environment, Application data cannot be altered, deleted, or retrieved by anyone other than users with appropriate privileges.

1.12 What industry standards has MetricStream adopted for securing application(s) and infrastructure (e.g. OWASP, NIST, ISO, etc.)? MetricStream applies its software security assurance process as part of its Software Development Life Cycle, to design and develop applications. The SDLC helps to ensure that communication and collaboration services are highly secure, even at the foundation level. MetricStream has adopted the OWASP Standard for Web applications.

1.13 Please describe MetricStream’s vulnerability assessment process. AppSec Consulting, Inc., an independent information security firm, is periodically engaged to conduct extensive penetration testing of the application based on PCI standards. The penetration tests are conducted with the following primary objectives:

• Identify and assess the controls in place to protect against both external and internal threats

• Identify Web application and server configuration vulnerabilities that put sensitive information at risk and impact PCI compliance

• Test the application from the standpoint of unauthorized users attempting to gain access as well as authorized users trying to escalate access

• Provide a detailed risk analysis and remediation advice for each vulnerability identified

• Retest any vulnerability after MetricStream has performed remediation

In addition, in-house penetration testing is also conducted for every major release of the Platform using the Burp Suite (an integrated platform for performing security testing of web applications).

During MetricStream’s scans, we cover the following key areas:

• Cross Site Scripting

• SQL Injection

• Session cookie management

• Reliance on client side input validation

• Excessive privileges for database account

• Unsafe attachments may be uploaded

• Complete Stack Trace error provided to user


1.14 How does MetricStream update security against emerging cyber security threats? At MetricStream, security is considered as an important aspect throughout the SDLC. The following measures are currently part of the development lifecycle:

• Regular design/architecture review meetings to identify vulnerabilities around user permissions, logins, data privacy and unauthorized accesses

• Multi-level code reviews: peer code review, lead code review and a review by the technical architect (if required)

• Detailed documentation/tech notes are maintained on any findings

• On every major release we ensure that we carry out a security upgrade of all the 3rd party systems and the OS. For every major release of the platform, penetration tests are performed using the Burp tool and any vulnerability found is addressed in the subsequent release:

» SQL Injection
» Cross-Site Scripting (XSS)
» Path Traversal
» HTTP Response Splitting
» Password returned in later response
» Open redirection
» Cleartext submission of password
» Cookie without HttpsOnly flag set
» TRACE method is enabled
» Directory listing
» Email addresses disclosed
» Private IP addresses disclosed
» Credit card numbers disclosed
» HTML does not specify charset
» Content type incorrectly stated
» Request impersonalization

1.15 Does MetricStream track and report on attempts (both successful and unsuccessful) to access hosted systems? The MetricStream application tracks the number of attempts at accessing a user account. If desired, a configurable option allows for disabling an account after X number of unsuccessful login attempts.

1.16 What access controls are in place to prevent “improper use” (such as deleting data, altering data)? System Administrators can configure Access Controls as follows:

• Feature Access Controls: Features such as digital dashboards, reports, and input forms have access controls and rights that are allocated based on the user.

• Application Access Controls: The application modules (for example, Audits, Document Control, CAPA, Non-Conformance Management) have access controls and rights that are allocated based on user.

• Data Access Controls: These include Row Level Security and Column Level Security.

Additionally, the MetricStream solution maintains a complete track record of changes, version history, and a detailed audit trail of all activities and changes. The MetricStream solution records all data modifications within the system, including user and system data:

• Any data field change results in an auditable record of who, when, the old value and the new value.

• Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this feature is a part of the MetricStream Platform, the system ensures integrity: all data changes at the application level are recorded and available for audit purposes.

• Reports can then be generated to display this audit history data in the appropriate views.

• The system provides accurate timestamped audit trails with what, who, when and why information for task creation, editing, modification, deletion.

1.17 Can MetricStream restrict user access (data and services) to certain IP addresses? MetricStream can implement a rule in the firewall to only allow traffic from a pre-defined set of IP address subnets (thereby limiting access to only those users from the customer’s internal networks), although this would prevent legitimate users from accessing the services from the internet.


1.18 How is the authentication process controlled and protected? The MetricStream platform provides multi-layered authentication capabilities such as electronic signatures, passwords, system access through defined IP network ranges, automatic logging off after a period of inactivity, and disabling of user accounts after repeated failed login attempts.

All MetricStream applications have configurable rules for passwords, password complexity and expiry, as well as authentication and signoffs at major transactional steps of business process workflows. Passwords are never stored and/or transmitted in clear text. The minimal security is to store or transmit passwords in a one-way hashed format.

The platform also supports stronger encryption algorithms like AES/DES. Bit strength is configurable based on requirement.

When integrated with an LDAP server, the MetricStream platform authenticates user identity against the LDAP server, and does not keep a copy of user passwords in its repository. All user profile information is maintained only on the LDAP server. That way, users do not need to remember multiple passwords and e-signatures. They can also import authorization information from the LDAP server, if required.

The platform also supports integration with Single Sign-On (SSO) infrastructure. Thus, users can use a single password to log in to MetricStream applications as well as other corporate accounts.

1.19 What audit trails and logs are created? MetricStream’s platform records all data modifications within the system, including user and system data. Any data field change results in an auditable record of user, timestamp, the old value and the new value. Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this feature is a part of the MetricStream platform, the system ensures integrity: all data changes at the application level are recorded and available for audit purposes. Reports can then be generated to display this audit history data in the appropriate views.
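The field-level audit trail described in 1.16 and 1.19 (who, when, old value, new value, with data never deleted) can be enforced in the database itself with triggers. The following is an added example, not MetricStream's code; it uses SQLite so it runs anywhere, and every table, column and function name in it is an assumption.

```python
import sqlite3

# Constructed schema for illustration; all names are assumptions.
AUDITED_FIELDS = ("title", "status", "is_deleted")

SCHEMA = """
CREATE TABLE record (
    id            INTEGER PRIMARY KEY,
    title         TEXT NOT NULL,
    status        TEXT NOT NULL,
    is_deleted    INTEGER NOT NULL DEFAULT 0,  -- soft-delete flag
    updated_by    TEXT NOT NULL,               -- who made the latest change
    change_reason TEXT                         -- why it was made
);
CREATE TABLE audit_trail (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    record_id  INTEGER NOT NULL,
    field      TEXT NOT NULL,
    old_value  TEXT,
    new_value  TEXT,
    changed_by TEXT NOT NULL,
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    reason     TEXT
);
CREATE TRIGGER record_created AFTER INSERT ON record
BEGIN
    INSERT INTO audit_trail (record_id, field, old_value, new_value, changed_by, reason)
    VALUES (NEW.id, '(created)', NULL, NEW.title, NEW.updated_by, NEW.change_reason);
END;
CREATE TRIGGER record_no_hard_delete BEFORE DELETE ON record
BEGIN
    SELECT RAISE(ABORT, 'hard delete blocked: set is_deleted = 1 instead');
END;
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
BEGIN
    SELECT RAISE(ABORT, 'audit_trail is append-only');
END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
BEGIN
    SELECT RAISE(ABORT, 'audit_trail is append-only');
END;
"""

# One trigger per audited column; it fires only when the value really changes.
FIELD_TRIGGER = """
CREATE TRIGGER audit_{f} AFTER UPDATE OF {f} ON record
WHEN OLD.{f} IS NOT NEW.{f}
BEGIN
    INSERT INTO audit_trail (record_id, field, old_value, new_value, changed_by, reason)
    VALUES (NEW.id, '{f}', CAST(OLD.{f} AS TEXT), CAST(NEW.{f} AS TEXT),
            NEW.updated_by, NEW.change_reason);
END;
"""


def open_db(path=":memory:"):
    """Create the tables and install the audit and anti-tamper triggers."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    for f in AUDITED_FIELDS:  # constant names, never user input
        conn.executescript(FIELD_TRIGGER.format(f=f))
    return conn


def create_record(conn, title, status, actor, reason=None):
    with conn:  # commits on success, rolls back on error
        cur = conn.execute(
            "INSERT INTO record (title, status, updated_by, change_reason) "
            "VALUES (?, ?, ?, ?)", (title, status, actor, reason))
    return cur.lastrowid


def update_field(conn, record_id, field, value, actor, reason):
    # The column name is interpolated into SQL, so it must be allow-listed.
    if field not in AUDITED_FIELDS:
        raise ValueError(f"not an auditable field: {field}")
    with conn:
        conn.execute(
            f"UPDATE record SET {field} = ?, updated_by = ?, change_reason = ? "
            "WHERE id = ?", (value, actor, reason, record_id))


def soft_delete(conn, record_id, actor, reason):
    """Deletion is a flag change, so it lands in the audit trail like any edit."""
    update_field(conn, record_id, "is_deleted", 1, actor, reason)


def history(conn, record_id):
    """Return (field, old, new, who, when, why) rows in the order they happened."""
    return conn.execute(
        "SELECT field, old_value, new_value, changed_by, changed_at, reason "
        "FROM audit_trail WHERE record_id = ? ORDER BY audit_id",
        (record_id,)).fetchall()
```

Triggers bind only sessions that cannot alter the schema, so the account the application connects with should hold no DDL rights on these tables.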

1.20 Can a customer start with the SaaS solution and migrate to on-premise at a later date? The MetricStream Cloud is the industry’s most robust offering. The solution enables companies to get their operations up and running quickly, without requiring extensive internal IT resources. With MetricStream, the transition from on-demand to in-house deployment and vice versa is uniquely seamless, virtually eliminating risk in the solution acquisition process. The entire migration can be completed over a weekend when planned with appropriate systems & software over the two end points.


2.0 Service Level Agreement

2.1 Does MetricStream monitor the entire solution 24x7x365? MetricStream works closely with its data center partners to provide 24x7x365 support and monitoring services. Typically, automated monitoring tools poll the system on a periodic basis (usually every 5 minutes) and test such connections as the web server, the J2EE server, the Oracle database, and various parts of the application layer as well.

HTTP requests are sent to various parts of the application and the response is monitored. If one of these connections fails, an automated alert message is sent over email and/or pager to the data center’s help desk and/or the MetricStream help desk.

2.2 Describe the service level agreement around response time and problem resolution time. MetricStream provides a Service Level Agreement (SLA) around uptime, problem resolution time and can include response time of the system (although there will be some dependencies on the customer’s network that has to be factored into the contract).

2.3 Does MetricStream provide complete and regular reports on the interaction with the customer, including types of calls, status of issues, and resolution times? MetricStream offers a web-based customer support portal that is powered by MetricStream GRC Platform, where customers can log issues, view the status of their open issues, and the current resolution status to those issues. All issues, whether reported via phone, email or the customer support portal, are logged to the same TAR (Technical Action Request) system and are viewable online via customer-specific reports and dashboards.

We can also provide these reports manually via preset customer meetings, as well as have these reports automatically emailed to selected users if desired.

2.4 What is the average response and resolution time for problems encountered with the infrastructure; network, operating systems, or data center? The MetricStream Cloud SLA includes a response time of less than two (2) hours for critical and severe errors. For critical errors, MetricStream will use commercially reasonable efforts, on a twenty-four (24) hour, seven (7) days per week basis, to provide a workaround or error correction for such critical error. For other types of issues, we generally resolve within four (4) hours.

2.5 Describe how technical issues are resolved. We propose three levels of support. Level 1 is typically provided by the customer. MetricStream’s technical staff on its help desk area provides Level 2 support. If the help desk is unable to resolve an issue quickly, it is escalated to Level 3 (the development staff and/or the original professional services staff that worked on the solution), based on the type of issue. If further escalation is required, our CTO is the next path of escalation.

If a data center issue is determined to be the cause of the problem, they will contact the data center’s help desk, which is 24x7 as well and has a similar escalation process.

2.6 Describe MetricStream’s escalation procedure. Are there tiered response layers? What happens at each stage? MetricStream has a defined escalation procedure. In addition to escalating based on the type of issue, the help desk will escalate issues based on if a problem remains unresolved for a specific duration.

This duration is different based on the severity of the issues, which are classified as critical, severe, moderate and minor.

For additional information on our support policies and procedures, please contact us for our support policies and procedures manual.

2.7 Does the MetricStream SLA include provisions for a disaster recovery plan? MetricStream has included provisions in our SLA for a disaster recovery plan and timeframe.

The specifics around the disaster recovery plan are created as part of the SLA contract and are dependent on customer requirements such as standard backups and recovery, hot backup systems, redundant systems, etc.


2.8 Does MetricStream have documented change management procedures in place? MetricStream’s Quality process includes a change management procedure that minimizes the impact to a customer system while it ensures that a customer is aware of any changes being made to the system.

As part of the change management procedure, MetricStream can optionally offer and implement a ‘staging’ system that emulates the production system. This allows MetricStream’s support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment.

As part of the SLA contract, scheduled maintenance windows are also defined. MetricStream works with its customers to define the maintenance window to match individual customers’ system downtime window for the other systems they use.

2.9 How often are MetricStream customers scheduled down for routine maintenance? For how long? Typically, maintenance of the system such as patches/upgrades and backups are performed in less than a couple of hours.

2.10 How often are customers down for unscheduled maintenance? For what period of time? MetricStream strives to minimize downtime as much as possible. Patches can often be applied in a hot-fix mode supported by our architecture. If the system has been down outside the scheduled maintenance window, the system is usually restored within 5 minutes on average after the call is reported to MetricStream’s help desk. Our standard SLA provides for credit if the downtime exceeds 4 hours in a month.

Note: MetricStream has never encountered a downtime of this duration.

2.11 How does the customer retain access to its data and systems should MetricStream cease to operate? To provide assurance to customers that they will still be able to use their system and access their data should MetricStream cease to operate, contracts can be created between all parties involved specifically stating that the customer owns the data. If desired, backups of the data and system files can also be provided to the customer on a periodic basis. In addition, the source code for our software can be provided in an escrow account at the customer’s costs so that our customers would have access to the complete system and software should MetricStream cease to operate.

2.12 What are the procedures for creating user accounts? The MetricStream Solution includes an administrative interface that will provide the customer and any other party it may designate, the capability to add and delete user accounts and associated passwords, as well as define roles, permissions and access rules for each such user account. Such roles, permissions, and access rules may be assigned to individual user accounts or to a customer-defined group of user accounts. The customer can issue and administer Authorized User access and passwords, including additions, deletions and changes in access levels of Authorized Users.


2.13 How are upgrades, patches, releases handled? What is the frequency? Typically, a release is targeted for every six months, with a major release targeted every 18 months. Service Patches may be released on an as-needed basis depending on the severity of any reported issues.

• Major release (X.0)

» Significant new functionality, data model changes, app impact
» Potential upgrade impact
» One major release every year

• Stabilization Minor Release (X.1)

» Few significant new features based on X.0 customers needs
» Minor upgrade impact
» Six months after major release

• Intermediate Minor Release (X.5)

» Some new features for analyst visibility, customer needs & differentiators
» Minor upgrade impact
» Six months after 1 minor release

Upgrades are provided at no additional cost beyond the annual support charge, although professional services may be required to implement the upgrade in the customer environment.

Changes in a new release are made at the Platform level, and configuration changes made by the customer to their application are usually preserved across releases and/or migration scripts are provided. While the upgrade time may vary based on the particular release and the particular solution implementation, MetricStream typically estimates 1-2 weeks to perform the major upgrades, with the majority of the time spent testing the application to ensure that nothing broke during the upgrade process.

All releases and patches come with comprehensive documentation describing the change(s), its impact, the steps to apply it, and detailed test cases for the issues addressed in the release or patch.

The MetricStream Platform consists of several JAR files as well as platform metadata. The MetricStream application consists of resource files (templates, properties files etc.) and application metadata. Upgrading the MetricStream Platform does not affect the application resource files and application metadata, thus preserving all customizations. Upgrades of the application are performed by using the IUP (Install Upgrade Patch) tool that migrates resource files as well as application metadata.

The steps involved in upgrading and promoting the application into production include:

• Installation and/or upgrade of the new MetricStream Platform in the test instance

• Installation and/or upgrade of the application module in the test instance

• Installation of any patches specifically required

• Perform User Acceptance Testing and Validation (if required) of the application module on the test instance

• Transition from the test/staging instance to the production instance using the IUP

2.14 How does the customer participate in the upgrade/enhancement process? As part of any upgrade/enhancement process, the customer usually participates at a minimum by performing the User Acceptance Testing (UAT). This is usually conducted on a separate ‘staging’ system that emulates the production system and allows our support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment. Upgrades and enhancements are applied to the production environment only after the UAT has been completed and approved by the customer.

When an upgrade/enhancement is targeted, the customer is involved in the installation planning, what will be accomplished, the potential impact to any areas of the software, and what will be required from the customer.


3.0 High Availability & Scalability

3.1 Does MetricStream provide high-availability systems? MetricStream’s solution is a web-based, J2EE n-tier application, using a database, application and web server architecture. Our solutions can run on any hardware and operating systems.

High-availability deployment architecture is supported by MetricStream and can be used to provide fail-over capabilities.

• At the presentation and application server layers, MetricStream can be configured in a redundant manner with a hot standby that automatically wakes up and starts accepting requests if the primary servers go down

• At the database layer, MetricStream recommends that it be configured using approaches outlined by Oracle for high availability

3.2 Does the application support load balancing? Load balancing mechanisms (static and dynamic, hardware and software) are supported by MetricStream. The solution provides both horizontal scalability and vertical scalability to meet growth in number of concurrent users and queries as well as to support growth in volume of data, record and document processing. The exact configuration and setup is jointly determined by customers’ IT department and MetricStream Solution Architects.

The MetricStream solution can be configured to run in a clustered load-balanced configuration for scalability and high-availability.

• Multiple application instances can be run on a single server to provide both application isolation and redundancy.

• Multiple web servers can also be configured with a load balancer.

A typical load-balanced architecture is illustrated in the figure:

[Figure: Load Balanced / High Availability Architecture]


3.3 Describe how website availability is monitored. Website availability is monitored as follows:

• Hosting provider pings for hardware availability

• MetricStream uses third party Alertbot to monitor application availability

The report from Alertbot provides the uptime, response time, and cause of any failure. MetricStream can also set up a manual process to email a periodic report to the Customer.

3.4 Describe any contingency plans should the primary host become unavailable. All data on the MetricStream Cloud is backed up daily and weekly. All backups are encrypted on a per customer basis. Additionally, MetricStream also maintains a DR site.

If primary servers become unavailable due to a hardware fault, MetricStream has SLAs in place to ensure components are replaced within 4 hours and then the application can be subsequently restored. The hard drives are RAID5 or better and such drive failures do not cause application outage.

When a complete new server needs to be recreated (application or database), the downtime can be up to two business days. In such cases the RPO is < 24 hours.

If the data center is struck by natural disaster, then MetricStream will restore the application from its DR backup. MetricStream’s DR SLA is as follows:

• Recovery Time Objective (RTO): < 1 day

• Recovery Point Objective (RPO): < 6 hours

The MetricStream Cloud can support mission-critical applications with RTO and RPO of 0 hours, if required.


4.0 Backup & Disaster Recovery

4.1 Is all the data and document stored at the hosting facility or through a third party storage area network? Under our default hosting SLA, the data and documents are stored at the hosting facility on the primary database and application servers, as well as the backup file servers (duplicate copies). In addition, tapes may be periodically made of the backup file servers and stored offsite.

4.2 Is MetricStream capable of archiving historical data that is no longer necessary for day-to-day operations? MetricStream Cloud has comprehensive data archive and restore capabilities.

The MetricStream Cloud supports usage of database functions for archiving and retention of all records and data. It supports auto-archiving and manual archiving options. Using a Rules Engine, users can set up rules / conditions to specify when, whose, which, what type of artifacts / data (full system, partial system, specified system data or file areas) should be archived. IT administrators can specify what type of compressed file formats should be used and the storage location as well.

Archiving and purging can be scheduled at desired frequency and time intervals.

In addition, customers can archive data such as attachments, but will leave a subset of the data on the system permanently so that they can be used for analysis purposes.

Typically, MetricStream’s customers store between 5-7 years worth of data on the server at a minimum before archiving the data and they have not reported any performance degradation so far. Reports can also be set up to analyze the archived data in a separate repository if that is desired.

4.3 What are MetricStream’s data retention and destruction policies? MetricStream ensures full weekly and daily incremental backups of the database and file systems are backed up to a dedicated backup file server.

Additional backup options include backing up to a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers. Backup data can also be stored to tape on a frequency as often as every day and stored at an offsite storage center such as Iron Mountain. All of these options are additional services that can be offered by MetricStream.

On discontinuing the hosting contract with MetricStream, no data is retained on our infrastructure. We can shred to meet specs ranging from simple one pass to DoD 5220.22-M to Gutmann algorithm with 35 passes.

4.4 Does MetricStream have a Disaster Recovery plan and facility? Our Disaster Recovery plan depends on the customer’s choice of hosting architecture. Broadly, DR sites range from storage on the AWS Cloud for the basic offering, to a dedicated offsite data center for the premium and enterprise offerings.

4.5 Describe MetricStream’s backup and recovery procedures.

This can vary based on specific customer requirements and selected options. By default, full weekly and daily incremental backups of the database and file systems are backed up to a dedicated backup file server. Periodically, a copy of this backup file server is recorded to tape and stored at an off-site location.

If a MetricStream System crashes, the hardware will be typically replaced within two hours. After this, the operating system, databases and applications are reloaded, and the database restored to recover the system. Replacement of the hardware and restoration of the data is expected to consume six hours. If desired, Oracle translation logs can also be enabled as an optional service that would allow up-to-minute recovery of the system in cases of system failures.

Additional backup options include backing up to a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers.

Backup data can also be stored to tape. The frequency of storage to an offsite storage center such as Iron Mountain can be as often as every day.

All of these options are additional services offered by MetricStream.

4.6 Can MetricStream roll back the entire database (or specific data) to a prior save point? MetricStream schedules daily backups. The restore can be whole or partial.


4.7 Does MetricStream have separate backup & disaster recovery locations? How frequently are the recovery procedures tested? MetricStream maintains multiple co-location providers to provide backup hosting and disaster recovery. By default, MetricStream tests the disaster recovery plan once a quarter to ensure that the backup policies and data are being properly backed up.

4.8 Are backup tapes stored offsite in a secure facility? Offsite tape backup is offered optionally. If this option is chosen, the tapes would likely be stored by Iron Mountain, a leading provider of tape storage facilities.

4.9 Are backup tapes encrypted? Backup tapes can be provided and encrypted at additional cost.

4.10 Is the fail-over active/passive or active/active? This depends on the type of cloud architecture implemented. For the Enterprise OnDemand Offering, fail-over is Active/Passive.

4.11 How is the fail-over implemented? MetricStream implements a manual fail-over to the DR site.


5.0 Data Security

5.1 If Mobile devices are supported, describe the access restrictions. The MetricStream Solution is 100% web-enabled and can be accessed from any internet-enabled web-browser. The system can therefore be accessed from a Mobile device’s browser. No mobile access restrictions apply.

5.2 What types and levels of data encryption are supported? If encryption is used, what type and what key length? The MetricStream platform protects data through advanced encryption functionalities based on encryption algorithms such as AES with 256-bit keys and transport layer protocols including SSL and HTTPS. It also enables companies to build their own specific encryption and decryption plug-ins using industry-standard algorithms such as RSA and PKCS.

Data encryption is enabled for both data at rest (database/files) and data in transit:

Data-at-rest encryption: A key feature in the security foundation within the Platform is the provision to encrypt file attachments uploaded to the MetricStream application. Once this functionality has been enabled, the MetricStream Platform provides transparent attachment file encryption while uploading. Subject to role-based authorization controls, when a user downloads the attachment, the file contents will be decrypted as well. File attachment encryption is a critical piece of Data-At-Rest security requirements, especially important for Internet-facing applications. A complete solution for Data-At-Rest security also entails Oracle database encryption leveraging the Oracle TDE options available with Oracle Enterprise Edition. SSL in combination with file/database encryption ensures that data in motion (network) and at rest (filesystem/database) is encrypted, thereby safeguarding any sensitive information that flows through the MetricStream application and addressing one of the most important security vulnerabilities with any Internet-facing application.

Data-in-transit encryption: For data in motion, the platform leverages SSL or HTTPS technology for encryption. Therefore, any sensitive information flowing through a MetricStream application is safeguarded, even if the application is Web-based. The MetricStream application proxy server can be specially configured to address regional data security requirements in a distributed set-up. It enables file attachments to be flagged as confidential or Client Identifying Data (CID), and stored only in the regional proxy server, not in the distributed or central server. That means that users outside the region will not be able to access the attachments.

5.3 Describe how MetricStream provides Data-encryption-at-rest. In the MetricStream solution, application data is stored in two places. Each has a separate mechanism for Data-encryption-at-rest:

• File attachments uploaded through the application are stored as raw files on the server. These are encrypted using 3DES or a better algorithm when they are stored on the server.

• The Oracle database is enabled with a feature called Transparent Data Encryption (TDE). Using this, all database columns that need encryption are appropriately enabled during the implementation phase. This requires Oracle Enterprise Edition.

5.4 Is authentication information encrypted (e.g. passwords)? For data in motion, the platform leverages SSL or HTTPS technology for encryption.

5.5 Describe the teams and roles that have access (physical/logical) to systems holding customer data. MetricStream will have no access either to server-side components or to the client data of the production environment. However, access to development and testing environments is usually maintained or provided as needed for any support requirements.

It is not possible for Customer application data to be altered / deleted or retrieved by anyone other than authorized users.

5.6 How is data segregation managed? Specifically address segregating third parties from seeing internal Customer data and other third parties’ data. Each customer’s data is on their own server(s). Physical, application, and network security schemes prevent customers from accessing data other than their own.

MetricStream employs a number of documented controls to ensure the security and segregation of customer data. These controls provide defense in depth and include data at rest encryption, method filtering at the application tier, and data access enforcement at the database tier. This ensures segregating third parties from seeing internal Customer data and other third parties’ data.


6.0 Network Security

6.1 What interfaces does customer data have to the outside world (IP addresses, ports, and protocols. For example, HTTPS, XML, upload or download to financial systems)? The MetricStream platform’s data integration services consist of powerful and flexible adapters called “Infolets” that execute periodic (scheduled or on-demand) queries and functions on external systems to extract relevant data.

Infolets enable the platform to seamlessly connect to external applications and communicate through appropriate technologies such as SQL, APIs, executable programs, text files, Web Services and XML.

MetricStream supports integration with external systems in a “configurable” fashion, with no source code changes made to the MetricStream GRC Platform.

All relevant data can be pushed or pulled in real-time or on a scheduled-basis between the MetricStream repository and an external system. Customers can also use Secure FTP for batch uploads.

6.2 Which network access methods are employed? MetricStream provides access to its servers over HTTP or HTTPS (SSL 128-bit protocol), based on customer requirements. Access from the application to the database server may be on a separate network, and access to the file backup servers is usually on a separate network.

6.3 What program(s) need to be installed on a user’s computer in order to use the MetricStream Application? None. MetricStream’s Solution is 100% web-based and can be accessed from any internet-enabled web-browser.

6.4 Can the end customer monitor bandwidth usage to the data center? If a customer opts for a dedicated server / database as part of the installation, then bandwidth usage charts can be provided to the customer through a secure login.

6.5 Are firewalls shared across several customers or does each customer have its own firewall? Each customer is provided with a dedicated software firewall.

6.6 Describe the intrusion detection systems in place. MetricStream maintains Intrusion Detection (IDS) at the firewall and software-based Intrusion Detection on the server. Intrusion detection alerts are typically sent over email. A dedicated IDS is optional.

6.7 Describe the mitigation strategies for “Distributed Denial of Service Attacks (DDoS)”. A firewall is configured to protect against intrusions and security attacks. If necessary, the upstream router from the data center can also be configured to protect against DDoS attacks.

6.8 Describe endpoint protection used. MetricStream implements measures to protect customer data against viruses, worms, trojan horses, and other harmful elements designed to disrupt the orderly operation of, or impair the integrity of, Hosted Data. Our endpoint protection ensures that the security of the MetricStream system, the client data, and other transmissions through the MetricStream system is not compromised for any reason.

6.9 Are all components of the architecture secured? Based on customer specifications, all our architectural components can be secured by one of the following technology options: Basic, LDAP connect, or SAML connect.

6.10 Are all components hardened and locked down? The installation/configuration steps will ensure that the system is hardened and locked down. This is done across the deployment stack: Operating System level (File Permissions, Ports), Java Virtual Machine level (Security Policies) and Application level authentication & authorization controls.


6.11 Describe how the database is secured. The database server is never exposed on the Internet. Port hardening is diligently undertaken. For database access, only Port 1521 is open for internal network access. RDP/SSH controlled access is enabled to the servers from internal networks for ongoing maintenance.

6.12 Are internal application middleware interfaces secured? Internal application middleware interfaces are secured through secure web services and digital signature based integration mechanisms.

6.13 Are network access controls implemented to restrict access from the internet to the application and components to certain ports? MetricStream uses two layers of firewalls:

• Firewall devices deployed on the network perimeter

• Software firewalls that run on each server that hosts components of the solution.

6.14 Does MetricStream have non-Internet facing integrations (e.g. site-to-site VPN)? For non-internet facing integrations, SSO/SAML is the preferred choice. VPN is optional with added cost.

6.15 Does remote access to the MetricStream network require 2 factor authentication? No. There is no direct remote access to the production network.

6.16 Is out-of-band management of servers performed? MetricStream performs out-of-band management by deploying remote access cards.


Contact Us: MetricStream, Inc., 2600 E. Bayshore Road, Palo Alto, CA 94303, USA. | Phone: 650-620-2900 | Email: [email protected]
