REVI-IT A/S · state authorised public accounting firm · Jens Kofods Gade 1 · DK-1268 Copenhagen K · Phone 33118100 · [email protected] · revi-it.dk · CVR-no. 30988531
Independent service auditor's assurance report on the description of controls, their design and operating effectiveness regarding the operation of hosted services for the period 01-12-2015 to 30-11-2016
ISAE 3402-II
any.cloud A/S, CVR-no.: 31161509
December 2016
This report was originally prepared in Danish.
In case of any disputes, the report in Danish is applicable.
any.cloud A/S
REVI-IT A/S
Table of contents
Section 1: any.cloud A/S' statement ..... 1
Section 2: any.cloud A/S' description of controls in relation to the operation of their hosting services ..... 2
Section 3: Independent service auditor's assurance report on the description of controls, their design and functionality ..... 14
Section 4: Control objectives, controls, tests, and related test controls ..... 17
any.cloud A/S
REVI-IT A/S Page 1 of 31
Section 1: any.cloud A/S' statement
This description has been prepared for customers who have made use of any.cloud A/S' hosting services, and for their auditors who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers' financial statements. any.cloud A/S confirms that:
(a) The accompanying description in Section 2 fairly presents any.cloud A/S' hosting services related to customer transactions processed throughout the period 01-12-2015 to 30-11-2016. The criteria for this statement were that the included description:
(i) Presents how the system was designed and implemented, including:
• The type of services provided, when relevant
• The procedures, within both information technology and manual systems, by which transactions are initiated, recorded, processed, corrected as necessary, and transferred to the reports presented to the customers
• Relevant control objectives and controls designed to achieve these objectives
• Controls that we assumed, in the design of the system, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by ourselves alone
• Other aspects of our control environment, risk assessment process, information system and communication, control activities and monitoring controls that were considered relevant to processing and reporting customer transactions.
(ii) Provides relevant details of changes in the service organisation's system throughout the period 01-12-2015 to 30-11-2016
(iii) Does not omit or distort information relevant to the scope of the described system, while acknowledging that the description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important to their particular environment.
(b) The controls related to the control objectives stated in the accompanying description were suitably designed and operated effectively throughout the period 01-12-2015 to 30-11-2016. The criteria used in making this statement were that:
(i) The risks that threatened achievement of the control objectives stated in the description were identified
(ii) The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved
(iii) The controls were consistently applied as designed, including that manual controls were applied by persons who have the appropriate competence and authority, throughout the period 01-12-2015 to 30-11-2016.
Copenhagen, 19 December 2016
Section 2: any.cloud A/S' description of controls in relation to the operation of their hosting services
Introduction
The purpose of this description is to inform any.cloud A/S' customers and their auditors about the requirements listed in the international standard on assurance engagements regarding assurance reports on controls at a service organisation, ISAE 3402.
Moreover, the purpose of this description is to provide information about the controls used for cloud services with us during the above period.
The description includes the control areas and controls with any.cloud, which include the majority of our customers and are based on our standard delivery. Individual customer matters are not included in this description.
any.cloud A/S
any.cloud provides professional ISO-certified hosting and consultancy services to the Danish business community.
any.cloud's most significant activity is supplying services, including:
• PaaS - VPS (Virtual Private Server)
• DRaaS - virtual backup with DRS (Disaster Recovery Solution)
• Network security
• MPLS and fibre infrastructure
• DDoS and hacking security products
• Consultancy, support and operations
We supply the highest quality of infrastructure through the best suppliers such as IBM and VMware and present this to our customers by means of simple and innovative solutions.
We make a great effort to render complicated services simple for our customers. We take over all the machines and systems usually whirring in a server room in order for the customer to focus on their business. We operate IT for companies and their employees and ensure that they can always work: securely, efficiently, and at a very favourable price.
any.cloud has an ISAE 3402 Type II assurance report and works under the ISO 27002 standard. This ensures that we constantly maintain the quality needed to belong to the absolute elite within hosted IT solutions.
any.cloud is hosted at InterXion Denmark in Ballerup and GlobalConnect in Taastrup; both are European suppliers of cloud and operator-neutral data centres with more than 48 data centres in 11 countries. We provide all relevant security measures such as Inergen, cooling, redundant power sources, fibre lines, and fully equipped monitoring systems. Additionally, any.cloud has hosting services in the IBM-owned company Softlayer, which has 31 data centres, whereby any.cloud can supply their solutions worldwide.
any.cloud is, among other things due to our recertifications of the hosting certificate from BFIH, among Denmark's best hosting companies. As a continually certified member and holder of the hosting brand, any.cloud is obliged to deliver its services subject to strict control measures, high security requirements, and transparency regarding the quality and security of IT hosting services.
We are a strong, composed team with departments in Denmark, Poland and the Czech Republic.
any.cloud - RESHAPE THE FUTURE
Organisation and responsibilities
any.cloud has a clear and transparent corporate structure.
any.cloud A/S has 15 employees, covering the departments Administration, Finance, and Operations-Support. An additional 16 persons are employed in the sister company any.mac A/S providing all on-site support and operations for any.cloud's customers.
Thus, any.cloud's employees solely work on the hosting infrastructure.
Support receives all incoming inquiries and either solves the customer's issues or forwards the task to Operations for processing.
Operations thus functions both as second-line support for the hotline and additionally handles the practical implementation of new customers, monitors existing operations solutions and any other tasks in connection with the day-to-day management of our hosting environment.
Risk assessment and management
Risk assessment
IT risk analysis
We have procedures in place for on-going risk assessment of our business, especially our cloud services. This enables us to ensure that the risks associated with the services we provide are minimised to an acceptable level.
Risk assessment is performed periodically and when we introduce changes or implement new systems which we deem relevant in relation to re-performing our general risk assessment.
The company's CTO is responsible for the risk assessments, and they must subsequently be embedded in and approved by management.
Management of security risks
Procedure for risk management
We have introduced a scoring system with regard to the risks related to the provision of cloud services. We use the calculation formula risk * effect, with each factor scored from 1 to 10. The acceptable level is up to 30 points. It is continuously assessed whether we can reduce risks and take measures to improve our score.
Security policies
IT security policies
Policies for information security
We have defined our quality control system based on our overall objective to deliver stable and secure hosting to our customers. In order to do that, we have introduced policies and procedures ensuring that our deliveries are uniform and transparent.
Our IT security policy is prepared with reference to the above and applies to all employees and all our deliveries.
Our methods for implementation of controls are defined according to ISO 27002 (framework for management of information security) and are overall divided into the following control areas:
• Organisation and responsibilities
• Human resource security
• Logical access control
• Risk assessment and management
• Physical and environmental security
• Use of IT equipment
• Procedures for operations
• The network
• Support
• Protection against malware
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management.
We continuously improve our policies, procedures and operations.
We are a member of BFIH (Brancheforeningen for IT-Hostingvirksomheder i Danmark - Trade association for IT hosting companies in Denmark) and in connection with our membership we are subject to an annual audit to verify that we comply with the set of rules established by BFIH, focusing on how we provide our services, perform restore, manage security back-up, etc.
Assessment of the IT security policies
We continuously update our IT security policies, as a minimum once a year.
Organisation of information security
Internal organisation
Delegation of responsibilities for information security
We have a clearly divided organisation in regard to responsibilities, and we have thorough descriptions of responsibilities and roles at all levels, from management to each operations employee.
We have established confidentiality in general for all parties involved in our business. This is done via employment contracts.
Segregation of duties
Through continuous documentation and processes we ensure that we are able to eliminate or minimise key staff dependency. Tasks are allocated and established via procedures for management of operations.
Contact with specific interest groups
We have established contact to a hotline at DK-CERT with whom we have entered a mutual agreement on notification in case of material security related matters regarding Internet traffic.
Information security in project management
If we find that a project fails to comply with our information security procedures, the project will be adapted in a way that it subsequently matches our standard within information security. If we find that the project is not feasible or amendable without being in conflict with our security policies, then the project will be abandoned.
Mobile devices and teleworking
Mobile devices and communication
We allow our employees to work from home due to, amongst others, operations duties, and our policy is that devices (portable, etc.) may only be used for work-related purposes and must not be left unattended, etc. Portable devices are protected with logon and encryption.
We have enabled that we and our customers can use mobile devices (smartphones, tablets, etc.) for synchronising mails and calendars. We have not implemented security measures other than password protection to secure such devices and user access.
Our customers have the same options and it is up to them to implement security policies for their users.
Remote work
Access to our network, and thereby potentially systems and data, is only possible for authorised individuals. Our employees have access via remote workplaces using Remote Desktop and IP restriction.
Human resource security
Prior to employment
Screening
We have procedures in place governing recruitment of employees and collaboration with externals, ensuring that we recruit the right candidate based on background and skills. We have descriptions of roles and responsibilities for employees and groups of employees in order to ensure that all employees are aware of their responsibilities. When joining the company, all employees are reviewed and a registration form is followed.
Terms and conditions of employment
General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee's employment contract where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are laid down.
During employment
Management responsibilities
In connection with employment, the new employee signs a contract. The contract states that the employee must observe the current policies and procedures. Moreover, it clearly defines, as part of the contract material, the employee's responsibilities and role.
Information security awareness, education and training
Our assets are to a large extent our employees and we follow a structured set of methods in relation to our employees' qualifications, education and certifications. Courses, seminars and other relevant activities are organised on a current basis, as a minimum once a year, to ensure that relevant employees and any external collaborating partners are kept up to date with security and are made aware of new threats, if any. Employees, and external partners where relevant to include them in our security guidelines, are periodically informed about our security guidelines and when amendments are made to them.
Disciplinary process
General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee's employment contract where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are listed.
Termination or change of employment responsibilities
In the event of termination of employment, we have implemented a thorough procedure which must be observed to ensure that the employees return all relevant assets, including portable media, etc., and to ensure that all employees' access to buildings, systems and data is revoked. The overall responsibility for all controls related to the termination process lies with the company's CTO.
Asset management
Responsibility for assets
Inventory of assets
Software, servers and network devices, including configuration, are registered for use for documentation, overview of devices, etc. We have a complex network including many systems and customers, and to protect against unauthorised access and to ensure a transparent structure, we have prepared documentation describing the internal network with units, names of units, logical composition of networks, etc.
The documents, network topologies and similar are continuously updated in the event of changes and are reviewed at least once a year by our network specialists.
Ownership of assets
By means of division of responsibilities, central network units, servers, peripherals, systems and data are dedicated to system administrators in our company. Customer data and systems are dedicated to the customer's contact person.
Acceptable use of assets
This is described in the staff manual.
Return of assets
In the event of termination of employment, we have a comprehensive procedure in place which must be observed to ensure that the employees return all relevant assets, including portable media, etc., and to ensure that all employees' access to buildings, systems and data is revoked. The overall responsibility for all controls related to the termination process lies with the company's CTO.
Media handling
Management of removable media
We ensure to the widest extent possible that our staff's portable media, e.g. laptops, mobile phones and similar, are securely configured to the same extent as the rest of our environment; and we also ensure that the data-carrying media are updated when we introduce new security measures.
Access control
Business requirements of access control
Access control policy
We have a policy regarding allocation of access. This policy is an integral part of our IT security policies.
User access management
User account creation and termination procedures
Our customers' users are only created upon request from our customers. Our customers are thereby responsible for the creation and termination of user accounts.
All users must be personally identifiable, i.e. have a clear identification with a personal name. In case of service users, i.e. accounts only used for system purposes, the option regarding actual logon will be disabled.
Allocation of rights
Allocation of privileges is controlled in connection with our normal user management process.
Management of secret authentication information of users
All personal logons are only known to the individual employee and are subject to password policies in order to ensure complexity.
Review of user access rights
For our own users, the company's CTO will periodically, once a year as a minimum, review the company's in-house systems for creation of users and their access level to prevent unauthorised access.
User responsibilities
Use of secret authentication information
According to our IT security policies our employees' passwords are personal and only the user must know the password. Every year the employees sign a document stating that they have read and understood the latest version of our IT security policy. As we have users, such as service accounts and similar, that cannot be used for logon and for system-related reasons do not change passwords, we have a system for storage of such passwords. Only authorised staff has access to the system.
System and application access control
Information access restriction
Our employees are set up with differentiated access privileges and therefore only have access to the systems and data that are relevant for their work effort.
Password management system
All employees across both customer systems and proprietary systems have restrictions as regards passwords. All users have a password and systemically it is set up so that there are restrictions in relation to the design of the password. Passwords must be changed regularly and they must be complex.
Our IT security policy describes rules for complexity; our employees' passwords are personal, and only the user must know the password.
Physical and environmental security
Equipment maintenance
The data centre's cooling and fire prevention systems are checked regularly and the back-up power system (UPS) is checked every six months. Systems are installed in the data centre monitoring temperatures and voltages in the server room.
Security of equipment and assets off-premises
We conduct back-up procedures during the night to protect our customers' data and systems if our hosting systems for some reason become unavailable.
We have entered into an agreement with the concerned supplier on housing of our proprietary servers, and similar measures are implemented to prevent theft, fire, water and temperature deviations.
We annually receive an auditor's opinion covering the physical security at our subcontractor.
The most recent auditor's opinions cover the periods 1/1 2015 through 31/12 2015, and 15/6 2015 through 14/6 2016. The opinions are issued without qualifications.
Secure disposal or re-use of equipment
All data-carrying devices are destroyed before disposal to ensure that no data is accessible.
Unattended user equipment
All internal user accounts are centrally managed to enter screen lock mode after a maximum of 2 minutes of inactivity. Thereby we ensure that unauthorised staff cannot access confidential data.
Operations security
Operational procedures and responsibilities
Documented operational procedures
Although our organisation does not necessarily allow overlap within all projects and systems, we ensure via documentation and descriptions, and via competent and diligent employees, that existing or new employees can commence working on a system for which the said person does not have operational or previous experience. We operate with dual roles on all systems in order to ensure that the key responsible employee is responsible for communicating practical issues to their colleagues. The system documentation is updated continuously.
Change management
We have defined a process for change management in order to ensure that changes are made as agreed with customers and are properly planned according to the in-house conditions. Changes are only made on the basis of a qualification of the project, the complexity and assessment of effects on other systems. Moreover, a process is followed regarding development and testing.
Regardless of the change in question, we always ensure as a minimum that:
• All changes are discussed, prioritised and approved by management
• All changes are tested
• All changes are approved before deployment
• All changes are deployed at a specific time as agreed with the company and the customers
• Fall-back planning is performed, ensuring that the changes can be rolled back or cancelled in case they fail to be operational
• The system documentation is updated according to the new change in case it is found necessary.
Our environment is logically segregated and divided into testing and production, whereby we ensure that a product is tested before it is brought into production. By means of access controls we ensure that only authorised personnel will have access hereto.
Capacity management
Via our general monitoring system, we have set limits for when our overall systems, and thereby our customers' systems, must be upscaled with regard to electronic space, response time, etc. When we set up new systems, functionality testing needs to be performed, including capacity and performance testing. A regular procedure is prepared for reporting capacity issues.
Protection from malware
Controls against malware
We have implemented scanning and monitoring systems to protect against known harmful code, i.e. what we and our customers, via our platforms, may risk being infected with on the Internet via mails etc. We have antivirus systems, systems for monitoring Internet usage, traffic and resources on SaaS platforms, and security by means of other technical and central installations (firewall etc.) in place.
Backup
Information backup
We ensure that we can restore systems and data appropriately and correctly in compliance with the agreements we have with our customers.
We have a test for how systems and data can be restored in practice. We keep a log of these tests, enabling us to follow up on whether we can change our procedures and processes to improve our solution.
Unless otherwise agreed with our customers, we perform backup of their entire virtual environment with us. We perform backups of our proprietary systems and data like the ones we perform of customers' systems and data.
We have defined guidelines as to how we perform backups. Every night a complete copy of our central system is carried forward to our backup systems. Thereby the data is physically separated from our operational systems, and after completion an automatic verification is performed to see if the amount and content of data between our operational system and backup system match.
A responsible employee will then ensure that the backup is completed and will take the necessary action if the job has failed, and afterwards enter it in the log.
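The automatic verification step described above (comparing the amount and content of data between the operational system and the backup system, with a responsible employee following up on the log) can be implemented along the lines of this added example. It is not part of the original report or any.cloud's own tooling; the directory layout, sample files and log line format are constructed assumptions. It compares file count and total bytes (the "amount") and a per-file SHA-256 digest (the "content"), so a copy that has the right size but wrong bytes is still flagged and named in the log.

```python
"""Nightly backup verification: compare the amount (file count, total bytes)
and the content (per-file SHA-256) of a source tree against its backup copy,
then append the outcome to a log so the responsible employee can follow up.

Added example; not any.cloud's own tooling. Paths, sample files and the log
format are assumptions made for illustration.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple


def tree_digest(root: Path) -> Dict[str, Tuple[int, str]]:
    """Map each file's path (relative to root) to (size in bytes, sha256 hex)."""
    digest: Dict[str, Tuple[int, str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digest[path.relative_to(root).as_posix()] = (path.stat().st_size, h.hexdigest())
    return digest


def verify_backup(source: Path, backup: Path) -> dict:
    """Return a report: ok flag, counts and bytes on both sides, and discrepancies.

    Amount check: file count and total bytes must match.
    Content check: every source file must exist in the backup with the same hash.
    """
    src, dst = tree_digest(source), tree_digest(backup)
    missing = sorted(set(src) - set(dst))          # in production, absent from backup
    extra = sorted(set(dst) - set(src))            # in backup, unknown to production
    corrupted = sorted(p for p in src.keys() & dst.keys() if src[p][1] != dst[p][1])
    report = {
        "source_files": len(src),
        "backup_files": len(dst),
        "source_bytes": sum(size for size, _ in src.values()),
        "backup_bytes": sum(size for size, _ in dst.values()),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }
    report["ok"] = (not (missing or extra or corrupted)
                    and report["source_bytes"] == report["backup_bytes"])
    return report


def log_result(report: dict, log_file: Path, job: str = "nightly-full") -> str:
    """Append one line per verification run; failures list the offending files."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    status = "OK" if report["ok"] else "FAILED"
    detail = ""
    if not report["ok"]:
        detail = " missing=%s extra=%s corrupted=%s" % (
            report["missing"], report["extra"], report["corrupted"])
    line = (f"{stamp} job={job} status={status} "
            f"files={report['source_files']}/{report['backup_files']} "
            f"bytes={report['source_bytes']}/{report['backup_bytes']}{detail}")
    with log_file.open("a") as fh:
        fh.write(line + "\n")
    return line


def demo() -> Tuple[bool, bool, List[str]]:
    """Constructed scenario: a faithful copy passes, a silently corrupted copy fails."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, backup, log = base / "prod", base / "backup", base / "backup.log"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.dat").write_bytes(b"A" * 4096)   # constructed data
        (source / "config.ini").write_text("[vm]\nname=vps-01\n")   # constructed data
        shutil.copytree(source, backup)
        good = verify_backup(source, backup)
        log_result(good, log)
        # Same size, different content: the byte count alone would not catch this.
        (backup / "db" / "customers.dat").write_bytes(b"A" * 4095 + b"B")
        bad = verify_backup(source, backup)
        log_result(bad, log)
        return good["ok"], bad["ok"], bad["corrupted"]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that size and count alone satisfy the "amount" part of the check but not the "content" part; hashing every file is what turns a silent corruption or a truncated restore into a named entry in the log that the responsible employee can act on.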
Logging and monitoring
Event logging
We have set up monitoring and logging of network traffic and Operations follows this. We do not perform proactive monitoring of logged incidents, but we follow up if we suspect that an incident can be related to issues addressed in the log. For management of monitoring and follow-up on incidents we have implemented formal incident and problem management procedures to safeguard that incidents are registered, prioritised, managed, escalated and that necessary actions are taken. The process is documented in our hotline system.
Protection of log information
Logs are uploaded to our log server.
Administrator and operator log
Administrator logs are performed simultaneously with the normal log.
Clock synchronisation
We use NTP servers from the Internet, against which all servers are synchronised.
Installation of software on operational systems
We ensure that only approved and tested updates are installed. In accordance with our membership of BFIH we ensure that critical patches that have an effect on security are installed no later than 2 months after they are released. In the event of major changes, this will be discussed at internal meetings in Operations.
Moreover, our staff is aware of the policy regarding software downloads.
Management of technical vulnerabilities
Security announcements from DK-CERT are monitored and analysed and, if they are found relevant, they are installed on our internal systems within 1 month from release. Additionally, we continuously perform a risk assessment of our in-house solutions.
Communications security
Network controls
The IT security procedures regarding the external framework for systems and data cover the network against the Internet, remote access or similar. Protection of data and systems within the network and external protection against unauthorised access is of the highest priority to us.
Security of network services
Our customers have access to our systems either via the public networks, where access is allowed via encrypted VPN access, IP whitelisting or MPLS/VPLS. Access and communication between our servers and our co-location takes place within a closed network.
Only approved network traffic (inbound) is allowed through our firewall.
We are responsible for operations and security with us, i.e. from our systems onwards and out to the Internet (or MPLS/VPLS). Our customers are responsible for being able to access the Internet.
Segregation in networks
Our network is divided into various segments whereby we ensure that our internal network is segregated from the customers' networks. Moreover, the services with sensitive data are placed in special, secured environments.
Information transfer policies and procedures
External data communication only takes place via mails, as our customers' access to and use of our servers are not considered external data communication.
Initial passwords to customer systems are sent via mail, but they must be changed at first logon. Forgotten passwords, personal details, orders, etc. are never handled via phone, but only in writing and not until our staff has verified that it is a real and authorised person that we are communicating with.
Confidentiality or non-disclosure agreements
We have established confidentiality in general for all parties involved in our business. This is done by means of employment contracts or service agreements with subcontractors and business partners.
System acquisition, development and maintenance
Security requirements of information systems
Information security requirements analysis and specification
If a new system is introduced, analyses and research will be carried out in order to ensure that it complies with best practice for hardening.
Change management procedures
We have defined a process for change management in order to ensure that changes are made as agreed with customers and are properly planned according to the in-house conditions. Changes are only made on the basis of a qualification of the project, the complexity and assessment of effects on other systems. Moreover, a process is followed regarding development and testing, as well as acceptance by us and the customer.
Regardless of the change in question, we always ensure as a minimum that:
• All changes are discussed, prioritised and approved by management
• All changes are tested
• All changes are approved before deployment
• All changes are deployed at a specific time as agreed with the business and any customers
• Fall-back planning is performed, ensuring that the changes can be rolled back or cancelled in case they fail to be operational
• The system documentation is updated according to the new change in case it is found necessary.
Our environment is logically segregated and divided into testing and production, whereby we ensure that a product is tested before it is brought into production. By means of access controls we ensure that only authorised personnel has access hereto.
Restriction on changes to software packages
Service packs and system-specific updates that may cause functionality changes are reviewed and installed separately. Security updates are rolled out on all systems insofar as it is possible.
Supplier relationships
Management of third party services
Managing changes to supplier services
When changes occur internally in the organisation, including policies and procedures, and amendments are made to our services or services from our external partners, a risk assessment will always be performed to explore whether the changes will have an impact on our agreement with the customers.
Monitoring of third-party services
Via monitoring set up by a third party we ensure that all services delivered by third parties are in compliance with the requirements and terms we have agreed with third parties. We visit such third parties regularly, whereby we ensure that the agreed terms are continually fulfilled.
Information security incident management
Management of information security breaches and improvements
Responsibilities and procedures
Our employees are under obligation to keep themselves updated by means of providers' support sites, discussion forums etc. for known weaknesses in the systems we use and provide.
There are formally appointed ASPs and the requirements they are subject to are clearly and formally defined. The ASP is responsible for preparing and maintaining procedures that ensure timely and correct intervention in connection with security breaches.
Reporting information security incidents
Our hotline system that we use to handle all issues for customers and internal matters is the same system that we use to handle security incidents. Here we can escalate issues so that some incidents have higher priority than others. Moreover, security incidents identified from own observations, alarms from log and monitoring systems, or telephone calls from customers, subcontractors or partners are escalated from our hotline to Operations, alerting management as well.
We have established contact to a hotline at DK-CERT with whom we have entered into a mutual agreement on notification in case of significant security related matters regarding Internet traffic.
Reporting information security weaknesses
Our employees and external partners are, via the entered contracts and agreements, under an obligation to report any security incident to their immediate superior in order that action can be taken to address the issue as soon as possible and necessary measures can be taken in accordance with the procedures established.
Business continuity management
Information security aspects of business continuity management
Information security continuity
In the event of an emergency, any.cloud has prepared a business continuity plan. The business continuity plan is embedded in the IT risk analysis and is updated at least once a year in continuation of the conduction of the analysis.
The plan and the procedures are embedded in our operations documentation and procedures.
Via our membership of BFIH (Brancheforeningen for IT-hostingvirksomheder i Danmark - Trade association for IT hosting companies in Denmark) we are under an obligation to be able to re-establish any unit in our data centre within three days. We ensure that this is done by considering the risks, classifying the units in our operations, and having procedures in place that ensure that, in relation to our business continuity planning, we can replace our operations platform in order to ensure that the services supplied will be re-established in a timely manner.
Testing, maintenance and reassessment of business continuity plans
The plan is tested once or twice annually as part of our business continuity procedure in order for us to ensure that the customers will only experience limited interruption of services in connection with any emergencies.
Compliance
Review of information security
Independent review of information security
A review is performed by an external IT auditor in connection with the preparation of the annual ISAE 3402 reports.
Compliance with security policies and standards
Our employees read the IT security policies once a year as a minimum and sign that they understand and comply with them. We have on-going controls, conducted by our management team, to ensure that our employees comply with the security measures that are specified in our IT security policies, in relation to the physical as well as the logical conditions.
Technical compliance review
We have established procedures that ensure that all systems are updated, and we have implemented extensive monitoring of all systems, including our customers' services. Moreover, we have, with another ISO certified hosting provider, an external system monitoring the availability of all our services. Furthermore, we have controls ensuring compliance with monitoring and security.
Changes during the period
Throughout the period of 1/12 2015 to 30/11 2016 few significant changes have occurred. We have increased the competency of our technical staff in terms of new appointments, and moreover, we have:
• Improved our system for documenting tasks
• Implemented and documented new products
• Developed and improved internal systems.
Supplementary controls
any.cloud A/S' customers are, unless otherwise agreed, responsible for establishing a connection to any.cloud A/S' servers. Moreover, any.cloud's customers are, unless otherwise agreed, responsible for:
• Ensuring that the agreed backup level covers the customer's needs
• Periodically reviewing the customer's own users
• Compliance with any.cloud A/S' at any time applicable Service Level Agreement, which can be found on any.cloud A/S' website
• Maintaining traceability in third-party software managed by the customer.
Section 3: Independent service auditor's assurance report on the description of controls, their design and functionality
To the management of any.cloud A/S, their customers and their auditors.
Scope
We have been engaged to report on any.cloud A/S' description, presented in Section 2. The description, as confirmed by the management of any.cloud A/S in Section 1, covers any.cloud A/S' operating and hosting services in the period 01-12-2015 to 30-11-2016, as well as the design and operation of the controls related to the control objectives stated in the description.
any.cloud A/S' description (Section 2) contains a number of conditions, which the company must comply with according to the company's membership of BFIH (Brancheforeningen for IT-Hostingvirksomheder i Danmark). Our audit has included these conditions and consists, other than of the physical matters, including server hardware, LAN, WAN, and firewalls, of:
• Whether any.cloud A/S implements critical security updates within 2 months of release
• Whether any.cloud A/S can restore units in data centres within 3 days
• Whether any.cloud A/S complies with BFIH's requirements for a "modicum of good hosting".
any.cloud A/S' responsibility
any.cloud A/S is responsible for preparing the description (Section 2) and the related statement (Section 1) including the completeness, accuracy and method of presentation of the description and statement. Additionally, any.cloud A/S is responsible for providing the services covered by the description, for stating control objectives and for the design, implementation and effectiveness of operating controls for achieving the stated control objectives.
REVI-IT A/S' independence and quality control
We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.
The firm applies International Standard on Quality Control 1 and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.
REVI-IT A/S' responsibility
Based on our procedures, our responsibility is to express an opinion on any.cloud A/S' description (Section 2) as well as on the design and functionality of the controls related to the control objectives stated in this description. We conducted our engagement in accordance with ISAE 3402, "Assurance Reports on Controls at a Service Organisation", issued by IAASB. This standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.
An assurance engagement to report on the description, design and operating effectiveness of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in the service organisation’s description of its system, and the design and operating effectiveness of controls. The procedures selected depend on the service auditor’s judgment, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein and the suitability of the criteria specified by the service organisation, described in Section 2.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Limitations of controls at a service organisation

any.cloud A/S’ description in Section 2 is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the systems that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organisation may become inadequate or fail.

Opinion

Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion were those described in any.cloud A/S’ description in Section 2, and on the basis of this it is our opinion that:
(a) the description of controls, as they were designed and implemented throughout the period 01-12-2015 to 30-11-2016, is fair in all material respects
(b) the controls related to the control objectives stated in the description were suitably designed throughout the period 01-12-2015 to 30-11-2016
(c) the controls for the special requirements, caused by the company’s membership of BFIH cf. the description in Section 2, were suitably designed throughout the period 01-12-2015 to 30-11-2016
(d) the controls tested, which were the controls necessary for providing reasonable assurance that the control objectives in the description were achieved in all material respects, have operated effectively throughout the period 01-12-2015 to 30-11-2016.

Description of tests of controls

The specific controls tested, and the nature, timing and results of these tests, are listed in the subsequent main section (Section 4).
Intended users and purpose

This assurance report is intended only for customers who have used any.cloud A/S’ hosting services and the auditors of these customers, who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves. This information serves to obtain an understanding of the customers’ information systems, which are relevant for the financial statements.

Copenhagen, 19 December 2016

REVI-IT A/S
State authorised public accounting firm

Henrik Paaske, State Authorised Public Accountant
Martin Brogaard Nielsen, IT Auditor, CISA, CRISC, CEO
Section 4: Control objectives, controls, tests, and related test controls

The following overview is provided to facilitate an understanding of the effectiveness of the controls implemented by any.cloud A/S. Our testing of functionality comprised the controls that we considered necessary to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period 01-12-2015 to 30-11-2016.

Thus, we have not necessarily tested all the controls mentioned by any.cloud A/S in their description in Section 2.

Moreover, our statement does not apply to any controls performed at any.cloud A/S’ customers, as the customers’ own auditors should perform this review and assessment.

We performed our tests of controls at any.cloud A/S by taking the following actions:

Method: General description
Enquiry: Interview, i.e. enquiry with selected personnel at the company regarding controls
Observation: Observing how controls are performed
Inspection: Review and evaluation of policies, procedures, and documentation concerning the performance of controls
Re-performing control procedures: We have re-performed – or have observed the re-performance of – controls in order to verify that the control is working as assumed

A description and the results of our tests based on the tested controls appear from the tables on the following pages. To the extent that we have identified significant weaknesses in the control environment or deviations therefrom, we have specified this.
Risk assessment and management

Risk assessment
Control objective: To ensure that the company periodically performs an analysis and assessment of the IT risk profile.

No. 4.1
any.cloud A/S’ control:
Risk assessment is performed periodically and when we introduce changes or implement new systems which we deem relevant in relation to reassessing our general risk assessment.
The company’s CTO is responsible for the risk assessments and they must subsequently be embedded in and approved by management.
It is continuously assessed whether we can reduce risks and take measures to improve our score.
REVI-IT’s test:
We have enquired about the preparation of a risk analysis, and we have inspected the prepared risk analysis.
We have enquired about review of the IT risk analysis during the period, and we have inspected documentation for the risk analysis being reviewed and approved by management during the audit period.
Test results: No significant deviations noted.
Information security policies

Management direction for information security
Control objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

No. 5.1
any.cloud A/S’ control:
We have defined our quality control system based on our overall objective to deliver stable and secure hosting to our customers. In order to do that, we have introduced policies and procedures ensuring that our deliveries are uniform and transparent.
We continuously improve our policies, procedures and operations.
We continuously update our IT security policy, as a minimum once a year.
REVI-IT’s test:
We have enquired about the preparation of an information security policy, and we have inspected the policy.
We have enquired about periodic review of the information security policy, and we have checked that the policy has been reviewed during the audit period. Additionally, we have inspected the control for periodic review of the document.
We have enquired about management approval of the information security policy, and we have inspected documentation for management approval.
Test results: No significant deviations noted.
Organisation of information security

Internal organisation
Control objective: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.

No. 6.1
any.cloud A/S’ control:
We have a clearly divided organisation in regard to responsibilities, and we have thorough descriptions of responsibilities and roles at all levels, from management to each operations employee.
Through continuous documentation and processes we ensure that we are able to eliminate or minimise key staff dependency. Tasks are allocated and established via procedures for management of operations.
We have established contact to a hotline at DK-CERT, with whom we have entered a mutual agreement on notification in case of material security related matters regarding Internet traffic.
REVI-IT’s test:
We have enquired about allocation of responsibility for information security, and we have inspected documentation for the allocation and maintenance of descriptions of responsibilities.
We have enquired about access segregation in relation to function, and we have inspected documentation for differentiated access.
We have enquired about guidelines for contact with authorities.
We have enquired about contact with interest groups, and we have inspected documentation for contact with DK-CERT.
We have enquired about the consideration of information security in project management.
We have in spot checks inspected project processes and verified that information security is considered.
Test results: No significant deviations noted.
Mobile devices and teleworking
Control objective: To ensure the security of teleworking and use of mobile devices.

No. 6.2
any.cloud A/S’ control:
We allow our employees to work from home due to, amongst others, operations duties, and our policy is that devices (portable, etc.) may only be used for work-related purposes and must not be left unattended, etc. Portable devices are protected with logon and encryption.
Our employees have access via remote workplaces using Remote Desktop and IP restriction.
REVI-IT’s test:
We have enquired about mobile device management, and we have inspected the solution.
We have enquired about securing remote workplaces, and we have inspected the solution.
Test results: No significant deviations noted.
Human resource security

Prior to employment
Control objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

No. 7.1
any.cloud A/S’ control:
We have procedures in place governing recruitment of employees, ensuring that we recruit the right candidates based on background and skills.
When joining the company, all employees are reviewed and a registration form is followed.
In connection with employment all new hires sign a contract. The contract details that the employee must comply with the at all times applicable policies and procedures.
REVI-IT’s test:
We have enquired about a procedure for hiring new employees, and we have inspected the procedure.
We have in spot checks inspected documentation showing that the procedure has been followed.
We have enquired about the formalisation of terms of employment, and we have in spot checks inspected the contents of contracts.
Test results: No significant deviations noted.
During employment
Control objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

No. 7.2
any.cloud A/S’ control:
We have a clearly divided organisation in regard to responsibilities, and we have thorough descriptions of responsibilities and roles at all levels, from management to each operations employee.
Our assets are to a large extent our employees, and we follow a structured set of methods in relation to our employees’ qualifications, education and certifications. Courses, seminars and other relevant activities are organised on a current basis, as a minimum once a year, to ensure that relevant employees and any external collaborating partners are kept up to date with security and are made aware of new threats, if any.
General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee’s employment contract, where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are listed.
REVI-IT’s test:
We have enquired about a description of management’s responsibility for communicating information security criteria, and we have inspected the description.
We have enquired about staff training, and we have in spot checks inspected documentation for participation in courses.
We have enquired about guidelines for disciplinary processes, and we have inspected the guidelines.
Test results: No significant deviations noted.
Termination and change of employment
Control objective: To protect the organisation’s interests as part of the process of changing or terminating employment.

No. 7.3
any.cloud A/S’ control:
General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee’s employment contract, where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are laid down.
REVI-IT’s test:
We have enquired about employees’ obligations to maintain information security in connection with termination of employment, and we have inspected documentation for the employees’ obligations.
Test results: No significant deviations noted.
Asset management

Responsibility for assets
Control objective: To identify organisational assets and define appropriate protection responsibilities.

No. 8.1
any.cloud A/S’ control:
Software, servers and network devices, including configuration, are registered for use for documentation, overview of devices, etc.
The documents, network topologies and similar are continuously updated in the event of changes and are reviewed at least once a year by our network specialists.
By means of division of responsibilities and role descriptions, central network units, servers, peripherals, systems and data are dedicated to system administrators in our company.
Customer data and systems are dedicated to the customer’s contact person.
In the event of termination of employment, we have a comprehensive procedure in place which must be observed to ensure that the employees return all relevant assets, including portable media, etc., and to ensure that all employees’ access to buildings, systems and data is revoked.
REVI-IT’s test:
We have enquired about inventories of assets, and we have in spot checks inspected inventories of assets.
We have enquired about controls for ensuring assets are updated, and we have inspected the controls in place.
We have enquired about an inventory of asset ownership, and we have inspected the inventory.
We have enquired about guidelines for the use of assets, and we have inspected the guidelines.
We have enquired about a procedure for ensuring the return of handed-out assets, and we have in spot checks inspected the procedure. Additionally, we have in spot checks inspected documentation for the return of assets.
Test results: No significant deviations noted.
Media handling
Control objective: To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

No. 8.3
any.cloud A/S’ control:
We ensure to the widest extent possible that our staff’s portable media, e.g. laptops, mobile phones and similar, have a security configuration to the same extent as the rest of our environment, and we also ensure that the data carrying media are updated when we introduce new security measures.
REVI-IT’s test:
We have enquired about mobile device management, and we have inspected documentation for the solution.
We have enquired about a process for disposal of media, and we have inspected the process.
We have enquired about transport of physical media.
Test results: No significant deviations noted.
Access control

Business requirements of access control
Control objective: To limit access to information and information processing facilities.

No. 9.1
any.cloud A/S’ control:
We have a policy regarding allocation of access. This policy is an integral part of our IT security policy.
REVI-IT’s test:
We have enquired about a policy for management of access to systems and buildings, and we have inspected the policy.
We have enquired about management of access to network and network services, and we have inspected the solution.
Test results: No significant deviations noted.
User access management
Control objective: To ensure authorised user access and to prevent unauthorised access to systems and services.

No. 9.2
any.cloud A/S’ control:
All users must be personally identifiable, i.e. have a clear identification with a personal name. In case of service users, i.e. accounts only used for system purposes, the option regarding actual logon will be disabled.
Allocation of privileges is controlled in connection with our normal user management process.
All personal logons are only known to the individual employee and are subject to password policies for securing complexity.
For our own users, the company’s CTO will periodically, once a year as a minimum, review the company’s in-house systems for creation of users and their access level to prevent unauthorised access.
REVI-IT’s test:
We have enquired about a procedure for creating and disabling users, and we have inspected the procedures.
We have in spot checks inspected documentation for creation and disabling of users during the period.
We have enquired about a procedure for allocating rights, and we have inspected the procedure.
We have enquired about storage of confidential passwords, and we have inspected documentation for adequate storage.
We have enquired about a process for periodic review of users, and we have inspected documentation for the latest review.
Test results: No significant deviations noted.
User responsibilities
Control objective: To make users accountable for safeguarding their authentication information.

No. 9.3
any.cloud A/S’ control:
Our IT security policy states that our employees’ passwords are personal, and only the user is to know the password. Every year the employees sign a document stating that they have read and understood the latest version of our IT security policy.
REVI-IT’s test:
We have enquired about guidelines for the use of confidential passwords, and we have inspected the guidelines.
We have enquired about annual training of staff in relation to information security, and we have inspected documentation for staff training.
Test results: No significant deviations noted.
System and application access control
Control objective: To prevent unauthorised access to systems and applications.

No. 9.4
any.cloud A/S’ control:
Our employees are set up with differentiated access privileges and therefore only have access to the systems and data that are relevant for their work effort.
All employees across both customer systems and proprietary systems have restrictions as regards passwords. All users have a password, and systemically it is set up so that there are restrictions in relation to the design of the password. Passwords must be changed regularly and they must be complex.
REVI-IT’s test:
We have enquired about restrictions on access to data, and we have inspected documentation for restriction.
We have enquired about a procedure for secure logon, and we have inspected the solution.
We have enquired about a system for password management. We have inspected the solution and selected configurations.
Test results: No significant deviations noted.
Cryptography

Cryptographic controls
Control objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

No. 10.1
any.cloud A/S’ control:
Our customers have access to our systems via the public networks, where access is allowed via encrypted VPN access, IP whitelisting or MPLS/VPLS.
Portable devices are protected with logon and encryption.
REVI-IT’s test:
We have enquired about a policy for the use of encryption, and we have in spot checks inspected documentation for the use of cryptography.
We have enquired about administration of encryption keys, and we have inspected documentation for this management.
Test results: No significant deviations noted.
Physical and environmental security

Secure areas
Control objective: To prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.

No. 11.1
any.cloud A/S’ control:
We have entered into an agreement with the concerned supplier on housing of our proprietary servers, and similar measures are implemented to prevent theft, fire, water and temperature deviations.
We annually receive an auditor’s opinion covering the physical security at our subcontractor.
REVI-IT’s test:
We have enquired about an auditor’s opinion from the subcontractor for the physical environment, and we have inspected the auditor’s opinion for adequate physical security.
We have observed that the auditor’s opinions from the subcontractor respectively cover the periods 1 January 2015 to 31 December 2015 and 16 June 2015 to 15 June 2016.
We have enquired about periodic review of the external location, and we have in spot checks inspected documentation for inspection.
We have enquired about the allocation and revocation of access to operations facilities at the subcontractor, and we have in spot checks inspected documentation for the allocation of access to operations facilities.
We have inspected the physical environment at any.cloud’s offices in order to check the physical security.
We have enquired about the delivery of parcels and goods.
Test results: No significant deviations noted.
Equipment
Control objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

No. 11.2
any.cloud A/S’ control:
We have entered into an agreement with the concerned supplier on housing of our proprietary servers, and similar measures are implemented to prevent theft, fire, water and temperature deviations.
The data centre’s cooling and fire prevention systems are checked regularly, and the backup power system (UPS) is checked every six months. Systems are installed in the data centre monitoring temperatures and voltages in the server room.
We annually receive an auditor’s opinion covering the physical security at our subcontractor.
All data-carrying devices are destroyed before disposal to ensure that no data is accessible.
All internal user accounts are centrally managed to enter screen lock mode after a maximum of 2 minutes of inactivity. Thereby we ensure that unauthorised staff cannot access confidential data.
REVI-IT’s test:
We have enquired about an auditor’s opinion from the subcontractor regarding the physical environment.
We have inspected the auditor’s opinion in order to identify observations in relation to physical security, and in relation to this we have, amongst others, checked that there are supporting supplies, and that these are maintained.
We have observed that the auditor’s opinions from the subcontractor respectively cover the periods 1 January 2015 to 31 December 2015 and 16 June 2015 to 15 June 2016.
We have enquired about periodic review of the external location, and we have in spot checks inspected documentation for inspection.
Additionally, by means of re-performing the control we have inspected the external location.
We have enquired about the securing of cabling, and we have inspected the auditor’s opinion from the supplier.
We have enquired about a policy for the disposal of equipment.
We have enquired about the securing of unattended user equipment, and we have in spot checks inspected that user equipment is locked at inactivity.
Test results: No significant deviations noted.
Operations security

Operational procedures and responsibilities
Control objective: To ensure correct and secure operation of information processing facilities.

No. 12.1
any.cloud A/S’ control:
We ensure via documentation and descriptions that existing or new employees can commence working on a system for which the said person does not have operational or previous experience.
The system documentation is updated continuously.
Changes are only made on the basis of a qualification of the project, the complexity and assessment of effects on other systems. Moreover, a process is followed regarding development and testing.
Via our general monitoring system, we have set limits for when our overall systems, and thereby our customers’ systems, must be upscaled with regard to electronic space, response time, etc.
Our environment is logically segregated and divided into testing and production, whereby we ensure that a product is tested before it is brought into production.
REVI-IT’s test:
We have enquired about procedures in connection with operations, and we have in spot checks inspected the procedures.
We have enquired about controls for updating operations procedures, and we have inspected the control.
We have enquired about a procedure for change management, and we have inspected the procedure. We have in spot checks inspected documentation for change management during the period.
We have enquired about capacity monitoring, and we have in spot checks inspected documentation for capacity monitoring.
We have enquired about the use of a test environment, and we have inspected documentation for the existence of a test environment.
Test results: No significant deviations noted.
Protection from malware
Control objective: To ensure that information and information processing facilities are protected against malware.

No. 12.2
any.cloud A/S’ control:
We have implemented scanning and monitoring systems to protect against known harmful code, i.e. what we and our customers, via our platforms, may risk being infected with on the Internet via mails etc. We have antivirus systems, systems for monitoring Internet usage, traffic and resources on SaaS platforms, and security by means of other technical and central installations (firewall etc.) in place.
REVI-IT’s test:
We have enquired about measures to protect against malware.
We have enquired about the use of antivirus software, and we have inspected documentation for the use.
Test results: No significant deviations noted.
Backup
Control objective: To protect against loss of data.

No. 12.3
any.cloud A/S’ control:
We ensure that we can restore systems and data appropriately and correctly in compliance with the agreements we have with our customers.
We have a test for how systems and data can be restored in practice. We keep a log of these tests, enabling us to follow up on whether we can change our procedures and processes to improve our solution.
Unless otherwise agreed with our customers, we perform backup of their entire virtual environment with us.
We have defined guidelines as to how we perform backups.
REVI-IT’s test:
We have enquired about the configuration of backup, and we have in spot checks inspected documentation for the setup.
We have enquired about the storage of backup, and we have inspected the auditor’s opinion from the subcontractor in order to verify that backup is stored securely. Additionally, we have inspected documentation for backup being stored in a separate location in relation to the production environment.
We have enquired about test of restore from backup files, and we have inspected documentation for the restore test.
Test results: No significant deviations noted.
Logging and monitoring
Control objective: To record events and generate evidence.

No. 12.4
any.cloud A/S’ control:
We have set up monitoring and logging of network traffic, and Operations follows this. We follow up if we suspect that an incident can be related to issues addressed in the log.
Logs are uploaded to our log server.
Administrator logs are performed simultaneously with the normal log.
We use NTP servers from the Internet, which all servers are synchronised up against.
REVI-IT’s test:
We have enquired about the logging of user activity. We have in spot checks inspected the logging configurations.
We have enquired about the securing of log information, and we have inspected the solution.
We have enquired about synchronisation with an adequate clock server, and we have inspected the solution.
Test results: No significant deviations noted.
Control of operational software
Control objective: To ensure the integrity of operational systems.

No. 12.5
any.cloud A/S’ control:
By means of our patch process we ensure that only approved and tested updates are installed. In the event of major changes, this will be discussed at internal meetings in Operations.
Moreover, our staff is aware of the policy regarding software downloads.
REVI-IT’s test:
We have enquired about guidelines for installation of software on operations systems, and we have inspected the guidelines.
We have enquired about timely updates to operations systems, and we have inspected documentation for updates of operations systems, which is in accordance with BFIH’s requirements.
Test results: No significant deviations noted.
Technical vulnerability management
Control objective: To prevent exploitation of technical vulnerabilities.

No. 12.6
any.cloud A/S’ control:
Security announcements from DK-CERT are monitored and analysed, and if they are found relevant, they are installed on our internal systems within 1 month from release. Additionally, we continuously perform a risk assessment of our in-house solutions.
REVI-IT’s test:
We have enquired about management of technical vulnerabilities, and we have inspected documentation for this management.
We have enquired about management of access to installing software, and we have inspected documentation for the limitation of users with rights allowing them to install software.
Test results: No significant deviations noted.
Communications security

Network security management
Control objective: To ensure the protection of information in networks and its supporting information processing facilities.

No. 13.1
any.cloud A/S’ control:
Our customers have access to our systems via the public networks, where access is allowed via encrypted VPN access, IP whitelisting or MPLS/VPLS. Access and communication between our servers and our co-location takes place within a closed network.
Only approved network traffic (inbound) is allowed through our firewall.
Our network is divided into various segments, whereby we ensure that our internal network is segregated from the customers’ networks.
REVI-IT’s test:
We have enquired about measures to secure network and network services. We have inspected documentation for the establishment of the firewall and patching of the firewall.
We have enquired about securing network services, and we have inspected documentation for adequate securing.
Test results: No significant deviations noted.
Information transfer
Control objective: To maintain the security of information transferred within an organisation and with any external entity.

No. 13.2
any.cloud A/S’ control:
External data communication only takes place via mails, as our customers’ access to and use of our servers are not considered external data communication.
We have established confidentiality in general for all parties involved in our business. This is done by means of employment contracts or service agreements with subcontractors and business partners.
REVI-IT’s test:
We have enquired about a policy for information transfer, and we have inspected the policy.
We have enquired about guidelines for handling electronic messages, and we have inspected the guidelines.
We have enquired about the establishment of confidentiality agreements, and we have in spot checks inspected documentation for entered confidentiality agreements.
Test results: No significant deviations noted.
Supplier relationships

Information security in supplier relationships
Control objective: To ensure protection of the organisation’s assets that are accessible by suppliers.

No. 15.1
any.cloud A/S’ control:
Via monitoring set up by a third party we ensure that all services delivered by third parties are in compliance with the requirements and terms we have agreed with third parties. We visit such third parties regularly, whereby we ensure that the agreed terms are continually fulfilled.
REVI-IT’s test:
We have enquired about the formalisation of supplier agreements, and we have inspected the agreement in order to check the consideration of information security.
We have inspected an auditor’s opinion from the subcontractor in order to identify adequate security.
Test results: No significant deviations noted.
Supplier service delivery management
Control objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

No. 15.2
any.cloud A/S’ control:
Via monitoring set up by a third party we ensure that all services delivered by third parties are in compliance with the requirements and terms we have agreed with third parties. We visit such third parties regularly, whereby we ensure that the agreed terms are continually fulfilled.
REVI-IT’s test:
We have enquired about monitoring of subcontractors, and we have inspected documentation for monitoring.
We have enquired about change management at subcontractors.
Test results: No significant deviations noted.
Information security incident management

Management of information security incidents and improvements
Control objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

No. 16.1
any.cloud A/S’ control:
There are formally appointed ASPs, and the requirements they are subject to are clearly and formally defined. The ASP is responsible for preparing and maintaining procedures that ensure timely and correct intervention in connection with security breaches.
Our employees and external partners are, via the entered contracts and agreements, under an obligation to report any security incident to their immediate superior in order that action can be taken to address the issue as soon as possible and necessary measures can be taken in accordance with the procedures established.
REVI-IT’s test:
We have enquired about responsibility and procedures in case of information security incidents, and we have inspected documentation for the allocation of responsibilities. Additionally, we have inspected the procedure for managing information security incidents.
We have enquired about guidelines for reporting information security incidents and weaknesses, and we have inspected the guidelines.
We have enquired about a procedure for assessing, reacting to and evaluating information security breaches, and we have inspected the procedure.
We have enquired about information security incidents during the period, and we have in spot checks inspected documentation for the handling of information security breaches.
Test results: No significant deviations noted.
Information security aspects of business continuity management

Information security continuity
Control objective: Information security continuity should be embedded in the organisation’s business continuity management systems.

No. 17.1
any.cloud A/S’ control:
The business continuity plan is embedded in the IT risk analysis and is updated at least once a year in continuation of the conduction of the analysis.
The plan and the procedures are embedded in our operations documentation and procedures.
The plan is tested once or twice annually as part of our business continuity in order for us to ensure that the customers will only experience limited interruption of services in connection with any emergencies.
REVI-IT’s test:
We have enquired about the preparation of a business continuity plan for securing the continuity of operations in case of failures and similar, and we have inspected the plan.
We have inspected documentation for management approval and periodic control of review of the business continuity plan.
We have enquired about test of the business continuity plan, and we have inspected documentation for test of the business continuity plan.
Test results: No significant deviations noted.
Redundancies
Control objective: To ensure availability of information processing facilities.

No. 17.2
any.cloud A/S’ control:
any.cloud is hosted in InterXion Danmark in Ballerup and GlobalConnect in Taastrup.
REVI-IT’s test:
We have enquired about the availability of operations systems, and we have inspected the established measures.
We have enquired about redundancy on Internet connections, and we have inspected documentation for redundancy on Internet connections cf. BFIH’s requirements.
Test results: No significant deviations noted.
Compliance

Information security reviews
Control objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.

No. 18.2
any.cloud A/S’ control:
Our employees read the IT security policies once a year as a minimum and sign that they understand and comply with them. We have on-going controls, conducted by our management, to ensure that our employees comply with the security measures that are specified in our IT security policy, in relation to the physical as well as the logical conditions.
Furthermore, we have controls ensuring compliance with monitoring and security.
REVI-IT’s test:
We have enquired about independent evaluation of the information security.
We have enquired about internal controls for ensuring compliance with security policy and procedures, and we have inspected selected controls.
We have enquired about periodic control of technical compliance, and we have inspected documentation for monitoring.
Test results: No significant deviations noted.