christopher hughes...christopher hughes (jul 1, 2019) christopher hughes 0'@va?@h attachment a...

Christopher Hughes (Jul 1, 2019)Christopher Hughes Jul 1, 2019

https://secure.na1.echosign.com/verifier?tx=CBJCHBCAABAAcdGntCCDdNtaH8mwpzKlxvIqjsZo9xwb

Attachment A – Page 1 of 23

Attachment A: NASPO ValuePoint Master Agreement Terms and Conditions

1. Master Agreement Order of Precedence

a. Any Order placed under this Master Agreement shall consist of the followingdocuments:

(1) A Participating Entity’s Participating Addendum1 (“PA”);(2) NASPO ValuePoint Master Agreement Terms & Conditions, including the applicableExhibits2 to the Master Agreement;(3) The Solicitation;(4) Contractor’s response to the Solicitation, as revised (if permitted) and accepted bythe Lead State; and(5) A Service Level Agreement issued against the Participating Addendum.

b. These documents shall be read to be consistent and complementary. Any conflictamong these documents shall be resolved by giving priority to these documents in theorder listed above. Contractor terms and conditions that apply to this Master Agreementare only those that are expressly accepted by the Lead State and must be in writing andattached to this Master Agreement as an Exhibit or Attachment.

2. Definitions - Unless otherwise provided in this Master Agreement, capitalized termswill have the meanings given to those terms in this Section.

Confidential Information means any and all information of any form that is marked as confidential or would by its nature be deemed confidential obtained by Contractor or its employees or agents in the performance of this Master Agreement, including, but not necessarily limited to (1) any Purchasing Entity’s records, (2) personnel records, and (3) information concerning individuals, is confidential information of Purchasing Entity.

Contractor means the person or entity providing solutions under the terms and conditions set forth in this Master Agreement. Contractor also includes its employees, subcontractors, agents and affiliates who are providing the services agreed to under the Master Agreement.

Data means all information, whether in oral or written (including electronic) form,

1 A Sample Participating Addendum will be published after the contracts have been awarded. 2 The Exhibits comprise the terms and conditions for the service models: PaaS, IaaS, and PaaS.

Note: Exceptions negotiated on sections 13, 16, 31, 32.


created by or in any way originating with a Participating Entity or Purchasing Entity, and all information that is the output of any computer processing, or other electronic manipulation, of any information that was created by or in any way originating with a Participating Entity or Purchasing Entity, in the course of using and configuring the Services provided under this Agreement. Data Breach means any actual or reasonably suspected non-authorized access to or acquisition of computerized Non-Public Data or Personal Data that compromises the security, confidentiality, or integrity of the Non-Public Data or Personal Data, or the ability of Purchasing Entity to access the Non-Public Data or Personal Data. Data Categorization means the process of risk assessment of Data. See also “High Risk Data”, “Moderate Risk Data” and “Low Risk Data”. Disabling Code means computer instructions or programs, subroutines, code, instructions, data or functions, (including but not limited to viruses, worms, date bombs or time bombs), including but not limited to other programs, data storage, computer libraries and programs that self-replicate without manual intervention, instructions programmed to activate at a predetermined time or upon a specified event, and/or programs purporting to do a meaningful function but designed for a different function, that alter, destroy, inhibit, damage, interrupt, interfere with or hinder the operation of the Purchasing Entity’s’ software, applications and/or its end users processing environment, the system in which it resides, or any other software or data on such system or any other system with which it is capable of communicating. Fulfillment Partner means a third-party contractor qualified and authorized by Contractor, and approved by the Participating State under a Participating Addendum, who may, to the extent authorized by Contractor, fulfill any of the requirements of this Master Agreement including but not limited to providing Services under this Master Agreement and billing Customers directly for such Services. Contractor may, upon written notice to the Participating State, add or delete authorized Fulfillment Partners as necessary at any time during the contract term. Fulfillment Partner has no authority to amend this Master Agreement or to bind Contractor to any additional terms and conditions. High Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (“High Impact Data”). Infrastructure as a Service (IaaS) as used in this Master Agreement is defined the capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications; and possibly limited control of select networking components (e.g., host firewalls).


Intellectual Property means any and all patents, copyrights, service marks, trademarks, trade secrets, trade names, patentable inventions, or other similar proprietary rights, in tangible or intangible form, and all rights, title, and interest therein. Lead State means the State centrally administering the solicitation and any resulting Master Agreement(s). Low Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (“Low Impact Data”). Master Agreement means this agreement executed by and between the Lead State, acting on behalf of NASPO ValuePoint, and the Contractor, as now or hereafter amended. Moderate Risk Data is as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems (“Moderate Impact Data”). NASPO ValuePoint is the NASPO ValuePoint Cooperative Purchasing Program, facilitated by the NASPO Cooperative Purchasing Organization LLC, a 501(c)(3) limited liability company (doing business as NASPO ValuePoint) is a subsidiary organization the National Association of State Procurement Officials (NASPO), the sole member of NASPO ValuePoint. The NASPO ValuePoint Cooperative Purchasing Organization facilitates administration of the cooperative group contracting consortium of state chief procurement officials for the benefit of state departments, institutions, agencies, and political subdivisions and other eligible entities (i.e., colleges, school districts, counties, cities, some nonprofit organizations, etc.) for all states and the District of Columbia. The NASPO ValuePoint Cooperative Development Team is identified in the Master Agreement as the recipient of reports and may be performing contract administration functions as assigned by the Lead State. Non-Public Data means High Risk Data and Moderate Risk Data that is not subject to distribution to the public as public information. It is deemed to be sensitive and confidential by the Purchasing Entity because it contains information that is exempt by statute, ordinance or administrative rule from access by the general public as public information. Participating Addendum means a bilateral agreement executed by a Contractor and a Participating Entity incorporating this Master Agreement and any other additional Participating Entity specific language or other requirements, e.g. ordering procedures specific to the Participating Entity, other terms and conditions. Participating Entity means a state, or other legal entity, properly authorized to enter into a Participating Addendum. Participating State means a state, the District of Columbia, or one of the territories of the United States that is listed in the Request for Proposal as intending to participate.


Upon execution of the Participating Addendum, a Participating State becomes a Participating Entity. Personal Data means data alone or in combination that includes information relating to an individual that identifies the individual by name, identifying number, mark or description can be readily associated with a particular individual and which is not a public record. Personal Information may include the following personally identifiable information (PII): government-issued identification numbers (e.g., Social Security, driver’s license, passport); financial account information, including account number, credit or debit card numbers; or Protected Health Information (PHI) relating to a person. Platform as a Service (PaaS) as used in this Master Agreement is defined as the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or -acquired applications created using programming languages and tools supported by the provider. This capability does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Product means any deliverable under this Master Agreement, including Services, software, and any incidental tangible goods. Protected Health Information (PHI) means individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv) and employment records held by a covered entity in its role as employer. PHI may also include information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Purchasing Entity means a state, city, county, district, other political subdivision of a State, and a nonprofit organization under the laws of some states if authorized by a Participating Addendum, who issues a Purchase Order against the Master Agreement and becomes financially committed to the purchase. Services mean any of the specifications described in the Scope of Services that are supplied or created by the Contractor pursuant to this Master Agreement. Security Incident means the possible or actual unauthorized access to a Purchasing


Entity’s Non-Public Data and Personal Data the Contractor believes could reasonably result in the use, disclosure or theft of a Purchasing Entity’s Non-Public Data within the possession or control of the Contractor. A Security Incident also includes a major security breach to the Contractor’s system, regardless if Contractor is aware of unauthorized access to a Purchasing Entity’s Non-Public Data. A Security Incident may or may not turn into a Data Breach. Service Level Agreement (SLA) means a written agreement between both the Purchasing Entity and the Contractor that is subject to the terms and conditions in this Master Agreement and relevant Participating Addendum unless otherwise expressly agreed in writing between the Purchasing Entity and the Contractor. SLAs should include: (1) the technical service level performance promises, (i.e. metrics for performance and intervals for measure), (2) description of service quality, (3) identification of roles and responsibilities, (4) remedies, such as credits, and (5) an explanation of how remedies or credits are calculated and issued. Software as a Service (SaaS) as used in this Master Agreement is defined as the capability provided to the consumer to use the Contractor’s applications running on a Contractor’s infrastructure (commonly referred to as ‘cloud infrastructure). The applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Solicitation means the documents used by the State of Utah, as the Lead State, to obtain Contractor’s Proposal. Statement of Work means a written statement in a solicitation document or contract that describes the Purchasing Entity’s service needs and expectations. 3. Term of the Master Agreement: Unless otherwise specified as a shorter term in a Participating Addendum, the term of the Master Agreement will run from contract execution to September 15, 2026.

4. Amendments: The terms of this Master Agreement shall not be waived, altered, modified, supplemented or amended in any manner whatsoever without prior written approval of the Lead State and Contractor.

5. Assignment/Subcontracts: Contractor shall not assign, sell, transfer, or sublet rights, or delegate responsibilities under this Master Agreement, in whole or in part, without the prior written approval of the Lead State. The Lead State reserves the right to assign any rights or duties, including written assignment of contract administration duties to the NASPO Cooperative Purchasing


Organization LLC, doing business as NASPO ValuePoint. 6. Discount Guarantee Period: All discounts must be guaranteed for the entire term of the Master Agreement. Participating Entities and Purchasing Entities shall receive the immediate benefit of price or rate reduction of the services provided under this Master Agreement. A price or rate reduction will apply automatically to the Master Agreement and an amendment is not necessary. 7. Termination: Unless otherwise stated, this Master Agreement may be terminated by either party upon 60 days written notice prior to the effective date of the termination. Further, any Participating Entity may terminate its participation upon 30 days written notice, unless otherwise limited or stated in the Participating Addendum. Termination may be in whole or in part. Any termination under this provision shall not affect the rights and obligations attending orders outstanding at the time of termination, including any right of any Purchasing Entity to indemnification by the Contractor, rights of payment for Services delivered and accepted, data ownership, Contractor obligations regarding Purchasing Entity Data, rights attending default in performance an applicable Service Level of Agreement in association with any Order, Contractor obligations under Termination and Suspension of Service, and any responsibilities arising out of a Security Incident or Data Breach. Termination of the Master Agreement due to Contractor default may be immediate.

8. Confidentiality, Non-Disclosure, and Injunctive Relief a. Confidentiality. Contractor acknowledges that it and its employees or agents may, in the course of providing a Product under this Master Agreement, be exposed to or acquire information that is confidential to Purchasing Entity’s or Purchasing Entity’s clients. Any reports or other documents or items (including software) that result from the use of the Confidential Information by Contractor shall be treated in the same manner as the Confidential Information. Confidential Information does not include information that (1) is or becomes (other than by disclosure by Contractor) publicly known; (2) is furnished by Purchasing Entity to others without restrictions similar to those imposed by this Master Agreement; (3) is rightfully in Contractor’s possession without the obligation of nondisclosure prior to the time of its disclosure under this Master Agreement; (4) is obtained from a source other than Purchasing Entity without the obligation of confidentiality, (5) is disclosed with the written consent of Purchasing Entity or; (6) is independently developed by employees, agents or subcontractors of Contractor who can be shown to have had no access to the Confidential Information. b. Non-Disclosure. Contractor shall hold Confidential Information in confidence, using at least the industry standard of confidentiality, and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose Confidential Information to third parties or use Confidential Information for any purposes whatsoever other than what is necessary to the performance of Orders placed under this Master Agreement. Contractor shall advise each of its employees and agents of their obligations to keep Confidential Information confidential. Contractor shall use commercially reasonable efforts to assist Purchasing Entity in identifying and preventing any unauthorized use or disclosure of any Confidential Information. Without limiting the


generality of the foregoing, Contractor shall advise Purchasing Entity, applicable Participating Entity, and the Lead State immediately if Contractor learns or has reason to believe that any person who has had access to Confidential Information has violated or intends to violate the terms of this Master Agreement, and Contractor shall at its expense cooperate with Purchasing Entity in seeking injunctive or other equitable relief in the name of Purchasing Entity or Contractor against any such person. Except as directed by Purchasing Entity, Contractor will not at any time during or after the term of this Master Agreement disclose, directly or indirectly, any Confidential Information to any person, except in accordance with this Master Agreement, and that upon termination of this Master Agreement or at Purchasing Entity’s request, Contractor shall turn over to Purchasing Entity all documents, papers, and other matter in Contractor's possession that embody Confidential Information. Notwithstanding the foregoing, Contractor may keep one copy of such Confidential Information necessary for quality assurance, audits and evidence of the performance of this Master Agreement. c. Injunctive Relief. Contractor acknowledges that breach of this section, including disclosure of any Confidential Information, will cause irreparable injury to Purchasing Entity that is inadequately compensable in damages. Accordingly, Purchasing Entity may seek and obtain injunctive relief against the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies that may be available. Contractor acknowledges and agrees that the covenants contained herein are necessary for the protection of the legitimate business interests of Purchasing Entity and are reasonable in scope and content. d. Purchasing Entity Law. These provisions shall be applicable only to extent they are not in conflict with the applicable public disclosure laws of any Purchasing Entity.

9. Right to Publish: Throughout the duration of this Master Agreement, Contractor must secure prior approval from the Lead State or Participating Entity for the release of any information that pertains to the potential work or activities covered by the Master Agreement , including but not limited to reference to or use of the Lead State or a Participating Entity’s name, Great Seal of the State, Coat of Arms, any Agency or other subunits of the State government, or any State official or employee, for commercial promotion which is strictly prohibited. News releases or release of broadcast e-mails pertaining to this Master Agreement or Participating Addendum shall not be made without prior written approval of the Lead State or a Participating Entity.

The Contractor shall not make any representations of NASPO ValuePoint’s opinion or position as to the quality or effectiveness of the services that are the subject of this Master Agreement without prior written consent. Failure to adhere to this requirement may result in termination of the Master Agreement for cause.

10. Defaults and Remedies a. The occurrence of any of the following events shall be an event of default under this Master Agreement:

(1) Nonperformance of contractual requirements; or

(2) A material breach of any term or condition of this Master Agreement; or


(3) Any certification, representation or warranty by Contractor in response to the solicitation or in this Master Agreement that proves to be untrue or materially misleading; or

(4) Institution of proceedings under any bankruptcy, insolvency, reorganization or similar law, by or against Contractor, or the appointment of a receiver or similar officer for Contractor or any of its property, which is not vacated or fully stayed within thirty (30) calendar days after the institution or occurrence thereof; or

(5) Any default specified in another section of this Master Agreement.

b. Upon the occurrence of an event of default, Lead State shall issue a written notice of default, identifying the nature of the default, and providing a period of 30 calendar days in which Contractor shall have an opportunity to cure the default. The Lead State shall not be required to provide advance written notice or a cure period and may immediately terminate this Master Agreement in whole or in part if the Lead State, in its sole discretion, determines that it is reasonably necessary to preserve public safety or prevent immediate public crisis. Time allowed for cure shall not diminish or eliminate Contractor’s liability for damages.

c. If Contractor is afforded an opportunity to cure and fails to cure the default within the period specified in the written notice of default, Contractor shall be in breach of its obligations under this Master Agreement and Lead State shall have the right to exercise any or all of the following remedies:

(1) Exercise any remedy provided by law; and

(2) Terminate this Master Agreement and any related Contracts or portions thereof; and

(3) Suspend Contractor from being able to respond to future bid solicitations; and

(4) Suspend Contractor’s performance; and

(5) Withhold payment until the default is remedied.

d. Unless otherwise specified in the Participating Addendum, in the event of a default under a Participating Addendum, a Participating Entity shall provide a written notice of default as described in this section and have all of the rights and remedies under this paragraph regarding its participation in the Master Agreement, in addition to those set forth in its Participating Addendum. Nothing in these Master Agreement Terms and Conditions shall be construed to limit the rights and remedies available to a Purchasing Entity under the applicable commercial code.

11. Changes in Contractor Representation: The Contractor must notify the Lead State of changes in the Contractor’s key administrative personnel, in writing within 10 calendar days of the change. The Lead State reserves the right to approve changes in key personnel, as identified in the Contractor’s proposal. The Contractor agrees to propose replacement key personnel having substantially equal or better education, training, and experience as was possessed by the key person proposed and evaluated in the Contractor’s proposal.


12. Force Majeure: Neither party shall be in default by reason of any failure in performance of this Contract in accordance with reasonable control and without fault or negligence on their part. Such causes may include, but are not restricted to, acts of nature or the public enemy, acts of the government in either its sovereign or contractual capacity, fires, floods, epidemics, quarantine restrictions, strikes, freight embargoes and unusually severe weather, but in every case the failure to perform such must be beyond the reasonable control and without the fault or negligence of the party.

13. Indemnification

a. The Contractor shall defend, indemnify and hold harmless NASPO, NASPO ValuePoint, the Lead State, Participating Entities, and Purchasing Entities, along with their officers, agents, and employees as well as any person or entity for which they may be liable, from and against claims, damages or causes of action including reasonable attorneys’ fees and related costs for any death, injury, or damage to property arising directly or indirectly from act(s), error(s), or omission(s) of the Contractor, its employees or subcontractors or volunteers, at any tier, relating to the performance under the Master Agreement. b. Indemnification – Intellectual Property. The Contractor shall defend, indemnify and hold harmless NASPO, NASPO ValuePoint, the Lead State, Participating Entities, Purchasing Entities, along with their officers, agents, and employees as well as any person or entity for which they may be liable ("Indemnified Party"), from and against claims, damages or causes of action including reasonable attorneys’ fees and related costs arising out of the claim that the Product or its use, infringes Intellectual Property rights ("Intellectual Property Claim") of another person or entity.

(1) The Contractor’s obligations under this section shall not extend to any claims arising from the combination of the Product with any other product, system or method, unless the Product, system or method is:

(a) provided by the Contractor or the Contractor’s subsidiaries or affiliates; (b) specified by the Contractor to work with the Product; or (c) reasonably required, in order to use the Product in its intended

manner, and the infringement could not have been avoided by substituting another reasonably available product, system or method capable of performing the same function; or

(d) It would be reasonably expected to use the Product in combination

with such product, system or method. (2) The Indemnified Party shall notify the Contractor within a reasonable time after receiving notice of an Intellectual Property Claim. Even if the Indemnified Party fails to provide reasonable notice, the Contractor shall not be relieved from its obligations unless the Contractor can demonstrate that it was prejudiced in defending the Intellectual Property Claim resulting in increased expenses or loss to the Contractor


and then only to the extent of the prejudice or expenses. If the Contractor promptly and reasonably investigates and defends any Intellectual Property Claim, it shall have control over the defense and settlement of it. However, the Indemnified Party must consent in writing for any money damages or obligations for which it may be responsible. The Indemnified Party shall furnish, at the Contractor’s reasonable request and expense, information and assistance necessary for such defense. If the Contractor fails to pursue the defense or settlement of the Intellectual Property Claim, the Indemnified Party may assume the defense or settlement of it and the Contractor shall be liable for all costs, including reasonable attorneys’ fees and related costs, incurred by the Indemnified Party in the pursuit of the Intellectual Property Claim. Unless otherwise agreed in writing, this section is not subject to any limitations of liability in this Master Agreement or in any other document executed in conjunction with this Master Agreement.

14. Independent Contractor: The Contractor shall be an independent contractor. Contractor shall have no authorization, express or implied, to bind the Lead State, Participating States, other Participating Entities, or Purchasing Entities to any agreements, settlements, liability or understanding whatsoever, and agrees not to hold itself out as agent except as expressly set forth herein or as expressly agreed in any Participating Addendum.

15. Individual Customers: Except to the extent modified by a Participating Addendum, each Purchasing Entity shall follow the terms and conditions of the Master Agreement and applicable Participating Addendum and will have the same rights and responsibilities for their purchases as the Lead State has in the Master Agreement, including but not limited to, any indemnity or right to recover any costs as such right is defined in the Master Agreement and applicable Participating Addendum for their purchases. Each Purchasing Entity will be responsible for its own charges, fees, and liabilities. The Contractor will apply the charges and invoice each Purchasing Entity individually.

16. Insurance

a. Unless otherwise agreed in a Participating Addendum, Contractor shall, during the term of this Master Agreement, maintain in full force and effect, the insurance described in this section. Contractor shall acquire such insurance from an insurance carrier or carriers licensed to conduct business in each Participating Entity’s state and having a rating of A-, Class VII or better, in the most recently published edition of Best’s Reports. Failure to buy and maintain the required insurance may result in this Master Agreement’s termination or, at a Participating Entity’s option, result in termination of its Participating Addendum. b. Coverage shall be written on an occurrence basis. The minimum acceptable limits shall be as indicated below, with any deductible paid by Contractor for each of the following categories:

(1) Commercial General Liability covering premises operations, independent contractors, products and completed operations, blanket contractual liability,


personal injury (including death), advertising liability, and property damage, with a limit of not less than $1 million per occurrence/$3 million general aggregate; (2) CLOUD MINIMUM INSURANCE COVERAGE:

Level of Risk

Data Breach and Privacy/Cyber Liability including Technology Errors and Omissions

Minimum Insurance Coverage Low Risk Data $2,000,000 Moderate Risk Data $5,000,000 High Risk Data $10,000,000 (3) Contractor must comply with any applicable State Workers Compensation or Employers Liability Insurance requirements. (4) Professional Liability. As applicable, Professional Liability Insurance Policy in the minimum amount of $1,000,000 per occurrence and $1,000,000 in the aggregate, written on an occurrence form that provides coverage for its work undertaken pursuant to each Participating Addendum.

c. Contractor shall pay premiums on all insurance policies. Such policies shall not be revoked by the insurer until thirty (30) calendar days after notice of intended revocation thereof shall have been given to Purchasing Entity and Participating Entity by the Contractor. d. Prior to commencement of performance, Contractor shall provide to the Lead State a written endorsement to the Contractor’s general liability insurance policy or other documentary evidence acceptable to the Lead State that (1) names the Participating States identified in the Request for Proposal as additional insureds, and (2) provides that the Contractor’s liability insurance policy shall be primary, with any liability insurance of any Participating State as secondary and noncontributory. Unless otherwise agreed in any Participating Addendum, the Participating Entity’s rights and Contractor’s obligations are the same as those specified in the first sentence of this subsection. Before performance of any Purchase Order issued after execution of a Participating Addendum authorizing it, the Contractor shall provide to a Purchasing Entity or Participating Entity who requests it the same information described in this subsection. e. Contractor shall furnish to the Lead State, Participating Entity, and, on request, the Purchasing Entity copies of certificates of all required insurance within thirty (30) calendar days of the execution of this Master Agreement, the execution of a Participating Addendum, or the Purchase Order’s effective date and prior to performing any work. The insurance certificate shall provide the following information: the name and address of the insured; name, address, telephone number and signature of the authorized agent; name of the insurance company (authorized to operate in all states);


a description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, exclusions and endorsements). Copies of renewal certificates of all required insurance shall be furnished within thirty (30) days after any renewal date. Failure to provide evidence of coverage may, at sole option of the Lead State, or any Participating Entity, result in this Master Agreement’s termination or the termination of any Participating Addendum. f. Coverage and limits shall not limit Contractor’s liability and obligations under this Master Agreement, any Participating Addendum, or any Purchase Order.

17. Laws and Regulations: Any and all Services offered and furnished shall comply fully with all applicable Federal and State laws and regulations.

18. No Waiver of Sovereign Immunity: In no event shall this Master Agreement, any Participating Addendum or any contract or any Purchase Order issued thereunder, or any act of a Lead State, a Participating Entity, or a Purchasing Entity be a waiver of any form of defense or immunity, whether sovereign immunity, governmental immunity, immunity based on the Eleventh Amendment to the Constitution of the United States or otherwise, from any claim or from the jurisdiction of any court.

This section applies to a claim brought against the Participating State only to the extent Congress has appropriately abrogated the Participating State’s sovereign immunity and is not consent by the Participating State to be sued in federal court. This section is also not a waiver by the Participating State of any form of immunity, including but not limited to sovereign immunity and immunity based on the Eleventh Amendment to the Constitution of the United States.

19. Ordering

a. Master Agreement order and purchase order numbers shall be clearly shown on all acknowledgments, shipping labels, packing slips, invoices, and on all correspondence.

b. This Master Agreement permits Purchasing Entities to define project-specific requirements and informally compete the requirement among other firms having a Master Agreement on an “as needed” basis. This procedure may also be used when requirements are aggregated or other firm commitments may be made to achieve reductions in pricing. This procedure may be modified in Participating Addenda and adapted to Purchasing Entity rules and policies. The Purchasing Entity may in its sole discretion determine which firms should be solicited for a quote. The Purchasing Entity may select the quote that it considers most advantageous, cost and other factors considered.

c. Each Purchasing Entity will identify and utilize its own appropriate purchasing procedure and documentation. Contractor is expected to become familiar with the Purchasing Entities’ rules, policies, and procedures regarding the ordering of supplies and/or services contemplated by this Master Agreement.

d. Contractor shall not begin providing Services without a valid Service Level


Agreement or other appropriate commitment document compliant with the law of the Purchasing Entity.

e. Orders may be placed consistent with the terms of this Master Agreement during the term of the Master Agreement.

f. All Orders pursuant to this Master Agreement, at a minimum, shall include:

(1) The services or supplies being delivered; (2) The place and requested time of delivery; (3) A billing address; (4) The name, phone number, and address of the Purchasing Entity representative; (5) The price per unit or other pricing elements consistent with this Master Agreement and the contractor’s proposal; (6) A ceiling amount of the order for services being ordered; and (7) The Master Agreement identifier and the Participating State contract identifier.

g. All communications concerning administration of Orders placed shall be furnished solely to the authorized purchasing agent within the Purchasing Entity’s purchasing office, or to such other individual identified in writing in the Order.

h. Orders must be placed pursuant to this Master Agreement prior to the termination date of this Master Agreement. Contractor is reminded that financial obligations of Purchasing Entities payable after the current applicable fiscal year are contingent upon agency funds for that purpose being appropriated, budgeted, and otherwise made available.

i. Notwithstanding the expiration or termination of this Master Agreement, Contractor agrees to perform in accordance with the terms of any Orders then outstanding at the time of such expiration or termination. Contractor shall not honor any Orders placed after the expiration or termination of this Master Agreement. Orders from any separate indefinite quantity, task orders, or other form of indefinite delivery order arrangement priced against this Master Agreement may not be placed after the expiration or termination of this Master Agreement, notwithstanding the term of any such indefinite delivery order agreement.

20. Participants and Scope

a. Contractor may not deliver Services under this Master Agreement until a Participating Addendum acceptable to the Participating Entity and Contractor is executed. The NASPO ValuePoint Master Agreement Terms and Conditions are applicable to any Order by a Participating Entity (and other Purchasing Entities covered by their Participating Addendum), except to the extent altered, modified, supplemented or amended by a Participating Addendum. By way of illustration and not limitation, this authority may apply to unique delivery and invoicing requirements, confidentiality requirements, defaults on Orders, governing law and venue relating to Orders by a


Participating Entity, indemnification, and insurance requirements. Statutory or constitutional requirements relating to availability of funds may require specific language in some Participating Addenda in order to comply with applicable law. The expectation is that these alterations, modifications, supplements, or amendments will be addressed in the Participating Addendum or, with the consent of the Purchasing Entity and Contractor, may be included in the ordering document (e.g. purchase order or contract) used by the Purchasing Entity to place the Order. b. Subject to subsection 20c and a Participating Entity’s Participating Addendum, the use of specific NASPO ValuePoint cooperative Master Agreements by state agencies, political subdivisions and other Participating Entities (including cooperatives) authorized by individual state’s statutes to use state contracts is subject to the approval of the respective State Chief Procurement Official. c. Unless otherwise stipulated in a Participating Entity’s Participating Addendum, specific services accessed through the NASPO ValuePoint cooperative Master Agreements for Cloud Services by state executive branch agencies, as required by a Participating Entity’s statutes, are subject to the authority and approval of the Participating Entity’s Chief Information Officer’s Office3. d. Obligations under this Master Agreement are limited to those Participating Entities who have signed a Participating Addendum and Purchasing Entities within the scope of those Participating Addenda. States or other entities permitted to participate may use an informal competitive process to determine which Master Agreements to participate in through execution of a Participating Addendum. Financial obligations of Participating States are limited to the orders placed by the departments or other state agencies and institutions having available funds. Participating States incur no financial obligations on behalf of political subdivisions.

e. NASPO ValuePoint is not a party to the Master Agreement. It is a nonprofit cooperative purchasing organization assisting states in administering the NASPO ValuePoint cooperative purchasing program for state government departments, institutions, agencies and political subdivisions (e.g., colleges, school districts, counties, cities, etc.) for all 50 states, the District of Columbia and the territories of the United States.

f. Participating Addenda shall not be construed to amend the terms of this Master Agreement between the Lead State and Contractor.

g. Participating Entities who are not states may under some circumstances sign their own Participating Addendum, subject to the approval of participation by the Chief Procurement Official of the state where the Participating Entity is located. Coordinate requests for such participation through NASPO ValuePoint. Any permission to participate through execution of a Participating Addendum is not a determination that 3 Chief Information Officer means the individual designated by the Governor with Executive Branch, enterprise‐wide responsibility for the leadership and management of information technology resources of a state.


procurement authority exists in the Participating Entity; they must ensure that they have the requisite procurement authority to execute a Participating Addendum. h. Resale. Subject to any explicit permission in a Participating Addendum, Purchasing Entities may not resell goods, software, or Services obtained under this Master Agreement. This limitation does not prohibit: payments by employees of a Purchasing Entity as explicitly permitted under this agreement; sales of goods to the general public as surplus property; and fees associated with inventory transactions with other governmental or nonprofit entities under cooperative agreements and consistent with a Purchasing Entity’s laws and regulations. Any sale or transfer permitted by this subsection must be consistent with license rights granted for use of intellectual property.

21. Payment: Orders under this Master Agreement are fixed-price or fixed-rate orders, not cost reimbursement contracts. Unless otherwise stipulated in the Participating Addendum, Payment is normally made within 30 days following the date of a correct invoice is received. Purchasing Entities reserve the right to withhold payment of a portion (including all if applicable) of disputed amount of an invoice. After 45 days the Contractor may assess overdue account charges up to a maximum rate of one percent per month on the outstanding balance. Payments will be remitted by mail. Payments may be made via a State or political subdivision “Purchasing Card” with no additional charge.

22. Data Access Controls: Contractor will provide access to Purchasing Entity’s Data only to those Contractor employees, contractors and subcontractors (“Contractor Staff”) who need to access the Data to fulfill Contractor’s obligations under this Agreement. Contractor shall not access a Purchasing Entity’s user accounts or Data, except on the course of data center operations, response to service or technical issues, as required by the express terms of this Master Agreement, or at a Purchasing Entity’s written request. Contractor may not share a Purchasing Entity’s Data with its parent corporation, other affiliates, or any other third party without the Purchasing Entity’s express written consent. Contractor will ensure that, prior to being granted access to the Data, Contractor Staff who perform work under this Agreement have successfully completed annual instruction of a nature sufficient to enable them to effectively comply with all Data protection provisions of this Agreement; and possess all qualifications appropriate to the nature of the employees’ duties and the sensitivity of the Data they will be handling. 23. Operations Management: Contractor shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of the Product in a manner that is, at all times during the term of this Master Agreement, at a level equal to or more stringent than those specified in the Solicitation.

24. Public Information: This Master Agreement and all related documents are subject to disclosure pursuant to the Purchasing Entity’s public information laws.

25. Purchasing Entity Data: Purchasing Entity retains full right and title to Data


provided by it and any Data derived therefrom, including metadata. Contractor shall not collect, access, or use user-specific Purchasing Entity Data except as strictly necessary to provide Service to the Purchasing Entity. No information regarding Purchasing Entity’s use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. The obligation shall extend beyond the term of this Master Agreement in perpetuity. Contractor shall not use any information collected in connection with this Master Agreement, including Purchasing Entity Data, for any purpose other than fulfilling its obligations under this Master Agreement.

26. Records Administration and Audit.

a. The Contractor shall maintain books, records, documents, and other evidence pertaining to this Master Agreement and orders placed by Purchasing Entities under it to the extent and in such detail as shall adequately reflect performance and administration of payments and fees. Contractor shall permit the Lead State, a Participating Entity, a Purchasing Entity, the federal government (including its grant awarding entities and the U.S. Comptroller General), and any other duly authorized agent of a governmental agency, to audit, inspect, examine, copy and/or transcribe Contractor's books, documents, papers and records directly pertinent to this Master Agreement or orders placed by a Purchasing Entity under it for the purpose of making audits, examinations, excerpts, and transcriptions. This right shall survive for a period of six (6) years following termination of this Agreement or final payment for any order placed by a Purchasing Entity against this Agreement, whichever is later, to assure compliance with the terms hereof or to evaluate performance hereunder. b. Without limiting any other remedy available to any governmental entity, the Contractor shall reimburse the applicable Lead State, Participating Entity, or Purchasing Entity for any overpayments inconsistent with the terms of the Master Agreement or orders or underpayment of fees found as a result of the examination of the Contractor’s records. c. The rights and obligations herein exist in addition to any quality assurance obligation in the Master Agreement requiring the Contractor to self-audit contract obligations and that permits the Lead State to review compliance with those obligations.

d. The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement and applicable Participating Addendum terms. The purchasing entity may perform this audit or contract with a third party at its discretion and at the purchasing entity’s expense. 27. Administrative Fees: The Contractor shall pay to NASPO ValuePoint, or its assignee, a NASPO ValuePoint Administrative Fee of one-quarter of one percent (0.25% or 0.0025) no later than 60 days following the end of each calendar quarter. The NASPO ValuePoint Administrative Fee shall be submitted quarterly and is based on


sales of the Services. The NASPO ValuePoint Administrative Fee is not negotiable. This fee is to be included as part of the pricing submitted with proposal. Additionally, some states may require an additional administrative fee be paid directly to the state on purchases made by Purchasing Entities within that state. For all such requests, the fee level, payment method and schedule for such reports and payments will be incorporated into the Participating Addendum that is made a part of the Master Agreement. The Contractor may adjust the Master Agreement pricing accordingly for purchases made by Purchasing Entities within the jurisdiction of the state. All such agreements shall not affect the NASPO ValuePoint Administrative Fee percentage or the prices paid by the Purchasing Entities outside the jurisdiction of the state requesting the additional fee. The NASPO ValuePoint Administrative Fee shall be based on the gross amount of all sales at the adjusted prices (if any) in Participating Addenda. 28. System Failure or Damage: In the event of system failure or damage caused by Contractor or its Services, the Contractor agrees to use its best efforts to restore or assist in restoring the system to operational capacity. 29. Title to Product: If access to the Product requires an application program interface (API), Contractor shall convey to Purchasing Entity an irrevocable and perpetual license to use the API. 30. Data Privacy: The Contractor must comply with all applicable laws related to data privacy and security, including IRS Pub 1075. Prior to entering into a SLA with a Purchasing Entity, the Contractor and Purchasing Entity must cooperate and hold a meeting to determine the Data Categorization to determine whether the Contractor will hold, store, or process High Risk Data, Moderate Risk Data and Low Risk Data. The Contractor must document the Data Categorization in the SLA or Statement of Work. 31. Warranty: At a minimum the Contractor must warrant the following: a. Contractor has acquired any and all rights, grants, assignments, conveyances, licenses, permissions, and authorization for the Contractor to provide the Services described in this Master Agreement. b. Contractor will perform materially as described in this Master Agreement, SLA, Statement of Work, including any performance representations contained in the Contractor’s response to the Solicitation by the Lead State. c. Contractor represents and warrants that the representations contained in its response to the Solicitation by the Lead State. d. The Contractor will not interfere with a Purchasing Entity’s access to and use of the Services it acquires from this Master Agreement except in the case of unjustified non-payment or unapproved use.


e. The Services provided by the Contractor are compatible with and will operate successfully with any environment (including web browser and operating system) specified by the Contractor in its response to the Solicitation by the Lead State. f. The Contractor warrants that the Products it provides under this Master Agreement are free of malware. The Contractor must use industry-leading technology to detect and remove worms, Trojans, rootkits, rogues, dialers, spyware, etc. 32. Transition Assistance: a. The Contractor shall reasonably cooperate with other parties in connection with all Services to be delivered under this Master Agreement, including without limitation any successor service provider to whom a Purchasing Entity’s Data is transferred in connection with the termination or expiration of this Master Agreement. The Contractor shall assist a Purchasing Entity in exporting and extracting a Purchasing Entity’s Data, in a format usable without the use of the Services and as agreed by a Purchasing Entity to the Purchasing Entity. Any transition services requested by a Purchasing Entity involving additional knowledge transfer and support may be subject to a separate transition Statement of Work. b. A Purchasing Entity and the Contractor shall, when reasonable, create a Transition Plan Document identifying the transition services to be provided and including a Statement of Work if applicable. c. The Contractor must maintain the confidentiality and security of a Purchasing Entity’s Data during the transition services and thereafter as required by the Purchasing Entity. 33. Waiver of Breach: Failure of the Lead State, Participating Entity, or Purchasing Entity to declare a default or enforce any rights and remedies shall not operate as a waiver under this Master Agreement or Participating Addendum. Any waiver by the Lead State, Participating Entity, or Purchasing Entity must be in writing. Waiver by the Lead State or Participating Entity of any default, right or remedy under this Master Agreement or Participating Addendum, or by Purchasing Entity with respect to any Purchase Order, or breach of any terms or requirements of this Master Agreement, a Participating Addendum, or Purchase Order shall not be construed or operate as a waiver of any subsequent default or breach of such term or requirement, or of any other term or requirement under this Master Agreement, Participating Addendum, or Purchase Order. 34. Assignment of Antitrust Rights: Contractor irrevocably assigns to a Participating Entity who is a state any claim for relief or cause of action which the Contractor now has or which may accrue to the Contractor in the future by reason of any violation of state or federal antitrust laws (15 U.S.C. § 1-15 or a Participating Entity’s state antitrust provisions), as now in effect and as may be amended from time to time, in connection with any goods or services provided to the Contractor for the purpose of carrying out the Contractor's obligations under this Master Agreement or Participating Addendum,


including, at a Participating Entity's option, the right to control any such litigation on such claim for relief or cause of action.

35. Debarment : The Contractor certifies, to the best of its knowledge, that neither it nor its principals are presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in this transaction (contract) by any governmental department or agency. This certification represents a recurring certification made at the time any Order is placed under this Master Agreement. If the Contractor cannot certify this statement, attach a written explanation for review by the Lead State.

36. Performance and Payment Time Frames that Exceed Contract Duration: All maintenance or other agreements for services entered into during the duration of an SLA and whose performance and payment time frames extend beyond the duration of this Master Agreement shall remain in effect for performance and payment purposes (limited to the time frame and services established per each written agreement). No new leases, maintenance or other agreements for services may be executed after the Master Agreement has expired. For the purposes of this section, renewals of maintenance, subscriptions, SaaS subscriptions and agreements, and other service agreements, shall not be considered as “new.”

37. Governing Law and Venue

a. The procurement, evaluation, and award of the Master Agreement shall be governed by and construed in accordance with the laws of the Lead State sponsoring and administering the procurement. The construction and effect of the Master Agreement after award shall be governed by the law of the state serving as Lead State (in most cases also the Lead State). The construction and effect of any Participating Addendum or Order against the Master Agreement shall be governed by and construed in accordance with the laws of the Participating Entity’s or Purchasing Entity’s State.

b. Unless otherwise specified in the RFP, the venue for any protest, claim, dispute or action relating to the procurement, evaluation, and award is in the Lead State. Venue for any claim, dispute or action concerning the terms of the Master Agreement shall be in the state serving as Lead State. Venue for any claim, dispute, or action concerning any Order placed against the Master Agreement or the effect of a Participating Addendum shall be in the Purchasing Entity’s State.

c. If a claim is brought in a federal forum, then it must be brought and adjudicated solely and exclusively within the United States District Court for (in decreasing order of priority): the Lead State for claims relating to the procurement, evaluation, award, or contract performance or administration if the Lead State is a party; the Participating State if a named party; the Participating Entity state if a named party; or the Purchasing Entity state if a named party. d. This section is also not a waiver by the Participating State of any form of immunity, including but not limited to sovereign immunity and immunity based on the Eleventh Amendment to the Constitution of the United States.


38. No Guarantee of Service Volumes: The Contractor acknowledges and agrees that the Lead State and NASPO ValuePoint makes no representation, warranty or condition as to the nature, timing, quality, quantity or volume of business for the Services or any other products and services that the Contractor may realize from this Master Agreement, or the compensation that may be earned by the Contractor by offering the Services. The Contractor acknowledges and agrees that it has conducted its own due diligence prior to entering into this Master Agreement as to all the foregoing matters. 39. NASPO ValuePoint eMarket Center: In July 2011, NASPO ValuePoint entered into a multi-year agreement with JAGGAER, formerly SciQuest, whereby JAGGAER will provide certain electronic catalog hosting and management services to enable eligible NASPO ValuePoint’s customers to access a central online website to view and/or shop the goods and services available from existing NASPO ValuePoint Cooperative Contracts. The central online website is referred to as the NASPO ValuePoint eMarket Center. The Contractor will have visibility in the eMarket Center through Ordering Instructions. These Ordering Instructions are available at no cost to the Contractor and provided customers information regarding the Contractors website and ordering information. At a minimum, the Contractor agrees to the following timeline: NASPO ValuePoint eMarket Center Site Admin shall provide a written request to the Contractor to begin Ordering Instruction process. The Contractor shall have thirty (30) days from receipt of written request to work with NASPO ValuePoint to provide any unique information and ordering instructions that the Contractor would like the customer to have. 40. Contract Provisions for Orders Utilizing Federal Funds: Pursuant to Appendix II to 2 Code of Federal Regulations (CFR) Part 200, Contract Provisions for Non-Federal Entity Contracts Under Federal Awards, Orders funded with federal funds may have additional contractual requirements or certifications that must be satisfied at the time the Order is placed or upon delivery. These federal requirements may be proposed by Participating Entities in Participating Addenda and Purchasing Entities for incorporation in Orders placed under this master agreement. 41. Government Support: No support, facility space, materials, special access, personnel or other obligations on behalf of the states or other Participating Entities, other than payment, are required under the Master Agreement. 42. NASPO ValuePoint Summary and Detailed Usage Reports: In addition to other reports that may be required by this solicitation, the Contractor shall provide the following NASPO ValuePoint reports. a. Summary Sales Data. The Contractor shall submit quarterly sales reports directly to NASPO ValuePoint using the NASPO ValuePoint Quarterly Sales/Administrative Fee Reporting Tool found at http://calculator.naspovaluepoint.org. Any/all sales made under the


contract shall be reported as cumulative totals by state. Even if Contractor experiences zero sales during a calendar quarter, a report is still required. Reports shall be due no later than 30 day following the end of the calendar quarter (as specified in the reporting tool). b. Detailed Sales Data. Contractor shall also report detailed sales data by: (1) state; (2) entity/customer type, e.g. local government, higher education, K12, non-profit; (3) Purchasing Entity name; (4) Purchasing Entity bill-to and ship-to locations; (4) Purchasing Entity and Contractor Purchase Order identifier/number(s); (5) Purchase Order Type (e.g. sales order, credit, return, upgrade, determined by industry practices); (6) Purchase Order date; (7) and line item description, including product number if used. The report shall be submitted in any form required by the solicitation. Reports are due on a quarterly basis and must be received by the Lead State and NASPO ValuePoint Cooperative Development Team no later than thirty (30) days after the end of the reporting period. Reports shall be delivered to the Lead State and to the NASPO ValuePoint Cooperative Development Team electronically through a designated portal, email, CD-Rom, flash drive or other method as determined by the Lead State and NASPO ValuePoint. Detailed sales data reports shall include sales information for all sales under Participating Addenda executed under this Master Agreement. The format for the detailed sales data report is in shown in Attachment H. c. Reportable sales for the summary sales data report and detailed sales data report includes sales to employees for personal use where authorized by the solicitation and the Participating Addendum. Report data for employees should be limited to ONLY the state and entity they are participating under the authority of (state and agency, city, county, school district, etc.) and the amount of sales. No personal identification numbers, e.g. names, addresses, social security numbers or any other numerical identifier, may be submitted with any report. d. Contractor shall provide the NASPO ValuePoint Cooperative Development Coordinator with an executive summary each quarter that includes, at a minimum, a list of states with an active Participating Addendum, states that Contractor is in negotiations with and any PA roll out or implementation activities and issues. NASPO ValuePoint Cooperative Development Coordinator and Contractor will determine the format and content of the executive summary. The executive summary is due 30 days after the conclusion of each calendar quarter. e. Timely submission of these reports is a material requirement of the Master Agreement. The recipient of the reports shall have exclusive ownership of the media containing the reports. The Lead State and NASPO ValuePoint shall have a perpetual, irrevocable, non-exclusive, royalty free, transferable right to display, modify, copy, and otherwise use reports, data and information provided under this section. f. If requested by a Participating Entity, the Contractor must provide detailed sales data within the Participating State.


43. NASPO ValuePoint Cooperative Program Marketing, Training, and Performance Review: a. Contractor agrees to work cooperatively with NASPO ValuePoint personnel. Contractor agrees to present plans to NASPO ValuePoint for the education of Contractor’s contract administrator(s) and sales/marketing workforce regarding the Master Agreement contract, including the competitive nature of NASPO ValuePoint procurements, the Master agreement and participating addendum process, and the manner in which qualifying entities can participate in the Master Agreement. b. Contractor agrees, as Participating Addendums become executed, if requested by ValuePoint personnel to provide plans to launch the program within the participating state. Plans will include time frames to launch the agreement and confirmation that the Contractor’s website has been updated to properly reflect the contract offer as available in the participating state. c. Contractor agrees, absent anything to the contrary outlined in a Participating Addendum, to consider customer proposed terms and conditions, as deemed important to the customer, for possible inclusion into the customer agreement. Contractor will ensure that their sales force is aware of this contracting option. d. Contractor agrees to participate in an annual contract performance review at a location selected by the Lead State and NASPO ValuePoint, which may include a discussion of marketing action plans, target strategies, marketing materials, as well as Contractor reporting and timeliness of payment of administration fees. e. Contractor acknowledges that the NASPO ValuePoint logos may not be used by Contractor in sales and marketing until a logo use agreement is executed with NASPO ValuePoint. f. The Lead State expects to evaluate the utilization of the Master Agreement at the annual performance review. Lead State may, in its discretion, terminate the Master Agreement pursuant to section 6 when Contractor utilization does not warrant further administration of the Master Agreement. The Lead State may exercise its right to not renew the Master Agreement if vendor fails to record or report revenue for three consecutive quarters, upon 60-calendar day written notice to the Contractor. This subsection does not limit the discretionary right of either the Lead State or Contractor to terminate the Master Agreement pursuant to section 7.

g. Contractor agrees, within 30 days of their effective date, to notify the Lead State and NASPO ValuePoint of any contractual most-favored-customer provisions in third-part contracts or agreements that may affect the promotion of this Master Agreements or whose terms provide for adjustments to future rates or pricing based on rates, pricing in, or Orders from this master agreement. Upon request of the Lead State or NASPO ValuePoint, Contractor shall provide a copy of any such provisions.


45. NASPO ValuePoint Cloud Offerings Search Tool: In support of the Cloud Offerings Search Tool here: http://www.naspovaluepoint.org/#/contract-details/71/search Contractor shall ensure its Cloud Offerings are accurately reported and updated to the Lead State in the format/template shown in Attachment I.

46. Entire Agreement: This Master Agreement, along with any attachment, contains the entire understanding of the parties hereto with respect to the Master Agreement unless a term is modified in a Participating Addendum with a Participating Entity. No click-through, or other end user terms and conditions or agreements required by the Contractor (“Additional Terms”) provided with any Services hereunder shall be binding on Participating Entities or Purchasing Entities, even if use of such Services requires an affirmative “acceptance” of those Additional Terms before access is permitted.

Attachment A: Exhibit 1 - Page 1 of 6

Exhibit 1 to the Master Agreement: Software-as-a-Service

1. Data Ownership: The Purchasing Entity will own all right, title and interest in its data that is related to the Services provided by this Master Agreement. The Contractor shall not access Purchasing Entity user accounts or Purchasing Entity data, except (1) in the course of data center operations, (2) in response to service or technical issues, (3) as required by the express terms of this Master Agreement, Participating Addendum, SLA, and/or other contract documents, or (4) at the Purchasing Entity’s written request.

Contractor shall not collect, access, or use user-specific Purchasing Entity Data except as strictly necessary to provide Service to the Purchasing Entity. No information regarding a Purchasing Entity’s use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall survive and extend beyond the term of this Master Agreement.

2. Data Protection: Protection of personal privacy and data shall be an integral part of the business activities of the Contractor to ensure there is no inappropriate or unauthorized use of Purchasing Entity information at any time. To this end, the Contractor shall safeguard the confidentiality, integrity and availability of Purchasing Entity information and comply with the following conditions:

a. The Contractor shall implement and maintain appropriate administrative, technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of Personal Data and Non-Public Data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures the Contractor applies to its own Personal Data and Non-Public Data of similar kind.

b. All data obtained by the Contractor in the performance of the Master Agreement shall become and remain the property of the Purchasing Entity.

c. All Personal Data shall be encrypted at rest and in transit with controlled access. Unless otherwise stipulated, the Contractor is responsible for encryption of the Personal Data. Any stipulation of responsibilities will identify specific roles and responsibilities and shall be included in the service level agreement (SLA), or otherwise made a part of the Master Agreement.

d. Unless otherwise stipulated, the Contractor shall encrypt all Non-Public Data at rest and in transit. The Purchasing Entity shall identify data it deems as Non-Public Data to the Contractor. The level of protection and encryption for all Non-Public Data shall be identified in the SLA.

e. At no time shall any data or processes — that either belong to or are intended for the use of a Purchasing Entity or its officers, agents or employees — be copied, disclosed or retained by the Contractor or any party related to the Contractor for subsequent use in any transaction that does not include the Purchasing Entity.

f. The Contractor shall not use any information collected in connection with the Services issued from this Master Agreement for any purpose other than fulfilling the Services.


3. Data Location: The Contractor shall provide its services to the Purchasing Entity and its end users solely from data centers in the U.S. Storage of Purchasing Entity data at rest shall be located solely in data centers in the U.S. The Contractor shall not allow its personnel or contractors to store Purchasing Entity data on portable devices, including personal computers, except for devices that are used and kept only at its U.S. data centers. The Contractor shall permit its personnel and contractors to access Purchasing Entity data remotely only as required to provide technical support. The Contractor may provide technical user support on a 24/7 basis using a Follow the Sun model, unless otherwise prohibited in a Participating Addendum.

4. Security Incident or Data Breach Notification:

a. Incident Response: Contractor may need to communicate with outside parties regarding a security incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon, defined by law or contained in the contract. Discussing security incidents with the Purchasing Entity should be handled on an urgent as-needed basis, as part of Contractor’s communication and mitigation processes as mutually agreed upon, defined by law or contained in the Master Agreement.

b. Security Incident Reporting Requirements: The Contractor shall report a security incident to the Purchasing Entity identified contact immediately as soon as possible or promptly without out reasonable delay, or as defined in the SLA.

c. Breach Reporting Requirements: If the Contractor has actual knowledge of a confirmed data breach that affects the security of any purchasing entity’s content that is subject to applicable data breach notification law, the Contractor shall (1) as soon as possible or promptly without out reasonable delay notify the Purchasing Entity, unless shorter time is required by applicable law, and (2) take commercially reasonable measures to address the data breach in a timely manner.

5. Personal Data Breach Responsibilities: This section only applies when a Data Breach occurs with respect to Personal Data within the possession or control of the Contractor.

a. The Contractor, unless stipulated otherwise, shall immediately notify the appropriate Purchasing Entity identified contact by telephone in accordance with the agreed upon security plan or security procedures if it reasonably believes there has been a security incident.

b. The Contractor, unless stipulated otherwise, shall promptly notify the appropriate Purchasing Entity identified contact within 24 hours or sooner by telephone, unless shorter time is required by applicable law, if it has confirmed that there is, or reasonably believes that there has been a Data Breach. The Contractor shall (1) cooperate with the Purchasing Entity as reasonably requested by the Purchasing Entity to investigate and resolve the Data Breach, (2) promptly implement necessary remedial measures, if necessary, and (3) document responsive actions taken related to the Data Breach, including any post-incident review of events and actions taken to make changes in business practices in providing the services, if necessary.


c. Unless otherwise stipulated, if a data breach is a direct result of Contractor’s breach of its contractual obligation to encrypt personal data or otherwise prevent its release as reasonably determined by the Purchasing Entity, the Contractor shall bear the costs associated with (1) the investigation and resolution of the data breach; (2) notifications to individuals, regulators or others required by federal and state laws or as otherwise agreed to; (3) a credit monitoring service required by state (or federal) law or as otherwise agreed to; (4) a website or a toll-free number and call center for affected individuals required by federal and state laws — all not to exceed the average per record per person cost calculated for data breaches in the United States (currently $217 per record/person) in the most recent Cost of Data Breach Study: Global Analysis published by the Ponemon Institute at the time of the data breach; and (5) complete all corrective actions as reasonably determined by Contractor based on root cause.

6. Notification of Legal Requests: The Contractor shall contact the Purchasing Entity upon receipt of any electronic discovery, litigation holds, discovery searches and expert testimonies related to the Purchasing Entity’s data under the Master Agreement, or which in any way might reasonably require access to the data of the Purchasing Entity. The Contractor shall not respond to subpoenas, service of process and other legal requests related to the Purchasing Entity without first notifying and obtaining the approval of the Purchasing Entity, unless prohibited by law from providing such notice.

7. Termination and Suspension of Service:

a. In the event of a termination of the Master Agreement or applicable Participating Addendum, the Contractor shall implement an orderly return of purchasing entity’s data in a CSV or another mutually agreeable format at a time agreed to by the parties or allow the Purchasing Entity to extract it’s data and the subsequent secure disposal of purchasing entity’s data.

b. During any period of service suspension, the Contractor shall not take any action to intentionally erase or otherwise dispose of any of the Purchasing Entity’s data.

c. In the event of termination of any services or agreement in entirety, the Contractor shall not take any action to intentionally erase purchasing entity’s data for a period of:

• 10 days after the effective date of termination, if the termination is in accordance with the contract period

• 30 days after the effective date of termination, if the termination is for convenience

• 60 days after the effective date of termination, if the termination is for cause

After such period, the Contractor shall have no obligation to maintain or provide any purchasing entity’s data and shall thereafter, unless legally prohibited, delete all purchasing entity’s data in its systems or otherwise in its possession or under its control.


d. The purchasing entity shall be entitled to any post termination assistance generally made available with respect to the services, unless a unique data retrieval arrangement has been established as part of an SLA.

e. Upon termination of the Services or the Agreement in its entirety, Contractor shall securely dispose of all Purchasing Entity’s data in all of its forms, such as disk, CD/ DVD, backup tape and paper, unless stipulated otherwise by the Purchasing Entity. Data shall be permanently deleted and shall not be recoverable, according to National Institute of Standards and Technology (NIST)-approved methods. Certificates of destruction shall be provided to the Purchasing Entity.

8. Background Checks: Upon the request of the Purchasing Entity, the Contractor shall conduct criminal background checks and not utilize any staff, including subcontractors, to fulfill the obligations of the Master Agreement who have been convicted of any crime of dishonesty, including but not limited to criminal fraud, or otherwise convicted of any felony or misdemeanor offense for which incarceration for up to 1 year is an authorized penalty. The Contractor shall promote and maintain an awareness of the importance of securing the Purchasing Entity’s information among the Contractor’s employees and agents. If any of the stated personnel providing services under a Participating Addendum is not acceptable to the Purchasing Entity in its sole opinion as a result of the background or criminal history investigation, the Purchasing Entity, in its’ sole option shall have the right to either (1) request immediate replacement of the person, or (2) immediately terminate the Participating Addendum and any related service agreement.

9. Access to Security Logs and Reports: The Contractor shall provide reports on a schedule specified in the SLA to the Purchasing Entity in a format as specified in the SLA agreed to by both the Contractor and the Purchasing Entity. Reports shall include latency statistics, user access, user access IP address, user access history and security logs for all public jurisdiction files related to this Master Agreement and applicable Participating Addendum.

10. Contract Audit: The Contractor shall allow the Purchasing Entity to audit conformance to the Master Agreement terms. The Purchasing Entity may perform this audit or contract with a third party at its discretion and at the Purchasing Entity’s expense.

11. Data Center Audit: The Contractor shall perform an independent audit of its data centers at least annually at its expense, and provide an unredacted version of the audit report upon request to a Purchasing Entity. The Contractor may remove its proprietary information from the unredacted version. A Service Organization Control (SOC) 2 audit report or approved equivalent sets the minimum level of a third-party audit.

12. Change Control and Advance Notice: The Contractor shall give a minimum forty eight (48) hour advance notice (or as determined by a Purchasing Entity and included in the SLA) to the Purchasing Entity of any upgrades (e.g., major upgrades, minor upgrades, system changes) that may impact service availability and performance. A major upgrade is a replacement of hardware, software or firmware with a newer or better version in order to bring the system up to date or to improve its characteristics. It usually includes a new version number.


Contractor will make updates and upgrades available to Purchasing Entity at no additional costs when Contractor makes such updates and upgrades generally available to its users.

No update, upgrade or other charge to the Service may decrease the Service’s functionality, adversely affect Purchasing Entity’s use of or access to the Service, or increase the cost of the Service to the Purchasing Entity.

Contractor will notify the Purchasing Entity at least sixty (60) days in advance prior to any major update or upgrade.

13. Security: As requested by a Purchasing Entity, the Contractor shall disclose its non-proprietary system security plans (SSP) or security processes and technical limitations to the Purchasing Entity such that adequate protection and flexibility can be attained between the Purchasing Entity and the Contractor. For example: virus checking and port sniffing — the Purchasing Entity and the Contractor shall understand each other’s roles and responsibilities.

14. Non-disclosure and Separation of Duties: The Contractor shall enforce separation of job duties, require commercially reasonable non-disclosure agreements, and limit staff knowledge of Purchasing Entity data to that which is absolutely necessary to perform job duties.

15. Import and Export of Data: The Purchasing Entity shall have the ability to import or export data in piecemeal or in entirety at its discretion without interference from the Contractor at any time during the term of Contractor’s contract with the Purchasing Entity. This includes the ability for the Purchasing Entity to import or export data to/from other Contractors. Contractor shall specify if Purchasing Entity is required to provide its’ own tools for this purpose, including the optional purchase of Contractors tools if Contractors applications are not able to provide this functionality directly.

16. Responsibilities and Uptime Guarantee: The Contractor shall be responsible for the acquisition and operation of all hardware, software and network support related to the services being provided. The technical and professional activities required for establishing, managing and maintaining the environments are the responsibilities of the Contractor. The system shall be available 24/7/365 (with agreed-upon maintenance downtime), and provide service to customers as defined in the SLA.

17. Subcontractor Disclosure: Contractor shall identify all of its strategic business partners related to services provided under this Master Agreement, including but not limited to all subcontractors or other entities or individuals who may be a party to a joint venture or similar agreement with the Contractor, and who shall be involved in any application development and/or operations.

18. Right to Remove Individuals: The Purchasing Entity shall have the right at any time to require that the Contractor remove from interaction with Purchasing Entity any Contractor representative who the Purchasing Entity believes is detrimental to its working relationship with the Contractor. The Purchasing Entity shall provide the Contractor with notice of its determination, and the reasons it requests the removal. If the Purchasing Entity signifies that a potential security violation exists with respect to the request, the Contractor shall immediately remove such individual. The Contractor shall not assign the


person to any aspect of the Master Agreement or future work orders without the Purchasing Entity’s consent.

19. Business Continuity and Disaster Recovery: The Contractor shall provide a business continuity and disaster recovery plan upon request and ensure that the Purchasing Entity’s recovery time objective (RTO) of XXX hours/days is met. (XXX hour/days shall be provided to Contractor by the Purchasing Entity.) Contractor must work with the Purchasing Entity to perform an annual Disaster Recovery test and take action to correct any issues detected during the test in a time frame mutually agreed between the Contractor and the Purchasing Entity.

20. Compliance with Accessibility Standards: The Contractor shall comply with and adhere to Accessibility Standards of Section 508 Amendment to the Rehabilitation Act of 1973, or any other state laws or administrative regulations identified by the Participating Entity.

21. Web Services: The Contractor shall use Web services exclusively to interface with the Purchasing Entity’s data in near real time.

22. Encryption of Data at Rest: The Contractor shall ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2, Security Requirements for Cryptographic Modules for all Personal Data, unless the Purchasing Entity approves in writing for the storage of Personal Data on a Contractor portable device in order to accomplish work as defined in the statement of work.

23. Subscription Terms: Contractor grants to a Purchasing Entity a license to: (i) access and use the Service for its business purposes; (ii) for SaaS, use underlying software as embodied or used in the Service; and (iii) view, copy, upload and download (where applicable), and use Contractor’s documentation.

No Contractor terms, including standard click through license or website terms or use of privacy policy, shall apply to Purchasing Entities unless such terms are included in this Master Agreement.

Attachment B - Page 1 of 2

Attachment B – Scope of Services Awarded to Contractor

1.1 Awarded Service Model(s).

Contractor is awarded the following Service Model:

• Software as a Service (SaaS)

1.2 Risk Categorization.*

Contractor’s offered solutions offer the ability to store and secure data under the following risk categories:

Service Model

Low Risk Data

Moderate Risk Data

High Risk Data

Deployment Models Offered

SaaS Provided, using DocFinity® SaaS solution

Provided, using DocFinity® SaaS solution


Private Cloud (two options) 1. Hosted in our secure,

HIPAA- compliant Companion Data Services Data Center in Columbia, South Carolina (USA)

2. Hosted in Amazon Web Services government-rated cloud

*Contractor may add additional OEM solutions during the life of the contract.

2.1 Deployment Models.

Contractor may provide cloud based services through the following deployment methods:

• Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

• Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

• Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

• Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound

Attachment B - Page 2 of 2

together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

Contractor: Companion Data Services

Pricing Notes

Cloud Service Model: Software as a Service (SaaS)Description Discount

SaaS Minimum Discount % 0.50%

(applies to all OEM's offered within this SaaS

model)

Average SaaS OEM Discount Off 0.50%

Additional Value Added Services

Item Description NVP Price Catalog Price NVP Price Catalog Price

Maintenance Services (N/A ‐ Included in rates)

Professional Services

Deployment Services 142.69$ 143.05$ 142.69$ 143.05$

Integration Services) 142.69$ 143.05$ 142.69$ 143.05$

Consulting/Advisory Services 142.69$ 143.05$ 142.69$ 143.05$

Architectural Design Services 142.69$ 143.05$ 142.69$ 143.05$

Statement of Work Services 142.69$ 143.05$ 142.69$ 143.05$

Partner Services N/A

Training Deployment Services

DocFinity 101/Core Training 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$

DocFinity BPM Core Training DCPT‐ 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$

DocFinity BPM Concepts for Manag 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

DocFinity COLD Training 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$

DocFinity API 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

DocFinity eForms 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$

DocFinity Records Management 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

SQL 101 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

DocFinity Dashboards 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$

DocFinity Intelligent Capture 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$

DocFinity Enterprise Search 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

NVP Price Catalog Price

OCR

Enterprise Search 5,735.55$ 5,750.00$

Intelligence Capture

360,000 Pages per Year 27,568.51$ 27,637.95$

480,000 Pages per Year 32,791.11$ 32,873.71$

720,000 Pages per Year 41,438.38$ 41,542.75$

960,000 Pages per Year 50,085.64$ 50,211.80$

1,200,000 Pages per Year 56,078.80$ 56,220.05$

2,000,000 Pages per Year 86,609.63$ 86,827.79$

2,400,000 Pages per Year 91,609.64$ 91,840.39$

3,000,000 Pages per Year 114,503.48$ 114,791.90$

Barcode Recognition

50,000 Pages per Year 2,500.00$ 2,506.30$

100,000 Pages per Year 4,914.39$ 4,926.76$

200,000 Pages per Year 9,452.06$ 9,475.87$

400,000 Pages per Year 17,773.98$ 17,818.75$

800,000 Pages per Year 32,363.03$ 32,444.55$

3. Purchasing entities shall benefit from any promotional pricing offered by Contractor to similar customers. Promotional pricing shall not be cause for a

permanent price change.

Deliverable Rates

4. Contractor's price catalog include the price structures of the cloud service models, value added services (i.e., Maintenance Services, Professional Services,

Etc.), and deployment models that it intends to provide including the types of data it is able to hold under each model. Pricing shall all‐inclusive of infrastructure

and software costs and management of infrastructure, network, OS, and software.

Onsite Hourly Rate Remote Hourly Rate

Attachment C ‐ Pricing Discounts and Schedule

2. Minimum guaranteed contract discounts do not preclude an Offeror and/or its authorized resellers from providing deeper or additional, incremental

discounts at their sole discretion.

5. Contractor provides tiered pricing to accompany its named user licensing model, therefore, as user count reaches tier thresholds, unit price decreases.

1. % discounts are based on minimum discounts off Contractor's commercially published pricelists versus fixed pricing. Nonetheless, Orders will be fixed‐price or

fixed‐rate and not cost reimbursable contracts. Contractor has the ability to update and refresh its respective price catalog, as long as the agreed‐upon discounts

are fixed.

Attachment C Page 1 of 2

Contractor: Companion Data Services

Attachment C ‐ Pricing Discounts and Schedule

1,000,000 Pages per Year 40,462.35$ 40,564.27$

Digital Price 1.00$ 1.00$

Attachment C Page 2 of 2

Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Attachment D – Response to Solicitation SK18008

February 27, 2019 The State of Utah

Division of Purchasing 3150 State Office Building | 450 North State Street

Salt Lake City, Utah 84114

This material is the product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials for purposes other than evaluation is strictly prohibited.

© 2019 copyright of Companion Data Services, LLC. All rights reserved.

Attachment D - Contractor's Response to Solicitation

Attachment D Page 1 of 177

Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Executive Summary

July 6, 2018 The State of Utah

Division of Purchasing 3150 State Office Building | 450 North State Street

Salt Lake City, Utah 84114





Request for Proposal Number SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions

Executive Summary

Use or disclosure of the data contained on this sheet is subject to the restriction on the title page of this proposal. Copyright © 2018 Companion Data Services, LLC. All rights reserved.

7/6/2018

Page i

Table of Contents

Table of Contents ......................................................................................................................................... i

List of Figures .............................................................................................................................................. ii

Executive Summary .................................................................................................................................... 1

Our Company .................................................................................................................................... 1

Our Organization .............................................................................................................................. 1

Our Product ....................................................................................................................................... 2

Our Pricing ......................................................................................................................................... 2

Licensing and Use Options ............................................................................................................. 2

Professional Services ...................................................................................................................... 3

No Outsourcing ................................................................................................................................. 3




Executive Summary


7/6/2018

Page ii

List of Figures

Figure 1. Summary of SaaS Subscription Pricing ......................................................................................... 3




Executive Summary


7/6/2018

Page 1

Executive Summary

3.10, 5.2

Companion Data Services, LLC (CDS), a wholly owned subsidiary of BlueCross®

BlueShield® of South

Carolina (BlueCross), an independent licensee of Blue Cross and Blue Shield Association, submits this

proposal in response to the State of Utah in conjunction with NASPO ValuePoint’s Request for Proposal

for NASPO ValuePoint Master Agreement for Cloud Solutions Number SK18008 to supply services and

products in compliance with the requirements.

Our Company CDS delivers secure information technology (IT) and business process services. Our corporate structure

has annual sales of approximately $6 billion and employs more than 10,500 professionals of which

approximately 2,000 work in Information Systems. Our corporate headquarters is located in Columbia,

South Carolina, with offices in Dallas, Texas, and Baltimore, Maryland. We are a trusted government

partner holding several large-scale and medium-scale contracts at federal and state levels. Our GSA

Schedule 70 Contract Number is GS-35F-0530Y.

CDS is a privately held company. In today’s world of mergers and acquisitions, we feature a strong and

stable corporate structure to ensure our customers’ operations and stakeholders are not negatively affected

by such transactions. Our business status, financial strength and operating philosophies allow flexibility in

making long-term business decisions to best support customers and business partners without regard to:

Quarterly financial pressures of public commercial companies

Short-term financial concerns of small, start-up companies

CDS maintains strong financial ratios for cash liquidity and members’ equity. CDS has a solid history of

long-term contracts because customers continue to select us for renewals.

We have the infrastructure, systems, experience, culture, financial strength, working capital, stability and

procedures to meet or exceed your expectations.

Our Organization Service-based Approach: As a large-scale IT organization, rather than a product reseller, we can commit

to providing the best technology and solution for our customer’s business need. Our focus is to support

our valued customers with service-based solutions and operational capabilities. We establish and build

long-term, strong partnerships with all customers.

We are not new in Software as a Service (SaaS) or Cloud-based Offerings: Rather than reactively

trying to meet the requirement by placing our software in a public cloud provider’s infrastructure, we are

proactive in this market by supporting our SaaS-based DocFinity customers in our own data center that

possesses health-care-class security and alternatively in Amazon Web Services (AWS) infrastructure for

several years. Our SaaS offering is secure, cloud-based, mature and proven. All managed services,

including security and administration, are performed by our corporate employees regardless of whether

we are using our Columbia, South Carolina Data Center or AWS infrastructure.

You interact with the Actual Developer: We offer our own product, developed by our Document

Management Software Development division. All of our projects require the installation of Enterprise

Content Management (ECM)/Business Process Management (BPM) systems which include software,

implementation, data migration, training, maintenance and support performed by our corporate resources.

Our solution is built from the ground up on a modern, flexible, scalable platform, without acquiring parts




Executive Summary


7/6/2018

Page 2

from other companies and patching into the core product. We make and meet commitments in product

development and the upgrade roadmap.

Our Product We propose our high-powered, next-generation ECM and BPM suite, DocFinity

®. DocFinity is developed

and maintained by our Document Management System division, Optical Image Technology, Inc. (OIT),

also a wholly owned subsidiary of BlueCross. DocFinity is used by government entities and higher

education institutions at more than 200 installations country-wide and internationally. We use DocFinity

to process high volumes of business transactions involving many document types and highly sensitive and

confidential health care data, in support of commercial, government and military plans.

DocFinity, a commercial off-the-shelf product, provides a high degree of configurability with no source

code modification and offers sophisticated BPM and workflow features to automate functions.

Our Pricing Pricing is fixed, based on concurrent users. We offer unlimited named users defined in the system. The

number of users accessing DocFinity at the same time depends on the number of licensed concurrent

users. There are no surprises regarding our pricing:

No additional fees for the number of scanners, scanning workstations or scanning users

No additional fees for administrative users, power users or users with update capability

Options available at additional costs are identified and unit costs included in the proposed price

list

Licensing and Use Options Our recommended option is use of our service-based approach, SaaS deployment. This approach offers

the best value relative to security, operational convenience, reliability, flexibility and total cost of

ownership:

Zero capital expenditure for any server-level hardware or software.

Zero support, maintenance and update or upgrade costs for any server-level hardware or software

including the operating system, data base and DocFinity application.

Flexibility to accommodate seasonal fluctuations in use as well as a phased approach. The

number of licensed users can be increased or decreased as required by the customer, with sixty

days’ notice following implementation.

No up-front charges for the complete stand up of a computing environment in our data center.

Figure 1 depicts what we provide and what the customer provides in our simple SaaS subscription pricing

model. As shown below, CDS assumes responsibility for all solution components.




Executive Summary


7/6/2018

Page 3

Companion Data Services Provides Customer Provides

Solution Components Services for all Solution Components

Application Software – DocFinity Full Suite Provisioning

Hosting Installation Maintenance Support Upgrades Updates Warranty Repairs Operations Monitoring Physical security Data security including anti-virus protection Data backup Disaster recovery Performance tuning

Personal computers Mobile devices Scanners Printers Compatible web

browser Internet connection

Server Hardware

Server Operating System

Server Data Base

Server Data Storage (starting at one terabyte) with Input / Output requests:

Unlimited and included in subscription fees for CDS Columbia Data Center hosting

Billed as a pass-through at cost for cloud vendor (AWS) hosting

Server Application Software Storage as needed

Figure 1. Summary of SaaS Subscription Pricing

Professional Services We support our customers with professional services, using our subject matter experts with decades of

experience with large-scale implementations. Installation and implementation of ECM systems, including

software, implementation, data migration, training, maintenance and support, are always performed by

our corporate resources.

Business Knowledge: Our subject matter experts have years of experience with similar

implementations, complementing capabilities of our products and ensuring a functional fit with your

requirements.

Industry Knowledge: We have specific knowledge in the public sector. We will discuss your

business, offer best-practice alternatives and convey our experience towards a streamlined, automated

and efficient operation.

100 Percent U.S.-Based Resources: All services including compliance, security, performance and

infrastructure are performed by our corporate employees, legal residents, located in the United States.

No Outsourcing Based on the RFP requirements, we will successfully meet all contractual obligations as a prime

contractor with no need to partner with a subcontractor or any kind of onshore, near shore or off-shore

outsourcing.



July 6, 2018 Solomon Kingston Division of Purchasing 3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114 Subject: Request for Proposal (RFP) SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions Dear Mr. Kingston: Companion Data Services, LLC (CDS), a wholly owned subsidiary of BlueCross® BlueShield® of South Carolina (BlueCross), an independent licensee of the Blue Cross and Blue Shield Association, submits this response to the State of Utah in conjunction with NASPO ValuePoint’s RFP for NASPO ValuePoint Master Agreement for Cloud Solutions Number SK18008 to supply services and products in compliance with the requirements. CDS’ proposed services and existing capabilities, including more than 2,000 Information Technology professionals and 8,500 operations specialists, address the requirements, goals and objectives of the State of Utah and NASPO members. We have the infrastructure, systems, experience, training, financial strength, working capital, stability and procedures to meet or exceed the NASPO members’ expectations. Ms. Lola Jordan, President of CDS, is authorized by the CDS board of directors to contractually obligate and negotiate contracts on behalf of CDS and sign and submit this RFP response. In addition, Ms. Jordan is the primary contact for all questions for clarification. Ms. Jordan’s contact information is provided below. Potential Requirement to Negotiate (5.1.1) CDS understands the potential requirement to negotiate additional terms and conditions, including additional administrative fees, with Participating Entities when executing a Participating Addendum. Staff Responsible for Writing Proposal (5.1.2) CDS and Optical Image Technology, Inc. (OIT) employees were responsible for writing the proposal. OIT is a subsidiary of BlueCross and developed our DocFinity® solution suite. Offeror Not Suspended, Debarred or Excluded (5.1.3) CDS is not currently suspended, debarred or otherwise excluded from federal or state procurement and non-procurement programs. We are a trusted government partner, holding several large-scale and medium-scale contracts at the federal and state levels. NASPO ValuePoint Administrative Fee (5.1.4) CDS acknowledges that a 0.25% NASPO ValuePoint Administrative Fee and any Participating Entity Administrative fee will apply to total sales for the Master Agreement(s) awarded from the RFP.




Attachment G – Identification of Service Models Matrix

Copyright © 2018 Companion Data Services, LLC. All rights reserved.

7/6/2018

Attachment G

Attachment G – Identification of Service Models Matrix

Offerors must complete the following form to identify the service models your firm offers under this

RFP. You may provide a list of the different SaaS, IaaS, and/or PaaS services that you offer, including the

Categorization of Risk that you have the ability to store and secure. This document is to provide

purchasing entities and eligible users a quick snap shot of the cloud solutions your firm provides.

Service Model

Low Risk Data

Moderate Risk Data

High Risk Data

Deployment Models Offered

SaaS




Private Cloud (two options) 1. Hosted in our secure, HIPAA-

compliant Companion Data Services Data Center in Columbia, South Carolina (USA)

2. Hosted in Amazon Web Services government-rated cloud

IaaS Not applicable at this time

Not applicable at this time



PaaS Not applicable at this time






Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Mandatory Minimums Response July 6, 2018

The State of Utah Division of Purchasing

3150 State Office Building | 450 North State Street Salt Lake City, Utah 84114






Mandatory Minimums Response


7/6/2018

Page i

Table of Contents

Mandatory Minimums ................................................................................................................................ 1

1 General Requirements ...................................................................................................................... 1

1.1 Usage Report Administrator .................................................................................................. 1

1.2 Cooperation with NASPO ValuePoint and SciQuest ............................................................. 1

1.3 Cloud Security Alliance ......................................................................................................... 1

1.4 Service Level Agreement ....................................................................................................... 1

1.5 Solution Subcategories ........................................................................................................... 2

2 Recertification of Mandatory Minimums and Technical Specifications ...................................... 3






7/6/2018

Page ii

List of Figures

Figure 1. Service Level Agreement .............................................................................................................. 2






7/6/2018

Page 1

Mandatory Minimums

3.10, 5

1 General Requirements 5.3

1.1 Usage Report Administrator

5.3.1

Upon award of a contract, Companion Data Services, LLC (CDS) will provide a Usage Report

Administrator responsible for the quarterly sales reporting described in the Master Agreement Terms and

Conditions, and if applicable, Participating Addendums.

1.2 Cooperation with NASPO ValuePoint and SciQuest

5.3.2

If awarded a contract, CDS will cooperate with NASPO ValuePoint, SciQuest and any authorized agent

or successor entity to SciQuest to upload ordering instructions.

1.3 Cloud Security Alliance

5.3.3

CSA STAR Registry Self-Assessment CDS completed the CSA STAR Registry Self-Assessment. All information is accurate and current. Consensus Assessments Initiative Questionnaire Please refer to our completed Exhibit 1 to Attachment B. Cloud Controls Matrix CDS completed Exhibit 1 to Attachment B. This self-assessment document best fulfills the requirement

and provides the necessary security disclosure. 1.4 Service Level Agreement

5.3.4

Figure 1 depicts our typical response and resolution time chart for generic use in incident reporting. The

chart is provided for problem reporting only, providing an answer to a question may take a shorter time.

We will work with the customer to modify these response times or other proposed Service Level

Agreements to comply with requirements, laws or terms and conditions that are not in your best interest.






7/6/2018

Page 2

CDS Severity/Priority Levels CDS Response Time Standards

Resolution Path/Goals (Escalation)

1 – Severe

The system or major application is down or seriously impacted, users cannot log in and there is no reasonable workaround available.

CDS responds within one hour to the initial issue submission.

CDS begins continuous work on the problem; a customer resource must be available to assist with problem determination. CDS and the customer work together to determine if the problem is a product defect or environmental, network, hardware or configuration change. We will exhaust all resources to expediently determine the problem, inclusive of the use of remote support tools and deploying staff to the customer’s site. When system being down has been determined to be product defect based, we will provide our best effort for workaround or installation of a previous functioning version of product so that the system is back up and running within 48 hours. At that point, CDS and the customer will reclass the issue as a high priority and then follow the appropriate high-priority criteria detailed below.

2 – High

The system or application is moderately affected due to product defect and not product design. There is no workaround available or the workaround is cumbersome to use.

CDS responds within four business hours.

CDS will provide our best effort for a workaround or fix within 10 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.

3 – Medium

The system or application issue is not critical. The system has not failed. The issue has been identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.

CDS responds within 24 business hours.

CDS will provide best effort for a workaround or fix within 30 business days, once the problem is reproducible. We may choose to incorporate the resulting fix in a future release of the product where practical.

4 – Low

Noncritical issues, general questions, enhancement requests or the functionality does not match documented specifications.


Resolution of problem may appear in future release of software where practical. If the enhancement request is deemed to require custom programming, CDS will engage the customer in a process of specification, resulting in a custom programming specification document. This document will define the need, customer responsibilities, what CDS will provide as a solution and how and an estimate on the time and cost required.

Figure 1. Service Level Agreement

1.5 Solution Subcategories

5.3.5

Within the scope of this proposal, we offer our next-generation, high-powered, browser-based, highly-

configurable commercial off- the- shelf Enterprise Content Management/Business Process Management

product, DocFinity, as a service. Therefore, our proposed cloud service model is SaaS at this time.

Although the closest sub-category in the list provided within Attachment C of the Request for Proposal

(RFP) is “Electronic Records Management”, we would like to propose a new one called “Enterprise






7/6/2018

Page 3

Content Management / Business Process Management”. Appropriate generic description proposed, from

an objective and vendor-neutral perspective, would be the following:

Enterprise Content Management / Business Process Management: Enterprise Content Management,

Business Process Management, Electronic Document Management and Workflow solution utilizing a

high-powered, robust, proven, web-based, highly-configurable, commercial off-the-shelf (COTS)

application suite. Customer's government-sensitive data is hosted in a secure, compliant cloud

environment owned, operated or provisioned by the contractor. All managed services, including security,

are performed by the contractor. Contractor is responsible for the end-to-end solution including software,

server hardware, interoperability, professional services, software support and training.

2 Recertification of Mandatory Minimums and Technical Specifications 5.4

If awarded a contract under the RFP, CDS will annually certify to the Lead State that it still meets or

exceeds the technical capabilities discussed in its proposal.



Request for Proposal SK18008NASPO ValuePoint Master Agreement for Cloud Solutions

REDACTED COPY

AICPA

TSC 2009

AICPA

Trust Service Criteria (SOC 2SM Report)

AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI

GermanyCanada PIPEDA

CCM

V1.XCOBIT 4.1 COBIT 5.0 COPPA

CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European

Union Data Protection

Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)

--LOW IMPACT LEVEL--

FedRAMP Security Controls

(Final Release, Jan 2012)

--MODERATE IMPACT LEVEL-

-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC

27001:2013ITAR Jericho Forum

Mexico - Federal Law on

Protection of Personal

Data Held by Private

Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4

Appendix JNZISM PCI DSS v2.0 PCI DSS v3.0

Yes NoNot

Applicable

Domain > Container

> CapabilityPublic Priv ate PA ID PA lev el

AIS-01.1 Do you use industry standards (Build Security in Maturity Model

[BSIMM] benchmarks, Open Group ACS Trusted Technology

Provider Framework, NIST, etc.) to build in security for your

Systems/Software Development Lifecycle (SDLC)?

AIS-01.2 Do you use an automated source code analysis tool to detect

security defects in code prior to production?

AIS-01.3 Do you use manual source-code analysis to detect security defects

in code prior to production?

AIS-01.4 Do you verify that all of your software suppliers adhere to industry

standards for Systems/Software Development Lifecycle (SDLC)

security?

AIS-01.5 (SaaS only) Do you review your applications for security

vulnerabilities and address any issues prior to deployment to

production?

AIS-02.1 Are all identified security, contractual and regulatory

requirements for customer access contractually addressed and

remediated prior to granting customers access to data, assets and

information systems?

AIS- 02.2 Are all requirements and trust levels for customers’ access defined

and documented?

Application &

Interface Security

Data Integrity

AIS-03 AIS-03.1 Data input and output integrity routines (i.e., reconciliation and

edit checks) shall be implemented for application interfaces and

databases to prevent manual or systematic processing errors,

corruption of data, or misuse.

Are data input and output integrity routines (i.e., reconciliation

and edit checks) implemented for application interfaces and

databases to prevent manual or systematic processing errors or

corruption of data?

S3.4 (I3.2.0) The procedures related to completeness,

accuracy, timeliness, and authorization of inputs

are consistent with the documented system

processing integrity policies.

(I3.3.0) The procedures related to completeness,

accuracy, timeliness, and authorization of system

processing, including error correction and

database management, are consistent with

documented system processing integrity policies.

(I3.4.0) The procedures related to completeness,

accuracy, timeliness, and authorization of

outputs are consistent with the documented

system processing integrity policies.

(I3.5.0) There are procedures to enable tracing

of information inputs from their source to their

final disposition and vice versa.

PI1.2PI1.3PI1.5

I.4 G.16.3, I.3 Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-05 DSS06.02

DSS06.04

312.8 and 312.10 Application

Services >

Programming

Interfaces > Input

Validation

shared x Domain 10 NIST SP 800-53 R3 SI-2

NIST SP 800-53 R3 SI-3


NIST SP 800-53 R3 SI-2 (2)


NIST SP 800-53 R3 SI-3 (1)

NIST SP 800-53 R3 SI-3 (2)

NIST SP 800-53 R3 SI-3 (3)


NIST SP 800-53 R3 SI-4 (2)

NIST SP 800-53 R3 SI-4 (4)

NIST SP 800-53 R3 SI-4 (5)

NIST SP 800-53 R3 SI-4 (6)



NIST SP 800-53 R3 SI-7 (1)


NIST SP 800-53 R3 SI-10

NIST SP 800-53 R3 SI-11

1.2.6 45 CFR 164.312

(c)(1) (New)

45 CFR 164.312

(c)(2)(New)

45 CFR

164.312(e)(2)(i)(

New)

A.10.9.2

A.10.9.3

A.12.2.1

A.12.2.2

A.12.2.3

A.12.2.4

A.12.6.1

A.15.2.1

A13.2.1,

A13.2.2,

A9.1.1,

A9.4.1,

A10.1.1

A18.1.4

Commandment #1

Commandment #9

Commandment

#11

CIP-003-3 -

R4.2

SI-10

SI-11

SI-2

SI-3

SI-4

SI-6

SI-7

SI-9

AR-7 The organization

designs information

systems to support

privacy by automating

privacy controls.

14.5

14.6

PA25 GP PCI DSS v2.0

6.3.1

PCI DSS v2.0

6.3.2

6.3.1

6.3.2

Application &

Interface Security

Data Security /

Integrity

AIS-04 AIS-04.1 Policies and procedures shall be established and maintained in

support of data security to include (confidentiality, integrity and

availability) across multiple system interfaces, jurisdictions and

business functions to prevent improper disclosure, alternation, or

destruction.

Is your Data Security Architecture designed using an industry

standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural

Standard, FedRAMP, CAESARS)?

(S3.4) Procedures exist to protect against

unauthorized access to system resources.

CC5.6 B.1 G.8.2.0.2,

G.8.2.0.3,

G.12.1, G.12.4,

G.12.9,

G.12.10,

G.16.2,

G.19.2.1,

G.19.3.2,

G.9.4, G.17.2,

G.17.3, G.17.4,

G.20.1

6 (B)

26 (A+)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-03 COBIT 4.1 DS5.11 APO09.01

APO09.02

APO09.03

APO13.01

DSS05.02

DSS06.06

MEA03.01

MEA03.02

312.8 and 312.10 BOSS > Data

Governance >

Rules for

Information

Leakage

Prevention

shared x Domain 10 6.02. (b)

6.04.03. (a)

Article 17 (1), (2),(3), (4) NIST SP 800-53 R3 AC-1

NIST SP 800-53 R3 SC-1

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 AC-1




1.1.0

1.2.2

1.2.6

4.2.3

5.2.1

7.1.2

7.2.1

7.2.2

7.2.3

7.2.4

8.2.1

8.2.2

8.2.3

8.2.5

9.2.1

A.10.8.1

A.10.8.2

A.11.1.1

A.11.6.1

A.11.4.6

A.12.3.1

A.12.5.4

A.15.1.4

A13.2.1,

A13.2.2,

A9.1.1,

A9.4.1,

A10.1.1

A18.1.4

All AC-1

AC-4

SC-1

SC-16


designs information

systems to support


privacy controls.

16.5

16.8

17.4

PA20

PA25

PA29

GP

P

SGP

PCI DSS v2.0 2.3

PCI DSS v2.0

3.4.1,

PCI DSS v2.0 4.1

PCI DSS v2.0

4.1.1

PCI DSS v2.0 6.1

PCI DSS v2.0

6.3.2a

PCI DSS v2.0

6.5c

PCI DSS v2.0 8.3

PCI DSS v2.0

10.5.5

PCI DSS v2.0

11.5

2.3

3.4.1

4.1

4.1.1

6.1

6.3.2a

6.5c, 7.1, 7.2, 7.3,

8.1, 8.2, 8.3, 8.4,

8.5, 8.6, 8.7, 8.8

10.5.5, 10.8

11.5, 11.6

Audit Assurance &

Compliance

Audit Planning

AAC-01 AAC-01.1 Audit plans shall be developed and maintained to address business

process disruptions. Auditing plans shall focus on reviewing the

effectiveness of the implementation of security operations. All

audit activities must be agreed upon prior to executing any audits.

Do you produce audit assertions using a structured, industry

accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust,

SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management

Audit/Assurance Program, etc.)?

S4.1.0

S4.2.0

(S4.1.0) The entity’s system security is

periodically reviewed and compared with the

defined system security policies.

(S4.2.0) There is a process to identify and address

potential impairments to the entity’s ongoing

ability to achieve its objectives in accordance

with its defined system security policies.

CC4.1 L.1, L.2, L.7,

L.9, L.11

58 (B) CO-01 COBIT 4.1 ME

2.1, ME 2.2 PO

9.5 PO 9.6

APO12.04

APO12.05

APO12.06

MEA02.01

MEA02.02

Title 16 Part 312 BOSS >

Compliance >

Audit Planning

shared x Domain 2,

4

6.01. (d) NIST SP 800-53 R3 CA-2

NIST SP 800-53 R3 CA-2

(1)



NIST SP 800-53 R3 CA-2 (1)


NIST SP 800-53 R3 CA-7 (2)

NIST SP 800-53 R3 PL-6

10.2.5 45 CFR

164.312(b)

Clause 4.2.3 e)

Clause 4.2.3b

Clause 5.1 g

Clause 6

A.15.3.1

Clauses

4.3(a),

4.3(b),

5.1(e),

5.1(f),

6.2(e),

9.1,

9.1(e),

9.2,

9.3(f),

Commandment #1

Commandment #2

Commandment #3

CA-2

CA-7

PL-6

AR-4 Privacy Auditing

and Monitoring. To

promote accountability,

organizations identify

and address gaps in

privacy compliance,

management,

operational, and

technical controls by

conducting regular

5.1, 5.3, 5.4 PA15 SGP PCI DSS v2.0

2.1.2.b

AAC-02.1 Do you allow tenants to view your SOC2/ISO 27001 or similar third-

party audit or certification reports?AAC-02.2 Do you conduct network penetration tests of your cloud service

infrastructure regularly as prescribed by industry best practices

and guidance?AAC-02.3 Do you conduct application penetration tests of your cloud

infrastructure regularly as prescribed by industry best practices

and guidance?

AAC-02.4 Do you conduct internal audits regularly as prescribed by industry

best practices and guidance?AAC-02.5 Do you conduct external audits regularly as prescribed by industry

best practices and guidance?AAC-02.6 Are the results of the penetration tests available to tenants at

their request?AAC-02.7 Are the results of internal and external audits available to tenants

at their request?AAC-02.8 Do you have an internal audit program that allows for cross-

functional audit of assessments?

AAC-03.1 Do you have the ability to logically segment or encrypt customer

data such that data may be produced for a single tenant only,

without inadvertently accessing another tenant's data?

AAC-03.2 Do you have capability to recover data for a specific customer in

the case of a failure or data loss?

AAC-03.3 Do you have the capability to restrict the storage of customer

data to specific countries or geographic locations?

AAC-03.4 Do you have a program in place that includes the ability to

monitor changes to the regulatory requirements in relevant

jurisdictions, adjust your security program for changes to legal

requirements, and ensure compliance with relevant regulatory

requirements?

BCR-01.1 Do you provide tenants with geographically resilient hosting

options?

BCR-01.2 Do you provide tenants with infrastructure service failover

capability to other providers?

Business Continuity

Management &

Operational Resilience

Business Continuity

Testing

BCR-02 BCR-02.1 Business continuity and security incident response plans shall be

subject to testing at planned intervals or upon significant

organizational or environmental changes. Incident response plans

shall involve impacted customers (tenant) and other business

relationships that represent critical intra-supply chain business

process dependencies.

Are business continuity plans subject to test at planned intervals or

upon significant organizational or environmental changes to

ensure continuing effectiveness?

A3.3 (A3.3) Procedures exist to provide for backup,

offsite storage, restoration, and disaster

recovery consistent with the entity’s defined

system availability and related security policies.

A1.2 K.1.3, K.1.4.3,

K.1.4.6,

K.1.4.7,

K.1.4.8,

K.1.4.9,

K.1.4.10,

K.1.4.11,

K.1.4.12

52 (B)

55 (A+)

RS-04 DSS04.04 BOSS >

Operational Risk

Management >

Business

Continuity

provider x Domain 7,

8

6.07.01. (b)

6.07.01. (j)

6.07.01. (l)

NIST SP800-53 R3 CP-2




NIST SP800-53 R3 CP-2 (1)

NIST SP800-53 R3 CP-2 (2)



NIST SP800-53 R3 CP-4 (1)

45 CFR 164.308

(a)(7)(ii)(D)

A.14.1.5 A17.3.1 Commandment #1

Commandment #2

Commandment #3

CP-2

CP-3

CP-4

4.4

5.2(time limit)

6.3(whenever change

occurs)

PA15 SGP PCI DSS v2.0

12.9.2

12.9.2, 12.10.2

BCR-03.1 Do you provide tenants with documentation showing the

transport route of their data between your systems?

BCR-03.2 Can tenants define how their data is transported and through

which legal jurisdictions?

Business Continuity

Management &


Documentation

BCR-04 BCR-04.1 Information system documentation (e.g., administrator and user

guides, and architecture diagrams) shall be made available to

authorized personnel to ensure the following:

• Configuring, installing, and operating the information system

• Effectively using the system’s security features

Are information system documents (e.g., administrator and user

guides, architecture diagrams, etc.) made available to authorized

personnel to ensure configuration, installation and operation of

the information system?

S3.11.0

A.2.1.0

(S3.11.0) Procedures exist to provide that

personnel responsible for the design,

development, implementation, and operation of

systems affecting security have the qualifications

and resources to fulfill their responsibilities.

(A.2.1.0) The entity has prepared an objective

description of the system and its boundaries and

communicated such description to authorized

users.

CC1.3CC1.4

CC2.1

G.1.1 56 (B)

57 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

OP-02 COBIT 4.1 DS 9,

DS 13.1

BAI08

BAI10

DSS01.01

312.8 and 312.10 SRM > Policies

and Standards >

Job Aid Guidelines

shared x Domain 7,

8

Article 17 NIST SP 800-53 R3 CP-9

NIST SP 800-53 R3 CP-10

NIST SP 800-53 R3 SA-5

NIST SP 800-53 R3 CP-9

NIST SP 800-53 R3 CP-9 (1)

NIST SP 800-53 R3 CP-9 (3)

NIST SP 800-53 R3 CP-10

NIST SP 800-53 R3 CP-10 (2)

NIST SP 800-53 R3 CP-10 (3)


NIST SP 800-53 R3 SA-5 (1)

NIST SP 800-53 R3 SA-5 (3)

NIST SP 800-53 R3 SA-10

NIST SP 800-53 R3 SA-11

NIST SP 800-53 R3 SA-11 (1)

1.2.6 Clause 4.3.3

A.10.7.4

Clause 9.2(g) Commandment #1

Commandment #2

Commandment #4

Commandment #5

Commandment

#11

CIP-005-

3a - R1.3

CIP-007-3 -

R9

CP-9

CP-10

SA-5

SA-10

SA-11

10.5

13.5

17.1

PCI DSS v2.0

12.1

PCI DSS v2.0

12.2

PCI DSS v2.0

12.3

PCI DSS v2.0

12.4

1.1.2, 1.1.3, 2.2,

12.3

12.6

Consensus Assessment Answers Notes

4.1.1, 4.2, 4.3

11.2

11.3

6.3.2, 6.6

11.2.1, 11.2.2,

11.2.3, 11.3.1,

11.3.2, 12.1.2.b,

12.8.4

3.1

12.9.1

12.9.3

12.9.4

12.9.6

4.1, 4.1.1, 9.1, 9.2

ODCA UM: PA R2.0

PA17

PA31

SGP

BSGP

PA18 GP

PA15 SGP

14.5

14.6

9.2

6.1

1.2

2.2

3.3

5.2

6.4

10.1

10.2

10.3

10.4

10.5

10.6


designs information

systems to support


privacy controls.

AP-1 The organization

determines and

documents the legal

authority that permits

the collection, use,

maintenance, and

sharing of personally

identifiable information

(PII), either generally or

in support of a specific

program or information

system need.

AR-4. Privacy Auditing

and Monitoring. These

assessments can be self-

assessments or third

party audits that result in

reports on compliance

gaps identified in

programs, projects, and

information systems.

UL-2 INFORMATION

SHARING WITH THIRD

PARTIES - a. Shares

personally identifiable

information (PII)

externally, only for the

authorized purposes

identified in the Privacy

Act and/or described in

its notice(s) or for a

purpose that is

compatible with those

purposes; b. Where

appropriate, enters into

Memoranda of

Understanding,

Memoranda of

Agreement, Letters of

Intent, Computer

Matching Agreements,

CSA Enterprise Architecture (formerly the Trusted

Cloud Initiative)

Application

Services >

Development

Process >

Software Quality

Assurance

shared x

BOSS > Legal

Services >

Contracts

shared x

BOSS >

Compliance >

Independent

Audits

shared x

BOSS >

Compliance >

Information

System

Regulatory

Mapping

shared x

BOSS >

Operational Risk

Management >

Business

Continuity

provider x

Infra Services >

Facility Security >

Environmental

Risk

Management

312.8 and 312.10

312.3, 312.8 and

312.10

Title 16 Part 312

312.4

312.8 and 312.10

APO09.03

APO13.01

BAI03.01

BAI03.02

BAI03.03

BAI03.05

MEA03.01

MEA03.02

APO09.01

APO09.02

APO09.03

APO13.01

BAI02

DSS05

APO12.04

APO12.05

DSS05.07

MEA02.06

MEA02.07

MEA02.08

MEA03.01

APO12.01

APO12.02

APO12.03

MEA03.01

DSS04.01

DSS04.02

DSS04.03

DSS04.05

DSS01.03

DSS01.04

DSS01.05

DSS04.03

CC5.1

CC4.1

CC3.1

CC3.1

A1.2

A1.3

A1.1A1.2

A1.3

PCI DSS v2.0

3.1.1

PCI DSS v2.0 3.1

45 CFR 164.308

(a)(7)(i)

45 CFR 164.308

(a)(7)(ii)(B)

45 CFR 164.308

(a)(7)(ii)(C)

45 CFR 164.308

(a)(7)(ii)(E)

45 CFR 164.310

(a)(2)(i)

45 CFR 164.312

(a)(2)(ii)

Clause 5.1

A.6.1.2

A.14.1.3

A.14.1.4

Commandment #1

Commandment #2

Commandment #3

ISO/IEC

27001:2005

Clause 4.2.1 b)

2)

Clause 4.2.1 c) 1)

Clause 4.2.1 g)

Clause 4.2.3 d)

6)

Clause 4.3.3

Clause 5.2.1 a - f

Clause 7.3 c) 4)

A.7.2.1

A.15.1.1

A.15.1.3

A.15.1.4

A.15.1.6

Clauses

4.2(b),

4.4,

5.2(c),

5.3(ab),

6.1.2,

6.1.3,

6.1.3(b),

7.5.3(b),

7.5.3(d),

8.1,

8.3

9.2(g),

9.3,

9.3(b),

9.3(f),

10.2,

A.8.2.1,

Clause 5.1(h)

A.17.1.2

A.17.1.2

A11.2.2,

A11.2.3

CP-1

CP-2

CP-3

CP-4

CP-6

CP-7

CP-8

CP-9

CP-10

PE-17

PCI DSS v2.0

12.9.1

PCI DSS v2.0

12.9.3

PCI DSS v2.0

12.9.4

PCI DSS v2.0

12.9.6

PE-1

PE-4

PE-13

Commandment #1

Commandment #2

Commandment #3

Commandment #4

Commandment #9

Commandment

#11

Business Continuity

Management &


Power /

Telecommunications

BCR-03 Datacenter utilities services and environmental conditions (e.g.,

water, power, temperature and humidity controls,

telecommunications,and internet connectivity) shall be secured,

monitored, maintained, and tested for continual effectiveness at

planned intervals to ensure protection from unauthorized

interception or damage, and designed with automated fail-over

or other redundancies in the event of planned or unplanned

disruptions.

A3.2.0

A3.4.0

(A3.2.0) Measures to prevent or mitigate threats

have been implemented consistent with the risk

assessment when commercially practicable.

(A3.4.0) Procedures exist to protect against

unauthorized access to system resource.

F.1 F.1.6, F.1.6.1,

F.1.6.2, F.1.9.2,

F.2.10, F.2.11,

F.2.12

9 (B)

10 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RS-08 Domain 7,

8

6.08. (a)

6.09. (c)

6.09. (f)

6.09. (g)

Article 17 (1), (2) NIST SP800-53 R3 PE-1

NIST SP800-53 R3 PE-13


(1)


(2)


(3)




NIST SP800-53 R3 PE-13 (1)

NIST SP800-53 R3 PE-13 (2)

NIST SP800-53 R3 PE-13 (3)

provider x

6.03.01. (c) Article: 27 (3) NIST SP 800-53 R3 SC-5



NIST SP 800-53 R3 SC-12

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-14







NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)


NIST SP 800-53 R3 SC-8 (1)


NIST SP 800-53 R3 SC-9 (1)

NIST SP 800-53 R3 SC-10

NIST SP 800-53 R3 SC-11

NIST SP 800-53 R3 SC-12

NIST SP 800-53 R3 SC-12 (2)

NIST SP 800-53 R3 SC-12 (5)

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-13 (1)

NIST SP 800-53 R3 SC-14

NIST SP 800-53 R3 SC-17

NIST SP 800-53 R3 SC-18

1.2.6

Audit Assurance &

Compliance

Independent Audits

Domain 10

Business Continuity

Management &


Business Continuity

Planning

BCR-01 A consistent unified framework for business continuity planning

and plan development shall be established, documented and

adopted to ensure all business continuity plans are consistent in

addressing priorities for testing, maintenance, and information

security requirements. Requirements for business continuity plans

include the following:

• Defined purpose and scope, aligned with relevant dependencies

• Accessible to and understood by those who will use them

• Owned by a named person(s) who is responsible for their

review, update, and approval

• Defined lines of communication, roles, and responsibilities

• Detailed recovery procedures, manual work-around, and

reference information

• Method for plan invocation

A3.1.0

A3.3.0

A3.4.0

(A3.1.0) Procedures exist to (1) identify potential

threats of disruptions to systems operation that

would impair system availability commitments

and (2) assess the risks associated with the

identified threats.

(A3.3.0) Procedures exist to provide for backup,




(A3.4.0) Procedures exist to provide for the

integrity of backup data and systems maintained

to support the entity’s defined system availability

and related security policies.

K.1.2.3.

K.1.2.4,

K.1.2.5,

K.1.2.6,

K.1.2.7,

K.1.2.11,

K.1.2.13,

K.1.2.15

RS-03 Domain 7,

8

6.07. (a)

6.07. (b)

6.07. (c)

Article 17 (1), (2) NIST SP800-53 R3 CP-1








NIST SP800-53 R3 CP-2 (1)

NIST SP800-53 R3 CP-2 (2)



NIST SP800-53 R3 CP-4 (1)


NIST SP800-53 R3 CP-6 (1)

NIST SP800-53 R3 CP-6 (3)


NIST SP800-53 R3 CP-7 (1)

NIST SP800-53 R3 CP-7 (2)

NIST SP800-53 R3 CP-7 (3)

NIST SP800-53 R3 CP-7 (5)


NIST SP800-53 R3 CP-8 (1)

NIST SP800-53 R3 CP-8 (2)


NIST SP800-53 R3 CP-9 (1)

AAC-02 Independent reviews and assessments shall be performed at least

annually to ensure that the organization addresses

nonconformities of established policies, standards, procedures and

compliance obligations.

S4.1.0

S4.2.0

(S4.1.0) The entity’s system security is



(S4.2.0) There is a process to identify and address

potential impairments to the entity’s ongoing

ability to achieve its objectives in accordance

with its defined system security policies.

L.2, L.4, L.7,

L.9, L.11

58 (B)

59 (B)

61 (C+,

A+)

76 (B)

77 (B)




(1)


NIST SP 800-53 R3 RA-5

COBIT 4.1 AI2.4CC7.1

CCM v3.0.1 Compliance Mapping

6, 6.545 CFR

164.312(e)(2)(i)

A.11.5.6

A.11.6.1

A.12.2.1

A.12.2.2

A.12.2.3

A.12.2.4

A.12.5.2

A.12.5.4

A.12.5.5

A.12.6.1

A.15.2.1

Commandment #1

Commandment #2

Commandment #4

Commandment #5

Commandment

#11

CIP-007-3 -

R5.1

SC-2

SC-3

SC-4

SC-5

SC-6

SC-7

SC-8

SC-9

SC-10

SC-11

SC-12

SC-13

SC-14

SC-17

SC-18

SC-20

SC-21

SC-22

SC-23

PCI DSS v2.0 6.5

Application &

Interface Security

Customer Access

Requirements

AIS-02 Prior to granting customers access to data, assets, and

information systems, (removed all) identified security,

contractual, and regulatory requirements for customer access

shall be addressed.

Commandment #1

Commandment #2

Commandment #3

Chapter VI, Section 1

Article 39, I. and VIII.

Chapter 8

Article 59

CIP-003-3 -

R1.3 -

R4.3

CIP-004-3

R4 - R4.2

CIP-005-

3a - R1 -

R1.1 -

R1.2

CA-1

CA-2

CA-6

RA-5

PCI DSS v2.0

11.2

PCI DSS v2.0

11.3

PCI DSS v2.0 6.6

PCI DSS v2.0

12.1.2.b

COBIT 4.1 DS5.5,

ME2.5, ME 3.1

PO 9.6

Domain 2,

4

6.03. (e)

6.07.01. (m)

6.07.01. (n)

A9.4.2

A9.4.1,

8.1*Partial,

A14.2.3,

8.1*partial,

A.14.2.7

A12.6.1,

A18.2.2

A9.1.1.

Clauses

4.3(a),

4.3(b),

5.1(e),

5.1(f),

9.1,

9.2,

9.3(f),

A18.2.1

SA-01Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.3

Control Group CGID CID Control Specification Consensus Assessment Questions

Application &

Interface Security

Application Security

AIS-01 Applications and programming interfaces (APIs) shall be designed,

developed, deployed and tested in accordance with leading

industry standards (e.g., OWASP for web applications) and adhere

to applicable legal, statutory, or regulatory compliance

obligations.

S3.10.0 (S3.10.0) Design, acquisition, implementation,

configuration, modification, and management of

infrastructure and software are consistent with

defined system security policies to enable

authorized access and to prevent unauthorized

access.

(S3.10.0) Design, acquisition, implementation,



defined processing integrity and related security

policies.

I.4 G.16.3, I.3 Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-04

C.2.1, C.2.3,

C.2.4, C.2.6.1,

H.1

10 (B)

11 (A+)

(S3.2.a) a. Logical access security measures to

restrict access to information resources not

deemed to be public.

CO-02

Audit Assurance &

Compliance

Information System

Regulatory Mapping

AAC-03 Organizations shall create and maintain a control framework

which captures standards, regulatory, legal, and statutory

requirements relevant for their business needs. The control

framework shall be reviewed at least annually to ensure changes

that could affect the business processes are reflected.

CONSENSUS ASSESSMENTS INITIATIVE

QUESTIONNAIRE v3.0.1

CA-1

CA-2

CA-5

CA-6

A.6.2.1

A.6.2.2

A.11.1.1

1.2.2

1.2.6

6.2.1

6.2.2



NIST SP 800-53 R3 CA-2 (1)






(1)



Article 17 (1), (2)Domain 10



NIST SP 800-53 R3 CA-2 (1)



NIST SP 800-53 R3 RA-5 (1)

NIST SP 800-53 R3 RA-5 (2)

NIST SP 800-53 R3 RA-5 (3)

NIST SP 800-53 R3 RA-5 (6)

NIST SP 800-53 R3 RA-5 (9)

A.9.2.2

A.9.2.3

Commandment #6

Commandment #7

Commandment #8

1.2.5

1.2.7

4.2.1

8.2.7

10.2.3

10.2.5

COBIT 4.1 ME 3.1 Domain 2,

4

S3.2a

45 CFR 164.308

(a)(8)

45 CFR

164.308(a)(1)(ii)(

D)

Clause 4.2.3e

Clause 5.1 g

Clause 5.2.1 d)

Clause 6

A.6.1.8

Blue text is CONFIDENTIAL content – See REDACTED COPY

© 2018 copyright of Companion Data Services, LLC. All rights reserved. CSA CAIQ v3.0.1 Attachment B: Exhibit 1 - Page 1 of 11




REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container



ODCA UM: PA R2.0CSA Enterprise Architecture (formerly the Trusted

Cloud Initiative)





Business Continuity

Management &


Environmental Risks

BCR-05 BCR-05.1 Physical protection against damage from natural causes and

disasters, as well as deliberate attacks, including fire, flood,

atmospheric electrical discharge, solar induced geomagnetic

storm, wind, earthquake, tsunami, explosion, nuclear accident,

volcanic activity, biological hazard, civil unrest, mudslide, tectonic

activity, and other forms of natural or man-made disaster shall be

anticipated, designed, and have countermeasures applied.

Is physical protection against damage (e.g., natural causes,

natural disasters, deliberate attacks) anticipated and designed

with countermeasures applied?

A3.1.0

A3.2.0





identified threats.




CC3.1

A1.1A1.2

F.1 F.2.9, F.1.2.21,

F.5.1, F.1.5.2,

F.2.1, F.2.7,

F.2.8

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RS-05 DSS01.03

DSS01.04

DSS01.05

Infra Services >

Facility Security >

Environmental

Risk

Management


8

6.07. (d)

6.08. (a)

6.09. (a)

6.09. (b)

6.09. (d)







NIST SP800-53 R3 PE-13 (1)

NIST SP800-53 R3 PE-13 (2)

NIST SP800-53 R3 PE-13 (3)




8.2.4 45 CFR 164.308

(a)(7)(i)

45 CFR

164.310(a)(2)(ii)

(New)

A.9.1.4

A.9.2.1

A11.1.4,

A11.2.1

Commandment #1

Commandment #2

Commandment #3

CIP-004-3

R3.2

PE-1

PE-13

PE-14

PE-15

PE-18

8.1

8.4

PA15 SGP 3.5.2, 3.6.3, 3.7,

5.1, 5.2, 5.3,

6.1, 6.2,

7.1, 7.2,

9.1, 9.2, 9.3, 9.4,

9.5, 9.6,

9.7, 9.8, 9.9,

12.2

Business Continuity

Management &


Equipment Location

BCR-06 BCR-06.1 To reduce the risks from environmental threats, hazards, and

opportunities for unauthorized access, equipment shall be kept

away from locations subject to high probability environmental

risks and supplemented by redundant equipment located at a

reasonable distance.

Are any of your data centers located in places that have a high

probability/occurrence of high-impact environmental risks (floods,

tornadoes, earthquakes, hurricanes, etc.)?

A3.1.0

A3.2.0





identified threats.




CC3.1

A1.1A1.2

F.1 F.2.9, F.1.2.21,

F.5.1, F.1.5.2,

F.2.1, F.2.7,

F.2.8

53 (A+)

75 (C+,

A+)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RS-06 DSS01.04

DSS01.05

312.8 and 312.10 Infra Services >

Facility Security >

Environmental

Risk

Management


8

6.07. (d)

6.08. (a)

6.09. (a)

6.09. (b)

6.09. (d)









45 CFR 164.310

(c)

A.9.2.1 A11.2.1 Commandment #1

Commandment #2

Commandment #3

PE-1

PE-5

PE-14

PE-15

PE-18

8.1 PA15 SGP PCI DSS v2.0

9.1.3

PCI DSS v2.0 9.5

PCI DSS v2.0 9.6

PCI DSS v2.0 9.9

PCI DSS v2.0

9.9.1

9.1.3

9.5

9.6

9.9

9.9.1, 12.2

BCR-07.1 If using virtual infrastructure, does your cloud solution include

independent hardware restore and recovery capabilities?

BCR-07.2 If using virtual infrastructure, do you provide tenants with a

capability to restore a Virtual Machine to a previous state in time?

BCR-07.3 If using virtual infrastructure, do you allow virtual machine images

to be downloaded and ported to a new cloud provider?

BCR-07.4 If using virtual infrastructure, are machine images made available

to the customer in a way that would allow the customer to

replicate those images in their own off-site storage location?

BCR-07.5 Does your cloud solution include software/provider independent

restore and recovery capabilities?

Business Continuity

Management &


Equipment Power

Failures

BCR-08 BCR-08.1 Protection measures shall be put into place to react to natural

and man-made threats based upon a geographically-specific

Business Impact Assessment

Are security mechanisms and redundancies implemented to

protect equipment from utility service outages (e.g., power

failures, network disruptions, etc.)?

A3.2.0 (A3.2.0) Measures to prevent or mitigate threats



A1.1A1.2

F.1 F.1.6, F.1.6.1,

F.1.6.2, F.1.9.2,

F.2.10, F.2.11,

F.2.12

54 (A+) Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RS-07 DSS01.04

DSS01.05

DSS04.01

DSS04.02

DSS04.03


Facility Security >

Environmental

Risk

Management


8

6.08. (a)

6.09. (e)

6.09. (f)






NIST SP800-53 R3 CP-8 (1)

NIST SP800-53 R3 CP-8 (2)







NIST SP800-53 R3 PE-13 (1)

NIST SP800-53 R3 PE-13 (2)

NIST SP800-53 R3 PE-13 (3)


A.9.2.2

A.9.2.3

A 9.2.4

A.11.2.2,

A.11.2.3,

A.11.2.4

Commandment #1

Commandment #2

Commandment #3

CP-8

PE-1

PE-9

PE-10

PE-11

PE-12

PE-13

PE-14

8.1

8.2

8.3

8.4

PA15 SGP

BCR-09.1 Do you provide tenants with ongoing visibility and reporting of

your operational Service Level Agreement (SLA) performance?

BCR-09.2 Do you make standards-based information security metrics (CSA,

CAMM, etc.) available to your tenants?

BCR-09.3 Do you provide customers with ongoing visibility and reporting of

your SLA performance?

Business Continuity

Management &


Policy

BCR-10 BCR-10.1 Policies and procedures shall be established, and supporting

business processes and technical measures implemented, for

appropriate IT governance and service management to ensure

appropriate planning, delivery and support of the organization's IT

capabilities supporting business functions, workforce, and/or

customers based on industry acceptable standards (i.e., ITIL v4

and COBIT 5). Additionally, policies and procedures shall include

defined roles and responsibilities supported by regular workforce

training.

Are policies and procedures established and made available for all

personnel to adequately support services operations’ roles?

S2.3.0 (S2.3.0) Responsibility and accountability for the

entity’s system availability, confidentiality of

data, processing integrity, system security and

related security policies and changes and

updates to those policies are communicated to

entity personnel responsible for implementing

them.

CC3.2 G.1.1 45 (B) OP-01 COBIT 4.1 DS13.1 APO01

APO07.01

APO07.03

APO09.03

DSS01.01

SRM > Policies

and Standards >

Operational

Security Baselines

shared x Domain 7,

8

6.03. (c) NIST SP 800-53 R3 CM-2

NIST SP 800-53 R3 CM-4


NIST SP 800-53 R3 MA-4





NIST SP 800-53 R3 CM-2 (1)

NIST SP 800-53 R3 CM-2 (3)

NIST SP 800-53 R3 CM-2 (5)


NIST SP 800-53 R3 CM-3 (2)




NIST SP 800-53 R3 CM-6 (1)

NIST SP 800-53 R3 CM-6 (3)



NIST SP 800-53 R3 MA-4 (1)

NIST SP 800-53 R3 MA-4 (2)



NIST SP 800-53 R3 SA-4 (1)

NIST SP 800-53 R3 SA-4 (4)

NIST SP 800-53 R3 SA-4 (7)


NIST SP 800-53 R3 SA-5 (1)

NIST SP 800-53 R3 SA-5 (3)


NIST SP 800-53 R3 SA-10

NIST SP 800-53 R3 SA-11

NIST SP 800-53 R3 SA-11 (1)

NIST SP 800-53 R3 SA-12

8.2.1 Clause 5.1

A 8.1.1

A.8.2.1

A 8.2.2

A.10.1.1

Clause 5.1(h)

A.6.1.1

A.7.2.1

A.7.2.2

A.12.1.1

Commandment #1

Commandment #2

Commandment #3

Commandment #6

Commandment #7

CM-2

CM-3

CM-4

CM-5

CM-6

CM-9

MA-4

SA-3

SA-4

SA-5

SA-8

SA-10

SA-11

SA-12

PCI DSS v2.0

12.1

PCI DSS v2.0

12.2

PCI DSS v2.0

12.3

PCI DSS v2.0

12.4

4.3, 10.8,

11.1.2,

12.1

12.2

12.3

12.4

12.5, 12.5.3,

12.6, 12.6.2,

12.10

BCR-11.1 Do you have technical control capabilities to enforce tenant data

retention policies?

BCR-11.2 Do you have a documented procedure for responding to requests

for tenant data from governments or third parties?

BCR-11.4 Have you implemented backup or redundancy mechanisms to

ensure compliance with regulatory, statutory, contractual or

business requirements?

BCR-11.5 Do you test your backup or redundancy mechanisms at least

annually?

CCC-01.1 Are policies and procedures established for management

authorization for development or acquisition of new applications,

systems, databases, infrastructure, services, operations and

facilities?

CCC-01.2 Is documentation available that describes the installation,

configuration and use of products/services/features?

CCC-02.1 Do you have controls in place to ensure that standards of quality

are being met for all software development?

CCC-02.2 Do you have controls in place to detect source code security

defects for any outsourced software development activities?

CCC-03.1 Do you provide your tenants with documentation that describes

your quality assurance process?

CCC-03.2 Is documentation describing known issues with certain

products/services available?

CCC-03.3 Are there policies and procedures in place to triage and remedy

reported bugs and security vulnerabilities for product and service

offerings?

CCC-03.4 Are mechanisms in place to ensure that all debugging and test

code elements are removed from released software versions?

10.8, 11.6

3.1

3.1.a

3.2

9.9.1

9.5. 9.5.1

9.6. 9.7, 9.8

10.7, 12.10.1

6.3.2, 12.3.4

2.1, 2.2.4, 2.3, 2.5

3.3, 3.4, 3.6

4.1, 4.2

6.3.1, 6.3.2, 6.4.2,

6.4.3, 6.4.4,

6.4.5.2

6.7

7.1, 7.1.3, 7.1.4

8.3, 8.5.1, 8.7

9.1

9.1.2

9.2

10.5

11.5

12.3

12.8

6.1

6.2

6.3

6.4

6.5

6.6

6.7

PA8

PA15

BSGP

SGP

PA8

PA15

BSGP

SGP

PA17

3.3

12.1

12.5

14.5 (software)

6.4

6.4

13.1

12.1

2.2

4.1

12.1

14.1

14.2

FTC Fair Information

Principles

Integrity/Security

Security involves both

managerial and technical

measures to protect

against loss and the

unauthorized access,

destruction, use, or

disclosure of the

data.(49) Managerial

measures include

internal organizational

measures that limit

access to data and

ensure that those

individuals with access do

not utilize the data for

unauthorized purposes.

Technical security

measures to prevent

unauthorized access

include encryption in the

x

312.3

BAI03.10

BAI04.03

BAI04.04

DSS03.05

BAI06.01

BAI10.01

BAI10.02

BAI10.03

DSS04.01

DSS04.02

BAI09.01

BAI09.02

BAI09.03

DSS04.01

DSS04.02

DSS04.03

DSS04.04

DSS04.07

MEA03.01

APO01.02

APO01.06

BAI02.04

BAI06.01

APO07.06

APO09.03

APO09.04

APO10.01

APO10.04

APO10.05

APO11.01

APO11.02

APO11.04

APO11.05

APO11.01

APO11.02

APO11.04

APO11.05

BAI02.04

BAI03.06

BAI03.08

BAI07.03

BAI07.05

A1.1A1.2

CC4.1

CC3.1

A1.2

A1.3

A1.2

A1.3

I3.21

CC7.2

CC7.1

CC7.4

CC7.1

CC7.4

CC7.1CC7.1CC7.1CC7.1

CC7.4

Change Control &

Configuration

Management

Quality Testing

CCC-03 Organization shall follow a defined qualty change control and

testing process (e.g. ITIL Service Management) with established

baselines, testing and release standards which focus on system

availability, confidentiality and integrity of systems and services

ITOS > Service

Support >

Release

Management

shared x A.6.1.3

A.10.1.1

A.10.1.4

A.10.3.2

A.12.1.1

A.12.2.1

A.12.2.2

A.12.2.3

A.12.2.4

A.12.4.1

A.12.4.2

A.12.4.3

A.12.5.1

A.12.5.2

A.12.5.3

A.12.6.1

A.13.1.2

A.15.2.1

A.15.2.2

Commandment #1

Commandment #2

Commandment #3

None 6.03.01. (b)

6.03.01. (d)








NIST SP 800-53 R3 CM-2 (1)

NIST SP 800-53 R3 CM-2 (3)

NIST SP 800-53 R3 CM-2 (5)



NIST SP 800-53 R3 SA-4 (1)

NIST SP 800-53 R3 SA-4 (4)

NIST SP 800-53 R3 SA-4 (7)


NIST SP 800-53 R3 SA-5 (1)

NIST SP 800-53 R3 SA-5 (3)


NIST SP 800-53 R3 SA-10

NIST SP 800-53 R3 SA-11

NIST SP 800-53 R3 SA-11 (1)

9.1.0

9.1.1

9.2.1

9.2.2

PCI DSS v2.0

1.1.1

PCI DSS v2.0 6.1

PCI DSS v2.0 6.4

ITOS > IT

Operation >

Architecture

Governance

Commandment #1

Commandment #2

Commandment #3

SA-4

SA-5

SA-8

SA-9

SA-10

SA-11

SA-12

SA-13

PCI DSS v2.0

3.6.7

PCI DSS v2.0

6.4.5.2

PCI DSS v2.0

7.1.3

PCI DSS v2.0

8.5.1

PCI DSS v2.0 9.1

PCI DSS v2.0

9.1.2

PCI DSS v2.0

9.2b

PCI DSS v2.0

9.3.1

PCI DSS v2.0

10.5.2

PCI DSS v2.0

11.5

PCI DSS v2.0

12.3.1

PCI DSS v2.0

12.3.3

Change Control &

Configuration

Management

New Development /

Acquisition

CCC-01 Policies and procedures shall be established, and supporting

business processes and technical measures implemented, to

ensure the development and/or acquisition of new data, physical

or virtual applications, infrastructure network and systems

components, or any corporate, operations and/or datacenter

facilities have been pre-authorized by the organization's business

leadership or other accountable business role or function.

S3.12.0

S3.10.0

S3.13.0

(S3.12.0) Procedures exist to maintain system

components, including configurations consistent

with the defined system security policies.





(S3.13.0) Procedures exist to provide that only

authorized, tested, and documented changes

are made to the system.

I.2 I.1.1, I.1.2, I.2.

7.2, I.2.8, I.2.9,

I.2.10, I.2.13,

I.2.14, I.2.15,

I.2.18, I.2.22.6,

L.5

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RM-01 COBIT 4.1 A12, A

16.1

SGPChange Control &

Configuration

Management

Outsourced

Development

CCC-02 External business partners shall adhere to the same policies and

procedures for change management, release, and testing as

internal developers within the organization (e.g. ITIL service

management processes).

S3.10.0

S3.13




defined system availability, confidentiality of

data, processing integrity, systems security and

related security policies.

(S3.13) Procedures exist to provide that only



C.2

I.1

I.2

I.4

C.2.4, G.4, G6,

I.1, I.4.4, I.4.5,

I.2.7.2, I.2.8,

I.2.9, I.2.15,

I.2.18, I.2.22.6,

I.2.7.1, I.2.13,

I.2.14, I.2.17,

I.2.20, I.2.22.2,

I.2.22.4,

I.2.22.7,

I.2.22.8,

I.2.22.9,

I.2.22.10,

I.2.22.11,

I.2.22.12,

I.2.22.13,

I.2.22.14, I.3,

J.1.2.10, L.7,

L.9, L.10

27 (B) Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RM-04

Chapter II

Article 11, 13

CIP-003-3 -

R4.1

CP-2

CP-6

CP-7

CP-8

CP-9

SI-12

AU-11

PCI DSS v2.0 3.1

PCI DSS v2.0

3.1.1

PCI DSS v2.0 3.2

PCI DSS v2.0

9.9.1

PCI DSS v2.0 9.5

PCI DSS v2.0 9.6

PCI DSS v2.0

10.7

None 6.03. (a) NIST SP 800-53 R3 CA-1















NIST SP 800-53 R3 SA-4 (1)

NIST SP 800-53 R3 SA-4 (4)

NIST SP 800-53 R3 SA-4 (7)

1.2.6

BOSS > Data

Governance >

Data Retention

Rules

shared x

ITOS > IT

Operation >

Architecture

Governance

shared A.14.1.1

A.12.5.1

A.14.3.1

A.9.4.5

8.1* (partial)

A.14.2.7

A.18.1.3

A.18.1.4

A18.2.1

A.15.1.2

A.12.1.4

8.1* (partial)

8.1* (partial)

A.15.2.1

8.1* (partial)

A.15.2.2

A.14.2.9

A.14.1.1

A.12.5.1

A.14.3.1

A.9.4.5

8.1* (partial)

A.14.2.2

8.1* (partial)

A.14.2.3

8.1* (partial)

A.14.2.4

8.1* (partial)

A.14.2.7

A.12.6.1

A.16.13

A.18.2.2

A.18.2.3

PCI DSS v2.0

6.3.2

None NIST SP 800-53 R3 SA-4




NIST SP 800-53 R3 SA-4 (1)

NIST SP 800-53 R3 SA-4 (4)

NIST SP 800-53 R3 SA-4 (7)


NIST SP 800-53 R3 SA-5 (1)

NIST SP 800-53 R3 SA-5 (3)



NIST SP 800-53 R3 SA-9 (1)

NIST SP 800-53 R3 SA-10

NIST SP 800-53 R3 SA-11

NIST SP 800-53 R3 SA-11 (1)

NIST SP 800-53 R3 SA-12

shared x

Business Continuity

Management &


Retention Policy

BCR-11 Policies and procedures shall be established, and supporting


defining and adhering to the retention period of any critical asset

as per established policies and procedures, as well as applicable

legal, statutory, or regulatory compliance obligations. Backup and

recovery measures shall be incorporated as part of business

continuity planning and tested accordingly for effectiveness.

A3.3.0

A3.4.0

I3.20.0

I3.21.0





(A3.4.0) Procedures exist to provide for the

integrity of backup data and systems maintained

to support the entity’s defined system availability


(I3.20.0) Procedures exist to provide for

restoration and disaster recovery consistent with

the entity’s defined processing integrity policies.

(I3.21.0) Procedures exist to provide for the

completeness, accuracy, and timeliness of

backup data and systems.

D.2.2.9 36 (B) Schedule 1

(Section 5) 4.5 -

Limiting Use,

Disclosure and

Retention, Subsec.

4.5.2

DG-04 COBIT 4.1 DS 4.1,

DS 4.2, DS 4.5,

DS 4.9, DS 11.6

Domain 5 6.03. (h)

6.07.01. (c)

Article 6(1) e NIST SP 800-53 R3 CP-2



NIST SP 800-53 R3 CP-2 (1)

NIST SP 800-53 R3 CP-2 (2)


NIST SP 800-53 R3 CP-6 (1)

NIST SP 800-53 R3 CP-6 (3)


NIST SP 800-53 R3 CP-7 (1)

NIST SP 800-53 R3 CP-7 (2)

NIST SP 800-53 R3 CP-7 (3)

NIST SP 800-53 R3 CP-7 (5)


NIST SP 800-53 R3 CP-8 (1)

NIST SP 800-53 R3 CP-8 (2)


NIST SP 800-53 R3 CP-9 (1)

NIST SP 800-53 R3 CP-9 (3)

5.1.0

5.1.1

5.2.2

8.2.6

CIP-007-3 -

R6.1 -

R6.2 -

R6.3 -

R6.4

MA-2

MA-3

MA-4

MA-5

MA-6

A11.2.4

A.17.1.1

A.17.1.2

Clauses

9.2(g)

7.5.3(b)

5.2 (c)

7.5.3(d)

5.3(a)

5.3(b)

8.1

8.3

A.12.3.1

A.8.2.3

Commandment #1

Commandment #2

Commandment #3

CA-1

CM-1

CM-9

PL-1

PL-2

SA-1

SA-3

SA-4

45 CFR 164.308

(a)(7)(ii)(E)

ISO/IEC

27001:2005

A.14.1.2

A 14.1.4

Commandment #1

Commandment #2

Commandment #3

CIP-007-3 -

R8 - R8.1 -

R8.2 -

R8.3

RA-3

A.6.1.4

A.6.2.1

A.12.1.1

A.12.4.1

A.12.4.2

A.12.4.3

A.12.5.5

A.15.1.3

A.15.1.4

45 CFR 164.308

(a)(7)(ii)(A)

45 CFR 164.310

(d)(2)(iv)

45 CFR

164.308(a)(7)(ii)(

D) (New)

45 CFR

164.316(b)(2)(i)

(New)

Clause 4.3.3

A.10.5.1

A.10.7.3

EAR 15 §

762.6

Period of

Retention

EAR 15

CFR §

786.2

Recordkee

ping

Commandment

#11

Commandment #2

Commandment #5

Commandment

#11

45 CFR 164.310

(a)(2)(iv)

A.9.2.4

BSGP

SGP

PA10

PA29


NIST SP 800-53 R3 MA-2 (1)


NIST SP 800-53 R3 MA-3 (1)

NIST SP 800-53 R3 MA-3 (2)

NIST SP 800-53 R3 MA-3 (3)


NIST SP 800-53 R3 MA-4 (1)

NIST SP 800-53 R3 MA-4 (2)



5.2.3

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

Business Continuity

Management &


Impact Analysis

BCR-09 There shall be a defined and documented method for determining

the impact of any disruption to the organization (cloud provider,

cloud consumer) that must incorporate the following:

• Identify critical products and services

• Identify all dependencies, including processes, applications,

business partners, and third party service providers

• Understand threats to critical products and services

A3.1.0

A3.3.0

A3.4.0





identified threats.


K.2 RS-02 Domain 7,

8

6.02. (a)

6.03.03. (c)

6.07. (a)

6.07. (b)

6.07. (c)

Article 17 (1), (2) NIST SP 800-53 R3 CP-1



Infra Services >

Equipment

Maintenance >

provider x

ITOS > Service

Delivery >

Information

Technology

Resiliency -

Resiliency

Analysis

A3.2.0

A4.1.0




(A4.1.0) The entity’s system availability and

security performance is periodically reviewed

and compared with the defined system

availability and related security policies.

F.2.19 1 (B)Business Continuity

Management &


Equipment

Maintenance

BCR-07 Policies and procedures shall be established, and supporting


equipment maintenance ensuring continuity and availability of

operations and support personnel.

OP-04

A.6.1.1

A.12.1.1

A.12.1.4

A.14.2.9

A.14.1.1

A.12.5.1

A.14.3.1

A.9.4.5

8.1* partial

A.14.2.2

8.1* partial

A.14.2.3

8.1* partial

A.14.2.4

A.12.6.1

A.16.1.3

A.18.2.2

A.18.2.3

A.6.1.8

A.6.2.1

A.6.2.3

A.10.1.4

A.10.2.1

A.10.2.2

A.10.2.3

A.10.3.2

A.12.1.1

A.12.2.1

A.12.2.2

A.12.2.3

A.12.2.4

A.12.4.1

A.12.4.2

A.12.4.3

A.12.5.1

A.12.5.2

A.12.5.3

A.12.5.5

A.12.6.1

A.13.1.2

A.15.2.1

A.15.2.2

A3.13.0

C3.16.0

I3.14.0

S3.10.0

S3.13

(A3.13.0, C3.16.0, I3.14.0, S3.10.0) Design,

acquisition, implementation, configuration,

modification, and management of infrastructure

and software are consistent with defined system

availability, confidentiality of data, processing

integrity, systems security and related security

policies.

(S3.13) Procedures exist to provide that only



C.1.7, G.1, G.6,

I.1, I.4.5,

I.2.18, I.22.1,

I.22.3, I.22.6,

I.2.23, I.2.22.2,

I.2.22.4,

I.2.22.7.

I.2.22.8,

I.2.22.9,

I.2.22.10,

I.2.22.11,

I.2.22.12,

I.2.22.13,

I.2.22.14,I.2.20

, I.2.17, I.2.7.1,

I.3, J.2.10, L.9

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RM-03 COBIT 4.1 PO 8.1

COBIT 4.1 A13.3 Domain 7,

8

6.09. (h) Article 17 (1) NIST SP 800-53 R3 MA-2






CM-1

CM-2

SA-3

SA-4

SA-5

SA-8

SA-10

SA-11

SA-13

xprovider






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





Change Control &

Configuration

Management

Unauthorized Software

Installations

CCC-04 CCC-04.1 Policies and procedures shall be established, and supporting


restrict the installation of unauthorized software on

organizationally-owned or managed user end-point devices (e.g.,

issued workstations, laptops, and mobile devices) and IT

infrastructure network and systems components.

Do you have controls in place to restrict and monitor the

installation of unauthorized software onto your systems?

A3.6.0

S3.5.0

S3.13.0

(A3.6.0) Procedures exist to restrict physical

access to the defined system including, but not

limited to, facilities, backup media, and other

system components such as firewalls, routers,

and servers.

(S3.5.0) Procedures exist to protect against

infection by computer viruses, malicious code,

and unauthorized software.

(S3.13.0) Procedures exist to provide that only



CC5.5

CC5.8

CC7.4

G.1

I.2

G.2.13,

G.20.2,G.20.4,

G.20.5, G.7,

G.7.1, G.12.11,

H.2.16,

I.2.22.1,

I.2.22.3,

I.2.22.6, I.2.23

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RM-05 APO13.01

BAI06.01

BAI10

DSS05.03

DSS05.04

DSS05.05

DSS05.07

DSS06.03

312.8 and 312.10 ITOS > Service

Support >

Configuration

Management ->

Software

Mangement

shared x None NIST SP 800-53 R3 CM-1










NIST SP 800-53 R3 CM-2 (1)

NIST SP 800-53 R3 CM-2 (3)

NIST SP 800-53 R3 CM-2 (5)


NIST SP 800-53 R3 CM-3 (2)


NIST SP 800-53 R3 CM-5 (1)

NIST SP 800-53 R3 CM-5 (5)


NIST SP 800-53 R3 CM-7 (1)


NIST SP 800-53 R3 CM-8 (1)

NIST SP 800-53 R3 CM-8 (3)

3.2.4

8.2.2

A.10.1.3

A.10.4.1

A.11.5.4

A.11.6.1

A.12.4.1

A.12.5.3

A.6.1.2

A.12.2.1

A.9.4.4

A.9.4.1

A.12.5.1

8.1* (partial)

A.14.2.4

Commandment #1

Commandment #2

Commandment #3

Commandment #5

Commandment

#11

CM-1

CM-2

CM-3

CM-5

CM-7

CM-8

CM-9

SA-6

SA-7

SI-1

SI-3

SI-4

SI-7

FTC Fair Information

Principles

Involves both managerial

and technical measures

to protect against loss

and the unauthorized

access, destruction, use,

or disclosure of the


measures include


measures that limit

access to data and

ensure that those

14.1 1.3.3

2.1, 2.2.2

3.6

4.1

5.1, 5.2, 5.3, 5.4

6.2

7.1

9.1

9.1.1

9.1.2

9.1.3

9.2

9.3

9.4

9.4.1Change Control &

Configuration

Management

Production Changes

CCC-05 CCC-05.1 Policies and procedures shall be established for managing the risks

associated with applying changes to business-critical or customer

(tenant) impacting (physical and virtual) application and system-

system interface (API) designs and configurations, as well as

infrastructure network and systems components. Technical

measures shall be implemented to provide assurance that, prior

to deployment, all changes directly correspond to a registered

change request, business-critical or customer (tenant) , and/or

authorization by, the customer (tenant) as per agreement (SLA).

Do you provide tenants with documentation that describes your

production change management procedures and their

roles/rights/responsibilities within it?

A3.16.0

S3.13.0

(A3.16.0, S3.13.0) Procedures exist to provide

that only authorized, tested, and documented

changes are made to the system.

CC7.4CC7.4

I.2.17, I.2.20,

I.2.22

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

RM-02 COBIT 4.1 A16.1,

A17.6

BAI06.01

BAI06.02

BAI06.03

BAI06.04

BAI07.01

BAI07.03

BAI07.04

BAI07.05

BAI07.06

ITOS > Service

Support >

Release

Management

shared x None 6.03. (a) NIST SP 800-53 R3 CA-1











NIST SP 800-53 R3 CA-7 (2)


NIST SP 800-53 R3 CM-2 (1)

NIST SP 800-53 R3 CM-2 (3)

NIST SP 800-53 R3 CM-2 (5)


NIST SP 800-53 R3 CM-3 (2)


NIST SP 800-53 R3 CM-5 (1)

NIST SP 800-53 R3 CM-5 (5)


NIST SP 800-53 R3 CM-6 (1)

NIST SP 800-53 R3 CM-6 (3)





NIST SP 800-53 R3 SI-2 (2)



NIST SP 800-53 R3 SI-7 (1)

1.2.6 45 CFR 164.308

(a)(5)(ii)(C)

45 CFR 164.312

(b)

A.10.1.4

A.12.5.1

A.12.5.2

A.12.1.4

8.1* (partial)

A.14.2.2

8.1* (partial)

A.14.2.3

Commandment #1

Commandment #2

Commandment #3

Commandment

#11

CIP-003-3 -

R6

CA-1

CA-6

CA-7

CM-2

CM-3

CM-5

CM-6

CM-9

PL-2

PL-5

SI-2

SI-6

SI-7

AR- 4. Privacy Monitoring

and Auditing.

Organizations also: (i)

implement technology to

audit for the security,

appropriate use, and loss

of PII; (ii) perform

reviews to ensure

physical security of

documents containing

PII; (iii) assess contractor

compliance with privacy

requirements; and (iv)

ensure that corrective

actions identified as part

of the assessment

process are tracked and

monitored until audit

findings are corrected.

The organization Senior

Agency Official for

Privacy (SAOP)/Chief

Privacy Officer (CPO)

coordinates monitoring

and auditing efforts with

information security

12.1

12.4

PA14 SGP PCI DSS v2.0

1.1.1

PCI DSS v2.0

6.3.2

PCI DSS v2.0 6.4

PCI DSS v2.0 6.1

1.1.1

6.3.2

6.4.5

DSI-01.1 Do you provide a capability to identify virtual machines via policy

tags/metadata (e.g., tags can be used to limit guest operating

systems from booting/instantiating/transporting data in the

wrong country)?

DSI-01.2 Do you provide a capability to identify hardware via policy

tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?

DSI-01.3 Do you have a capability to use system geographic location as an

authentication factor?

DSI-01.4 Can you provide the physical location/geography of storage of a

tenant’s data upon request?DSI-01.5 Can you provide the physical location/geography of storage of a

tenant's data in advance?DSI-01.6 Do you follow a structured data-labeling standard (e.g., ISO

15489, Oasis XML Catalog Specification, CSA data type guidance)?

DSI-01.7 Do you allow tenants to define acceptable geographical locations

for data routing or resource instantiation?

DSI-02.1 Do you inventory, document, and maintain data flows for data

that is resident (permanent or temporary) within the services'

applications and infrastructure network and systems?

DSI-02.2 Can you ensure that data does not migrate beyond a defined

geographical residency?

DSI-03.1 Do you provide open encryption methodologies (3.4ES, AES, etc.)

to tenants in order for them to protect their data if it is required

to move through public networks (e.g., the Internet)?

DSI-03.2 Do you utilize open encryption methodologies any time your

infrastructure components need to communicate with each other

via public networks (e.g., Internet-based replication of data from

one environment to another)?

DSI-04.1 Are policies and procedures established for labeling, handling and

the security of data and objects that contain data?

DSI-04.2 Are mechanisms for label inheritance implemented for objects

that act as aggregate containers for data?

Data Security &

Information Lifecycle

Management

Nonproduction Data

DSI-05 DSI-05.1 Production data shall not be replicated or used in non-production

environments.

Do you have procedures in place to ensure production data shall

not be replicated or used in non-production environments?

C3.5.0

S3.4.0

C3.21.0

(C3.5.0) The system procedures provide that

confidential information is disclosed to parties

only in accordance with the entity’s defined

confidentiality and related security policies.



(C3.21.0) Procedures exist to provide that

confidential information is protected during the

system development, testing, and change

processes in accordance with defined system


C1.3

CC5.6

C1.1

I.2.18 DG-06 APO01.06

BAI01.01

BAI03.07

BAI07.04

SRM > Policies

and Standards >

Technical

Standard (Data

Management

Security

Standard)

shared x Domain 5 6.03. (d) NIST SP 800-53 R3 SA-11

NIST SP 800-53 R3 SA-11 (1)

1.2.6 45 CFR

164.308(a)(4)(ii)(

B)

A.7.1.3

A.10.1.4

A.12.4.2

A.12.5.1

A.8.1.3

A.12.1.4

A.14.3.1

8.1* (partial)

A.14.2.2.

Commandment #9

Commandment

#10

Commandment

#11

CIP-003-3 -

R6

SA-11

CM-04

DM-1 Minimization of

Personally Identifiable

Information. DM-2 Data

Retention & Disposal.

DM-3 Minimization of PII

used in Testing, Training,

and Research. SE-1

INVENTORY OF

PERSONALLY

IDENTIFIABLE

INFORMATION

17.8 PCI DSS v2.0

6.4.3

6.4.3

Data Security &


Management

Ownership /

Stewardship

DSI-06 DSI-06.1 All data shall be designated with stewardship, with assigned

responsibilities defined, documented, and communicated.

Are the responsibilities regarding data stewardship defined,

assigned, documented and communicated?

S2.2.0

S2.3.0

S3.8.0

(S2.2.0) The security obligations of users and the

entity’s security commitments to users are

communicated to authorized users.

(S2.3.0) Responsibility and accountability for the

entity’s system security policies and changes and



them.

(S3.8.0) Procedures exist to classify data in

accordance with classification policies and

periodically monitor and update such

classifications as necessary

CC2.3

CC3.1

C.2.5.1,

C.2.5.2, D.1.3,

L.7

Schedule 1

(Section 5) 4.5 -

Limiting Use,

Disclosure and

Retention, Subsec.

4.1.3

DG-01 COBIT 4.1 DS5.1,

PO 2.3

APO01.06

APO03.02

APO13.01

APO13.03

312.4 BOSS > Data

Governance >

Data Ownership /

Stewardship

shared x Domain 5 Article 4 NIST SP 800-53 R3 CA-2


(1)

NIST SP 800-53 R3 PS-2




NIST SP 800-53 R3 CA-2 (1)




6.2.1 45 CFR 164.308

(a)(2)

A.6.1.3

A.7.1.2

A.15.1.4

A.6.1.1

A.8.1.2

A.18.1.4

Commandment #6

Commandment

#10

Chapter IV

Article 30

CIP-007-3 -

R1.1 -

R1.2

CA-2

PM-5

PS-2

RA-2

SA-2

AP-1 AUTHORITY TO

COLLECT. AP-2 PURPOSE

SPECIFICATION.

3.4 3.7

12.5.5

12.10.4

DSI-07.1 Do you support secure deletion (e.g., degaussing/cryptographic

wiping) of archived and backed-up data as determined by the

tenant?

DSI-07.2 Can you provide a published procedure for exiting the service

arrangement, including assurance to sanitize all computing

resources of tenant data once a customer has exited your

environment or has vacated a resource?

DCS-01.1 Do you maintain a complete inventory of all of your critical assets

that includes ownership of the asset?

DCS-01.2 Do you maintain a complete inventory of all of your critical

supplier relationships?

Datacenter Security

Controlled Access

Points

DCS-02 DCS-02.1 Physical security perimeters (e.g., fences, walls, barriers, guards,

gates, electronic surveillance, physical authentication

mechanisms, reception desks, and security patrols) shall be

implemented to safeguard sensitive data and information

systems.

Are physical security perimeters (e.g., fences, walls, barriers,

guards, gates, electronic surveillance, physical authentication

mechanisms, reception desks and security patrols) implemented?

A3.6.0 (A3.6.0) Procedures exist to restrict physical




and servers.

CC5.5 F.2 F.1.2.3, F.1.2.4,

F.1.2.5, F.1.2.6,

F.1.2.8, F.1.2.

9, F.1.2.10,

F.1.2.11,

F.1.2.12,

F.1.2.13,

F.1.2.14,

F.1.2.15,

F.1.2.24, F.1.3,

F.1.4.2, F1.4.6,

F.1.4.7, F.1.6,

F.1.7,F.1.8,

F.2.13, F.2.14,

F.2.15, F.2.16,

F.2.17, F.2.18

7 (B) Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.3

FS-03 COBIT 4.1 DS

12.3

APO13.01

DSS01.01

DSS01.05

DSS05.05

DSS06.03

DSS06.06


Facility Security >

Controlled

Physical Access

provider x Domain 8 6.08. (a)

6.09. (i)

Article 17 NIST SP 800-53 R3 PE-2

NIST SP 800-53 R3 PE-3







NIST SP 800-53 R3 PE-6 (1)


NIST SP 800-53 R3 PE-7 (1)


NIST SP 800-53 R3 PE-18

99.31.a.1.ii 8.2.3 A.9.1.1 A.11.1.1

A.11.1.2

Commandment #1

Commandment #2

Commandment #3

Commandment #5

CIP-006-3c

R1.2 -

R1.3 -

R1.4 -

R1.6 -

R1.6.1 -

R2 - R2.2

PE-2

PE-3

PE-6

PE-7

PE-8

PE-18

8.1

8.2

PA4 BSGP PCI DSS v2.0 9.1 9.1

9.1.1

9.1.2, 9.1.3

9.2, 9.3, 9.4, 9.4.1,

9.4.2, 9.4.3, 9.4.4

Datacenter Security

Equipment

Identification

DCS-03 DCS-03.1 Automated equipment identification shall be used as a method of

connection authentication. Location-aware technologies may be

used to validate connection authentication integrity based on

known equipment location.

Is automated equipment identification used as a method to

validate connection authentication integrity based on known

equipment location?

S3.2.a (S3.2.a) a. Logical access security measures to



CC5.1 D.1 D.1.1, D.1.3 Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-13 COBIT 4.1 DS5.7 APO13.01

DSS05.02

DSS05.03

312.3, 312.8 and

312.10

> > Domain 8 6.05. (a) NIST SP 800-53 R3 IA-4 NIST SP 800-53 R3 IA-3

NIST SP 800-53 R3 IA-4

NIST SP 800-53 R3 IA-4 (4)

A.11.4.3 Commandment #1

Commandment #2

Commandment #3

Commandment #5

Commandment #8

IA-3

IA-4

PA22

PA33

GP

SGP

Datacenter Security

Offsite Authorization

DCS-04 DCS-04.1 Authorization must be obtained prior to relocation or transfer of

hardware, software, or data to an offsite premises.

Do you provide tenants with documentation that describes

scenarios in which data may be moved from one physical location

to another? (e.g., offsite backups, business continuity failovers,

replication)

S3.2.f

C3.9.0

(S3.2.f) f. Restriction of access to offline storage,

backup data, systems, and media.

(C3.9.0) Procedures exist to restrict physical


limited to: facilities, backup media, and other


and servers.

CC5.1

CC5.5

F.2.18, F.2.19, Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.5

FS-06 EDM05.02

APO01.02

APO03.02

BAI02.03

BAI02.04

BAI03.09

BAI06.01

312.8 and 312.10 SRM > Facility

Security > Asset

Handling


6.09. (j)

Article 17 NIST SP 800-53 R3 AC-17



NIST SP 800-53 R3 PE-16

NIST SP 800-53 R3 AC-17

NIST SP 800-53 R3 AC-17 (1)

NIST SP 800-53 R3 AC-17 (2)

NIST SP 800-53 R3 AC-17 (3)

NIST SP 800-53 R3 AC-17 (4)

NIST SP 800-53 R3 AC-17 (5)

NIST SP 800-53 R3 AC-17 (7)

NIST SP 800-53 R3 AC-17 (8)



NIST SP 800-53 R3 PE-16

NIST SP 800-53 R3 PE-17

45 CFR 164.310

(d)(1) (New)

A.9.2.7

A.10.1.2

A.11.2.6

A.11.2.7

Commandment #4

Commandment #5

Commandment

#11

AC-17

MA-1

PE-1

PE-16

PE-17

12.5

19.1

PA4 BSGP PCI DSS v2.0 9.8

PCI DSS v2.0 9.9

9.6.3

Datacenter Security

Offsite equipment

DCS-05 DCS-05.1 Policies and procedures shall be established for the secure disposal

of equipment (by asset type) used outside the organization's

premise. This shall include a wiping solution or destruction

process that renders recovery of information impossible. The

erasure shall consist of a full write of the drive to ensure that the

erased drive is released to inventory for reuse and deployment or

securely stored until it can be destroyed.

Can you provide tenants with evidence documenting your policies

and procedures governing asset management and repurposing of

equipment?

S3.4 (S3.4) Procedures exist to protect against


CC5.6 D.1 D.1.1, D.2.1.

D.2.2,

Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.5

FS-07 APO09.03

APO10.04

APO10.05

APO13.01

DSS01.02

312.8 and 312.10 BOSS > Data

Governance >

Secure Disposal

of Data


6.05. (b)

6.05. (c)

Article 17 NIST SP 800-53 R3 CM-8 NIST SP 800-53 R3 CM-8

NIST SP 800-53 R3 CM-8 (1)

NIST SP 800-53 R3 CM-8 (3)

NIST SP 800-53 R3 CM-8 (5)

NIST SP 800-53 R3 SC-30

45 CFR 164.310

(c )

45 CFR 164.310

(d)(1) (New)

45 CFR 164.310

(d)(2)(i) (New)

A.9.2.5

A.9.2.6

A.8.1.1

A.8.1.2

Commandment #6

Commandment #7

Commandment #8

CM-8 12.6 PA4 BSGP PCI DSS v2.0 9.8

PCI DSS v2.0 9.9

PCI DSS v2.0

9.10

9.8, 9.8.1, 9.8.2

12.3

3.1

9.6.1, 9.7.1

9.10

12.3

1.1.3

12.3.3

2.1.1

3.1

4.1

4.1.1

4.2

9.5, 9.5.1

9.6

9.7

9.8

9.9

3.1.1

9.8, 9.8.1, 9.8.2,

3.1

9.7.1

9.9

9.9.1

PA25

PA21

PA5

GP

GP

BSGP

PA10

PA39

PA34

PA40

BSGP

SGP

SGP

SGP

PA4

PA8

PA37

PA38

BSGP

BSGP

SGP

SGP

13.1

13.4

13.5

12.3


Personsally Identifidable





and Research.

TR-2 SYSTEM OF

RECORDS NOTICES AND

PRIVACY ACT

STATEMENTS

TR-2 SYSTEM OF

RECORDS NOTICES AND

PRIVACY ACT

STATEMENTS


Personally Identifiable





and Research. SE-1

INVENTORY OF

PERSONALLY

IDENTIFIABLE

INFORMATION

DM-2 DATA RETENTION

AND DISPOSAL

99.31.(a)(1)(ii)

shared x

ITOS > Service

Support >

Configuration

Management -

Physical

Inventory

provider x

312.3

312.8 and 312.10

312.2

312.3

APO01.06

APO03.02

APO08.01

APO09.03

APO13.01

BAI09.01

BAI09.02

BAI09.03

DSS04.07

DSS05.04

DSS05.05

DSS06.06

APO01.06

APO03.01

APO03.02

APO09.01

APO09.01

BAI06.03

BAI09.01

BAI10.01

BAI10.02

BAI10.03

BAI10.04

BAI10.05

APO01.06

APO03.02

APO08.01

APO13.01

APO13.02

DSS05

DSS06

APO01.06

APO03.02

APO08.01

APO09.03

APO13.01

BAI09.01

BAI09.02

BAI09.03

DSS04.07

DSS05.04

DSS05.05

DSS06.06

APO01.06

APO13.01

BAI09.03

DSS01.01

APO01.06

APO03.02

APO08.01

APO09.03

BAI09.01

BAI09.02

BAI09.03

DSS04.07

DSS05.04

DSS05.05

DSS06.06

CC3.1

CC3.1

CC5.7

PI1.5

CC5.1

C1.3

CC5.6

CC3.1

CC3.1

Domain 5

CIP-007-3 -

R7 - R7.1 -

R7.2 R7.3

MP-6

PE-1

PCI DSS v2.0

3.1.1

PCI DSS v2.0

9.10

PCI DSS v2.0

9.10.1

PCI DSS v2.0

9.10.2

PCI DSS v2.0 3.1

Datacenter Security

Asset Management

DCS-01 Assets must be classified in terms of business criticality, service-

level expectations, and operational continuity requirements. A

complete inventory of business-critical assets located at all sites

and/or geographical locations and their usage over time shall be

maintained and updated regularly, and assigned ownership y

defined roles and responsibilities.

S3.1.0

C3.14.0

S1.2.b-c

(S3.1.0) Procedures exist to (1) identify potential

threats of disruption to systems operation that

would impair system security commitments and

(2) assess the risks associated with the identified

threats.

(C3.14.0) Procedures exist to provide that system

data are classified in accordance with the

defined confidentiality and related security

policies.

(S1.2.b-c) b. Classifying data based on its

criticality and sensitivity and that classification is

used to define protection requirements, access

rights and access restrictions, and retention and

destruction policies.

c. Assessing risks on a periodic basis.

Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.3

FS-08 Domain 8 Article 17 45 CFR 164.310

(d)(2)(iii)

A.7.1.1

A.7.1.2

Data Security &


Management

Secure Disposal

DSI-07 Any use of customer data in non-production environments

requires explicit, documented approval from all customers whose

data is affected, and must comply with all legal and regulatory

requirements for scrubbing of sensitive data elements.

PCI DSS v2.0

9.9.1

PCI DSS v2.0

12.3.3

PCI DSS v2.0

12.3.4

NIST SP800-53 R3 CM-8

BOSS > Data

Governance >

Secure Disposal

of Data

C3.5.0

S3.4.0

(C3.5.0) The system procedures provide that

confidential information is disclosed to parties

only in accordance with the entity’s defined




D.2.2.10,

D.2.2.11,

D.2.2.14,

37 (B) Schedule 1

(Section 5) 4.5 -

Limiting Use,

Disclosure and

Retention, Subsec.

4.7.5 and 4.5.3

DG-05 COBIT 4.1 DS

11.4

Domain 5 6.03. (h) Article 16

Article 17

NIST SP 800-53 R3 MP-6



NIST SP 800-53 R3 MP-6 (4)


5.1.0

5.2.3

AC-14

AC-21

AC-22

IA-8

AU-10

SC-4

SC-8

SC-9

PCI-DSS v2.0

2.1.1

PCI-DSS v2.0

4.1

PCI-DSS v2.0

4.1.1

PCI DSS v2.0 4.2

A.7.2.2

A.10.7.1

A.10.7.3

A.10.8.1

Commandment #8

Commandment #9

Commandment

#10

Chapter II

Article 8, 9, 11, 12, 14, 18,

19, 20, 21

CIP-003-3 -

R4 - R4.1

AC-16

MP-1

MP-3

PE-16

SI-12

SC-9

PCI DSS v2.0 9.5

PCI DSS v2.0 9.6

PCI DSS v2.0

9.7.1

PCI DSS v2.0

9.7.2

PCI DSS v2.0

9.10

SRM >

Cryptographic

Services > Data in

Transit

Encryption

shared

45 CFR 164.310

(d)(2)(i)

45 CFR 164.310

(d)(2)(ii)

A.9.2.6

A.10.7.2

Commandment

#11

Data Security &


Management

Handling / Labeling /

Security Policy

DSI-04 Policies and procedures shall be established for labeling, handling,

and the security of data and objects which contain data.

Mechanisms for label inheritance shall be implemented for objects

that act as aggregate containers for data.




G.13 D.2.2 DG-03 COBIT 4.1 PO 2.3,

DS 11.6

Domain 5 6.03.05. (b) Article 22

Article 23




NIST SP 800-53 R3 PE-16


NIST SP 800-53 R3 SI-12


NIST SP 800-53 R3 AC-16



NIST SP 800-53 R3 PE-16


NIST SP 800-53 R3 SC-9 (1)


NIST SP 800-53 R3 SI-12

1.1.2

5.1.0

7.1.2

8.1.0

8.2.5

8.2.6

BOSS > Data

Governance >

Handling /

Labeling /

Security Policy

shared x

RA-2

AC-4

PCI DSS v2.0

9.7.1

PCI DSS v2.0

9.10

PCI DSS v2.0

12.3

Data Security &


Management

Data Inventory / Flows

DSI-02 Policies and procedures shall be established to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's applications and infrastructure network and systems. In particular, providers shall ensure that data that is subject to geographic residency requirements not be migrated beyond its defined bounds.

Data Security &


Management

eCommerce

Transactions

DSI-03 Data related to electronic commerce (e-commerce) that

traverses public networks shall be appropriately classified and

protected from fraudulent activity, unauthorized disclosure, or

modification in such a manner to prevent contract dispute and

compromise of data.

S3.6

I13.3.a-e

(S3.6) Encryption or other equivalent security

techniques are used to protect transmissions of

user authentication and other confidential

information passed over the Internet or other

public networks.

(I13.3.a-e) The procedues related to

completeness, accuracy, timeliness, and

authorization of system processing, including

error correction and database management, are

G.4

G.11

G.16

G.18

I.3

I.4

G.19.1.1,

G.19.1.2,

G.19.1.3,

G.10.8, G.9.11,

G.14, G.15.1

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-28 COBIT 4.1 DS

5.10 5.11

Domain 2 Article 17

Data Security &


Management

Classification

DSI-01 BOSS > Data

Governance >

Data

Classification

shared x

BOSS > Data

Governance >

Handling /

Labeling /

Security Policy

x

PA10 SGP

Data and objects containing data shall be assigned a classification

by the data owner based on data type, value, sensitivity, and

criticality to the organization.

S3.8.0

C3.14.0

(S3.8.0) Procedures exist to classify data in

accordance with classification policies and

periodically monitor and update such

classifications as necessary.




policies.

D.1.3, D.2.2 DG-02 COBIT 4.1 PO 2.3,

DS 11.6

General Provisions, Article 3,

V. and VI.

CIP-003-3 -

R4 - R5

Domain 5 6.04.03. (a) Article 4 (1),

Article 12, Article 17

NIST SP 800-53 R3 RA-2 NIST SP 800-53 R3 RA-2


1.2.3

1.2.6

4.1.2

8.2.1

8.2.5

8.2.6

A.7.2.1 Commandment #9A.8.2.1

Clause

4.2

5.2,

7.5,

8.1

A.8.2.1

A.13.1.1

A.13.1.2

A.14.1.2

A.14.1.3

A.18.1.4

A.8.2.2

A.8.3.1

A.8.2.3

A.13.2.1

A.11.2.7

A.8.3.2

Annex A.8



NIST SP 800-53 R3 AC-22

NIST SP 800-53 R3 AU-1

NIST SP 800-53 R3 AC-22

NIST SP 800-53 R3 AU-10

NIST SP 800-53 R3 AU-10 (5)


NIST SP 800-53 R3 SC-8 (1)


NIST SP 800-53 R3 SC-9 (1)

3.2.4

4.2.3

7.1.2

7.2.1

7.2.2

8.2.1

8.2.5

45 CFR

164.312(e)(1)

45 CFR

164.312(e)(2)(i)

A.7.2.1

A.10.6.1

A.10.6.2

A.10.9.1

A.10.9.2

A.15.1.4

Commandment #4

Commandment #5

Commandment #9

Commandment

#10

Commandment

#11






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





DCS-06.1 Can you provide evidence that policies, standards and procedures

have been established for maintaining a safe and secure working

environment in offices, rooms, facilities and secure areas?

DCS-06.2 Can you provide evidence that your personnel and involved third

parties have been trained regarding your documented policies,

standards and procedures?

Datacenter Security

Secure Area

Authorization

DCS-07 DCS-07.1 Ingress and egress to secure areas shall be constrained and

monitored by physical access control mechanisms to ensure that

only authorized personnel are allowed access.

Do you allow tenants to specify which of your geographic locations

their data is allowed to move into/out of (to address legal

jurisdictional considerations based on where data is stored vs.

accessed)?





and servers.

CC5.5 F.2 F.1.2.3, F.1.2.4,

F.1.2.5, F.1.2.6,

F.1.2.8, F.1.2.

9, F.1.2.10,

F.1.2.11,

F.1.2.12,

F.1.2.13,

F.1.2.14,

F.1.2.15,

F.1.2.24, F.1.3,

F.1.4.2, F1.4.6,

F.1.4.7, F.1.6,

F.1.7,F.1.8,

F.2.13, F.2.14,

F.2.15, F.2.16,

F.2.17, F.2.18

7 (B) Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.3

FS-04 DS 12.2, DS 12.3 APO13.01

APO13.02

DSS05.05


and Standards >

Information

Security Policy

(Facility Security

Policy)


6.09. (i)


NIST SP 800-53 R3 PE-16


NIST SP 800-53 R3 PE-7 (1)

NIST SP 800-53 R3 PE-16

NIST SP 800-53 R3 PE-18

99.31.a.1.ii 8.2.3 A.9.1.1

A.9.1.2


Commandment #2

Commandment #3

Commandment #5

CIP-006-3c

R1.2 -

R1.3 -

R1.4

PE-7

PE-16

PE-18

8.2

8.1

PA4 BSGP PCI DSS v2.0 9.1

PCI DSS v2.0

9.1.1

PCI DSS v2.0

9.1.2

PCI DSS v2.0

9.1.3

PCI DSS v2.0 9.2

9.1

9.1.1

9.1.3

Datacenter Security

Unauthorized Persons

Entry

DCS-08 DCS-08.1 Ingress and egress points such as service areas and other points

where unauthorized personnel may enter the premises shall be

monitored, controlled and, if possible, isolated from data storage

and processing facilities to prevent unauthorized data corruption,

compromise, and loss.

Are ingress and egress points, such as service areas and other

points where unauthorized personnel may enter the premises,

monitored, controlled and isolated from data storage and

process?





and servers.

CC5.5 G.21 F.2.18 Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.3

FS-05 COBIT 4.1 DS

12.3

APO13.01

APO13.02

DSS05.05

DSS06.03


and Standards >

Information

Security Policy

(Facility Security

Policy)


6.09. (j)

Article 17 NIST SP 800-53 R3 MA-1


NIST SP 800-53 R3 PE-16



NIST SP 800-53 R3 MA-2 (1)

NIST SP 800-53 R3 PE-16

99.31.a.1.ii 8.2.5

8.2.6

A.9.1.6 A.11.2.5

8.1* (partial)

A.12.1.2

Commandment #6

Commandment #7

MA-1

MA-2

PE-16

8.1

8.2

8.3

8.4

PA4 BSGP 9.1

9.1.1

9.1.2

9.2

9.3

9.4

9.4.1

9.4.2

9.4.3Datacenter Security

User Access

DCS-09 DCS-09.1 Physical access to information assets and functions by users and

support personnel shall be restricted.

Do you restrict physical access to information assets and functions

by users and support personnel?





and servers.

CC5.5 F.2 F.1.2.3, F.1.2.4,

F.1.2.5, F.1.2.6,

F.1.2.8, F.1.2.

9, F.1.2.10,

F.1.2.11,

F.1.2.12,

F.1.2.13,

F.1.2.14,

F.1.2.15,

F.1.2.24, F.1.3,

F.1.4.2, F1.4.6,

F.1.4.7, F.1.6,

F.1.7,F.1.8,

F.2.13, F.2.14,

F.2.15, F.2.16,

F.2.17, F.2.18

7 (B)

10 (B)

Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.3

FS-02 APO13.01

APO13.02

DSS05.04

DSS05.05

DSS06.03


Facility Security >

Domain 8 6.08. (a)

6.09. (i)







NIST SP 800-53 R3 PE-6 (1)

NIST SP 800-53 R3 PE-18

99.31.a.1.ii 8.2.3 45 CFR

164.310(a)(1)

(New)

45 CFR

164.310(a)(2)(ii)

(New)

45 CFR

164.310(b)

(New)

45 CFR 164.310 (

c) (New)

A.9.1.1

A.9.1.2


Commandment #2

Commandment #3

Commandment #5

Chapter II,

Article 19

CIP-006-3c

R1.2 -

R1.3 -

R1.4 -

R1.6 -

R1.6.1 -

R2 - R2.2

PE-2

PE-3

PE-6

PE-18

8.1

8.2

PA4

PA13

PA24

BSGP

SGP

P

PCI DSS v2.0 9.1 9.1

9.1.1

9.1.2

9.2

9.3

9.4

9.4.1

9.4.2

9.4.3

9.4.4

9.5

9.5.1

Encryption & Key

Management

Entitlement

EKM-

01

EKM-01.1 Keys must have identifiable owners (binding keys to identities) and

there shall be key management policies.

Do you have key management policies binding keys to identifiable

owners?

APO01.06

APO13.01

DSS05.04

DSS05.06

DSS06.03

SRM >

Cryptographic

Services > Key

Management

Annex

A.10.1

A.10.1.1

A.10.1.2

PA36 3.5, 7.1.3

8.1

8.1.1

8.2.2

8.5EKM-02.1 Do you have a capability to allow creation of unique encryption

keys per tenant?

EKM-02.2 Do you have a capability to manage encryption keys on behalf of

tenants?

EKM-02.3 Do you maintain key management procedures?

EKM-02.4 Do you have documented ownership for each stage of the lifecycle

of encryption keys?

EKM-02.5 Do you utilize any third party/open source/proprietary

frameworks to manage encryption keys?

EKM-03.1 Do you encrypt tenant data at rest (on disk/storage) within your

environment?

EKM-03.2 Do you leverage encryption to protect data and virtual machine

images during transport across and between networks and

hypervisor instances?

EKM-03.3 Do you support tenant-generated encryption keys or permit

tenants to encrypt data to an identity without access to a public

key certificate (e.g. identity-based encryption)?

EKM-03.4 Do you have documentation establishing and defining your

encryption management policies, procedures and guidelines?

EKM-04.1 Do you have platform and data appropriate encryption that uses

open/validated formats and standard algorithms?

EKM-04.2 Are your encryption keys maintained by the cloud consumer or a

trusted key management provider?

EKM-04.3 Do you store encryption keys in the cloud?

EKM-04.4 Do you have separate key management and key usage duties?

GRM-01.1 Do you have documented information security baselines for every

component of your infrastructure (e.g., hypervisors, operating

systems, routers, DNS servers, etc.)?

GRM-01.2 Do you have a capability to continuously monitor and report the

compliance of your infrastructure against your information

security baselines?

GRM-01.3 Do you allow your clients to provide their own trusted virtual

machine image to ensure conformance to their own internal

standards?

GRM-02.1 Do you provide security control health data in order to allow

tenants to implement industry standard Continuous Monitoring

(which allows continual tenant validation of your physical and

logical control status)?

GRM-02.2 Do you conduct risk assessments associated with data governance

requirements at least once a year?

Governance and Risk

Management

Management

Oversight

GRM-

03

GRM-03.1 Managers are responsible for maintaining awareness of, and

complying with, security policies, procedures and standards that

are relevant to their area of responsibility.

Are your technical, business, and executive managers responsible

for maintaining awareness of and compliance with security

policies, procedures, and standards for both themselves and their

employees as they pertain to the manager and employees' area of

responsibility?

S1.2.f

S2.3.0

(S1.2.f) f. Assigning responsibility and

accountability for system availability,

confidentiality, processing integrity and related

security.


entity’s system security policies and changes and



them.

CC3.2

E.1 E.4 5 (B)

65 (B)

Schedule 1

(Section 5) 4.1

Accountability; 4.7

Safeguards, Sub

4.7.4

IS-14 COBIT 4.1 DS5.3

COBIT 4.1 DS5.4

COBIT 4.1 DS5.5

APO01.03

APO01.04

APO01.08

DSS01.01

312.8 and 312.10 BOSS > Human

Resources

Security > Roles

and

Responsibilities

shared x Domain 3,

9

NIST SP 800-53 R3 AT-2














NIST SP 800-53 R3 CA-7 (2)

1.1.2

8.2.1

Clause 5.2.2

A.8.2.1

A.8.2.2

A 11.2.4

A.15.2.1

Clause 7.2(a,b)

A.7.2.1

A.7.2.2

A.9.2.5

A.18.2.2

Commandment #6

Commandment #7

Commandment #8

AT-2

AT-3

CA-1

CA-5

CA-6

CA-7

PM-10

AR-1 Governance and

Privacy Program

3.2 PCI DSS v2.0

12.6.1

PCI DSS v2.0

12.6.2

12.6, 7.3, 8.8, 9.10

GRM-04.1 An Information Security Management Program (ISMP) shall be

developed, documented, approved, and implemented that

includes administrative, technical, and physical safeguards to

protect assets and data from loss, misuse, unauthorized access,

disclosure, alteration, and destruction. The security program shall

include, but not be limited to, the following areas insofar as they

relate to the characteristics of the business:

• Risk management

• Security policy

• Organization of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Access control

• Information systems acquisition, development, and

maintenance

Do you provide tenants with documentation describing your

Information Security Management Program (ISMP)?

GRM-04.2 Do you review your Information Security Management Program

(ISMP) least once a year?

Governance and Risk

Management

Management Support

/ Involvement

GRM-

05

GRM-05.1 Executive and line management shall take formal action to

support information security through clearly-documented

direction and commitment, and shall ensure the action has been

assigned.

Do you ensure your providers adhere to your information security

and privacy policies?

S1.3.0 (S1.3.0) Responsibility and accountability for

developing and maintaining the entity’s system

security policies, and changes and updates to

those policies, are assigned.

The entity has prepared an objective description

of the system and its boundaries and

communicated such description to authorized

users

The security obligations of users and the entity’s

CC1.2 C.1 5 (B) Schedule 1

(Section 5), 4.1

Safeguards,

Subsec. 4.1.1

IS-02 COBIT 4.1 DS5.1 APO01.02

APO01.03

APO01.04

APO01.08

APO13.01

APO13.02

APO13.03

312.8 and 312.10 SRM >

Governance Risk

& Compliance >

Compliance

Management

shared x Domain 2 Article 17 NIST SP 800-53 R3 CM-1 NIST SP 800-53 R3 CM-1 8.2.1 45 CFR 164.316

(b)(2)(ii)

45 CFR 164.316

(b)(2)(iii)

Clause 5

A.6.1.1

All in section 5

plus clauses

4.4

4.2(b)

6.1.2(a)(1)

6.2

6.2(a)

6.2(d)

7.1

7.4

9.3

Commandment #3

Commandment #6

Chapter VI, Section I, Article

39

CIP-003-3 -

R1 - R1.1

CM-1

PM-1

PM-11

4.1 PCI DSS v2.0

12.5

12.4

GRM-06.1 Do your information security and privacy policies align with

industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?

GRM-06.2 Do you have agreements to ensure your providers adhere to your

information security and privacy policies?

GRM-06.3 Can you provide evidence of due diligence mapping of your

controls, architecture and processes to regulations and/or

9.1

9.1.1

9.1.2

9.2

9.3

9.4

9.4.1

9.4.2

9.4.3

9.4.4

3.4.1

3.5

3.5.1

3.5.2

3.6

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.6.8,

4.1

6.5.3

8.2.1

8.2.2

2.1.1

2.3

3.3

3.4

3.4.1

4.1

4.1.1

4.2

4.3

6.5.3

6.5.4

8.2.1

3.5.2, 3.5.3

3.6.1, 3.6.3

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

2.2

2.2.1

2.2.2

2.2.3

2.2.4

12.2

7.3, 8.8, 9.10, 12.1

12.2

PA10

PA18

BSGP

GP

PA30 BSGP

BSGP

PA4 BSGP

PA36

PA25 GP

4.2

8.1

16.2

16.1

4.4

5.1

3.3

4.3

8.4

4.2

4.3

4.4

4.5

AR-1 Governance and

Privacy Program. TR-1

PRIVACY NOTICE. TR-3

DISSEMINATION OF

PRIVACY PROGRAM

INFORMATION

SRM >

Governance Risk

& Compliance >

Technical

Standards

BOSS >

Operational Risk

Management >

Independent Risk

Management

shared x

SRM > InfoSec

Management >

Capabilitiy

Mapping

SRM > Policies

and Standards >

Information

Security Policies

shared x

SRM > Policies

and Standards >

Information

Security Policies

(Facility Security

Policy)

provider x

SRM >

Cryptographic

Services > Key

Management

shared x

SRM > Data

Protection >

Cryptographic

Services - Data-At-

Rest Encryption,

Cryptographic

Services - Data-in-

Transit

Encryption

shared x

SRM >

Cryptographic

Services > Key

Management

shared x

312.8 and 312.10

312.8 and 312.10

312.1

312.8 and 312.10

APO13.01

DSS01.04

DSS01.05

DSS04.01

DSS04.03

APO13.01

APO13.02

APO09.03

BAI06.01

BAI09.01

BAI09.02

BAI09.03

APO13.01

DSS05.02

DSS05.03

DSS06.06

APO01.06

BAI09.02

BAI09.03

APO01.06

APO03.02

APO13.01

APO13.02

BAI02.01

BAI02.03

BAI02.04

BAI06.01

BAI10.01

BAI10.02

MEA02.01

CC5.5

CC5.7

CC5.6

CC5.7

CC5.6

CC3.2

CC3.1

CC3.1

CC3.2

CC1.2

CC2.3

PCI DSS v2.0

12.1

PCI DSS v2.0

12.2

Clause 4.3

Clause 5

4.4

4.2(b)

6.1.2(a)(1)

6.2

6.2(a)

6.2(d)

7.1

7.4

9.3

10.2

7.2(a)

7.2(b)

7.2(c)

7.2(d)

7.3(b)

7.3(c)

CA-3

RA-2

RA-3

MP-8

PM-9

SI-12

PCI DSS v2.0

12.1

PCI DSS v2.0

12.1.2

EDM03.02

APO01.03

APO12.01

APO12.02

APO12.03

APO12.04

BAI09.01

AR-2 Privacy Impact and

Risk Assessment

Governance and Risk

Management

Management Program

GRM-

04

x1.2. (x1.2.) The entity’s system [availability,

processing integrity, confidentiality and related]

security policies include, but may not be limited

to, the following matters:

A.1, B.1 2 (B)

3 (B)

5 (B)

IS-01 COBIT 4.1 R2

DS5.2

COBIT 4.1 R2

DS5.5

Domain 2

Governance and Risk

Management

Policy

GRM-

06

Information security policies and procedures shall be established

and made readily available for review by all impacted personnel

and external business relationships. Information security policies

must be authorized by the organization's business leadership (or

other accountable business role or function) and supported by a

strategic business plan and an information security management

program inclusive of defined information security roles and

responsibilities for business leadership.

S1.1.0

S1.3.0

S2.3.0

(S1.1.0) The entity's security policies are

established and periodically reviewed and

approved by a designated individual or group.

(S1.3.0) Responsibility and accountability for





entity's system security policies and changes and



them.

B.1 Schedule 1

(Section 5) 4.1

Accountability,

Subsec 4.1.4

IS-03 COBIT 4.1 DS5.2 Domain 2 6.02. (e)APO01.03

APO01.04

APO13.01

APO13.02

Schedule 1

(Section 5), 4.1 -

Accountability; 4.7

Safeguards

A.12.1.1

A.15.2.2

Commandment #2

Commandment #4

Commandment #5

Commandment

#11

Chapter II, Article 19 and


39

xshared312.8 and 312.10 CM-2

SA-2

SA-4

PCI DSS v1.2 1.1

PCI DSS v1.2

1.1.1

PCI DSS v1.2

1.1.2

PCI DSS v1.2

1.1.3

PCI DSS v1.2

1.1.4

PCI DSS v1.2

1.1.5

PCI DSS v1.2

1.1.6

Governance and Risk

Management

Risk Assessments

GRM-

02

Risk assessments associated with data governance requirements

shall be conducted at planned intervals and shall consider the

following:

• Awareness of where sensitive data is stored and transmitted

across applications, databases, servers, and network

infrastructure

• Compliance with defined retention periods and end-of-life

disposal requirements

• Data classification and protection from unauthorized use,

access, loss, destruction, and falsification

S3.1.0

C3.14.0

S1.2.b-c





threats.




policies.

(S1.2.b-c) b. Classifying data based on its

criticality and sensitivity and that classification is

used to define protection requirements, access

rights and access restrictions, and retention and

destruction policies.

c. Assessing risks on a periodic basis.

L.4, L.5, L.6, L.7 34 (B) Schedule 1

(Section 5), 4.7 -

Safeguards

DG-08 COBIT 4.1 PO 9.1,

PO 9.2, PO 9.4,

DS 5.7

Domain 5 6.01. (d)

6.04.03. (a)

Article 6, Article 8, Article

17 (1)




NIST SP 800-53 R3 SI-12




NIST SP 800-53 R3 SI-12

1.2.4

8.2.1

45 CFR

164.308(a)(1)(ii)(

A) (New)

45 CFR

164.308(a)(8)

(New)

Clause 4.2.1 c) &

g)

Clause 4.2.3 d)

Clause 4.3.1 &

4.3.3

Clause 7.2 & 7.3

A.7.2

A.15.1.1

A.15.1.3

A.15.1.4

EAR 15

CFR

§736.2 (b)

Commandment #1

Commandment #2

Commandment #3

Commandment #6

Commandment #7

Commandment #9

Commandment

#10

Commandment

#11

45 CFR 164.312

(a)(2)(iv)

45 CFR 164.312

(e)(1)

45 CFR 164.312

(e)(2)(ii)

A.10.6.1

A.10.8.3

A.10.8.4

A.10.9.2

A.10.9.3

A.12.3.1

A.15.1.3

A.15.1.4

Commandment #4

Commandment #5

Commandment #9

Commandment

#10

Commandment

#11

Encryption & Key

Management

Key Generation

EKM-

02

Policies and procedures shall be established for the management

of cryptographic keys in the service's cryptosystem (e.g., lifecycle

management from key generation to revocation and

replacement, public key infrastructure, cryptographic protocol

design and algorithms used, access controls in place for secure key

generation, and exchange and storage including segregation of

keys used for encrypted data or sessions). Upon request, provider

shall inform the customer (tenant) of changes within the

cryptosystem, especially if the customer (tenant) data is used as

part of the service, and/or the customer (tenant) has some shared

responsibility over implementation of the control.

CIP-003-3 -

R4.2

AC-18

IA-3

IA-7

SC-7

SC-8

SC-9

SC-13

SC-16

SC-23

SI-8

PCI-DSS v2.0

2.1.1

PCI-DSS v2.0

3.4

PCI-DSS v2.0

3.4.1

PCI-DSS v2.0

4.1

PCI-DSS v2.0

4.1.1

PCI DSS v2.0 4.2

Encryption & Key

Management

Storage and Access

EKM-

04

Platform and data appropriate encryption (e.g., AES-256) in

open/validated formats and standard algorithms shall be

required. Keys shall not be stored in the cloud (i.e. at the cloud

provider in question), but maintained by the cloud consumer or

trusted key management provider. Key management and key

usage shall be separated duties.

Governance and Risk

Management

Baseline Requirements

GRM-

01

Baseline security requirements shall be established for developed

or acquired, organizationally-owned or managed, physical or

virtual, applications and infrastructure system and network

components that comply with applicable legal, statutory and

regulatory compliance obligations. Deviations from standard

baseline configurations must be authorized following change

management policies and procedures prior to deployment,

provisioning, or use. Compliance with security baseline

requirements must be reassessed at least annually unless an

alternate frequency has been established and established and

authorized based on business need.

S1.1.0

S1.2.0(a-i)

(S1.1.0) The entity’s security policies are



(S1.2.0(a-i)) The entity's security policies include,

but may not be limited to, the following matters:

L.2 L.2, L.5, L.7 L.8,

L.9, L.10

12 (B)

14 (B)

13 (B)

15 (B)

16 (C+,

A+)

21 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards

IS-04 COBIT 4.1 AI2.1

COBIT 4.1 AI2.2

COBIT 4.1 AI3.3

COBIT 4.1 DS2.3

COBIT 4.1 DS11.6

Domain 2 6.03.01. (a)

6.03.04. (a)

6.03.04. (b)

6.03.04. (c)

6.03.04. (e)

6.07.01. (o)

Article 17 NIST SP 800-53 R3 CM-2




NIST SP 800-53 R3 CM-2 (1)

NIST SP 800-53 R3 CM-2 (3)

NIST SP 800-53 R3 CM-2 (5)



NIST SP 800-53 R3 SA-4 (1)

NIST SP 800-53 R3 SA-4 (4)

NIST SP 800-53 R3 SA-4 (7)

NIST SP 800-53 R3 SC-30

1.2.6

8.2.1

8.2.7

Encryption & Key

Management

Encryption

EKM-

03

Policies and procedures shall be established, and supporting

business processes and technical measures implemented, for the

use of encryption protocols for protection of sensitive data in

storage (e.g., file servers, databases, and end-user workstations)

and data in transmission (e.g., system interfaces, over public

networks, and electronic messaging) as per applicable legal,

statutory, and regulatory compliance obligations.

C3.12.0

S3.6.0

S3.4

(C3.12.0, S3.6.0) Encryption or other equivalent

security techniques are used to protect

transmissions of user authentication and other

confidential information passed over the Internet

or other public networks.



G.4

G.15

I.3

G.10.4, G.11.1,

G.11.2, G.12.1,

G.12.2, G.12.4,

G.12.10,

G.14.18,

G.14.19,

G.16.2,

G.16.18,

G.16.19,

G.17.16,

G.17.17,

G.18.13,

G.18.14,

G.19.1.1,

23 (B)

24 (B)

25 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3


COBIT 4.1 DS5.10

COBIT 4.1 DS5.11

Domain 2 6.04.05. (a)

6.04.05. (c)


NIST SP 800-53 R3 AC-18




NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 AC-18

NIST SP 800-53 R3 AC-18 (1)

NIST SP 800-53 R3 AC-18 (2)



NIST SP 800-53 R3 SC-7 (4)


NIST SP 800-53 R3 SC-8 (1)


NIST SP 800-53 R3 SC-9 (1)

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-13 (1)

NIST SP 800-53 R3 SC-23

NIST SP 800-53 R3 SC-28

8.1.1

8.2.1

8.2.5

45 CFR 164.310

(a)(1)

45 CFR 164.310

(a)(2)(ii)

45 CFR

164.308(a)(3)(ii)(

A) (New)

45 CFR 164.310

(a)(2)(iii) (New)

A.5.1.1

A.9.1.3

A.9.1.5

Commandment #1

Commandment #2

Commandment #3

Commandment #5

CIP-006-3c

R1.2 -

R1.3 -

R1.4 -R2 -

R2.2

PE-2

PE-3

PE-4

PE-5

PE-6

PCI DSS v2.0 9.1

PCI DSS v2.0 9.2

PCI DSS v2.0 9.3

PCI DSS v2.0 9.4

(S3.6.0) Encryption or other equivalent security

techniques are used to protect transmissions of

user authentication and other confidential

information passed over the Internet or other

public networks.



L.6 38 (B)

39 (C+)

IS-19 COBIT 4.1 DS5.8 Domain 2 6.04.04. (a)

6.04.04. (b)

6.04.04. (c)

6.04.04. (d)

6.04.04. (e)

6.04.05. (d)

6.04.05. (e)

6.04.08.02.

(b)

Article 17 NIST SP 800-53 R3 SC-12

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-12

NIST SP 800-53 R3 SC-12 (2)

NIST SP 800-53 R3 SC-12 (5)

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-13 (1)

NIST SP 800-53 R3 SC-17

8.1.1

8.2.1

8.2.5

45 CFR 164.312

(a)(2)(iv)

45 CFR

164.312(e)(1)

(New)

Clause 4.3.3

A.10.7.3

A.12.3.2

A.15.1.6

Commandment #9

Commandment

#10

Commandment

#11

SC-12

SC-13

SC-17

SC-28

PCI-DSS v2.0

3.4.1

PCI-DSS v2.0

3.5

PCI-DSS v2.0

3.5.1

PCI-DSS v2.0

3.5.2

PCI-DSS v2.0

3.6

PCI-DSS v2.0

3.6.1

PCI-DSS v2.0

3.6.2

PCI-DSS v2.0

3.6.3

PCI-DSS v2.0

3.6.4

PCI-DSS v2.0

3.6.5

PCI-DSS v2.0

3.6.6

PCI-DSS v2.0

3.6.7

PCI-DSS v2.0

3.6.8

99.31.a.1.iiDatacenter Security

Policy

DCS-06 Policies and procedures shall be established, and supporting

business processes implemented, for maintaining a safe and

secure working environment in offices, rooms, facilities, and

secure areas.





and servers.

H.6 F.1.2.3, F.1.2.4,

F.1.2.5, F.1.2.6,

F.1.2.8, F.1.2.

9, F.1.2.10,

F.1.2.11,

F.1.2.12,

F.1.2.13,

F.1.2.14,

F.1.2.15,

F.1.2.24,

F.1.4.2, F1.4.6,

F.1.4.7, F.1.7,

F.1.8, F.2.13,

F.2.14, F.2.15,

F.2.16, F.2.17,

F.2.18

7 (B) Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.3

FS-01 COBIT 4.1 DS5.7,

DS 12.1, DS 12.4

DS 4.9

Domain 8 6.08. (a)

6.09. (i)









NIST SP 800-53 R3 PE-6 (1)

8.2.1

8.2.2

8.2.3

Domain 11

A.11.1.1

A.11.1.2

Clauses

5.2(c)

5.3(a)

5.3(b)

7.5.3(b)

7.5.3(d)

8.1

8.3

9.2(g)

A.8.2.3

A.10.1.2

A.18.1.5

A.13.1.1

A.8.3.3

A.13.2.3

A.14.1.3

A.14.1.2

A.10.1.1

A.18.1.3

A.18.1.4

Annex

A.10.1

A.10.1.1

A.10.1.2

A.14.1.1

A.18.2.3

Clauses

5.2(c)

5.3(a)

5.3(b)

6.1.2

6.1.2(a)(2)

6.1.3(b)

7.5.3(b)

7.5.3(d)

8.1

8.2

8.3

9.2(g)

A.18.1.1

A.18.1.3

A.18.1.4

A.8.2.2

APO13.01

APO13.02

APO13.03

312.8 and 312.10 shared x







NIST SP 800-53 R3 IR-1









Commandment #1

Commandment #2

Chapter II, Article 19 CIP-001-

1a - R1 -

R2

CIP-003-3 -

R1 - R1.1 -

R4

CIP-006-3c

R1

PM-1

PM-2

PM-3

PM-4

PM-5

PM-6

PM-7

PM-8

PM-9

PM-10

PM-11

AR-1 Governance and

Privacy Program

4.1 PA8Article 17 99.31.(a)(1)(ii) 8.2.1 45 CFR

164.308(a)(1)(i)

45 CFR

164.308(a)(1)(ii)(

B)

45 CFR

164.316(b)(1)(i)

45 CFR

164.308(a)(3)(i)

(New)

45 CFR

164.306(a)

(New)

Clause 4.2

Clause 5

A.6.1.1

A.6.1.2

A.6.1.3

A.6.1.4

A.6.1.5

A.6.1.6

A.6.1.7

A.6.1.8

All in sections 4,

5, 6, 7, 8, 9, 10.

A.6.1.1

A.13.2.4

A.6.1.3

A.6.1.4

A.18.2.1
















8.1.0

8.1.1

45 CFR 164.316

(a)

45 CFR 164.316

(b)(1)(i)

45 CFR 164.316

(b)(2)(ii)

45 CFR

164.308(a)(2)

(New)

Clause 4.2.1

Clause 5

A.5.1.1

A.8.2.2

Commandment #1

Commandment #2

Commandment #3


39

CIP-003-3 -

R1 -R1.1 -

R1.2 - R2 -

R2.1 -

R2.2 -

R2.3

AC-1

AT-1

AU-1

CA-1

CM-1

IA-1

IR-1

MA-1

MP-1

MP-1

PE-1

PL-1

PS-1

SA-1

SC-1

SI-1

PCI DSS v2.0

12.1

PCI DSS v2.0

12.2

12.1

12.2






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





GRM-06.4 Do you disclose which controls, standards, certifications and/or

regulations you comply with?

GRM-07.1 Is a formal disciplinary or sanction policy established for employees

who have violated security policies and procedures?

GRM-07.2 Are employees made aware of what actions could be taken in the

event of a violation via their policies and procedures?

Governance and Risk

Management

Business / Policy

Change Impacts

GRM-

08

GRM-08.1 Risk assessment results shall include updates to security policies,

procedures, standards, and controls to ensure that they remain

relevant and effective.

Do risk assessment results include updates to security policies,

procedures, standards and controls to ensure they remain

relevant and effective?

B.2

G.21

L.2

B.1.1, B.1.2,

B.1.6, B.1.7.2,

G.2, L.9, L.10

Schedule 1

(Section 5), 4.7 -

Safeguards

RI-04 COBIT 4.1 PO 9.6 APO12

APO13.01

APO13.03

312.8 and 312.10 BOSS >

Operational Risk

Management >

Risk

Management

Framework

shared x Domain 2,

4

6.03. (a) Article 17 (1), (2) NIST SP 800-53 R3 AC-1


































Clause 4.2.3

Clause 4.2.4

Clause 4.3.1

Clause 5

Clause 7

A.5.1.2

A.10.1.2

A.10.2.3

A.14.1.2

A.15.2.1

A.15.2.2

Clause

4.2.1 a,

4.2(b)

4.3 c,

4.3(a&b)

4.4

5.1(c)

5.1(d)

5.1(e)

5.1(f)

5.1(g)

5.1(h)

5.2

5.2 e,

5.2(f)

5.3

6.1.1(e)(2),

6.1.2(a)(1)

6.2

CIP-009-3 -

R2

CP-2

RA-2

RA-3


Risk Assessment

4.3 PCI DSS v2.0

12.1.3

12.2

GRM-09.1 Do you notify your tenants when you make material changes to

your information security and/or privacy policies?

GRM-09.2 Do you perform, at minimum, annual reviews to your privacy and

security policies?

GRM-10.1 Are formal risk assessments aligned with the enterprise-wide

framework and performed at least annually, or at planned

intervals, determining the likelihood and impact of all identified

risks, using qualitative and quantitative methods?

GRM-10.2 Is the likelihood and impact associated with inherent and residual

risk determined independently, considering all risk categories

(e.g., audit results, threat and vulnerability analysis, and

regulatory compliance)?

GRM-11.1 Do you have a documented, organization-wide program in place

to manage risk?

GRM-11.2 Do you make available documentation of your organization-wide

risk management program?

HRS-01.1 Are systems in place to monitor for privacy breaches and notify

tenants expeditiously if a privacy event may have impacted their

data?

HRS-01.2 Is your Privacy Policy aligned with industry standards?

Human Resources

Background Screening

HRS-02 HRS-02.1 Pursuant to local laws, regulations, ethics, and contractual

constraints, all employment candidates, contractors, and third

parties shall be subject to background verification proportional to

the data classification to be accessed, the business requirements,

and acceptable risk.

Pursuant to local laws, regulations, ethics and contractual

constraints, are all employment candidates, contractors and

involved third parties subject to background verification?

S3.11.0 (S3.11.0) Procedures exist to help ensure that

personnel responsible for the design,

development, implementation, and operation of

systems affecting confidentiality and security

have the qualifications and resources to fulfill

their responsibilities.

CC1.3CC1.4

E.2 E.2 63 (B)

HR-01

Schedule 1

(Section 5), 4.7

Safeguards,

Subsec. 4.7.3

COBIT 4.1 PO 7.6 APO07.01

APO07.05

APO07.06

312.8 and 312.10 BOSS > Human

Resources

Security >

Background

Screening

shared x None 6.01. (a) Article 17 NIST SP 800-53 R3 PS-2




1.2.9 A.8.1.2 A.7.1.1 ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

Commandment #2

Commandment #3

Commandment #6

Commandment #9

CIP-004-3 -

R2.2

PS-2

PS-3

9.29 PA27 BSGP PCI DSS v2.0

12.7

PCI DSS v2.0

12.8.3

12.7

12.8.3

HRS-03.1 Do you specifically train your employees regarding their specific

role and the information security controls they must fulfill?

HRS-03.2 Do you document employee acknowledgment of training they

have completed?

HRS-03.3 Are all personnel required to sign NDA or Confidentiality

Agreements as a condition of employment to protect

customer/tenant information?

HRS-03.4 Is successful and timed completion of the training program

considered a prerequisite for acquiring and maintaining access to

sensitive systems?

HRS-03.5 Are personnel trained and provided with awareness programs at

least once a year?

HRS-04.1 Are documented policies, procedures and guidelines in place to

govern change in employment and/or termination?

HRS-04.2 Do the above procedures and guidelines account for timely

revocation of access and return of assets?

Human Resources

Portable / Mobile

Devices

HRS-05 HRS-05.1 Policies and procedures shall be established, and supporting


manage business risks associated with permitting mobile device

access to corporate resources and may require the

implementation of higher assurance compensating controls and

acceptable-use policies and procedures (e.g., mandated security

training, stronger identity, entitlement and access controls, and

device monitoring).

Are policies and procedures established and measures

implemented to strictly limit access to your sensitive data and

tenant data from portable and mobile devices (e.g. laptops, cell

phones and personal digital assistants (PDAs)), which are generally

higher-risk than non-portable devices (e.g., desktop computers at

the provider organization’s facilities)?



CC5.6 G.11, G12,

G.20.13,

G.20.14

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3


COBIT 4.1 DS5.5

APO01.08

APO13.01

APO13.02

DSS05.01

DSS05.02

DSS05.03

DSS05.07

DSS06.03

DSS06.06

312.8 and 312.10 Presentation

Services >

Presentation

Platform >

Endpoints -

Mobile Devices -

Mobile Device

Management

shared x Domain 2 Article 17 NIST SP 800-53 R3 AC-17

NIST SP 800-53 R3 AC-18

NIST SP 800-53 R3 AC-19



NIST SP 800-53 R3 AC-17

NIST SP 800-53 R3 AC-17 (1)

NIST SP 800-53 R3 AC-17 (2)

NIST SP 800-53 R3 AC-17 (3)

NIST SP 800-53 R3 AC-17 (4)

NIST SP 800-53 R3 AC-17 (5)

NIST SP 800-53 R3 AC-17 (7)

NIST SP 800-53 R3 AC-17 (8)

NIST SP 800-53 R3 AC-18

NIST SP 800-53 R3 AC-18 (1)

NIST SP 800-53 R3 AC-18 (2)

NIST SP 800-53 R3 AC-19

NIST SP 800-53 R3 AC-19 (1)

NIST SP 800-53 R3 AC-19 (2)

NIST SP 800-53 R3 AC-19 (3)


NIST SP 800-53 R3 MP-2 (1)


NIST SP 800-53 R3 MP-4 (1)


NIST SP 800-53 R3 MP-6 (4)

1.2.6

3.2.4

8.2.6

45 CFR 164.310

(d)(1)

A.7.2.1

A.10.7.1

A.10.7.2

A.10.8.3

A.11.7.1

A.11.7.2

A.15.1.4

A.8.2.1

A.8.3.1

A.8.3.2

A.8.3.3

A.6.2.1

A.6.2.2

A.18.1.4

ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

All CIP-007-3 -

R7.1

AC-17

AC-18

AC-19

MP-2

MP-4

MP-6

19.1

19.2

19.3

PA33

PA34

SGP

SGP

PCI DSS v2.0 9.7

PCI DSS v2.0

9.7.2

PCI DSS v2.0 9.8

PCI DSS v2.0 9.9

PCI DSS v2.0

11.1

PCI DSS v2.0

12.3

11.1

12.3

Human Resources

Nondisclosure

Agreements

HRS-06 HRS-06.1 Requirements for non-disclosure or confidentiality agreements

reflecting the organization's needs for the protection of data and

operational details shall be identified, documented, and reviewed

at planned intervals.

Are requirements for non-disclosure or confidentiality agreements

reflecting the organization's needs for the protection of data and

operational details identified, documented and reviewed at

planned intervals?

S4.1.0 (S4.1.0) The entity’s system availability,

confidentiality, processing integrity and security

performance is periodically reviewed and

compared with the defined system availability


CC4.1 C.2.5 Schedule 1

(Section 5), 4.7 -

Safeguards

LG-01 APO01.02

APO01.03

APO01.08

APO07.06

APO09.03

APO10.04

APO13.01

APO13.03

312.8 and 312.10 BOSS >

Compliance >

Intellectual

Property

Protection

shared x Domain 3 Article 16 NIST SP 800-53 R3 PL-4






NIST SP 800-53 R3 SA-9 (1)

1.2.5 ISO/IEC

27001:2005

Annex A.6.1.5

A.13.2.4 ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

Commandment #6

Commandment #7

Commandment #8

Commandment #9

PL-4

PS-6

SA-9

DI-2 DATA INTEGRITY

AND DATA INTEGRITY

BOARD

a. Documents processes

to ensure the integrity of


information (PII) through

existing security controls;

and

PA7 BSGP PCI DSS v2.0

12.8.2

PCI DSS v2.0

12.8.3

PCI DSS v2.0

12.8.4

Human Resources

Roles / Responsibilities

HRS-07 HRS-07.1 Roles and responsibilities of contractors, employees, and third-

party users shall be documented as they relate to information

assets and security.

Do you provide tenants with a role definition document clarifying

your administrative responsibilities versus those of the tenant?

S1.2.f (S1.2.f) f. Assigning responsibility and

accountability for system availability,

confidentiality, processing integrity and related

security.

B.1 B.1.5,

D.1.1,D.1.3.3,

E.1, F.1.1,

H.1.1, K.1.2

5 (B) Schedule 1

(Section 5) 4.1

Accountability


APO01.03

APO01.08

APO07.06

APO09.03

APO10.04

APO13.01

APO13.03

312.3, 312.8 and

312.10

BOSS > Human

Resources

Security > Roles

and

Responsibilities

shared x Domain 2 Article 17 NIST SP 800-53 R3 PL-4










99.31(a)(1)(ii) 1.2.9

8.2.1

Clause 5.1 c)

A.6.1.2

A.6.1.3

A.8.1.1

Clause 5.3

A.6.1.1

A.6.1.1

Commandment #6

Commandment #7

Commandment #8

AT-3

PL-4

PM-10

PS-1

PS-6

PS-7

AR-1 GOVERNANCE AND

PRIVACY PROGRAM

Control: The

organization:

Supplemental Guidance:

The development and

implementation of a

comprehensive

governance and privacy

program demonstrates

organizational

accountability for and

commitment to the

2.2 PA9

PA24

BSGP 12.8.5

HRS-08.1 Do you provide documentation regarding how you may or access

tenant data and metadata?HRS-08.2 Do you collect or create metadata about tenant data usage

through inspection technologies (search engines, etc.)?

9.3

12.3

7.3, 8.8, 9.10, 12.1

12.2

12.1.1

12.2

12.2

PA30 BSGP

PA2

PA15

BSGP

SGP

PA27 BSGP

PA27 BSGP

2.2

9.2

2.2

5.2

4.2

4.2

4.3

4.4

4.5

4.1

6.1

1.1

3.3

5.1

5.2

5.3

5.4

7.1

12.2

17.7

18.1

18.3

3.2 (responsibility)

3.3

3.4

4.1

4.3

5.2 (residual Risk)


Risk Assessment

SRM > Policies

and Standards >

Information

Security Policies

shared x

SRM > Policies

and Standards >

Information

Security Policies

shared x

SRM >

Governance Risk

& Compliance >

shared x

SRM >

Governance Risk

& Compliance >

Policy

Management

shared x

shared x

BOSS >

Operational Risk

Management >

Risk

Management

Framework

shared x

312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

APO01.03

APO01.08

APO07.04

APO12

APO13.01

APO13.03

MEA03.01

MEA03.02

APO12

EDM03.02

APO01.03

APO12

APO01.03

APO13.01

APO07.06

APO09.03

APO10.01

APO01.02

APO07.05

APO07.06

APO01.03

APO01.08

APO13.01

APO13.02

DSS05.04

DSS06.06

CC3.2

CC1.2

CC2.3

CC6.2

CC2.5

CC3.2

CC3.1

CC3.3

CC3.1

CC5.6

CC2.2CC2.3

CC5.4

CC3.2

CC6.2

Human Resources

Acceptable Use

HRS-08 Policies and procedures shall be established, and supporting


defining allowances and conditions for permitting usage of



infrastructure network and systems components. Additionally,

defining allowances and conditions to permit usage of personal

mobile devices and associated applications with access to

corporate resources (i.e., BYOD) shall be considered and

incorporated as appropriate.

S1.2

S3.9

(S1.2) The entity’s security policies include, but

may not be limited to, the following matters:

(S3.9) Procedures exist to provide that issues of

noncompliance with security policies are

promptly addressed and that corrective

measures are taken on a timely basis.

B.3 B.1.7, D.1.3.3,

E.3.2, E.3.5.1,

E.3.5.2

Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.4

IS-26 COBIT 4.1 DS 5.3 Domain 2 Article 5, Article 6

Article 7



NIST SP 800-53 R3 AC-20



NIST SP 800-53 R3 AC-20

NIST SP 800-53 R3 AC-20 (1)

NIST SP 800-53 R3 AC-20 (2)


8.1.0 45 CFR 164.310

(b)


Commandment #2

Commandment #3

Human Resources

Employment

Termination

HRS-04 Roles and responsibilities for performing employment termination

or change in employment procedures shall be assigned,

documented, and communicated.

AC-8

AC-20

PL-4

PCI-DSS v2.0

12.3.5

312.8 and 312.10

312.4, 312.8 and

312.10

BOSS > Human

Resources

Security > Roles

and

Responsibilities

S3.2.d

S3.8.e

(S3.2.d) Procedures exist to restrict logical access

to the system and information resources

maintained in the system including, but not

limited to, the following matters:

d. The process to make changes and updates to

user profiles

(S3.8.e) e. Procedures to prevent customers,

groups of individuals, or other entities from

accessing confidential information other than

their own

E.6 HR-03 COBIT 4.1 PO 7.8 None Article 17 NIST SP 800-53 R3 PS-2










8.2.2

10.2.5

GRM-

11

Organizations shall develop and maintain an enterprise risk

management framework to mitigate risk to an acceptable level.

45 CFR 164.308

(a)(3)(ii)(C)


Commandment #7

312.3, 312.8 and

312.10

312.3, 312.8 and

312.10

BOSS > Human

Resources

Security >

Employee

Termination

provider x

BOSS > Human

Resources

Security >

Employee Code of

Conduct

shared x

shared x

45 CFR 164.308

(a)(3)(ii)(C)

A.7.1.1

A.7.1.2

A.8.3.2

Governance and Risk

Management

Program

PS-4

Human Resources

Employment

Agreements

HRS-03 Employment agreements shall incorporate provisions and/or

terms for adherence to established information governance and

security policies and must be signed by newly hired or on-boarded

workforce personnel (e.g., full or part-time employee or

contingent staff) prior to granting workforce personnel user

access to corporate facilities, resources, and assets.

S2.2.0 (S2.2.0) The security obligations of users and the

entity's security commitments to users are

communicated to authorized users

C.1 E.3.5 66 (B) Schedule 1

(Section 5) 4.7

Safeguards,

Subsec. 4.7.4

HR-02 COBIT DS 2.1 None Article 17 NIST SP 800-53 R3 PS-1NIST SP 800-53 R3 PS-2NIST SP 800-53 R3 PS-6NIST SP 800-53 R3 PS-7

NIST SP 800-53 R3 PS-1NIST SP 800-53 R3 PS-2NIST SP 800-53 R3 PS-6NIST SP 800-53 R3 PS-7

1.2.98.2.6

45 CFR

164.310(a)(1)

(New)

45 CFR

164.308(a)(4)(i)

(New)

A.6.1.5

A.8.1.3

ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

Commandment #6

Commandment #7

PL-4

PS-6

PS-7

Human Resources

Asset Returns

HRS-01 Upon termination of workforce personnel and/or expiration of

external business relationships, all organizationally-owned assets

shall be returned within an established period.



D.1 E.6.4 Schedule 1

(Section 5) 4.5

Limiting Use,

Disclosure and

Retention; 4.7

Safeguards, Subs.

4.7.5

IS-27 Domain 2 Article 17 NIST SP 800-53 R3 PS-4 NIST SP 800-53 R3 PS-4 5.2.3

7.2.2

8.2.1

8.2.6

APO01.08

APO07.06

APO13.01

BAI09.03

CIP-002-3 -

R1.1 -

R1.2

CIP-005-

3a - R1 -

R1.2

CIP-009-3 -

R.1.1

PL-5

RA-2

RA-3

PCI DSS v2.0

12.1.2

BOSS >

Operational Risk

Management >

Risk

Management

Framework

S3.1

x3.1.0

(S3.1) Procedures exist to (1) identify potential




threats.

(x3.1.0) Procedures exist to (1) identify potential


would impair system [availability, processing

integrity, confidenitality] commitments and (2)

assess the risks associated with the identified

threats.

L.2 A.1, L.1 Schedule 1

(Section 5), 4.7 -

Safeguards

RI-01 COBIT 4.1 PO 9.1 Domain 2,

4

Article 17 (1), (2) NIST SP 800-53 R3 AC-1




















NIST SP 800-53 R3 SA-9 (1)

NIST SP 800-53 R3 SC-30


NIST SP 800-53 R3 SI-4 (2)

NIST SP 800-53 R3 SI-4 (4)

NIST SP 800-53 R3 SI-4 (5)

NIST SP 800-53 R3 SI-4 (6)


1.2.4312.8 and 312.10 45 CFR 164.308

(a)(8)

45 CFR

164.308(a)(1)(ii)(

B) (New)

Clause 4.2.1 c)

through g)

Clause 4.2.2 b)

Clause 5.1 f)

Clause 7.2 & 7.3

A.6.2.1

A.12.6.1

A.14.1.2

A.15.2.1

A.15.2.2

Chapter II

Article 19

CIP-009-3 -

R4

AC-4

CA-2

CA-6

PM-9

RA-1

PCI DSS v2.0

12.1.2

45 CFR 164.316

(b)(2)(iii)

45 CFE

164.306(e)

(New)

Clause 4.2.3 f)

A.5.1.2

Commandment #1

Commandment #2

Commandment #3

PCI DSS v2.0

12.1.3

CIP-003-3 -

R3.2 -

R3.3 -

R1.3

R3 - R3.1 -

R3.2 -

R3.3

AC-1

AT-1

AU-1

CA-1

CM-1

CP-1

IA-1

IA-5

IR-1

MA-1

MP-1

PE-1

PL-1

PM-1

PS-1

RA-1

SA-1

SC-1

SI-1

Governance and Risk

Management

Assessments

GRM-

10

Aligned with the enterprise-wide framework, formal risk

assessments shall be performed at least annually or at planned

intervals, (and in conjunction with any changes to information

systems) to determine the likelihood and impact of all identified

risks using qualitative and quantitative methods. The likelihood

and impact associated with inherent and residual risk shall be

determined independently, considering all risk categories (e.g.,

audit results, threat and vulnerability analysis, and regulatory

compliance).

S3.1

x3.1.0

S4.3.0





threats.






threats.

(S4.3.0) Environmental, regulatory, and

technological changes are monitored, and their

effect on system availability, confidentiality of

data, processing integrity, and system security is

assessed on a timely basis; policies are updated

for that assessment.

I.1

I.4

C.2.1, I.4.1, I.5,

G.15.1.3, I.3

46 (B)

74 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards

RI-02 COBIT 4.1 PO 9.4 Domain 2,

4

6.03. (a)

6.08. (a)

Article 17 (1), (2) NIST SP 800-53 R3 CM-1







NIST SP 800-53 R3 SC-30

1.2.4

1.2.5

312.8 and 312.10 45 CFR 164.308

(a)(1)(ii)(A)

Clause 4.2.1 c)

through g)

Clause 4.2.3 d)

Clause 5.1 f)

Clause 7.2 & 7.3

A.6.2.1

A.12.5.2

A.12.6.1

A.14.1.2

A.15.1.1

A.15.2.1

A.15.2.2

Governance and Risk

Management

Policy Reviews

GRM-

09

The organization's business leadership (or other accountable

business role or function) shall review the information security

policy at planned intervals or as a result of changes to the

organization to ensure its continuing alignment with the security

strategy, effectiveness, accuracy, relevance, and applicability to

legal, statutory, or regulatory compliance obligations.

S1.1.0 (S1.1.0) The entity’s security policies are



B.2 B.1.33. B.1.34, IS-05 COBIT 4.1 DS 5.2

DS 5.4

Domain 2 Article 17 NIST SP 800-53 R3 AC-1









(1)



















NIST SP 800-53 R3 IA-5 (1)

NIST SP 800-53 R3 IA-5 (2)

NIST SP 800-53 R3 IA-5 (3)

NIST SP 800-53 R3 IA-5 (6)

NIST SP 800-53 R3 IA-5 (7)











1.2.1

8.2.7

10.2.3

PCI DSS v2.0

12.1

PCI DSS v2.0

12.2

Governance and Risk

Management

Policy Enforcement

GRM-

07

A formal disciplinary or sanction policy shall be established for

employees who have violated security policies and procedures.

Employees shall be made aware of what action might be taken in

the event of a violation, and disciplinary measures must be stated

in the policies and procedures.

S3.9

S2.4.0








B.1.5 Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.4

IS-06 COBIT 4.1 PO 7.7 Domain 2 Article 17 NIST SP 800-53 R3 PL-4






10.2.4 45 CFR 164.308

(a)(1)(ii)(C)


Commandment #7

Chapter X, Article 64 PL-4

PS-1

PS-8

99.31(a)(i)(ii)

Clause 4.3

Clause 5

4.4

4.2(b)

6.1.2(a)(1)

6.2

6.2(a)

6.2(d)

7.1

7.4

9.3

10.2

7.2(a)

7.2(b)

7.2(c)

7.2(d)

7.3(b)

7.3(c)

A7.2.3

Governance and Risk

Management

Policy

GRM-

06

Information security policies and procedures shall be established

and made readily available for review by all impacted personnel

and external business relationships. Information security policies

must be authorized by the organization's business leadership (or

other accountable business role or function) and supported by a

strategic business plan and an information security management

program inclusive of defined information security roles and

responsibilities for business leadership.

S1.1.0

S1.3.0

S2.3.0

(S1.1.0) The entity's security policies are



(S1.3.0) Responsibility and accountability for





entity's system security policies and changes and



them.

B.1 Schedule 1

(Section 5) 4.1

Accountability,

Subsec 4.1.4

IS-03 COBIT 4.1 DS5.2 Domain 2 6.02. (e)APO01.03

APO01.04

APO13.01

APO13.02

Clause 8.1

A.5.1.2

Clause

4.2(b),

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

6.1.3(b)

8.1

9.3(a),

9.3(b)

9.3(b)(f)Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

A.8.1.1

A.8.1.2

A.8.1.4

A.13.2.4

A.7.1.2

A.7.3.1

A.8.1.3

PCI DSS v2.0

12.4

PCI DSS v2.0

12.8.2

PS-4

PS-5































8.1.0

8.1.1

45 CFR 164.316

(a)

45 CFR 164.316

(b)(1)(i)

45 CFR 164.316

(b)(2)(ii)

45 CFR

164.308(a)(2)

(New)

Clause 4.2.1

Clause 5

A.5.1.1

A.8.2.2

Commandment #1

Commandment #2

Commandment #3


39

CIP-003-3 -

R1 -R1.1 -

R1.2 - R2 -

R2.1 -

R2.2 -

R2.3

AC-1

AT-1

AU-1

CA-1

CM-1

IA-1

IR-1

MA-1

MP-1

MP-1

PE-1

PL-1

PS-1

SA-1

SC-1

SI-1






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





HRS-08.3 Do you allow tenants to opt out of having their data/metadata

accessed via inspection technologies?

HRS-09.1 Do you provide a formal, role-based, security awareness training

program for cloud-related access and data management issues

(e.g., multi-tenancy, nationality, cloud delivery model segregation

of duties implications and conflicts of interest) for all persons with

access to tenant data?

HRS-09.2 Are administrators and data stewards properly educated on their

legal responsibilities with regard to security and data integrity?

HRS-10.1 Are users made aware of their responsibilities for maintaining

awareness and compliance with published security policies,

procedures, standards and applicable regulatory requirements?

HRS-10.2 Are users made aware of their responsibilities for maintaining a

safe and secure working environment?

HRS-10.3 Are users made aware of their responsibilities for leaving

unattended equipment in a secure manner?

HRS-11.1 Do your data management policies and procedures address tenant

and service level conflicts of interests?

HRS-11.2 Do your data management policies and procedures include a

tamper audit or software integrity function for unauthorized

access to tenant data?

HRS-11.3 Does the virtual machine management infrastructure include a

tamper audit or software integrity function to detect changes to

the build/configuration of the virtual machine?

IAM-01.1 Do you restrict, log and monitor access to your information

security management systems? (E.g., hypervisors, firewalls,

vulnerability scanners, network sniffers, APIs, etc.)

IAM-01.2 Do you monitor and log privileged access (administrator level) to

information security management systems?

IAM-02.1 Do you have controls in place ensuring timely removal of systems

access that is no longer required for business purposes?

IAM-02.2 Do you provide metrics to track the speed with which you are able

to remove systems access that is no longer required for business

purposes?

Identity & Access

Management

Diagnostic /

Configuration Ports

Access

IAM-

03

IAM-03.1 User access to diagnostic and configuration ports shall be

restricted to authorized individuals and applications.

Do you use dedicated secure networks to provide management

access to your cloud service infrastructure?

S3.2.g (S3.2.g) g. Restriction of access to system

configurations, superuser functionality, master

passwords, powerful utilities, and security

devices (for example, firewalls).

CC5.1 H1.1, H1.2,

G.9.15

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3


DSS05.02

DSS05.03

DSS05.05

DSS06.06

312.8 and 312.10 SRM > Privilege

Management

Infrastructure >

Privilege Usage

Management -

Resource

Protection

provider x Domain 2 NIST SP 800-53 R3 CM-7





NIST SP 800-53 R3 AC-2 (1)

NIST SP 800-53 R3 AC-2 (2)

NIST SP 800-53 R3 AC-2 (3)

NIST SP 800-53 R3 AC-2 (4)

NIST SP 800-53 R3 AC-2 (7)



NIST SP 800-53 R3 AC-6 (1)

NIST SP 800-53 R3 AC-6 (2)




NIST SP 800-53 R3 AU-6 (1)

NIST SP 800-53 R3 AU-6 (3)


NIST SP 800-53 R3 SI-4 (2)

NIST SP 800-53 R3 SI-4 (4)

NIST SP 800-53 R3 SI-4 (5)

NIST SP 800-53 R3 SI-4 (6)

8.2.2 A.10.6.1

A.11.1.1

A.11.4.4

A.11.5.4

A.13.1.1

A.9.1.1

A.9.4.4

Commandment #3

Commandment #4

Commandment #5

Commandment #6

Commandment #7

Commandment #8

CIP-007-3 -

R2

CM-7

MA-3

MA-4

MA-5

15.4 PCI-DSS v2.0

9.1.2

1.2.2

7.1

7.1.2

7.1.3

7.2

7.2.3

9.1.2

9.1.3

IAM-04.1 Do you manage and store the identity of all personnel who have

access to the IT infrastructure, including their level of access?

IAM-04.2 Do you manage and store the user identity of all personnel who

have network access, including their level of access?

Identity & Access

Management

Segregation of Duties

IAM-

05

IAM-05.1 User access policies and procedures shall be established, and

supporting business processes and technical measures

implemented, for restricting user access as per defined

segregation of duties to address business risks associated with a

user-role conflict of interest.

Do you provide tenants with documentation on how you maintain

segregation of duties within your cloud service offering?




CC5.1 Schedule 1

(Section 5) 4.7

Safeguards, Subs.

4.7.3(b)

IS-15 COBIT 4.1 DS 5.4 APO01.03

APO01.08

APO13.02

DSS05.04

DSS06.03

312.8 and 312.10 ITOS > Resource

Management >

Segregation of

Duties

shared x Domain 2 6.04.01. (d)

6.04.08.02.

(a)








NIST SP 800-53 R3 AC-2 (1)

NIST SP 800-53 R3 AC-2 (2)

NIST SP 800-53 R3 AC-2 (3)

NIST SP 800-53 R3 AC-2 (4)

NIST SP 800-53 R3 AC-2 (7)



NIST SP 800-53 R3 AC-6 (1)

NIST SP 800-53 R3 AC-6 (2)




NIST SP 800-53 R3 AU-6 (1)

NIST SP 800-53 R3 AU-6 (3)


NIST SP 800-53 R3 SI-4 (2)

NIST SP 800-53 R3 SI-4 (4)

NIST SP 800-53 R3 SI-4 (5)

NIST SP 800-53 R3 SI-4 (6)

99.31(a)(1)(ii) 8.2.2 45 CFR 164.308

(a)(1)(ii)(D)

45 CFR 164.308

(a)(3)(ii)(A)

45 CFR

164.308(a)(4)(ii)(

A) (New)

45 CFR 164.308

(a)(5)(ii)(C)

45 CFR 164.312

(b)

A.10.1.3 A.6.1.2 Commandment #6

Commandment #7

Commandment #8

Commandment

#10

CIP-007-3

R5.1.1

AC-1

AC-2

AC-5

AC-6

AU-1

AU-6

SI-1

SI-4

3.0

3.1

3.2

3.3

3.4

3.5

PA24 P PCI DSS v2.0

6.4.2

6.4.2, 7.3

8.8

9.10

IAM-06.1 Are controls in place to prevent unauthorized access to your

application, program or object source code, and assure it is

restricted to authorized personnel only?

IAM-06.2 Are controls in place to prevent unauthorized access to tenant

application, program or object source code, and assure it is

restricted to authorized personnel only?

12.3

12.6

12.4

8.1.8

10.5

7.1.2

7.1.4

7.2

8.1

8.1.5

8.5

3.5.1, 7.0

8.0

12.5.4

7.3

8.8

9.10

6.4.1

6.4.2, 7.1

7.1.1

7.1.2

7.1.3

7.1.4

7.2

7.2.2

7.3

PA28 BSGP

2.2

5.2

4.2

9.1

9.1

8.1

15.4

15.1

15.2

9.4

14.1

14.2

19.1

AR-5 PRIVACY

AWARENESS AND

TRAINING

Control: The

organization:

a. Develops, implements,

and updates a

comprehensive training

and awareness strategy

aimed at ensuring that

personnel understand

privacy responsibilities

and procedures;

b. Administers basic

privacy training

[Assignment:

organization-defined

frequency, at least

annually] and targeted,

role-based privacy

training for personnel

having responsibility for


information (PII) or for

activities that involve PII

[Assignment:

organization-defined

frequency, at least

annually]; and

c. Ensures that personnel

certify (manually or

electronically)

acceptance of

responsibilities for UL-1 INTERNAL USE

Control: The organization

uses personally


(PII) internally only for

the authorized

purpose(s) identified in

the Privacy Act and/or in

public notices.

99.31(a)(1)(ii)

ITOS > Service

Support >

Release

Management -

Source Code

Management

shared x

SRM > Policies

and Standards >

Information

Security Policies

shared x

SRM > Privilege

Management

Infrastructure >

Privilege Usage

Management

shared x

SRM > Policies

and Standards >

shared x

BOSS > Human

Resources

Security >

Employee

Awareness

shared x

BOSS > Data

Governance >

Clear Desk Policy

shared x

SRM > Policies

and Standards >

Information

Security Policies

312.8 and 312.10

312.8 and 312.10

APO01.02

APO01.03

APO01.08

APO13.01

APO13.02

DSS05.04

DSS05.05

DSS05.06

DSS06.03

DSS06.06

APO01.03

APO01.08

APO13.01

APO13.02

DSS05.02

DSS05.04

DSS06.06

APO01.03

APO01.08

APO13.02

DSS05.04

DSS06.03

APO01.03

APO01.08

APO13.01

APO13.02

DSS05.04

DSS06.06

APO01.03

APO01.08

APO13.01

APO13.02

DSS05.03

DSS05.05

CC3.2

CC6.2

CC2.2CC2.3

CC5.1

CC7.4 Clause 4.3.3

A.12.4.3

A.15.1.3

ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

Commandment #6

Commandment #7

Commandment #9

Commandment

#10

CM-5

CM-6

PCI-DSS v2.0

6.4.1

PCI-DSS v2.0

6.4.2

45 CFR 164.308

(a)(3)(i)

45 CFR 164.312

(a)(1)

45 CFR 164.312

(a)(2)(ii)

45 CFR

164.308(a)(4)(ii)(

B) (New)

45 CFR

164.308(a)(4)(ii)(

c ) (New)

A.11.1.1

A.11.2.1

A.11.2.4

A.11.4.1

A.11.5.2

A.11.6.1

S3.2.g Commandment #6

Commandment #7

Commandment #8

CIP-007-3 -

R5.1 -

R5.1.2

AC-1

IA-1

PCI DSS v2.0

3.5.1

PCI DSS v2.0

8.5.1

PCI DSS v2.0

12.5.4

Identity & Access

Management

Policies and Procedures

IAM-

04

Policies and procedures shall be established to store and manage

identity information about every person who accesses IT

infrastructure and to determine their level of access. Policies shall

also be developed to control access to network resources based

on user identity.

Identity & Access

Management

Source Code Access

Restriction

IAM-

06

Access to the organization's own developed applications,

program, or object source code, or any other form of intellectual

property (IP), and use of proprietary software shall be

appropriately restricted following the rule of least privilege based

on job function as per established user access policies and

procedures.

S3.13.0 (S3.13.0) Procedures exist to provide that only



I.2.7.2, I.2.9,

I.2.10, I.2.15

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-33 Domain 2 Article 17

Identity & Access

Management

User Access Policy


NIST SP 800-53 R3 CM-5 (1)

NIST SP 800-53 R3 CM-5 (5)

1.2.6

6.2.1

IAM-

02

User access policies and procedures shall be established, and

supporting business processes and technical measures

implemented, for ensuring appropriate identity, entitlement, and

access management for all internal corporate and customer

(tenant) users with access to data and organizationally-owned or

managed (physical and virtual) application interfaces and

infrastructure network and systems components. These policies,

procedures, processes, and measures must incorporate the

following:

• Procedures and supporting roles and responsibilities for

provisioning and de-provisioning user account entitlements

following the rule of least privilege based on job function (e.g.,

internal employee and contingent staff personnel changes,

customer-controlled access, suppliers' business relationships, or

other third-party business relationships)

• Business case considerations for higher levels of assurance and

multi-factor authentication secrets (e.g., management interfaces,

key generation, remote access, segregation of duties, emergency

access, large-scale provisioning or geographically-distributed

deployments, and personnel redundancy for critical systems)

• Access segmentation to sessions and data in multi-tenant

architectures by any third party (e.g., provider and/or other

customer (tenant))

• Identity trust verification and service-to-service application

(API) and information processing interoperability (e.g., SSO and

federation)

• Account credential lifecycle management from instantiation

through revocation

• Account credential and/or identity store minimization or re-use

when feasible

• Authentication, authorization, and accounting (AAA) rules for

access to data and sessions (e.g., encryption and strong/multi-

factor, expireable, non-shared authentication secrets)

• Permissions and supporting capabilities for customer (tenant)

controls over authentication, authorization, and accounting (AAA)

rules for access to data and sessions

• Adherence to applicable legal, statutory, or regulatory

compliance requirements

S3.2.0 (S3.2.0) Procedures exist to restrict logical access

to the defined system including, but not limited


c. Registration and authorization of new users.

d. The process to make changes to user profiles.

g. Restriction of access to system configurations,

superuser functionality, master passwords,

powerful utilities, and security devices (for

example, firewalls).

B.1 B.1.8, B.1.21,

B.1.28, E.6.2,

H.1.1, K.1.4.5,

8 (B)

40 (B)

41 (B)

42 (B)

43 (B)

44 (C+)

Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.4; 4.7

Safeguards, Subs.

4.7.4

IS-07 COBIT 4.1 DS 5.4 Domain 2 6.01. (b)

6.01. (d)

6.02. (e)

6.03. (b)

6.03.04. (b)

6.03.04. (c)

6.03.05. (b)

6.03.05. (d)

6.03.06. (b)

6.04.01. (c)

6.04.01. (f)

6.04.02. (a)

6.04.02. (b)

6.04.02. (c)

6.04.03. (b)

6.04.06. (a)

6.04.08. (a)

6.04.08. (b)

6.04.08. (c)

6.04.08.03.

(a)

6.04.08.03.

(b)



NIST SP 800-53 R3 AC-14


Identity & Access

Management

Audit Tools Access

IAM-

01

Access to, and use of, audit tools that interact with the

organization's information systems shall be appropriately

segmented and restricted to prevent compromise and misuse of

log data.





Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-29 COBIT 4.1 DS 5.7 Domain 2 6.03. (i)

6.03. (j)




NIST SP 800-53 R3 AC-10

NIST SP 800-53 R3 AC-14


8.1.0


NIST SP 800-53 R3 AU-9 (2)

8.2.1 A.15.3.2 Commandment #2

Commandment #5

Commandment

#11

CIP-003-3 -

R5.2

AU-9

AU-11

AU-14

PCI DSS v2.0

10.5.5

AT-2

AT-3

AT-4

PL-4

PCI DSS v2.0

8.5.7

PCI DSS v2.0

12.6.1

Human Resources

Workspace

HRS-11 Policies and procedures shall be established to require that

unattended workspaces do not have openly visible (e.g., on a

desktop) sensitive documents and user computing sessions had

been disabled after an established period of inactivity.

S3.3.0

S3.4.0

(S3.3.0) Procedures exist to restrict physical




and servers.



E.1 E.4 Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-17 Domain 2 NIST SP 800-53 R3 MP-1


8.2.3 Clause 5.2.2

A.8.2.2

A.9.1.5

A.11.3.1

A.11.3.2

A.11.3.3

ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

Commandment #5

Commandment #6

Commandment #7

Commandment

#11

Human Resources

User Responsibility

HRS-10 All personnel shall be made aware of their roles and

responsibilities for:

• Maintaining awareness and compliance with established

policies and procedures and applicable legal, statutory, or

regulatory compliance obligations.

• Maintaining a safe and secure working environment

S2.3.0 (S2.3.0) Responsibility and accountability for the

entity’s system availability, confidentiality,

processing integrity and security policies and

changes and updates to those policies are

communicated to entity personnel responsible

for implementing them.

E.1 E.4 65 (B)

66 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.4

IS-16 COBIT 4.1 PO 4.6 Domain 2 Article 17 NIST SP 800-53 R3 AT-2








NIST SP 800-53 R3 AC-11



NIST SP 800-53 R3 MP-2 (1)



NIST SP 800-53 R3 MP-4 (1)

CC3.2 APO01.02

APO01.03

APO01.08

APO07.03

APO07.06

APO13.01

APO13.03

APO01.02

APO01.03

APO01.08

APO07.03

APO07.06

APO13.01

APO13.03

DSS05.03

DSS06.06

312.8 and 312.10

312.8 and 312.10CC5.5

CC5.6

45 CFR 164.308

(a)(5)(i)

45 CFR 164.308

(a)(5)(ii)(A)

Clause 5.2.2

A.8.2.2

Commandment #3

Commandment #6

SRM > GRC > shared x

AC-11

MP-2

MP-3

MP-4


39 and Chapyer VI, Section II,

Article 41

CIP-004-3 -

R1 - R2 -

R2.1

AT-1

AT-2

AT-3

AT-4

PCI DSS v2.0

12.6

PCI DSS v2.0

12.6.1

PCI DSS v2.0

12.6.2

1.2.10

8.2.1

45 CFR 164.308

(a)(5)(ii)(D)

Clause 5.2.2

A.8.2.2

A.11.3.1

A.11.3.2

Commandment #5

Commandment #6

Commandment #7


39 and Chapter VI, Section II,

Article 41

Human Resources

Training / Awareness

HRS-09 A security awareness training program shall be established for all

contractors, third-party users, and employees of the organization

and mandated when appropriate. All individuals with access to

organizational data shall receive appropriate awareness training

and regular updates in organizational procedures, processes, and

policies relating to their professional function relative to the

organization.

S1.2.k

S2.2.0

(S1.2.k) The entity's security policies include, but


k. Providing for training and other resources

to support its system security policies




E.1 E.4 65 (B) Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.4; 4.7

Safeguards, Subs.

4.7.4

IS-11 COBIT 4.1 PO 7.4 Domain 2 6.01. (c)

6.02. (e)









1.2.10

8.2.1

APO01.03

APO01.08

APO07.03

APO07.06

APO13.01

APO13.03

312.8 and 312.10

Human Resources

Acceptable Use

HRS-08 Policies and procedures shall be established, and supporting


defining allowances and conditions for permitting usage of



infrastructure network and systems components. Additionally,

defining allowances and conditions to permit usage of personal

mobile devices and associated applications with access to

corporate resources (i.e., BYOD) shall be considered and

incorporated as appropriate.

S1.2

S3.9

(S1.2) The entity’s security policies include, but






B.3 B.1.7, D.1.3.3,

E.3.2, E.3.5.1,

E.3.5.2

Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.4

IS-26 COBIT 4.1 DS 5.3 Domain 2 Article 5, Article 6

Article 7



NIST SP 800-53 R3 AC-20



NIST SP 800-53 R3 AC-20

NIST SP 800-53 R3 AC-20 (1)

NIST SP 800-53 R3 AC-20 (2)


8.1.0 45 CFR 164.310

(b)


Commandment #2

Commandment #3

AC-8

AC-20

PL-4

PCI-DSS v2.0

12.3.5

312.4, 312.8 and

312.10

A.8.1.3

Clause 7.2(a),

7.2(b)

A.7.2.2

Clause 7.2(a),

7.2(b)

A.7.2.2

A.9.3.1

A.11.2.8

Clause 7.2(a),

7.2(b)

A.7.2.2

A.11.1.5

A.9.3.1

A.11.2.8

A.11.2.9

A.9.1.1

A.9.2.1,

A.9.2.2

A.9.2.5

A.9.1.2

A.9.4.1

Annex

A.9.2

A.9.2.1

A.9.2.2

A.9.2.3,

A.9.2.4,

A.9.2.5,

A.9.2.6

Clause

5.2(c)

5.3(a),

5.3(b),

7.5.3(b)

7.5.3(d)

8.1,

8.3

9.2(g)

Domain 12






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





IAM-07.1 Do you provide multi-failure disaster recovery capability?

IAM-07.2 Do you monitor service continuity with upstream providers in the

event of provider failure?

IAM-07.3 Do you have more than one provider for each service you depend

on?

IAM-07.4 Do you provide access to operational redundancy and continuity

summaries, including the services you depend on?

IAM-07.5 Do you provide the tenant the ability to declare a disaster?

IAM-07.6 Do you provided a tenant-triggered failover option?

IAM-07.7 Do you share your business continuity and redundancy plans with

your tenants?

IAM-08.1 Do you document how you grant and approve access to tenant

data?

IAM-08.2 Do you have a method of aligning provider and tenant data

classification methodologies for access control purposes?

IAM-09.1 Does your management provision the authorization and

restrictions for user access (e.g. employees, contractors,

customers (tenants), business partners and/or suppliers) prior to

their access to data and any owned or managed (physical and

virtual) applications, infrastructure systems and network

components?

IAM-09.2 Do your provide upon request user access (e.g. employees,

contractors, customers (tenants), business partners and/or

suppliers) to data and any owned or managed (physical and

virtual) applications, infrastructure systems and network

components?

IAM-10.1 Do you require at least annual certification of entitlements for all

system users and administrators (exclusive of users maintained by

your tenants)?

IAM-10.2 If users are found to have inappropriate entitlements, are all

remediation and certification actions recorded?

IAM-10.3 Will you share user entitlement remediation and certification

reports with your tenants, if inappropriate access may have been

allowed to tenant data?

IAM-11.1 Is timely deprovisioning, revocation or modification of user access

to the organizations systems, information assets and data

implemented upon any change in status of employees,

contractors, customers, business partners or involved third

parties?

IAM-11.2 Is any change in user access status intended to include termination

of employment, contract or agreement, change of employment or

transfer within the organization?

IAM-12.1 Do you support use of, or integration with, existing customer-

based Single Sign On (SSO) solutions to your service?

IAM-12.2 Do you use open standards to delegate authentication capabilities

to your tenants?

IAM-12.3 Do you support identity federation standards (SAML, SPML, WS-

Federation, etc.) as a means of authenticating/authorizing users?

IAM-12.4 Do you have a Policy Enforcement Point capability (e.g., XACML)

to enforce regional legal and policy constraints on user access?

IAM-12.5 Do you have an identity management system (enabling

classification of data for a tenant) in place to enable both role-

based and context-based entitlement to data?

IAM-12.6 Do you provide tenants with strong (multifactor) authentication

options (digital certs, tokens, biometrics, etc.) for user access?

IAM-12.7 Do you allow tenants to use third-party identity assurance

services?

IAM-12.8 Do you support password (minimum length, age, history,

complexity) and account lockout (lockout threshold, lockout

duration) policy enforcement?

IAM-12.9 Do you allow tenants/customers to define password and account

lockout policies for their accounts?

IAM-

12.10

Do you support the ability to force password changes upon first

logon?

IAM-

12.11

Do you have mechanisms in place for unlocking accounts that have

been locked out (e.g., self-service via email, defined challenge

questions, manual unlock)?

IAM-13.1 Are utilities that can significantly manage virtualized partitions

(e.g., shutdown, clone, etc.) appropriately restricted and

monitored?

IAM-13.2 Do you have a capability to detect attacks that target the virtual

infrastructure directly (e.g., shimming, Blue Pill, Hyper jumping,

etc.)?

IAM-13.3 Are attacks that target the virtual infrastructure prevented with

technical controls?

IVS-01.1 Are file integrity (host) and network intrusion detection (IDS) tools

implemented to help facilitate timely detection, investigation by

root cause analysis and response to incidents?

IVS-01.2 Is physical and logical user access to audit logs restricted to

authorized personnel?

IVS-01.3 Can you provide evidence that due diligence mapping of

regulations and standards to your controls/architecture/processes

has been done?

IVS-01.4 Are audit logs centrally stored and retained?

IVS-01.5 Are audit logs reviewed on a regular basis for security events (e.g.,

with automated tools)?

IVS-02.1 Do you log and alert any changes made to virtual machine images

regardless of their running state (e.g. dormant, off or running)?

IVS-02.2 Are changes made to virtual machines, or moving of an image and

subsequent validation of the image's integrity, made immediately

available to customers through electronic methods (e.g. portals or

alerts)?

Infrastructure &

Virtualization Security

Clock Synchronization

IVS-03 IVS-03.1 A reliable and mutually agreed upon external time source shall be

used to synchronize the system clocks of all relevant information

processing systems to facilitate tracing and reconstitution of

activity timelines.

Do you use a synchronized time-service protocol (e.g., NTP) to

ensure all systems have a common time reference?

S3.7 (S3.7) Procedures exist to identify, report, and

act upon system security breaches and other

incidents.

CC6.2 G.7

G.8

G.13, G.14.8,

G.15.5, G.16.8,

G.17.6, G.18.3,

G.19.2.6,

G.19.3.1

20 (B)

28 (B)

30 (B)

35 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-12 COBIT 4.1 DS5.7 APO01.08

APO13.01

APO13.02

BAI03.05

DSS01.01


Network Services

> Authoritative

Time Source

provider x Domain 10 6.03. (k) NIST SP 800-53 R3 AU-1




NIST SP 800-53 R3 AU-8 (1)

A.10.10.1

A.10.10.6

A.12.4.1

A.12.4.4

AU-1

AU-8

PCI DSS v2.0

10.4

10.4

IVS-04.1 Do you provide documentation regarding what levels of system

(network, storage, memory, I/O, etc.) oversubscription you

maintain and under what circumstances/scenarios?

IVS-04.2 Do you restrict use of the memory oversubscription capabilities

present in the hypervisor?

IVS-04.3 Do your system capacity requirements take into account current,

projected and anticipated capacity needs for all systems used to

provide services to the tenants?

IVS-04.4 Is system performance monitored and tuned in order to

continuously meet regulatory, contractual and business

requirements for all the systems used to provide services to the

tenants?

Infrastructure &


Management -

Vulnerability

Management

IVS-05 IVS-05.1 Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g. virtualization aware).

Do security vulnerability assessment tools or services

accommodate the virtualization technologies being used (e.g.

virtualization aware)?

APO01.08

APO04.02

APO04.03

APO04.04

DSS05.03

DSS06.06

SRM > Threat

and Vulnerability

Management >

Vulnerability

Management


13

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

PA36 6.1

IVS-06.1 For your IaaS offering, do you provide customers with guidance on

how to create a layered security architecture equivalence using

your virtualized solution?

IVS-06.2 Do you regularly update network architecture diagrams that

include data flows between security domains/zones?

IVS-06.3 Do you regularly review for appropriateness the allowed

access/connectivity (e.g., firewall rules) between security

domains/zones within the network?

IVS-06.4 Are all firewall access control lists documented with business

justification?

Infrastructure &


OS Hardening and Base

Conrols

IVS-07 IVS-07.1 Each operating system shall be hardened to provide only

necessary ports, protocols, and services to meet business needs

and have in place supporting technical controls such as: antivirus,

file integrity monitoring, and logging as part of their baseline

operating build standard or template.

Are operating systems hardened to provide only the necessary

ports, protocols and services to meet business needs using

technical controls (i.e antivirus, file integrity monitoring and

logging) as part of their baseline build standard or template?

APO13.01

APO13.02

BAI02.01

BAI03.02

BAI03.03

BAI03.04

BAI03.05

DSS05.01

DSS05.03

DSS06.06

SRM > Policies

and Standards >

Operational

Security Baselines

shared x Annex

A.12.1.4

A.12.2.1

A.12.4.1

A.12.6.1

2.1

2.2

2.5

5.1

IVS-08.1 For your SaaS or PaaS offering, do you provide tenants with

separate environments for production and test processes?

5.0

7.1

7.1.2

7.2

10.1

10.2

10.3

10.4

10.5

10.6

10.7, 10.8

11.4, 11.5, 11.6

12.5.2

10.5.5, 12.10.5

1.1

1.1.2

1.1.3

1.1.5

1.1.6

1.2

1.2.1

1.2.2

1.2.3

1.3

2.2.2

2.2.3

2.2.4

2.5

4.1

6.4.1

6.4.2

12.8

12.2

7.1

7.1.1

7.1.2

7.1.3

7.1

7.1.1

7.1.2

7.1.3

7.1.4

12.5.4

8.1.4

8.1.3

8.1.4

8.1.5, 12.5.4

8.0

10.1,

12.3

BSGP

BSGP

P

GP

PA11

PA12

PA13

PA24

BSGP

SGP

SGP

P

PA16 SGP

PA3

PA5

PA16

PA19

PA18

BSGP

BSGP

SGP

GP

SGP

PA3 BSGP

PA24 GP

17.1

17.2

14.5

2.2

4.3

3.2

9.2

15.2

9.2

15.2

9.2

12.2

14.2

17.6

"FTC Fair Information

Principles

Integrity/Security



measures to protect




disclosure of the


measures include


measures that limit

access to data and

ensure that those




Technical security

measures to prevent

unauthorized access


transmission and storage

of data; limits on access

through use of

passwords; and the

storage of data on secure

servers or computers . -

http://www.ftc.gov/repo

rts/privacy3/fairinfo.sht

AP-1 The organization

determines and

documents the legal

authority that permits

the collection, use,

maintenance, and

sharing of personally


(PII), either generally or

in support of a specific

program or information


Principles

Integrity/Security



measures to protect




Principles

Integrity/Security



measures to protect




disclosure of the


measures include


measures that limit

access to data and

ensure that those




Technical security

measures to prevent

unauthorized access


transmission and storage

of data; limits on access

through use of

passwords; and the

storage of data on secure

servers or computers . -

http://www.ftc.gov/repo

rts/privacy3/fairinfo.sht

m"

99.31(a)(1)(ii)

SRM >

Governance Risk

& Compliance >

Vendor

Management

shared x

Information

Services > User

Directory

Services > Active

shared x

SRM > Policies

and Standards >

Technical

Security

Standards

shared x

SRM > Privilege

Management

Infrastructure >

Privilege Usage

Management -

Resource

Protection

shared x

312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

APO01.03

APO01.08

APO07.06

APO10.04

APO13.02

DSS05.04

DSS05.07

DSS06.03

DSS06.06

APO01.03

APO01.08

APO10.04

APO13.02

APO01.03

APO01.08

APO13.02

DSS05.04

DSS06.03

DSS06.06

MEA01.03

APO13.01

APO13.02

DSS05.05

APO13.01

APO13.02

BAI10.01

BAI10.02

BAI10.03

DSS01.03

DSS02.01

DSS05.07

DSS06.05

APO08.04

APO13.01

BAI06.01

BAI06.02

BAI10.03

BAI10.04

APO01.03

APO01.08

BAI04.01

BAI04.04

BAI04.05

BAI10.01

BAI10.02

CC3.1

CC3.3

CC5.3

CC5.1

CC6.2

A1.1A1.2

CC4.1

CC5.6

CC5.6

Commandment #6

Commandment #7

Commandment

#11

CIP-007-3 -

R6.5

AU-1

AU-2

AU-3

AU-4

AU-5

AU-6

AU-7

AU-9

AU-11

AU-12

AU-14

SI-4

PCI DSS v2.0

10.1 PCI DSS

v2.0 10.2

PCI DSS

v2.010.3

PCI DSS v2.0

10.5

PCI DSS

v2.010.6

PCI DSS v2.0

10.7

PCI DSS v2.0

11.4

PCI DSS v2.0

12.5.2 PCI DSS

v2.0 12.9.5

IVS-02 The provider shall ensure the integrity of all virtual machine

images at all times. Any changes made to virtual machine images

must be logged and an alert raised regardless of their running

state (e.g. dormant, off, or running). The results of a change or

move of an image and the subsequent validation of the image's

integrity must be immediately available to customers through

electronic methods (e.g. portals or alerts).

45 CFR 164.308

(a)(1)(ii)(D)

45 CFR 164.312

(b)

45 CFR

164.308(a)(5)(ii)(

c) (New)

A.10.10.1

A.10.10.2

A.10.10.3

A.10.10.4

A.10.10.5

A.11.2.2

A.11.5.4

A.11.6.1

A.13.1.1

A.13.2.3

A.15.2.2

A.15.1.3

Infrastructure &


Change Detection

Infrastructure &


Network Security

A.10.1.4

A.10.3.2

A.11.1.1

A.12.5.1

A.12.5.2

A.12.5.3

Commandment #1

Commandment

#10

Commandment

#11

SC-2 PCI DSS v2.0

6.4.1

PCI DSS v2.0

6.4.2

Infrastructure &


Production /

Nonproduction

Environments

IVS-08 Production and non-production environments shall be separated

to prevent unauthorized access or changes to information assets.

Separation of the environments may include: stateful inspection

firewalls, domain/realm authentication sources, and clear

segregation of duties for personnel accessing these environments

as part of their job duties.



B.1 I.2.7.1, I.2.20,

I.2.17, I.2.22.2,

I.2.22.4,

I.2.22.10-14,

H.1.1

22 (B) Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-06 COBIT 4.1 DS5.7 Domain 10 6.03. (d) NIST SP 800-53 R3 SC-2 1.2.6Information

Services > Data

Governance >

Data Segregation

shared xAPO03.01

APO03.02

APO13.01

APO13.02

DSS05.02

DSS05.05

DSS06.06

312.8 and 312.10

IVS-06 Network environments and virtual instances shall be designed and

configured to restrict and monitor traffic between trusted and

untrusted connections, these configurations shall be reviewed at

least annually, and supported by a documented justification for

use for all allowed services, protocols, and ports, and

compensating controls.



G.2

G.4

G.15

G.16

G.17

G.18

I.3

G.9.17, G.9.7,

G.10, G.9.11,

G.14.1, G.15.1,

G.9.2, G.9.3,

G.9.13

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-08 Domain 10 6.03.03. (a)

6.03.03. (d)

6.03.04. (d)

6.04.07. (a)

6.07.01. (c)



NIST SP 800-53 R3 SC-20

(1)


NIST SP 800-53 R3 CM-7 (1)


NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)

NIST SP 800-53 R3 SC-20 (1)

NIST SP 800-53 R3 SC-21

NIST SP 800-53 R3 SC-22

NIST SP 800-53 R3 SC-30

NIST SP 800-53 R3 SC-32

8.2.5312.8 and 312.10 SRM >

Infrastructure

Protection

Services >

Network

provider x

Infrastructure &


Capacity / Resource

Planning

IVS-04 The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

A3.2.0

A4.1.0




(A4.1.0) The entity’s system availability and

security performance is periodically reviewed

and compared with the defined system

availability and related security policies.

G.5 OP-03 COBIT 4.1 DS 3 Domain 7,

8

6.03.07. (a)

6.03.07. (b)

6.03.07. (c)

6.03.07. (d)

Article 17 (1) NIST SP 800-53 R3 SA-4 NIST SP 800-53 R3 SA-4

NIST SP 800-53 R3 SA-4 (1)

NIST SP 800-53 R3 SA-4 (4)

NIST SP 800-53 R3 SA-4 (7)

1.2.4312.8 and 312.10 ITOS > Service

Delivery >

Information

Technology

Resiliency -

Capacity Planning

provider x

PCI DSS v2.0

7.1.2

Infrastructure &


Audit Logging /

Intrusion Detection

IVS-01 Higher levels of assurance are required for protection, retention,

and lifecyle management of audit logs, adhering to applicable

legal, statutory or regulatory compliance obligations and

providing unique user access accountability to detect potentially

suspicious network behaviors and/or file integrity anomalies, and

to support forensic investigative capabilities in the event of a

security breach.

S3.7 (S3.7) Procedures exist to identify, report, and


incidents.

G.7

G.8

G.9

J.1

L.2

G.14.7, G.14.8,

G.14.9,

G.14.10,G.14.1

1, G.14.12,

G.15.5, G.15.7,

G.15.8, G.16.8,

G.16.9,

G.16.10,

G.15.9, G.17.5,

G.17.7, G.17.8,

G.17.6, G.17.9,

G.18.2, G.18.3,

G.18.5, G.18.6,

G.19.2.6,

G.19.3.1,

G.9.6.2,

G.9.6.3,

G.9.6.4,

G.9.19, H.2.16,

H.3.3, J.1, J.2,

L.5, L.9, L.10

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-14 COBIT 4.1 DS5.5

COBIT 4.1 DS5.6

COBIT 4.1 DS9.2

Domain 10 6.03. (i)

6.03. (j)

6.03.03. (a)

6.03.03. (d)

6.03.04. (e)

6.04.07. (a)

6.07.01. (a)

6.07.01. (c)

Article 17 NIST SP 800-53 R3 AU-1







NIST SP 800-53 R3 AU-11

NIST SP 800-53 R3 AU-12





NIST SP 800-53 R3 AU-8 (1)

8.2.1

8.2.2

312.8 and 312.10

312.3, 312.8 and

312.10

BOSS > Security

Monitoring

Services > SIEM

shared x

Identity & Access

Management

Utility Programs Access

IAM-

13

Utility programs capable of potentially overriding system, object,

network, virtual machine, and application controls shall be

restricted.





H.2.16 Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-34 COBIT 4.1 DS5.7 Domain 2 NIST SP 800-53 R3 CM-7 NIST SP 800-53 R3 AC-6

NIST SP 800-53 R3 AC-6 (1)

NIST SP 800-53 R3 AC-6 (2)


NIST SP 800-53 R3 CM-7 (1)

CIP-004-3

R2.2.3

CIP-007-3 -

R5.1.3 -

R5.2.1 -

R5.2.3

AC-2

PS-4

PS-5

A.11.4.1

A 11.4.4

A.11.5.4

Commandment #1

Commandment #5

Commandment #6

Commandment #7

CIP-007-3 -

R2.1 -

R2.2 -

R2.3

AC-5

AC-6

CM-7

SC-3

SC-19

99.31(a)(1)(ii)

99.3

99.31(a)(1)(ii)

PCI DSS v2.0

8.5.4

PCI DSS v2.0

8.5.5

Identity & Access

Management

User ID Credentials

IAM-

12

Internal corporate or customer (tenant) user account credentials

shall be restricted as per the following, ensuring appropriate

identity, entitlement, and access management and in accordance

with established policies and procedures:

• Identity trust verification and service-to-service application

(API) and information processing interoperability (e.g., SSO and

Federation)

• Account credential lifecycle management from instantiation

through revocation

• Account credential and/or identity store minimization or re-use

when feasible

• Adherence to industry acceptable and/or regulatory compliant

authentication, authorization, and accounting (AAA) rules (e.g.,

strong/multi-factor, expireable, non-shared authentication

secrets)

S3.2.b (S3.2.b) b. Identification and authentication of

users.

B.1

H.5

E.6.2, E.6.3,

H.1.1, H.1.2,

H.2, H.3.2, H.4,

H.4.1, H.4.5,

H.4.8

6 (B) Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3


COBIT 4.1 DS5.4

Domain 10 6.03.04. (b)

6.03.04. (c)

6.03.05. (d)

6.04.05. (b)





NIST SP 800-53 R3 AU-11




(1)



(1)






NIST SP 800-53 R3 AC-11

NIST SP 800-53 R3 AC-11 (1)


NIST SP 800-53 R3 AU-2 (3)

NIST SP 800-53 R3 AU-2 (4)

NIST SP 800-53 R3 AU-11



NIST SP 800-53 R3 IA-2 (1)

NIST SP 800-53 R3 IA-2 (2)

NIST SP 800-53 R3 IA-2 (3)

NIST SP 800-53 R3 IA-2 (8)


NIST SP 800-53 R3 IA-5 (1)

NIST SP 800-53 R3 IA-5 (2)

NIST SP 800-53 R3 IA-5 (3)

NIST SP 800-53 R3 IA-5 (6)

NIST SP 800-53 R3 IA-5 (7)



NIST SP 800-53 R3 SC-10

45 CFR

164.308(a)(5)(ii)(

c) (New)

45 CFR 164.308

(a)(5)(ii)(D)

45 CFR 164.312

(a)(2)(i)

45 CFR 164.312

(a)(2)(iii)

45 CFR 164.312

(d)

A.8.3.3

A.11.1.1

A.11.2.1

A.11.2.3

A.11.2.4

A.11.5.5

Commandment #6

Commandment #7

Commandment #8

Commandment #9

CIP-004-3

R2.2.3

CIP-007-3 -

R5.2 -

R5.3.1 -

R5.3.2 -

R5.3.3

AC-1

AC-2

AC-3

AC-11

AU-2

AU-11

IA-1

IA-2

IA-5

IA-6

IA-8

SC-10

PCI DSS v2.0 8.1

PCI DSS v2.0

8.2,

PCI DSS v2.0 8.3

PCI DSS v2.0 8.4

PCI DSS v2.0 8.5

PCI DSS v2.0

10.1,

PCI DSS v2.0

12.2,

PCI DSS v2.0

12.3.8

SRM > Privilege

Management

Infrastructure >

Identity

Management -

Identity

Provisioning

shared x 9.2

15.1

15.2

PA9

PA6

PA24

PA22

8.2.1

8.2.7

45 CFR 164.308

(a)(3)(ii)(B)

45 CFR 164.308

(a)(4)(ii)(C)


Commandment #7

Commandment #8

Commandment

#10

CIP-004-3

R2.2.2

CIP-007-3 -

R5 - R.1.3

AC-2

AU-6

PM-10

PS-6

PS-7

Identity & Access

Management

User Access

Revocation

IAM-

11

Timely de-provisioning (revocation or modification) of user access

to data and organizationally-owned or managed (physical and

virtual) applications, infrastructure systems, and network

components, shall be implemented as per established policies and

procedures and based on user's change in status (e.g.,

termination of employment or other business relationship, job

change or transfer). Upon request, provider shall inform customer

(tenant) of these changes, especially if customer (tenant) data is









H.2 E.6.2, E.6.3 Schedule 1

(Section 5), 4.7 -

Safeguards

IS-09 COBIT 4.1 DS 5.4 Domain 2 6.03.04. (b)

6.03.04. (c)

6.03.05. (d)

6.03.06. (a)

6.04.02. (b)





NIST SP 800-53 R3 AC-2 (1)

NIST SP 800-53 R3 AC-2 (2)

NIST SP 800-53 R3 AC-2 (3)

NIST SP 800-53 R3 AC-2 (4)

NIST SP 800-53 R3 AC-2 (7)



8.2.1 45 CFR

164.308(a)(3)(ii)(

C)

ISO/IEC

27001:2005

A.8.3.3

A.11.1.1

A.11.2.1

A.11.2.2

ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

APO01.03

APO01.08

APO13.02

DSS05.04

DSS06.03

DSS06.06

MEA01.03

APO01.03

APO01.08

APO13.02

DSS05.04

DSS06.03

DSS06.06

MEA01.03

Commandment #6

Commandment #7

Commandment #8

Identity & Access

Management

User Access

Authorization

IAM-

09

Provisioning user access (e.g., employees, contractors, customers

(tenants), business partners and/or supplier relationships) to data

and organizationally-owned or managed (physical and virtual)

applications, infrastructure systems, and network components

shall be authorized by the organization's management prior to

access being granted and appropriately restricted as per

established policies and procedures. Upon request, provider shall

inform customer (tenant) of this user access, especially if

customer (tenant) data is used as part of the service and/or

customer (tenant) has some shared responsibility over

implementation of control.

Identity & Access

Management

User Access Reviews

IAM-

10

User access shall be authorized and revalidated for entitlement

appropriateness, at planned intervals, by the organization's

business leadership or other accountable business role or function

supported by evidence to demonstrate the organization is

adhering to the rule of least privilege based on job function. For

identified access violations, remediation must follow established

user access policies and procedures.









H.2.6, H.2.7,

H.2.9,

41 (B) Schedule 1

(Section 5), 4.7 -

Safeguards


COBIT 4.1 DS5.4

45 CFR 164.308

(a)(3)(i)

45 CFR 164.308

(a)(3)(ii)(A)

A.11.2.1

A.11.2.2

A.11.4.1

A 11.4.2

Identity & Access

Management

User Access Restriction

/ Authorization

IAM-

08

Policies and procedures are established for permissible storage

and access of identities used for authentication to ensure

identities are only accessible based on rules of least privilege and

replication limitation only to users explicitly defined as business

IS-08

IS-12

COBIT 4.1 DS5.4 Domain 12

ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

NIST SP800-53 R3 AC-3



NIST SP800-53 R3 IA-2

PCI DSS v2.0 7.1

PCI DSS v2.0

7.1.1

PCI DSS v2.0


Principles

Integrity/Security


Domain 2 Article 17










H.2.4, H.2.5, 35 (B)

40 (B)

41 (B)

42 (B)

44 (C+)

Schedule 1

(Section 5)

Safeguards, Subs.

4.7.2 and 4.7.3

IS-08 DS5.4 Domain 2 6.03.04. (b)

6.03.04. (c)

6.03.05. (d)

6.03.06. (a)

6.03.06. (b)

6.04.01. (a)

6.04.01. (b)

6.04.01. (d)

6.04.01. (e)

6.04.01. (g)

6.04.03. (c)

Article 17APO01.03

APO01.08

APO07.06

APO10.04

APO13.02

DSS05.04

DSS06.03

DSS06.06

SRM > Privilege

Management

Infrastructure >

Identity

Management -

Identity

Provisioning

shared x

SRM > Privilege

Management

Infrastructure >

Authorization

Services -

Entitlement

Review

shared x NIST SP 800-53 R3 AC-2





NIST SP 800-53 R3 AC-2 (1)

NIST SP 800-53 R3 AC-2 (2)

NIST SP 800-53 R3 AC-2 (3)

NIST SP 800-53 R3 AC-2 (4)

NIST SP 800-53 R3 AC-2 (7)


NIST SP 800-53 R3 AU-6 (1)

NIST SP 800-53 R3 AU-6 (3)







Identity & Access

Management

Third Party Access

IAM-

07

The identification, assessment, and prioritization of risks posed by

business processes requiring third-party access to the

organization's information systems and data shall be followed by

coordinated application of resources to minimize, monitor, and

measure likelihood and impact of unauthorized or inappropriate

access. Compensating controls derived from the risk analysis shall

be implemented prior to provisioning access.

S3.1

x3.1.0





threats.






threats.

B.1

H.2

B.1.1, B.1.2,

D.1.1, E.1,

F.1.1, H.1.1,

K.1.1, E.6.2,

E.6.3

Schedule 1

(Section 5), 4.7 -

Safeguards

RI-05 COBIT 4.1 DS 2.3 Domain 2,

4

6.02. (a)

6.02. (b)

6.03. (a)










(1)




















NIST SP 800-53 R3 IA-5 (1)

NIST SP 800-53 R3 IA-5 (2)

NIST SP 800-53 R3 IA-5 (3)

NIST SP 800-53 R3 IA-5 (6)

NIST SP 800-53 R3 IA-5 (7)












7.1.1

7.1.2

7.2.1

7.2.2

7.2.3

7.2.4

A.6.2.1

A.8.3.3

A.11.1.1

A.11.2.1

A.11.2.4

CA-3

MA-4

RA-3

PCI DSS v2.0

12.8.1

PCI DSS v2.0

12.8.2

PCI DSS v2.0

12.8.3

PCI DSS v2.0

12.8.4




(1)




(1)




7.1

7.1.1

7.1.2

7.1.3

7.2.1

7.2.2

8.5.1

12.5.4

AC-3

AC-5

AC-6

IA-2

IA-4

IA-5

IA-8

MA-5

PS-6

SA-7

SI-9

CIP-003-3 -

R5.1.1 -

R5.3

CIP-004-3

R2.3

CIP-007-3

R5.1 -

R5.1.2

A.11.2.1

A.11.2.2

A.11.4.1

A 11.4.2

A.11.6.1

45 CFR 164.308

(a)(3)(i)

45 CFR 164.308

(a)(3)(ii)(A)

45 CFR 164.308

(a)(4)(i)

45 CFR 164.308

(a)(4)(ii)(B)

45 CFR 164.308

(a)(4)(ii)(C)

45 CFR 164.312

8.2.2NIST SP 800-53 R3 AC-3

NIST SP 800-53 R3 AC-3 (3)



NIST SP 800-53 R3 AC-6 (1)

NIST SP 800-53 R3 AC-6 (2)


NIST SP 800-53 R3 IA-2 (1)

NIST SP 800-53 R3 IA-2 (2)

NIST SP 800-53 R3 IA-2 (3)

NIST SP 800-53 R3 IA-2 (8)

A.13.1.1

A.13.1.2

A.14.1.2

A.12.4.1

A.9.1.2

A.13.1.3

A.18.1.4

A.12.1.4

A.14.2.9

A.9.1.1

8.1,partial,

A.14.2.2

8.1,partial,

A.14.2.3

8.1,partial,

A.14.2.4

A.9.2.6

A.9.1.1

A.9.2.1, A.9.2.2

A.9.2.5

Annex

A.9.2,

A.9.2.1,

A.9.2.2,

A.9.2.1, A.9.2.2

A.9.2.3

A.9.1.2

A.9.4.1

A.9.2.5

Annex A

A.9.2.6

A.9.1.1

A.9.2.1, A.9.2.2

A.9.2.3

A.9.2.6

A.9.1.1

A.9.2.1, A.9.2.2

A.9.2.4

A.9.2.5

A.9.4.2

A.9.1.2

Deleted

A.9.4.4

A.12.4.1

A.12.4.1

A.12.4.2,

A.12.4.3

A.12.4.3

A.12.4.1

A.9.2.3

A.9.4.4

A.9.4.1

A.16.1.2

A.16.1.7

A.18.2.3

A.18.1.3

Annex

A.12.1.2

A.12.4,

A.12.4.1,

A.12.4.2,

A.12.4.3,

A.12.6.1,

A.12.6.2,

A.16.1.1,

A.16.1.2,

A.16.1.3,

A.16.1.4,

A.16.1.5,

A.16.1.6,

A.12.1.3

SRM > Privilege

Management

Infrastructure >

Privileged Usage

Management ->

Hypervisor

Governance and

Compliance

PA35 GP

SA-4 3.3

A.10.6.1

A.10.6.2

A.10.9.1

A.10.10.2

A.11.4.1

A.11.4.5

A.11.4.6

A.11.4.7

A.15.1.4

Commandment #1

Commandment #2

Commandment #3

Commandment #9

Commandment

#10

Commandment

#11

CIP-004-3

R2.2.4

SC-7 PCI DSS v2.0 1.1

PCI DSS v2.0

1.1.2

PCI DSS v2.0

1.1.3

PCI DSS v2.0

1.1.5

PCI DSS v2.0

1.1.6

PCI DSS v2.0 1.2

PCI DSS v2.0

1.2.1

PCI DSS v2.0

2.2.2, PCI DSS

v2.0 2.2.3


Commandment #2

Commandment #3

APO03.01

APO03.02

APO13.01

APO13.02

BAI02.01

BAI03.02

BAI03.03

BAI03.04

BAI03.05

DSS05.02

DSS06.06






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





IVS-08.2 For your IaaS offering, do you provide tenants with guidance on

how to create suitable production and test environments?

IVS-08.3 Do you logically and physically segregate production and non-

production environments?

IVS-09.1 Are system and network environments protected by a firewall or

virtual firewall to ensure business and customer security


virtual firewall to ensure compliance with legislative, regulatory

and contractual requirements?


virtual firewall to ensure separation of production and non-

production environments?


virtual firewall to ensure protection and isolation of sensitive data?

IVS-10.1 Are secured and encrypted communication channels used when

migrating physical servers, applications or data to virtual servers?

IVS-10.2 Do you use a network segregated from production-level networks

when migrating physical servers, applications or data to virtual

servers?

Infrastructure &


VMM Security -

Hypervisor Hardening

IVS-11 IVS-11.1 Access to all hypervisor management functions or administrative

consoles for systems hosting virtualized systems shall be restricted

to personnel based upon the principle of least privilege and

supported through technical controls (e.g., two-factor

authentication, audit trails, IP address filtering, firewalls, and TLS

encapsulated communications to the administrative consoles).

Do you restrict personnel access to all hypervisor management

functions or administrative consoles for systems hosting virtualized

systems based on the principle of least privilege and supported

through technical controls (e.g. two-factor authentication, audit

trails, IP address filtering, firewalls and TLS-encapsulated

communications to the administrative consoles)?

APO13.01

APO13.02

DSS05.02

DSS05.04

DSS06.03

DSS06.06

SRM > Privilege

Management

Infrastructure >

Privilege Use

Management -

Hypervisor

Governance and

Compliance

provider X Domain 1,

13

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

3.5.1, 3.6.6

IVS-12.1 Are policies and procedures established and mechanisms

configured and implemented to protect the wireless network

environment perimeter and to restrict unauthorized wireless

traffic?


implemented to ensure wireless security settings are enabled with

strong encryption for authentication and transmission, replacing

vendor default settings? (e.g., encryption keys, passwords, SNMP

community strings)


implemented to protect wireless network environments and

detect the presence of unauthorized (rogue) network devices for a

timely disconnect from the network?

IVS-13.1 Do your network architecture diagrams clearly identify high-risk

environments and data flows that may have legal compliance

impacts?

IVS-13.2 Do you implement technical measures and apply defense-in-depth

techniques (e.g., deep packet analysis, traffic throttling and black-

holing) for detection and timely response to network-based

attacks associated with anomalous ingress or egress traffic

patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or

distributed denial-of-service (DDoS) attacks?

Interoperability &

Portability

APIs

IPY-01 IPY-01 The provider shall use open and published APIs to ensure support

for interoperability between components and to facilitate

migrating applications.

Do you publish a list of all APIs available in the service and indicate

which are standard and which are customized?

- BAI02.04

BAI03.01

BAI03.02

BAI03.03

BAI03.04

BAI03.05

Application

Services >

Programming

Interfaces >

provider X Domain 6 Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),Interoperability &

Portability

Data Request

IPY-02 IPY-02 All structured and unstructured data shall be available to the

customer and provided to them upon request in an industry-

standard format (e.g., .doc, .xls, .pdf, logs, and flat files)

Is unstructured customer data available on request in an industry-

standard format (e.g., .doc, .xls, or .pdf)?

- APO01.03

APO01.06

APO03.01

APO08.01

APO09.03

DSS04.07

Information

Services >

Reporting

Services >

provider Domain 6 Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)IPY-03.1 Do you provide policies and procedures (i.e. service level

agreements) governing the use of APIs for interoperability

between your service and third-party applications?

IPY-03.2 Do you provide policies and procedures (i.e. service level

agreements) governing the migration of application data to and

from your service?

IPY-04.1 Can data import, data export and service management be

conducted over secure (e.g., non-clear text and authenticated),

industry accepted standardized network protocols?

IPY-04.2 Do you provide consumers (tenants) with documentation detailing

the relevant interoperability and portability network protocol

standards that are involved?

IPY-05.1 Do you use an industry-recognized virtualization platform and

standard virtualization formats (e,g., OVF) to help ensure

interoperability?

IPY-05.2 Do you have documented custom changes made to any hypervisor

in use, and all solution-specific virtualization hooks available for

customer review?

Mobile Security

Anti-Malware

MOS-

01

MOS-01 Anti-malware awareness training, specific to mobile devices, shall

be included in the provider's information security awareness

training.

Do you provide anti-malware training specific to mobile devices as

part of your information security awareness training?

- APO01.03

APO13.01

APO07.03

APO07.06

APO09.03

SRM >

Governance Risk

& Compliance >

Technical

Awareness and

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)Mobile Security

Application Stores

MOS-

02

MOS-02 A documented list of approved application stores has been

communicated as acceptable for mobile devices accessing or

storing provider managed data.

Do you document and make available lists of approved application

stores for mobile devices accessing or storing company data

and/or company systems?

- APO01.04

APO01.08

APO04.02

APO13.01

APO13.02

APO13.03

SRM > Policies

and Standards >

Technical

Securitry

Standards

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

4.1.1

Mobile Security

Approved Applications

MOS-

03

MOS-03 The company shall have a documented policy prohibiting the

installation of non-approved applications or approved applications

not obtained through a pre-identified application store.

Do you have a policy enforcement capability (e.g., XACML) to

ensure that only approved applications and those from approved

application stores be loaded onto a mobile device?

- APO01.03

APO01.08

APO13.01

APO13.02

APO13.03

ITOS > Service

Support >

Configuration

Management -

Software

Management

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)Mobile Security

Approved Software for

BYOD

MOS-

04

MOS-04 The BYOD policy and supporting awareness training clearly states

the approved applications, application stores, and application

extensions and plugins that may be used for BYOD usage.

Does your BYOD policy and training clearly state which

applications and applications stores are approved for use on BYOD

devices?

- APO01.03

APO01.08

APO13.01

APO13.02

APO13.03

SRM > Policies

and Standards >

Technical

Securitry

Standards

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)Mobile Security

Awareness and

Training

MOS-

05

MOS-05 The provider shall have a documented mobile device policy that

includes a documented definition for mobile devices and the

acceptable usage and requirements for all mobile devices. The

provider shall post and communicate the policy and requirements

through the company's security awareness and training program.

Do you have a documented mobile device policy in your employee

training that clearly defines mobile devices and the accepted

usage and requirements for mobile devices?

- APO01.03

APO01.08

APO13.01

APO13.02

APO13.03

SRM > Policies

and Standards >

Technical

Securitry

Standards

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

4.3

Mobile Security

Cloud Based Services

MOS-

06

MOS-06 All cloud-based services used by the company's mobile devices or

BYOD shall be pre-approved for usage and the storage of

company business data.

Do you have a documented list of pre-approved cloud based

services that are allowed to be used for use and storage of

company business data via a mobile device?

- APO01.03

APO01.08

APO13.01

APO13.02

APO13.03

SRM >

Governance Risk

& Compliance >

Vendor

Management

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),


Compatibility

MOS-

07

MOS-07 The company shall have a documented application validation

process to test for mobile device, operating system, and

application compatibility issues.

Do you have a documented application validation process for

testing device, operating system and application compatibility

issues?

- APO01.03

APO01.08

APO13.01

APO13.02

BAI03.07

BAI03.08

ITOS > Service

Support >

Configuration

Management -

Software

Management

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),


Device Eligibility

MOS-

08

MOS-08 The BYOD policy shall define the device and eligibility

requirements to allow for BYOD usage.

Do you have a BYOD policy that defines the device(s) and eligibility

requirements allowed for BYOD usage?

- APO01.03

APO01.08

APO13.01

APO13.02

BAI02.01

BAI02.04

SRM > Policies

and Standards >

Information

Security Policies

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.4.1

6.4.2

1.1

1.2

1.2.1

1.2.3

1.3

1.4

2.1.1

2.2.3

2.2.4

2.3

4.1

1.2.3

2.1.1

4.1

4.1.1

11.1, 11.1.a,

11.1.b, 11.1.c,

11.1.d, 11.1.1,

11.1.2

9.1.3

1.11.1.21.1.31.1.51.1.61.21.2.11.2.21.2.31.32.2.22.2.32.2.42.54.1

4.1

PA3 BSGP

PA3

PA5

PA16

PA20

BSGP

BSGP

SGP

GP

PA3PA5PA16PA19PA18

BSGPBSGPSGPGPSGP

PA3

PA6

PA16

PA20

PA25

PA32

PA33

BSGP

BSGP

SGP

GP

P

BSGP

SGP

14.5

17.6

18.1

18.4

11.1

17.3

17.117.2

SRM > Data

Protection >

Cryptographic

Services - Data-In-

Transit

Encryption

provider x

provider

SRM >

Infrastructure

Protection

Services >

Network -

Firewall

provider x

SRM >

Cryptographic

Services > Data-in-

transit Encryption

Infrastructure

Services > Virtual

Infrastructure >

Server

Virtualization

provider X

X

SRM >

Infrastructure

Protection

Services >

Network -

Wireless

Protection

provider X312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

APO01.08

APO13.01

APO13.02

DSS02.02

DSS05.02

DSS05.03

DSS05.04

DSS05.05

DSS05.07

DSS06.03

DSS06.06

APO03.01APO03.02APO13.01APO13.02BAI02.01BAI03.02BAI03.03BAI03.04BAI03.05DSS05.02DSS06.06

APO01.08

APO02.05

APO03.01

APO03.02

APO04.02

BAI02.01

BAI02.04

APO01.08

APO02.05

APO03.01

APO03.02

APO04.02

BAI02.01

BAI02.04

APO09.03

APO03.01

APO03.02

APO03.04

APO13.01

APO13.02

DSS05.02

DSS05.05

DSS06.06

CC5.6

CC5.6

CC5.6

CC5.6Infrastructure &


Network Architecture

IVS-13 Network architecture diagrams shall clearly identify high-risk

environments and data flows that may have legal compliance

impacts. Technical measures shall be implemented and shall apply

defense-in-depth techniques (e.g., deep packet analysis, traffic

throttling, and black-holing) for detection and timely response to

network-based attacks associated with anomalous ingress or

egress traffic patterns (e.g., MAC spoofing and ARP poisoning

attacks) and/or distributed denial-of-service (DDoS) attacks.

Infrastructure &


VM Security - vMotion

Data Protection

IVS-10 Secured and encrypted communication channels shall be used

when migrating physical servers, applications, or data to

virtualized servers and, where possible, shall use a network

segregated from production-level networks for such migrations.

PCI DSS v2.0

1.2.3

PCI DSS v2.0

2.1.1

PCI DSS v2.0 4.1

PCI DSS v2.0

4.1.1

PCI DSS

v2.011.1

PCI DSS v2.0

9.1.3

Interoperability &

Portability

Policy & Legal

IPY-03 Policies, procedures, and mutually-agreed upon provisions and/or

terms shall be established to satisfy customer (tenant)

requirements for service-to-service application (API) and

information processing interoperability, and portability for

application development and information exchange, usage and

integrity persistence.

Interoperability &

Portability

Standardized Network

Protocols

IPY-04 The provider shall use secure (e.g., non-clear text and

authenticated) standardized network protocols for the import and

export of data and to manage the service, and shall make

available a document to consumers (tenants) detailing the

relevant interoperability and portability standards that are

involved.

Interoperability &

Portability

Virtualization

IPY-05 The provider shall use an industry-recognized virtualization

platform and standard virtualization formats (e.g., OVF) to help

ensure interoperability, and shall have documented custom

changes made to any hypervisor in use, and all solution-specific

virtualization hooks, available for customer review.

CIP-004-3

R3

AC-4

SC-2

SC-3

SC-7

PCI DSS v2.0 1.1

PCI DSS v2.0 1.2

PCI DSS v2.0

1.2.1

PCI DSS v2.0 1.3

PCI DSS v2.0 1.4

Infrastructure &


Wireless Security

IVS-12 Policies and procedures shall be established, and supporting


protect wireless network environments, including the following:

• Perimeter firewalls implemented and configured to restrict

unauthorized traffic

• Security settings enabled with strong encryption for

authentication and transmission, replacing vendor default settings

(e.g., encryption keys, passwords, and SNMP community strings)

• User access to wireless network devices restricted to

authorized personnel

• The capability to detect the presence of unauthorized (rogue)

wireless network devices for a timely disconnect from the network



D.1

B.3

F.1

G.4

G.15

G.17

G.18

E.3.1, F.1.2.4,

F.1.2.5, F.1.2.6,

F.1.2.8, F.1.2.

9, F.1.2.10,

F.1.2.11,

F.1.2.12,

F.1.2.13,

F.1.2.14,

F.1.2.15,

F.1.2.24, F.1.3,

F.1.4.2, F1.4.6,

F.1.4.7, F.1.6,

F.1.7,F.1.8,

F.2.13, F.2.14,

F.2.15, F.2.16,

F.2.17, F.2.18

G.9.17, G.9.7,

G.10, G.9.11,

G.14.1, G.15.1,

G.9.2, G.9.3,

G.9.13

40 (B)

44 (C+)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3


COBIT 4.1 DS5.7

COBIT 4.1 DS5.8

COBIT 4.1 DS5.10

Domain 10 Article 17 NIST SP 800-53 R3 AC-1

NIST SP 800-53 R3 AC-18




NIST SP 800-53 R3 AC-18

NIST SP 800-53 R3 AC-18 (1)

NIST SP 800-53 R3 AC-18 (2)


NIST SP 800-53 R3 CM-6 (1)

NIST SP 800-53 R3 CM-6 (3)



NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)

8.2.5 45 CFR 164.312

(e)(1)(2)(ii)

45 CFR

164.308(a)(5)(ii)(

D) (New)

45 CFR

164.312(e)(1)

(New)

45 CFR

164.312(e)(2)(ii)

(New)

A.7.1.1

A.7.1.2

A.7.1.3

A.9.2.1

A.9.2.4

A.10.6.1

A.10.6.2

A.10.8.1

A.10.8.3

A.10.8.5

A.10.10.2

A.11.2.1

A.11.4.3

A.11.4.5

A.11.4.6

A.11.4.7

A.12.3.1

A.12.3.2

Commandment #1

Commandment #2

Commandment #3

Commandment #4

Commandment #5

Commandment #9

Commandment

#10

Commandment

#11

CIP-004-3

R3

CIP-007-3 -

R6.1

AC-1

AC-18

CM-6

PE-4

SC-3

SC-7

A.8.1.1

A.8.1.2

A.8.1.3

A.11.2.1

A.11.2.4

A.13.1.1

A.13.1.2

A.13.2.1

A.8.3.3

A.12.4.1

A.9.2.1, A.9.2.2

A.13.1.3

A.10.1.1

A.10.1.2

A.10.1.4

A.10.3.2

A.11.1.1

A.12.5.1

A.12.5.2

A.12.5.3

Commandment #1

Commandment

#10

Commandment

#11

SC-2 PCI DSS v2.0

6.4.1

PCI DSS v2.0

6.4.2

Infrastructure &


Segmentation

IVS-09 Multi-tenant organizationally-owned or managed (physical and

virtual) applications, and infrastructure system and network

components, shall be designed, developed, deployed and

configured such that provider and customer (tenant) user access is

appropriately segmented from other tenant users, based on the

following considerations:

• Established policies and procedures

• Isolation of business critical assets and/or sensitive user data

and sessions that mandate stronger internal controls and high

levels of assurance

• Compliance with legal, statutory and regulatory compliance

obligations



G.17 G.9.2, G.9.3,

G.9.13

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-09 COBIT 4.1 DS5.10 Domain 10 6.03.03. (b)

6.03.05. (a)

6.03.05. (b)

6.04.01. (a)

6.04.01. (g)

6.04.03. (c)

6.04.08.02.

(a)

6.04.08.02.

(b)

6.05. (c)

Article 17 NIST SP 800-53 R3 SC-7 NIST SP 800-53 R3 AC-4



NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)

45 CFR 164.308

(a)(4)(ii)(A)

A.11.4.5

A.11.6.1

A.11.6.2

A.15.1.4

Commandment #1

Commandment #2

Commandment #3

Commandment #9

Commandment

#10

Commandment

#11

Infrastructure &


Production /

Nonproduction

Environments

IVS-08 Production and non-production environments shall be separated

to prevent unauthorized access or changes to information assets.

Separation of the environments may include: stateful inspection

firewalls, domain/realm authentication sources, and clear

segregation of duties for personnel accessing these environments

as part of their job duties.



B.1 I.2.7.1, I.2.20,

I.2.17, I.2.22.2,

I.2.22.4,

I.2.22.10-14,

H.1.1

22 (B) Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-06 COBIT 4.1 DS5.7 Domain 10 6.03. (d) NIST SP 800-53 R3 SC-2 1.2.6Information

Services > Data

Governance >

Data Segregation

shared xAPO03.01

APO03.02

APO13.01

APO13.02

DSS05.02

DSS05.05

DSS06.06

312.8 and 312.10

- Domain 6

- Domain 6



G.2

G.4

G.15

G.16

G.17

G.18

I.3

G.9.17, G.9.7,

G.10, G.9.11,

G.14.1, G.15.1,

G.9.2, G.9.3,

G.9.13

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

SA-08 Domain 10 6.03.03. (a)

6.03.03. (d)

6.03.04. (d)

6.04.07. (a)

6.07.01. ©



NIST SP 800-53 R3 SC-20

(1)


NIST SP 800-53 R3 CM-7 (1)


NIST SP 800-53 R3 SC-7 (1)

NIST SP 800-53 R3 SC-7 (2)

NIST SP 800-53 R3 SC-7 (3)

NIST SP 800-53 R3 SC-7 (4)

NIST SP 800-53 R3 SC-7 (5)

NIST SP 800-53 R3 SC-7 (7)

NIST SP 800-53 R3 SC-7 (8)

NIST SP 800-53 R3 SC-7 (12)

NIST SP 800-53 R3 SC-7 (13)

NIST SP 800-53 R3 SC-7 (18)

NIST SP 800-53 R3 SC-20 (1)

NIST SP 800-53 R3 SC-21

NIST SP 800-53 R3 SC-22

NIST SP 800-53 R3 SC-30

NIST SP 800-53 R3 SC-32

8.2.5

6.04.03. (b)

6.04.08. (a)

6.04.08. (b)

6.06. (a)

6.06. (b)

6.06. (c)

6.06. (d)

6.06. (e)

6.06. (f)

Domain 3providerAPO01.08

APO02.05

APO03.01

APO03.02

APO04.02

BAI02.01

BAI02.04

APO09.03

SRM >

Infrastructure

Protection

Services >

Network

provider x

Information

Technology

Operation

Services > Service

Delivery > Service

Level

Management -

External SLA's

A.10.6.1

A.10.6.2

A.10.9.1

A.10.10.2

A.11.4.1

A.11.4.5

A.11.4.6

A.11.4.7

A.15.1.4

Commandment #1

Commandment #2

Commandment #3

Commandment #9

Commandment

#10

Commandment

#11

A.12.1.4

A.14.2.9

A.9.1.1

8.1,partial,

A.14.2.2

8.1,partial,

A.14.2.3

8.1,partial,

A.14.2.4

A.13.1.3

A.9.4.1

A.18.1.4

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

CIP-004-3

R2.2.4

1.1

1.1.2

1.1.3

1.1.5

1.1.6

1.2

1.2.1

2.2.2

2.2.3

Domain 1,

13

APO03.01

APO03.02

APO13.01

APO13.02

DSS05.02

DSS05.05

DSS06.06

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

A.13.1.1A.13.1.2A.14.1.2A.12.4.1A.9.1.2A.13.1.3A.18.1.4

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

-

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





Mobile Security

Device Inventory

MOS-

09

MOS-09 An inventory of all mobile devices used to store and access

company data shall be kept and maintained. All changes to the

status of these devices, (i.e., operating system and patch levels,

lost or decommissioned status, and to whom the device is

assigned or approved for usage (BYOD), will be included for each

device in the inventory.

Do you maintain an inventory of all mobile devices storing and

accessing company data which includes device status (os system

and patch levels, lost or decommissioned, device assignee)?

- BAI06.01

BAI06.02

BAI06.04

BAI10.01

BAI10.02

BAI10.03

SRM >

Infrastructure

Protection

Services > End

Point - Inventory

Control

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),


Device Management

MOS-

10

MOS-10 A centralized, mobile device management solution shall be

deployed to all mobile devices permitted to store, transmit, or

process customer data.

Do you have a centralized mobile device management solution

deployed to all mobile devices that are permitted to store,

transmit, or process company data?

- APO03.01

APO03.02

APO04.02

APO13.01

APO13.02

BAI02.01

BAI03.03

BAI03.04

BAI03.10

Presentation

Services >

Presentation

Platform > End-

Points-Mobile

Devices-Mobile

Device

Management

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),


Encryption

MOS-

11

MOS-11 The mobile device policy shall require the use of encryption either

for the entire device or for data identified as sensitive on all

mobile devices and shall be enforced through technology controls.

Does your mobile device policy require the use of encryption for

either the entire device or for data identified as sensitive

enforceable through technology controls for all mobile devices?

- APO01.03

APO13.01

APO13.02

DSS05.03

DSS05.05

DSS06.06

SRM > Data

Protection >

Cryptographic

Services - Data-At-

Rest Encryption

provider X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

PA32 BSGP 4.1

MOS-12.1 Does your mobile device policy prohibit the circumvention of built-

in security controls on mobile devices (e.g., jailbreaking or

rooting)?

MOS-12.2 Do you have detective and preventative controls on the device or

via a centralized device management system which prohibit the

circumvention of built-in security controls?

MOS-13.1 Does your BYOD policy clearly define the expectation of privacy,

requirements for litigation, e-discovery and legal holds?

MOS-13.2 Do you have detective and preventative controls on the device or

via a centralized device management system which prohibit the

circumvention of built-in security controls?

Mobile Security

Lockout Screen

MOS-

14

MOS-14 BYOD and/or company owned devices are configured to require

an automatic lockout screen, and the requirement shall be

enforced through technical controls.

Do you require and enforce via technical controls an automatic

lockout screen for BYOD and company owned devices?

- DSS05.03

DSS05.05

Presentation

Services >

Presentation

Platform > End-

Points-Mobile

Devices-Mobile

Device

Management

shared X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),


Operating Systems

MOS-

15

MOS-15 Changes to mobile device operating systems, patch levels, and/or

applications shall be managed through the company's change

management processes.

Do you manage all changes to mobile device operating systems,

patch levels and applications via your company's change

management processes?

- APO01.03

APO13.01

APO13.02

BAI06

ITOS > Service

Support -Change

Management >

Planned Changes

shared X None

(Mobile

Guidance)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)MOS-16.1 Do you have password policies for enterprise issued mobile devices

and/or BYOD mobile devices?

MOS-16.2 Are your password policies enforced through technical controls

(i.e. MDM)?

MOS-16.3 Do your password policies prohibit the changing of authentication

requirements (i.e. password/PIN length) via a mobile device?

MOS-17.1 Do you have a policy that requires BYOD users to perform backups

of specified corporate data?

MOS-17.2 Do you have a policy that requires BYOD users to prohibit the

usage of unapproved application stores?

MOS-17.3 Do you have a policy that requires BYOD users to use anti-

malware software (where supported)?

MOS-18.1 Does your IT provide remote wipe or corporate data wipe for all

company-accepted BYOD devices?

MOS-18.2 Does your IT provide remote wipe or corporate data wipe for all

company-assigned mobile devices?

MOS-19.1 Do your mobile devices have the latest available security-related

patches installed upon general release by the device manufacturer

or carrier?

MOS-19.2 Do your mobile devices allow for remote validation to download

the latest security patches by company IT personnel?

MOS-20.1 Does your BYOD policy clarify the systems and servers allowed for

use or access on the BYOD-enabled device?

MOS-20.2 Does your BYOD policy specify the user roles that are allowed

access via a BYOD-enabled device?

Security Incident

Management, E-

Discovery & Cloud

Forensics

Contact / Authority

Maintenance

SEF-01 SEF-01.1 Points of contact for applicable regulation authorities, national

and local law enforcement, and other legal jurisdictional

authorities shall be maintained and regularly updated (e.g.,

change in impacted-scope and/or a change in any compliance

obligation) to ensure direct compliance liaisons have been

established and to be prepared for a forensic investigation

requiring rapid engagement with law enforcement.

Do you maintain liaisons and points of contact with local

authorities in accordance with contracts and appropriate

regulations?

CC3.3 APO01.01

APO01.02

APO01.03

APO01.08

MEA03.01

MEA03.02

MEA03.03

312.4 BOSS >

Compliance >

Contact/Authorit

y Maintenance

shared x A.6.1.6

A.6.1.7

A.6.1.3

A.6.1.4

Chapter VI,

Article 44.

Chapter II,

Article 16, part I

3.2 12.5.3

12.10.1

SEF-02.1 Do you have a documented security incident response plan?

SEF-02.2 Do you integrate customized tenant requirements into your

security incident response plans?

SEF-02.3 Do you publish a roles and responsibilities document specifying

what you vs. your tenants are responsible for during security

incidents?

12.1PA8

PA11

BSGP

SGP

4.1

4.2

4.6

7.1

IP-4 COMPLAINT

MANAGEMENT. SE-2

PRIVACY INCIDENT

RESPONSE

ITOS > Service

Support >

Security Incident

Management

shared x

shared

shared X

X

Presentation

Services >

Presentation

Platform > End-

Points-Mobile

Devices-Mobile

Device

Management

shared X

SRM >

Infrastructure

Protection

Services-

>Network > Link

Layer Network

Security

shared X

SRM > Policies

and Standards >

Technical

Security

Standards

shared X

312.8 and 312.10

APO01.03

APO13.01

APO13.02

DSS05.03

APO01.03

APO13.01

APO13.02

APO01.03

APO13.01

APO13.02

DSS05.01

DSS05.03

APO01.03

APO13.01

APO13.02

DSS05.03

DSS05.05

DSS05.06

APO01.03

APO13.01

APO13.02

APO01.03

APO13.01

APO13.02

DSS01.03

DSS02.01

DSS02.02

DSS02.04

DSS02.05

DSS02.06

CC5.5

CC6.2

Commandment #2

Commandment #6

Commandment #8

Chapter II, Article 20 CIP-007-3 -

R6.1

CIP-008-3 -

R1

IR-1

IR-2

IR-3

IR-4

IR-5

IR-7

IR-8

PCI-DSS v2.0

12.9

PCI-DSS v2.0

12.9.1

PCI-DSS v2.0

12.9.2

PCI-DSS v2.0

12.9.3

PCI-DSS v2.0

12.9.4

PCI-DSS v2.0

12.9.5

PCI-DSS v2.0

12.9.6

IS3.7.0

S3.9.0

(IS3.7.0) Procedures exist to identify, report, and


incidents.

(S3.9.0) Procedures exist to provide that issues of

noncompliance with system availability,

confidentiality of data, processing integrity and

related security policies are promptly addressed

and that corrective measures are taken on a

timely basis.

J.1 J.1.1, J.1.2 1.2.4

1.2.7

7.1.2

7.2.2

7.2.4

10.2.1

10.2.4

45 CFR 164.308

(a)(1)(i)

45 CFR 164.308

(a)(6)(i)

Clause 4.3.3

A.13.1.1

A.13.2.1

ITAR 22

CFR §

127.12

Mobile Security

Passwords

MOS-

16

Password policies, applicable to mobile devices, shall be

documented and enforced through technical controls on all

company devices or devices approved for BYOD usage, and shall

prohibit the changing of password/PIN lengths and authentication

requirements.

Mobile Security

Policy

MOS-

17

The mobile device policy shall require the BYOD user to perform

backups of data, prohibit the usage of unapproved application

stores, and require the use of anti-malware software (where

supported).

Mobile Security

Remote Wipe

MOS-

18

All mobile devices permitted for use through the company BYOD

program or a company-assigned mobile device shall allow for

remote wipe by the company's corporate IT or shall have all

company-provided data wiped by the company's corporate IT.

Mobile Security

Security Patches

MOS-

19

Mobile devices connecting to corporate networks or storing and

accessing company information shall allow for remote software

version/patch validation. All mobile devices shall have the latest

available security-related patches installed upon general release

by the device manufacturer or carrier and authorized IT personnel

shall be able to perform these updates remotely.

Mobile Security

Users

MOS-

20

The BYOD policy shall clarify the systems and servers allowed for

use or access on a BYOD-enabled device.

Security Incident

Management, E-

Discovery & Cloud

Forensics

Incident Management

SEF-02 Policies and procedures shall be established, and supporting


triage security-related events and ensure timely and thorough

incident management, as per established IT service management

policies and procedures.

Mobile Security

Jailbreaking and

Rooting

MOS-

12

The mobile device policy shall prohibit the circumvention of built-

in security controls on mobile devices (e.g. jailbreaking or rooting)

and isenforced through detective and preventative controls on

the device or through a centralized device management system

(e.g. mobile device management).

Mobile Security

Legal

MOS-

13

The BYOD policy includes clarifying language for the expectation

of privacy, requirements for litigation, e-discovery, and legal

holds. The BYOD policy shall clearly state the expectations over

the loss of non-company data in the case a wipe of the device is

required.

46 (B) Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.4; 4.8

Openness, Subs.

4.8.2

IS-22 COBIT 4.1 DS5.6 Domain 2 6.04.07. (b)

6.07.01. (a)

6.07.01. (d)

6.07.01. (e)

6.07.01. (f)

6.07.01. (g)

6.07.01. (h)

Article 17 NIST SP 800-53 R3 IR-1










NIST SP 800-53 R3 IR-4 (1)



NIST SP 800-53 R3 IR-7 (1)

NIST SP 800-53 R3 IR-7 (2)


- None

(Mobile

Guidance)

None

(Mobile

Guidance)

BOSS > Data

Governance >

Secure Disposal

of Data

- None

(Mobile

Guidance)

APO01.03

APO13.01

APO13.02

DSS05.03

- None

(Mobile

Guidance)

APO01.03

APO13.01

APO13.02

DSS05.03

DSS05.05

DSS05.06

PA34

SRM > Policies

and Standards >

Technical

Security

Standards

shared X

None

(Mobile

Guidance)

None

(Mobile

Guidance)

- None

(Mobile

Guidance)

Presentation

Services >

Presentation

Platform > End-

Points-Mobile

Devices-Mobile

Device

Management

provider X

SRM > Policies

and Standards >

Information

Security Services

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

6.1.3(b)

8.1

8.3

9.3(a),

9.3(b)

9.3(b)(f)

9.3(c)

9.3(c)(1)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

6.1.3(b)

8.1

8.3

9.3(a),

9.3(b)

9.3(b)(f)

9.3(c)

9.3(c)(1)

9.3(c)(2)

9.3(c)(3)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

6.1.3(b)

Clause

5.3 (a),

5.3 (b),

7.5.3(b),

5.2 (c),

7.5.3(d),

8.1,

8.3,

9.2(g),

Annex

A.16.1.1

A.16.1.2






REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





SEF-02.4 Have you tested your security incident response plans in the last

year?

SEF-03.1 Does your security information and event management (SIEM)

system merge data sources (app logs, firewall logs, IDS logs,

physical access logs, etc.) for granular analysis and alerting?

SEF-03.2 Does your logging and monitoring framework allow isolation of an

incident to specific tenants?

SEF-04.1 Does your incident response plan comply with industry standards

for legally admissible chain-of-custody management processes and

controls?

SEF-04.2 Does your incident response capability include the use of legally

admissible forensic data collection and analysis techniques?

SEF-04.3 Are you capable of supporting litigation holds (freeze of data from

a specific point in time) for a specific tenant without freezing other

tenant data?

SEF-04.4 Do you enforce and attest to tenant data separation when

producing data in response to legal subpoenas?

SEF-05.1 Do you monitor and quantify the types, volumes and impacts on all

information security incidents?

SEF-05.2 Will you share statistical information for security incident data

with your tenants upon request?

STA-01.1 Do you inspect and account for data quality errors and associated

risks, and work with your cloud supply-chain partners to correct

them?

STA-01.2 Do you design and implement controls to mitigate and contain

data security risks through proper separation of duties, role-based

access, and least-privileged access for all personnel within your

supply chain?

Supply Chain

Management,

Transparency and

Accountability

Incident Reporting

STA-02 STA-02.1 The provider shall make security incident information available to

all affected customers and providers periodically through

electronic methods (e.g. portals).

Do you make security incident information available to all affected

customers and providers periodically through electronic methods

(e.g. portals)?

APO09.03

APO09.04

APO10.04

APO10.05

DSS02.07

ITOS > Service

Support ->

Incident

Management >

Cross Cloud

Incident

Response

provider Domain 2 Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)STA-03.1 Do you collect capacity and use data for all relevant components

of your cloud service offering?

STA-03.2 Do you provide tenants with capacity planning and use reports?

Supply Chain

Management,

Transparency and

Accountability

Provider Internal

Assessments

STA-04 STA-04.1 The provider shall perform annual internal assessments of

conformance and effectiveness of its policies, procedures, and

supporting measures and metrics.

Do you perform annual internal assessments of conformance and

effectiveness of your policies, procedures, and supporting

measures and metrics?

MEA01

MEA02

SRM >

Governance Risk

& Compliance >

Vendor

Management

provider x Domain 2 Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

12.1.1

STA-05.1 Do you select and monitor outsourced providers in compliance

with laws in the country where the data is processed, stored and

transmitted?

STA-05.2 Do you select and monitor outsourced providers in compliance

with laws in the country where the data originates?

STA-05.3 Does legal counsel review all third-party agreements?

STA-05.4 Do third-party agreements include provision for the security and

protection of information and assets?

STA-05.5 Do you provide the client with a list and copies of all subprocessing

agreements and keep this updated?

Supply Chain

Management,

Transparency and

Accountability

Supply Chain

Governance Reviews

STA-06 STA-06.1 Providers shall review the risk management and governance

processes of their partners so that practices are consistent and

aligned to account for risks inherited from other members of that

partner's cloud supply chain.

Do you review the risk management and governanced processes

of partners to account for risks inherited from other members of

that partner's supply chain?

APO10.04

APO10.05

MEA01

SRM >

Governance Risk

& Compliance >

Vendor

Management

provider x Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

12.8.4

STA-07.1 Are policies and procedures established, and supporting business

processes and technical measures implemented, for maintaining

complete, accurate and relevant agreements (e.g., SLAs) between

providers and customers (tenants)?

STA-07.2 Do you have the ability to measure and address non-conformance

of provisions and/or terms across the entire supply chain

(upstream/downstream)?

STA-07.3 Can you manage service-level conflicts or inconsistencies resulting

from disparate supplier relationships?

STA-07.4 Do you review all agreements, policies and processes at least

annually?

Supply Chain

Management,

Transparency and

Accountability

Third Party Assessment

STA-08 STA-08.1 Providers shall assure reasonable information security across their

information supply chain by performing an annual review. The

review shall include all partners/third party providers upon which

their information supply chain depends on.

Do you assure reasonable information security across your

information supply chain by performing an annual review?

STA-8.2 Does your annual review include all partners/third-party providers

upon which your information supply chain depends?

STA-09.1 Do you permit tenants to perform independent vulnerability

assessments?

2.4

12.8.2

2.4

12.8.2

12.8.3

12.8.4

Appendix A

12.1

12.10.1

PA8

PA11

BSGP

PA8 BSGP

PA3

PA8

PA16

BSGP

BSGP

SGP

7.2

7.3

7.2

7.3

17.1

5.2

2.2

5.4

4.1

4.2

4.6

7.1

IP-4 COMPLAINT

MANAGEMENT. SE-2

PRIVACY INCIDENT

RESPONSE

IP-4 COMPLAINT

MANAGEMENT. SE-2

PRIVACY INCIDENT

RESPONSE

99.31(a)(1)(i)

34 CFR 99.32(a)

ITOS > Service

Delivery > Service

Level

Management -

Vendor

Management

provider x

SRM >

Governance Risk

& Compliance >

Vendor

Management

provider x

BOSS >

Compliance >

Third-Party

Audits

shared x

ITOS > Service

Support >

Security Incident

Management

shared x

BOSS >

Operational Risk

Management >

Key Risk

Indicators

shared x

SRM >

Governance Risk

& Compliance >

Vendor

Management

provider X

provider x

BOSS > Legal

Services >

Contracts

shared x

312.8 and 312.10

312.3, 312.8 and

312.10

312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

312.2(a) and

312.3 (Prohibition

on Disclosure)

APO01.03

APO09.03

APO09.04

APO09.05

APO10.01

APO10.03

APO10.04

APO09.03

MEA01

MEA02

APO01.08

APO10.05

MEA02.01

APO09.03

APO09.05

APO01.03

APO13.01

APO13.02

DSS01.03

DSS02.01

DSS02.02

DSS02.04

DSS02.05

DSS02.06

CC5.5

CC6.2

CC2.3

CC2.5

C1.4C1.5

CC2.5

CC6.2

CC6.2

CC4.1

CC2.2CC2.3

CC2.2CC2.3

CC5.5

C1.4C1.5

AC-1

AT-1

AU-1

CA-1

CM-1

CP-1

IA-1

IA-7

IR-1

MA-1

MP-1

PE-1

PL-1

PM-1

PS-1

RA-1

RA-2

SA-1

SA-6

SC-1

SC-13

SI-1

PCI DSS v2.0 2.4

PCI DSS v2.0

12.8.2

PCI DSS v2.0

12.8.3

PCI DSS v2.0

12.8.4

Appendix A

A.15.1.2

8.1* partial,

8.1* partial,

A.15.2.1

A.13.1.2

CC2.2CC2.3

C1.4C1.5

Commandment #1

Commandment #4

Commandment #5

Commandment #6

Commandment #7

Commandment #8

Chapter II

Article 14.

CA-3

MP-5

PS-7

SA-6

SA-7

SA-9

PCI DSS v2.0 2.4

PCI DSS v2.0

12.8.2

Supply Chain

Management,

Transparency and

Accountability

Supply Chain Metrics

STA-07 Policies and procedures shall be implemented to ensure the

consistent review of service agreements (e.g., SLAs) between

providers and customers (tenants) across the relevant supply

chain (upstream/downstream).

Reviews shall performed at least annually and identity non-

conformance to established agreements. The reviews should

result in actions to address service-level conflicts or inconsistencies

resulting from disparate supplier relationships.

Supply Chain

Management,

Transparency and

Accountability

Third Party Audits

STA-09 Third-party service providers shall demonstrate compliance with

information security and confidentiality, access control, service

definitions, and delivery level agreements included in third-party

contracts. Third-party reports, records, and services shall undergo

audit and review at least annually to govern and maintain

compliance with the service delivery agreements.

S3.1.0

x3.1.0





threats.


threats of disruptions to systems operations that


integrity, confidentiality] commitments and (2)


threats.

L.1, L.2, L.4,

L.7, L.9

76 (B)

77 (B)

78 (B)

83 (B)

84 (B)

85 (B)

CO-05 COBIT 4.1 ME

2.6, DS 2.1, DS

2.4

Domain 2,

4

6.10. (a)

6.10. (b)

6.10. (c)

6.10. (d)

6.10. (e)

6.10. (f)

6.10. (g)

6.10. (h)

6.10. (i)




















NIST SP 800-53 R3 SC-13





















NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-13 (1)

NIST SP 800-53 R3 SC-30


1.2.2

1.2.4

1.2.6

1.2.11

3.2.4

5.2.1

45 CFR

164.308(b)(1)

(New)

45 CFR 164.308

(b)(4)

A.6.2.3

A.10.2.1

A.10.2.2

A.10.6.2

Commandment #1

Commandment #2

Commandment #3

Chapter II

Article 14, 21

Chapter III

Article 25

Chapter V

Article 36

A.6.2.3

A.10.6.2

Security Incident

Management, E-

Discovery & Cloud

Forensics

Incident Response

Metrics

SEF-05

Commandment #6

Commandment #7

Commandment #8

SC-20

SC-21

SC-22

SC-23

SC-24

ITOS > Service

Delivery > Service

Level

Management

Supply Chain

Management,

Transparency and

Accountability

Third Party

Agreements

STA-05 Supply chain agreements (e.g., SLAs) between providers and

customers (tenants) shall incorporate at least the following

mutually-agreed upon provisions and/or terms:

• Scope of business relationship and services offered (e.g.,

customer (tenant) data acquisition, exchange and usage, feature

sets and functionality, personnel and infrastructure network and

systems components for service delivery and support, roles and

responsibilities of provider and customer (tenant) and any

subcontracted or outsourced business relationships, physical

geographical location of hosted services, and any known

regulatory compliance considerations)

• Information security requirements, provider and customer

(tenant) primary points of contact for the duration of the business

relationship, and references to detailed supporting and relevant

business processes and technical measures implemented to

enable effectively governance, risk management, assurance and

legal, statutory and regulatory compliance obligations by all

impacted business relationships

• Notification and/or pre-authorization of any changes controlled

by the provider with customer (tenant) impacts

• Timely notification of a security incident (or confirmed breach)

to all customers (tenants) and other business relationships

impacted (i.e., up- and down-stream impacted supply chain)

• Assessment and independent verification of compliance with

agreement provisions and/or terms (e.g., industry-acceptable

certification, attestation audit report, or equivalent forms of

assurance) without posing an unacceptable business risk of

exposure to the organization being assessed

• Expiration of the business relationship and treatment of

customer (tenant) data impacted

• Customer (tenant) service-to-service application (API) and data

interoperability and portability requirements for application

development and information exchange, usage, and integrity

persistence

S2.2.0

A3.6.0

C3.6.0

(S2.2.0) The availability, confidentiality of data,

processing integrity, system security and related

security obligations of users and the entity’s

availability and related security commitments to

users are communicated to authorized users.

(A3.6.0) Procedures exist to restrict physical




and servers.

(C3.6.0) The entity has procedures to obtain

assurance or representation that the

confidentiality policies of third parties to whom

information is transferred and upon which the

entity relies are in conformity with the entity’s

defined system confidentiality and related

security policies and that the third party is in

compliance with its policies.

C.2 C.2.4, C.2.6,

G.4.1, G.16.3

74 (B)

75 (C+,

A+)

45 (B)

75 (C+,

A+)

79 (B)

4 (C+, A+)

Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.3

LG-02 COBIT 4.1 DS5.11 Domain 3 6.02. (e)

6.10. (h)

6.10. (i)

Article 17 (3) NIST SP 800-53 R3 CA-3







NIST SP 800-53 R3 MP-5 (2)

NIST SP 800-53 R3 MP-5 (4)





NIST SP 800-53 R3 SA-9 (1)

1.2.5312.3, 312.8 and

312.10

A.6.2.3

A10.2.1

A.10.8.2

A.11.4.6

A.11.6.1

A.12.3.1

A.12.5.4

ITAR 22

CFR §

120.17

EAR 15

CFR

§736.2 (b)

Supply Chain

Management,

Transparency and

Accountability

Network /

Infrastructure Services

STA-03 Business-critical or customer (tenant) impacting (physical and

virtual) application and system-system interface (API) designs and

configurations, and infrastructure network and systems

components, shall be designed, developed, and deployed in

accordance with mutually agreed-upon service and capacity-level

expectations, as well as IT governance and service management


C2.2.0 (C2.2.0) The system security, availability, system

integrity, and confidentiality and related security

obligations of users and the entity’s system

security, availability, system integrity, and

confidentiality and related security commitments

to users are communicated to authorized users.

C.2 C.2.6, G.9.9 45 (B)

74 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-31 COBIT 4.1 DS5.10 Domain 2 6.02. (c)

6.03.07. (a)

6.03.07. (b)

6.03.07. (c)

6.03.07. (d)

Article 17 NIST SP 800-53 R3 CA-3




NIST SP 800-53 R3 CP-6 (1)

NIST SP 800-53 R3 CP-6 (3)


NIST SP 800-53 R3 CP-7 (1)

NIST SP 800-53 R3 CP-7 (2)

NIST SP 800-53 R3 CP-7 (3)

NIST SP 800-53 R3 CP-7 (5)


NIST SP 800-53 R3 CP-8 (1)

NIST SP 800-53 R3 CP-8 (2)


8.2.2

8.2.5

APO01.03

APO03.01

APO03.02

APO09.03

BAI02.01

BAI02.04

BAI07.05

Domain 2 6.07.01. (a)

6.07.01. (i)





NIST SP 800-53 R3 IR-4 (1)



1.2.7

1.2.10

IR-2

IR-6

IR-7

SI-4

SI-5

45 CFR 164.308

(a)(1)(ii)(D)

A.13.2.2 CIP-008-3 -

R1.1

IR-4

IR-5

IR-8

PCI DSS v2.0

12.9.6

Supply Chain

Management,

Transparency and

Accountability

Data Quality and

Integrity

STA-01 Providers shall inspect, account for, and work with their cloud

supply-chain partners to correct data quality errors and

associated risks. Providers shall design and implement controls to

mitigate and contain data security risks through proper

separation of duties, role-based access, and least-privilege access

for all personnel within their supply chain.

APO01.03

APO07.06

APO07.03

APO13.01

APO13.02

DSS02.01

APO01.03

APO13.01

APO13.02

DSS01.03

DSS02.01

DSS02.02

DSS02.04

DSS02.05

DSS02.06

DSS04.07

APO10

APO11

DSS05.04

DSS06.03

DSS06.06

PA11 BSGP

PA11 BSGP

PCI-DSS v2.0

12.5.2

PCI-DSS v2.0

12.5.3

Security Incident

Management, E-

Discovery & Cloud

Forensics

Incident Response

Legal Preparation

SEF-04 Proper forensic procedures, including chain of custody, are

required for the presentation of evidence to support potential

legal action subject to the relevant jurisdiction after an

information security incident. Upon notification, customers

and/or other external business partners impacted by a security

breach shall be given the opportunity to participate as is legally

permissible in the forensic investigation.

S2.4.0

C3.15.0

(S2.4.0) The process for informing the entity

about system availability issues, confidentiality

issues, processing integrity issues, security issues

and breaches of the system security and for

submitting complaints is communicated to

authorized users.

(C3.15.0) Procedures exist to provide that issues

of noncompliance with defined confidentiality

and related security policies are promptly

addressed and that corrective measures are

taken on a timely basis.

J.1

E.1

J.1.1, J.1.2, E.4 IS-24 COBIT 4.1 DS5.6 Domain 2 6.04.07. (b)

6.07.01. (f)

6.07.01. (h)



NIST SP 800-53 R3 AU-11





NIST SP 800-53 R3 AU-6 (1)

NIST SP 800-53 R3 AU-6 (3)


NIST SP 800-53 R3 AU-7 (1)


NIST SP 800-53 R3 AU-9 (2)

NIST SP 800-53 R3 AU-10

NIST SP 800-53 R3 AU-10 (5)

NIST SP 800-53 R3 AU-11



NIST SP 800-53 R3 IR-7 (1)

NIST SP 800-53 R3 IR-7 (2)



NIST SP 800-53 R3 MP-5 (2)

NIST SP 800-53 R3 MP-5 (4)

1.2.7 45 CFR 164.308

(a)(6)(ii)

Clause 4.3.3

Clause 5.2.2

A.8.2.2

A.8.2.3

A.13.2.3

A.15.1.3

BOSS > Legal

Services >

Incident

Response Legal

Preparation

shared x CIP-004-3

R3.3

AU-6

AU-7

AU-9

AU-11

IR-5

IR-7

IR-8

BOSS > Human

Resources

Security >

Employee

Awareness

shared x

Commandment #2

Commandment #6

Commandment #8


R6.1

CIP-008-3 -

R1

IR-1

IR-2

IR-3

IR-4

IR-5

IR-7

IR-8

PCI-DSS v2.0

12.9

PCI-DSS v2.0

12.9.1

PCI-DSS v2.0

12.9.2

PCI-DSS v2.0

12.9.3

PCI-DSS v2.0

12.9.4

PCI-DSS v2.0

12.9.5

PCI-DSS v2.0

12.9.6

Security Incident

Management, E-

Discovery & Cloud

Forensics

Incident Reporting

SEF-03 Workforce personnel and external business relationships shall be

informed of their responsibility and, if required, shall consent

and/or contractually agree to report all information security

events in a timely manner. Information security events shall be

reported through predefined communications channels in a timely

manner adhering to applicable legal, statutory, or regulatory

compliance obligations.

A2.3.0

C2.3.0

I2.3.0

S2.3.0

S2.4

(A2.3.0, C2.3.0, I2.3.0, S2.3.0) Responsibility and

accountability for the entity’s system availability,


related security policies and changes and



them.

(S2.4) The process for informing the entity about

J.1

E.1

J.1.1, E.4 5 (B)

46 (B)

48 (A+)

49 (B)

50 (B)

Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.3

IS-23 COBIT 4.1 DS5.6 Domain 2 6.07.01. (a) Article 17 NIST SP 800-53 R3 IR-2






NIST SP 800-53 R3 IR-6 (1)


NIST SP 800-53 R3 IR-7 (1)

NIST SP 800-53 R3 IR-7 (2)


NIST SP 800-53 R3 SI-4 (2)

NIST SP 800-53 R3 SI-4 (4)

1.2.7

1.2.10

7.1.2

7.2.2

7.2.4

10.2.4

45 CFR 164.312

(a)(6)(ii)

16 CFR 318.3 (a)

(New)

16 CFR 318.5 (a)

(New)

45 CFR 160.410

(a)(1) (New)

Clause 4.3.3

Clause 5.2.2

A.6.1.3

A.8.2.1

A.8.2.2

A.13.1.1

A.13.1.2

A.13.2.1

ITAR 22

CFR §

127.12

Commandment #2

Commandment #6

Commandment #8


R4.1

CIP-004-3

R3.3

IS3.7.0

S3.9.0

(IS3.7.0) Procedures exist to identify, report, and


incidents.


noncompliance with system availability,


related security policies are promptly addressed

and that corrective measures are taken on a

timely basis.

J.1 J.1.1, J.1.2 1.2.4

1.2.7

7.1.2

7.2.2

7.2.4

10.2.1

10.2.4

45 CFR 164.308

(a)(1)(i)

45 CFR 164.308

(a)(6)(i)

Clause 4.3.3

A.13.1.1

A.13.2.1

ITAR 22

CFR §

127.12

Security Incident

Management, E-

Discovery & Cloud

Forensics

Incident Management

SEF-02 Policies and procedures shall be established, and supporting


triage security-related events and ensure timely and thorough

incident management, as per established IT service management


IS-25

46 (B) Schedule 1

(Section 5) 4.1

Accountability,

Subs. 4.1.4; 4.8

Openness, Subs.

4.8.2

IS-22 COBIT 4.1 DS5.6 Domain 2 6.04.07. (b)

6.07.01. (a)

6.07.01. (d)

6.07.01. (e)

6.07.01. (f)

6.07.01. (g)

6.07.01. (h)

Article 17 NIST SP 800-53 R3 IR-1










NIST SP 800-53 R3 IR-4 (1)



NIST SP 800-53 R3 IR-7 (1)

NIST SP 800-53 R3 IR-7 (2)


Mechanisms shall be put in place to monitor and quantify the

types, volumes, and costs of information security incidents.

S3.9.0

C4.1.0





(C4.1.0) The entity’s system security, availability,

system integrity, and confidentiality is


defined system security, availability, system

integrity, and confidentiality policies.

J.1.2 47 (B) COBIT 4.1 DS 4.9

Domain 2

51 (B) Domain 3 6.02. (c)

6.02. (d)

6.07.01. (k)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

6.1.3(b)

8.1

8.3

9.3(a),

9.3(b)

9.3(b)(f)

9.3(c)

9.3(c)(1)

9.3(c)(2)

9.3(c)(3)

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

6.1.2(c)(2)

6.1.2(d)

6.1.2(d)(1)

6.1.2(d)(2)

6.1.2(d)(3)

6.1.2(e)

6.1.2(e)(1)

6.1.2(e)(2)

6.1.3,

6.1.3(a)

6.1.3(b)

8.1

8.3

9.3(a),

9.3(b)

9.3(b)(f)

9.3(c)

A.15.1.2

A.13.1.2

A.15.1.2,

8.1* partial,

A.13.2.2,

A.9.4.1

A.10.1.1

Domain 2

Clause

5.3 (a),

5.3 (b),

7.5.3(b),

5.2 (c),

7.5.3(d),

8.1,

8.3,

9.2(g),

Annex

A.16.1.1

A.16.1.2

Clause

5.2 (c),

5.3 (a),

5.3 (b),

7.2(a),

7.2(b),

7.2(c),

7.2(d),

7.3(b),Clause

5.2 (c),

5.3 (a),

5.3 (b),

7.2(a),

7.2(b),

7.2(c),

7.2(d),

7.3(b),

7.3(c)

7.5.3(b),

7.5.3(d),

8.1,

8.3,

9.2(g)

Annex

A.7.2.2,

A.7.2.3,

A.16.1.7,

A.18.1.3

A.16.1.6

Clause

6.1.1,

6.1.1(e)(2)

6.1.2

6.1.2(a)(1)

6.1.2(a)(2),

6.1.2(b)

6.1.2 (c)

6.1.2(c)(1),

RBlue text is CONFIDENTIAL content – See REDACTED COPY





REDACTED COPY

AICPA

TSC 2009

AICPA


AICPA

TSC

2014

BITS Shared

Assessments

AUP v5.0

BITS Shared

Assessments

SIG v6.0

BSI


CCM


CSA

Guidance

V3.0

ENISA IAF

95/46/EC - European


Directive

FedRAMP Security

Controls

(Final Release, Jan

2012)





-

FERPA

GAPP

(Aug

2009)

HIPAA/HITECH

(Omnibus

Rule)

ISO/IEC

27001:2005

ISO/IEC





Parties

NERC

CIPNIST SP800-53 R3

NIST SP800-53 R4


Yes NoNot

Applicable

Domain > Container




Cloud Initiative)





STA-09.2 Do you have external third party services conduct vulnerability

scans and periodic penetration tests on your applications and

networks?

TVM-01.1 Do you have anti-malware programs that support or connect to

your cloud service offerings installed on all of your systems?

TVM-01.2 Do you ensure that security threat detection systems using

signatures, lists or behavioral patterns are updated across all

infrastructure components within industry accepted time frames?

TVM-02.1 Do you conduct network-layer vulnerability scans regularly as

prescribed by industry best practices?

TVM-02.2 Do you conduct application-layer vulnerability scans regularly as

prescribed by industry best practices?

TVM-02.3 Do you conduct local operating system-layer vulnerability scans

regularly as prescribed by industry best practices?

TVM-02.4 Will you make the results of vulnerability scans available to tenants

at their request?

TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all

of your computing devices, applications and systems?

TVM-02.6 Will you provide your risk-based systems patching time frames to

your tenants upon request?

TVM-03.1 Is mobile code authorized before its installation and use, and the

code configuration checked, to ensure that the authorized mobile

code operates according to a clearly defined security policy?

TVM-03.2 Is all unauthorized mobile code prevented from executing?

2.4

12.8.2

12.8.3

12.8.4

Appendix A

1.4, 5.0

2.2

6.1

6.2

6.3.2

6.4.5

6.5

6.6

11.2

11.2.1

11.2.2

11.2.3

PA2

PA8

BSGP

PA1 BSGP

5.4

14.1

17.6

12.4

14.1

3

3.1

3.2

3.3

3.4

3.5

BOSS >

Compliance >

Third-Party

Audits

shared x

SRM >

Infrastructure

Protection

Services > Anti-

Virus

shared x

SRM > Threat

and Vulnerability

Management >

Vulnerability

Management

shared x

SRM >

Infrastructure

Protection

Services > End

Point - White

Listing

shared x

312.2(a) and

312.3 (Prohibition

on Disclosure)

312.8 and 312.10

312.8 and 312.10

312.8 and 312.10

APO01.08

APO10.05

MEA02.01

APO01.03

APO13.01

APO13.02

DSS05.01

APO01.03

APO13.01

APO13.02

BAI06.01

BAI06.02

BAI06.03

BAI06.04

DSS01.01

DSS01.02

DSS01.03

DSS03.05

DSS05.01

DSS05.03

DSS05.07

APO01.03

APO13.01

APO13.02

DSS05.01

DSS05.02

DSS05.03

DSS05.04

CC5.6

CC7.1

CC7.1 CM-3

CM-4

CP-10

RA-5

SA-7

SI-1

SI-2

SI-5

PCI-DSS v2.0

2.2

PCI-DSS v2.0

6.1

PCI-DSS v2.0

6.2

PCI-DSS v2.0

6.3.2

PCI-DSS v2.0

6.4.5

PCI-DSS v2.0

6.5.X

PCI-DSS v2.0

6.6

PCI-DSS v2.0

11.2

PCI-DSS v2.0

11.2.1

PCI-DSS v2.0

11.2.2

PCI-DSS v2.0

11.2.3

Threat and

Vulnerbility

Management

Mobile Code

TVM-

03



prevent the execution of unauthorized mobile code, defined as

software transferred between systems over a trusted or

untrusted network and executed on a local system without

explicit installation or execution by the recipient, on



infrastructure network and systems components.

S3.4.0

S3.10.0


infection by computer viruses, malicious code,







access.

G.20.12, I.2.5 SA-15 Domain 10 6.03. (g) Article 17 A.10.4.2

A.12.2.2

A.12.5.1

A.12.5.2

A.12.6.1

Commandment #4

Commandment #5

Commandment #1

Commandment #2

Commandment #3

Commandment #5

Commandment

#11

SC-18

CIP-007-3 -

R4 - R4.1 -

R4.2

SA-7

SC-5

SI-3

SI-5

SI-7

SI-8

PCI-DSS v2.0

5.1

PCI-DSS v2.0

5.1.1

PCI-DSS v2.0

5.2

Threat and

Vulnerbility

Management

Vulnerability / Patch

Management

TVM-

02


processes and technical measures implemented, for timely

detection of vulnerabilities within organizationally-owned or

managed applications, infrastructure network and system

components (e.g. network vulnerability assessment, penetration

testing) to ensure the efficiency of implemented security controls.

A risk-based model for prioritizing remediation of identified

vulnerabilities shall be used. Changes shall be managed through a

change management process for all vendor-supplied patches,

configuration changes, or changes to the organization's internally

developed software. Upon request, the provider informs customer

(tenant) of policies and procedures and identified weaknesses

especially if customer (tenant) data is used as part the service

and/or customer (tenant) has some shared responsibility over

implementation of control.

S3.10.0 (S3.10.0) Design, acquisition, implementation,





access.

I.4 G.15.2, I.3 32 (B)

33 (B)

Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-20 COBIT 4.1 AI6.1

COBIT 4.1 AI3.3

COBIT 4.1 DS5.9

Domain 2 6.03.02. (a)

6.03.02. (b)

6.03.05. (c)

6.07.01. (o)







NIST SP 800-53 R3 CM-3 (2)



NIST SP 800-53 R3 RA-5 (1)

NIST SP 800-53 R3 RA-5 (2)

NIST SP 800-53 R3 RA-5 (3)

NIST SP 800-53 R3 RA-5 (6)

NIST SP 800-53 R3 RA-5 (9)

NIST SP 800-53 R3 SC-30



NIST SP 800-53 R3 SI-2 (2)



45 CFR 164.308

(a)(1)(i)(ii)(A)

45 CFR 164.308

(a)(1)(i)(ii)(B)

45 CFR 164.308

(a)(5)(i)(ii)(B)

CIP-004-3

R4 - 4.1 -

4.2

CIP-005-

3a - R1 -

R1.1

CIP-007-3 -

R3 - R3.1 -

R8.4

1.2.6

8.2.7

8.1*partial,

A.14.2.2,

8.1*partial,

A.14.2.3

A.12.6.1

A.12.2.1

AC-1

AT-1

AU-1

CA-1

CM-1

CP-1

IA-1

IA-7

IR-1

MA-1

MP-1

PE-1

PL-1

PM-1

PS-1

RA-1

RA-2

SA-1

SA-6

SC-1

SC-13

SI-1

PCI DSS v2.0 2.4

PCI DSS v2.0

12.8.2

PCI DSS v2.0

12.8.3

PCI DSS v2.0

12.8.4

Appendix A

8.2.2 45 CFR 164.308

(a)(5)(ii)(B)


Commandment #5

Threat and

Vulnerbility

Management

Antivirus / Malicious

Software

TVM-

01



prevent the execution of malware on organizationally-owned or

managed user end-point devices (i.e., issued workstations,

laptops, and mobile devices) and IT infrastructure network and

systems components.

S3.5.0 (S3.5.0) Procedures exist to protect against

infection by computer viruses, malicious codes,


G.7 17 (B) Schedule 1

(Section 5), 4.7 -

Safeguards,

Subsec. 4.7.3

IS-21 COBIT 4.1 DS5.9 Domain 2 6.03. (f) Article 17 NIST SP 800-53 R3 SC-5





NIST SP 800-53 R3 SI-3 (1)

NIST SP 800-53 R3 SI-3 (2)

NIST SP 800-53 R3 SI-3 (3)



NIST SP 800-53 R3 SI-7 (1)


A.15.1.2

8.1* partial,

8.1* partial,

A.15.2.1

A.13.1.2

A.12.2.1

CC2.2CC2.3

C1.4C1.5

CC5.8

Supply Chain

Management,

Transparency and

Accountability

Third Party Audits

STA-09 Third-party service providers shall demonstrate compliance with

information security and confidentiality, access control, service

definitions, and delivery level agreements included in third-party

contracts. Third-party reports, records, and services shall undergo

audit and review at least annually to govern and maintain

compliance with the service delivery agreements.

S3.1.0

x3.1.0





threats.


threats of disruptions to systems operations that


integrity, confidentiality] commitments and (2)


threats.

L.1, L.2, L.4,

L.7, L.9

76 (B)

77 (B)

78 (B)

83 (B)

84 (B)

85 (B)

CO-05 COBIT 4.1 ME

2.6, DS 2.1, DS

2.4

Domain 2,

4

6.10. (a)

6.10. (b)

6.10. (c)

6.10. (d)

6.10. (e)

6.10. (f)

6.10. (g)

6.10. (h)

6.10. (i)




















NIST SP 800-53 R3 SC-13





















NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 SC-13 (1)

NIST SP 800-53 R3 SC-30


1.2.2

1.2.4

1.2.6

1.2.11

3.2.4

5.2.1

45 CFR

164.308(b)(1)

(New)

45 CFR 164.308

(b)(4)

A.6.2.3

A.10.2.1

A.10.2.2

A.10.6.2

Commandment #1

Commandment #2

Commandment #3

Chapter II

Article 14, 21

Chapter III

Article 25

Chapter V

Article 36

© Copyright 2014 Cloud Security Alliance - All rights reserved. You may download, store, display on your

computer, view, print, and link to the Cloud Security Alliance “Consensus Assessments Initiative Questionnaire

CAIQ Version 3.0.1” at http://www.cloudsecurityalliance.org subject to the following: (a) the Consensus

Assessments Initiative Questionnaire v3.0.1 may be used solely for your personal, informational, non-commercial

use; (b) the Consensus Assessments Initiative Questionnaire v3.0.1 may not be modified or altered in any way; (c)

the Consensus Assessments Initiative Questionnaire v3.0.1 may not be redistributed; and (d) the trademark,

copyright or other notices may not be removed. You may quote portions of the Consensus Assessments Initiative

Questionnaire v3.0.1 as permitted by the Fair Use provisions of the United States Copyright Act, provided that

you attribute the portions to the Cloud Security Alliance Cloud Consensus Assessments Initiative Questionnaire

3.0.1 (2014). If you are interested in obtaining a license to this material for other usages not addresses in the

copyright notice, please contact [email protected].

R

E

D

A

C

T

E

D





Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions REDACTED COPY - Business Information July 6, 2018








REDACTED COPY - Business Information


7/6/2018

Page i

Table of Contents


List of Figures .............................................................................................................................................. ii

Acronyms .................................................................................................................................................... iii

Business Information .................................................................................................................................. 1

1 Business Profile.................................................................................................................................. 1

2 Scope of Experience .......................................................................................................................... 2

3 Financials ........................................................................................................................................... 3

4 General Information ......................................................................................................................... 3

4.1 Auditing Capabilities ............................................................................................................. 3

5 Billing and Pricing Practices ............................................................................................................ 4

5.1 Typical Cost Impacts.............................................................................................................. 4

5.2 NIST Compliant Solution ...................................................................................................... 5

6 Best Practices ..................................................................................................................................... 7

Appendix A – Audited Financial Statements [REDACTED] ............................................................... 10






7/6/2018

Page ii

List of Figures

Figure 1. CDS’ Five Largest Contracts ......................................................................................................... 3






7/6/2018

Page iii

Acronyms

API Application Programming Interface

ATO Authority to Operate

BlueCross BlueCross® BlueShield

® of South Carolina

BPM Business Process Management

CDS Companion Data Services, LLC

CMS Centers for Medicare and Medicaid

COTS Commercial Off-the-Shelf

ECM Enterprise Content Management

FIPS Federal Information Processing Standard

FISMA Federal Information Security Management Act

HIPAA Health Insurance Portability and Accountability Act of 1996

ISO International Organization for Standardization

IT Information Technology

NAIC MAR National Association of Insurance Commissioners Model Audit Rule

OIT Optical Image Technology

PCI Payment Card Industry

SaaS Software as a Service

SSAE Statement on Standards for Attestation Engagements



Request for Proposal SK18008 NASPO ValuePoint Master Agreement for Cloud Solutions



7/6/2018

Page 1

Business Information

3.10, 6

1 Business Profile 6.1

Companion Data Services, LLC (CDS), a wholly owned subsidiary of BlueCross® BlueShield

® of South

Carolina (BlueCross), an independent licensee of Blue Cross and Blue Shield Association, delivers secure

Information Technology (IT) and business process services. Products and solutions include:

Enterprise Content Management (ECM), Business Process Management (BPM) and Records

Management solutions powered by DocFinity®

Secure hosting, cloud and managed IT services

Value-added services including disaster recovery, Technology Support Center, privacy and

security, mainframe elimination, data center replacement and alternate site

Enterprise health care claims processing services powered by Companion Data Services

Healthcare Payer SuiteSM

The DocFinity solution suite is developed by Optical Image Technology, Inc. (OIT), our Document

Management Software Development division. CDS and OIT have been in a continual business

relationship since CDS’ inception in 2005.

CDS, a wholly owned subsidiary of BlueCross, in business since 2005

OIT, a wholly owned subsidiary of BlueCross, in business since 1986

CDS’ and OIT’s shared corporate parent, BlueCross, in business since 1946

Our organizational structure includes our Principal Officers:

Lola Jordan, President, CDS

Ron Prichard, President, OIT

Lane Dundee, Vice President and Chief Financial Officer, CDS

Roger A. Arguello, Vice President and Chief Operating Officer, CDS

William F. (Fred) Rowell, Vice President and Chief Technology Officer, CDS

Suzanne R Fuller, Vice President, Business Development, CDS

CDS maintains strong financial ratios for cash liquidity and members’ equity. CDS enjoys a solid history

of long-term contracts and customers continue to select us for renewals. The financial stability of our

parent company, BlueCross is on record. In December 2017, A.M. Best reaffirmed our A.M. Best rating

of A+ (Superior). One of the few companies nationwide to achieve this distinction, this year marks the

sixteenth consecutive year that BlueCross met this high standard. Best's Financial Strength Ratings

represent the company's assessment of an insurer's ability to meet its obligations to policyholders. The

rating process involves quantitative and qualitative reviews of a company's balance sheet, operating

performance and business profile, including comparisons to peers and industry standards and assessments

of an insurer's operating plans, philosophy and management.

We have controlled, stable growth strategy through excellent implementations resulting in unsurpassed

customer satisfaction. Since our corporate parent is a mutual insurance company, we are effective in our

investments and growth plans to maintain safe levels of member equity. As is the case with our DocFinity

product and government customers, we provide unparalleled operational efficiency at competitive price






7/6/2018

Page 2

levels towards the best usage of their tax dollars, resulting in reasonable profit margins to maintain and

improve member equity.

Our client base consists of the federal government, state and local governments, as well as commercial

companies. Within the last few years, we have diversified our client base instead of primarily depending

on federal contracts.

Demonstrating CDS’ growth, our overall annual sales figures for the last three years are as follows:

2015 – $105.7 million

2016 – $105.3 million

2017 – $95.6 million

Please note that the figures above reflect CDS sales figures only. Our corporate annual sales figures are

typically close to $6 billion.

Overall public-sector sales, excluding federal Government, for last three years:

2015: $10.1 million

2016: $9.7 million

2017: $14.4 million

Our corporate structure has approximately 10,500 employees; more than 90 percent are located in South

Carolina. Approximately 2,000 employees work for the Information Systems division. We have a stable,

diverse workforce with an average 12 years of tenure with the company, exemplifying our employee

retention rate of 70 percent.

CDS’ largest contracts, with particular emphasis on government, are listed in the next section, “Scope of

Experience”. In addition, a comprehensive list of select DocFinity government users is available upon

request.

2 Scope of Experience 6.2

We are and will continue to be the vendor of choice for customers requiring high levels of security,

reliability, availability and compliance, such as government entities, as well as health care payers and

providers.

The most significant government experience similar to the Master Agreement is CDS’ Center for

Medicare and Medicaid’s (CMS’) Virtual Data Center contract. Within the scope of that contract, the

CDS Columbia Data Center is used as a virtual data center that processes approximately 50% of the entire

nation’s Medicare Part A and B claims since 2005. The CDS Columbia Data Center is owned, secured

and operated by us.

Approximate dollar values of our five largest contracts are provided in Figure 1.

Customer Project User Annual Revenue ($,

Approximately)

Centers for Medicare and Medicaid Services Virtual Data Center Federal

Government $66 million

Federal Employee Application Hosting Federal $13 million






7/6/2018

Page 3

Customer Project User Annual Revenue ($,

Approximately)

Program Government

Palmetto GBA Medicare Application Hosting

Federal Government $1.7 million

Avalon Healthcare Solutions

Data Center Hosting and Business Process Outsourcing

Commercial Health Insurance $8 million

BlueCross BlueShield Association Hosting Services Commercial Health

Insurance Plans $5 million

Figure 1. CDS’ Five Largest Contracts

3 Financials 6.3

CDS’s corporate parent, BlueCross, has achieved an A+ (Superior) A.M. Best rating for 16 consecutive

years. A.M. Best’s credit ratings are recognized as a benchmark for assessing a rated organization’s

financial strength, as well as the credit quality of its obligations.

Please refer to Appendix A for our audited financial statements of the last two years.

4 General Information 6.4, 6.4.1

At this time, we are only proposing the Software as a Service (SaaS) model compliant with NIST

requirements and standards. Our own ECM/BPM software product, DocFinity, our hosting environments

and managed services, including security, have the ability to store and secure low risk, medium risk and

high risk data per the Federal Information Processing Standard (FIPS) PUB 199. We perform cloud and

hosting services for processing, securing and storing health care data, supporting federal government and

military health plans.

DocFinity is specifically designed for the cloud from ground up; it is a 100 percent browser-based product

with no client software needed. However, we have not released DocFinity to be available in an

environment like a “market place” for public cloud customers. Although DocFinity is a commercial off-

the-shelf (COTS) product with a very high degree of configurability and integration with no source code

modification, we strongly recommend our customers take advantage of our professional services that

ensures a successful implementation to meet their business needs.

4.1 Auditing Capabilities 6.4.2

CDS has taken necessary measures to comply with Health Insurance Portability and Accountability Act of

1996 (HIPAA) rules and regulations. We are routinely audited for compliance with various information

privacy and security rules and regulations, including HIPAA. CDS is routinely audited by the federal

government for compliance in information privacy and security rules and regulations due to our ongoing

authority to operate (ATO) issued by Medicare. CDS is subject to the Statement on Standards for

Attestation Engagements 16 (SSAE16) audit on a yearly basis. We are International Organization for

Standardization (ISO) certified and have an ATO from CMS as a Federal Information Security

Management Act (FISMA) high system.

We are continually assessed as part of internal and external requirements. We conduct numerous security

and confidentiality measures including compliance with federal privacy and information security

standards such as NIST, HIPAA, Payment Card Industry (PCI), National Association of Insurance

Commissioners Model Audit Rule (NAIC MAR) and our internal Information Systems Standards






7/6/2018

Page 4

Manual and procedures. We are measured internally by our Governance organization’s Quality Assurance

department-level measures and self-audits. These self-audits prepare us to be formally and objectively

measured by a risk-ranked variety of corporate audits such as our Corporate Compliance Group’s NAIC

MAR audits and externally conducted SSAE16 and PCI audits. The Corporate Data Center has

maintained an uninterrupted ISO 9001:2015 certification since Dec 2009.

The following is a list of external audits to the relevant environment. These are current audits that take

place and are expected to continue for the foreseeable future.

SSAE16 SOC 2 for hosting contract

SSAE SOC 1, SOC 2 and SOC 3 for annual review of CDS’ data center solution

SSAE SOC 1 for biennial review of our Medicaid Administrative Services Contract

SSAE SOC 1 for biennial review of our Medicaid Third Party Liability Contract

AICPA SOC 2 for hosting contract

AICPA SOC 1 (SSAE 16) for annual review of our Corporate environment

AICPA SOC 1 (SSAE 16) for annual review of our Tricare environment

AICPA SOC 1 (SSAE 16) for biennial review of our Medicaid Administrative Services Contract

AICPA SOC 1 (SSAE 16) for biennial review of our Medicaid Third Party Liability Contract

NAIC MAR for annual review of enterprise controls

Payment Card Industry Data Security Standards Assessment

5 Billing and Pricing Practices 6.5, 6.5.1

The CDS accounting system allows for accurate and timely tracking of company expenses and their

related fluctuations in the face of periodic technology changes. We will foster and maintain close

communication with NASPO and applicable Purchasing Entities to ensure proper awareness of changes to

our commercially published price lists in response to the impact of major technology changes on market

conditions. CDS is fully aware of the requirement to honor discount percentages as agreed-upon in the

pending master agreement.

5.1 Typical Cost Impacts 6.5.2

In our model, the purchasing entity provides only the following:

Personal computers

Mobile devices

Scanners

Printers

Compatible web browser

Internet connection

Extremely likely, these components already exist and are in use by the purchasing entity. Therefore, no

cost impact is expected other than monthly SaaS subscription fees and implementation-related

professional services like consulting, training, business analysis, etc.






7/6/2018

Page 5

This model totally eliminates numerous hidden costs as all of the other components of the solution are

provided by us and included in the monthly SaaS subscription fees. We would like to approach this

requirement from three different perspectives:

Nature of SaaS-based Deployment Due to the nature of the SaaS model, there are no hidden costs of server hardware, server software,

maintenance, upgrades, administration, life-cycle management, performance tuning, security and more.

We are responsible for all server-level components of our solution.

Our SaaS Subscription Pricing Philosophy Our flexible billing practices accommodate seasonal fluctuations in use as well as a phased approach. The

number of licensed users can be increased or decreased as required by the customer with sixty days’

notice following implementation.

There is no up-front charge for the complete stand up of a computing environment.

SaaS customers have access to “Full DocFinity Suite”, including sophisticated modules like

Records Management, eForms, Business Process Management and more.

DocFinity software maintenance including version upgrades is also included in the monthly SaaS

subscription fees.

Our Product Pricing Philosophy

Within the scope of this proposal, we only offer DocFinity SaaS. However, from a product perspective, in

any type of deployment (either On Premise or SaaS), DocFinity pricing is fixed, based on concurrent

users. We offer unlimited named users defined in the system. The number of users accessing DocFinity at

the same time depends on the number of licensed concurrent users. There are no surprises regarding our

pricing:

No additional fees for the number of scanners, scanning workstations or scanning users

No additional fees for administrative users, power users or users with update capability

No additional fees for mobile users

No additional fees for integration features like application programming interface, data

dictionary, etc.

Options available at additional costs are identified and unit costs included in the proposed price

list

5.2 NIST Compliant Solution 6.5.3

CDS’ capabilities of deploying, maintaining and servicing our SaaS subscription include the following

characteristics of the NIST 800-145 Service Model:

On-demand Self-Service

Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to allocate or

provision compute resources. We manage and monitor computing resources and proactively provision

server time and network resources when necessary, based on the needs of the customer. We provide one

terabyte of storage that is proactively managed and monitored. If the purchasing agency begins to exceed

this threshold, we will notify them in advance to plan ahead for the purchase of additional capacity. Most

modules are included with your monthly payment and maintenance is managed by our internal DocFinity

support team.






7/6/2018

Page 6

Broad Network Access

DocFinity is 100 percent web based and accessible by mobile devices and desktops. This includes all

administrative functions and system configuration panels. The user interface adapts and scales to the

device. No application is required. The user accesses DocFinity through a device browser, and DocFinity

runs in the browser. This provides mobile functionality without the overhead of downloading an

application. This feature meets the requirement to be available over the network and accessed through

standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile

phones, tablets, laptops and workstations).

Resource Pooling

In our SaaS environment we use the capability of our private cloud to provide computing and storage

resources. Our private cloud offers two hosting options in government-rated data centers:

1. Our secure, HIPAA-compliant CDS Data Center located in Columbia, South Carolina

2. Amazon Web Services facilities located in the USA

The customer, based on the features and cost, chooses the data center to use.

Rapid Elasticity Our SaaS offering is all encompassing. Though possible, there is no need in our SaaS solution for the

consumer to elastically provision or release capabilities, or scale rapidly outward and inward

commensurate with demand. Please refer to our response for “On-demand Self-Service” above for our

proactive approach.

We also offer flexibility in the number of concurrent users (i.e. user licenses) throughout the course of the

project. The number of subscribed users can be increased or decreased as required by the customer with

sixty days’ notice following implementation. This allows NASPO members to lower the number of

licensed users during periods of less activity for a savings in license costs. CDS will ask for a nominal

minimum commitment of licensed users. Our model is based on concurrent users. We offer unlimited

named users in the system.

What is the business benefit for the customer?

Accommodate seasonality in terms of software licenses

No need to pay for unused software licenses

No need to commit on a fixed number of software user licenses for

the entire year

Measured Service

Our SaaS offering provides a proactive approach to monitoring, controlling and reporting of our systems

to ensure transparency for our customers. Please refer to our response under “On-demand Self-Service”

above for our proactive approach.

Since this is a SaaS offer, we perform metering capabilities to control and optimize resources. Our

application software, DocFinity, includes monitoring features to effectively manage your business

processes at the management level:

BPM/Workflow that allows you to model, automate, execute, control, measure, optimize and

monitor your business processes.






7/6/2018

Page 7

Dashboards allow you to visually see how your business is running, enabling you to proactively

avoid bottlenecks and productivity losses. Dashboards allow you to monitor DocFinity and other

business systems in real-time.

Please refer to section 20 of the Technical Response document under “Reporting and Analytical

Capabilities” for details about the monitoring features of our application software, DocFinity, that

effectively manage your business processes at the management level.

Our SaaS model is a secure, cloud-based, mature and proven environment. All managed services are

provided in a private cloud solution. We are capable of storing and securing low risk data, moderate risk

data and high risk data.

Our SaaS model includes ongoing technical support for all solution components: application software,

database, server operating software and server and storage hardware. We are responsible for maintenance,

repairs, warranty, security, anti-virus protection, backup and restore and disaster recovery related to any

server-level hardware or software. We take ownership of your project, under one contract, with a single

24/7/365 point of contact, leveraging our own corporate resources and no outsourced partners.

6 Best Practices 6.6

CDS has an established enterprise-wide information security program that ensures the confidentiality,

integrity and availability of customer information regardless of how it is created, distributed or stored.

This program is designed to meet NIST and HIPAA security and privacy requirements through a multi-

layered security structure. Security controls are implemented to protect all information assets, including

hardware, systems, software and data. The Information Security program addresses risk management of

information resources through adoption of preventive measures and controls designed to detect any errors

that occur. These controls ensure compliance with applicable federal legislation, policies and standards.

CDS recognizes the importance of being proactive in preventing any unauthorized use, access,

distribution or manipulation of the customer’s information. As part of this program, CDS maintains

policies and procedures regarding personal background screening, privacy and security training, data

security including data encryption, and violation reporting and incident response.

Background screenings are initiated by our Human Resources department and include all of the

referenced screening elements. Designated roles are subject to periodic criminal background

reinvestigation requirements. Providers of contractor/temporary staff ensure their staff passes the required

background screenings before they are assigned to CDS.

CDS has an established information security awareness and training program for all staff. At a minimum,

training is provided upon hire, prior to granting system access, and within 365 days thereafter. As

required based on job responsibilities, additional role-specific security awareness and training is provided.

In this training, the following security related items are reviewed:

Processes and procedures for reporting a security incident

Identification of confidential or sensitive information and the appropriate handling of this type of

information

Identification of insider threats and how to handle them

What information can and cannot be disclosed to others and the restrictions for disclosure

Penalties for violations of security policies






7/6/2018

Page 8

Data is safeguarded by:

Taking steps to ensure that the data is only accessed or able to be accessed by those having a

business need for the data

Monitoring systems to identify any attempts to compromise security

Ensuring that employees and contractors are trained to identify and address any attempts to

compromise security

Access to the systems and information is based on an employee’s or contractor’s position and requested

by the hiring manager. Any request for access outside of the norm must be justified and authorized. Upon

termination or an approved extended leave of absence, such as maternity leave or medical, access is

terminated on the last day of employment or first business day prior to the approved leave. If access is not

used within a prescribed number of days, access is automatically terminated. Periodically, managers are

provided with a report listing the access of each of their employees which they are required to verify is

still needed. These activities help to ensure that only the access needed to perform a job is being provided.

To gain access, the user has to use a password. Passwords are required to be changed at least every 30

days and immediately in the event of a known or suspected compromise and system installation.

Passwords must consist of a minimum of eight alphanumeric characters consisting of at least one number

and one special character. Users are locked-out after the a third incorrect consecutive log-on attempt and

are required to verify identification before the lock-out can be revoked. Data Security Administration

monitors invalid log-on and access violation reports to identify patterns or repeat offenders and reports

these findings to the appropriate level of management. Once access is gained, employees and contractors

are trained to lock their computers anytime they are away from their desks and to remove sensitive

information from desktops prior to stepping away from their desks, preventing insider unauthorized

access to data.

For data encryption, DocFinity uses SSL to encrypt data in transit. For data at rest, CDS’ Storage Area

Network solution will be FIPS 140-2 compliant.

CDS’ Security Operations uses enterprise security products to provide dynamic network monitoring and

notification. Security analysts monitor email alerts and management consoles daily to identify threats to

the CDS infrastructure. Security Operations reports any identified threats as information security events to

our 24/7/365 CDS Technology Support Center (TSC).

Monitoring consists of these functional categories:

Security – For infrastructure in CDS’ control, security monitoring is facilitated by our log

collection system. This system is fed by information from numerous systems including IDPs,

firewalls and anti-virus.

Infrastructure – Consists of Simple Network Management Protocol traps from devices and client-

assisted resource use information from servers.

CDS uses Intrusion Prevention Systems. These systems are utilized for network-based intrusion detection

and prevention and provide 24/7 monitoring for malicious activity. System security incidents, including

IDS alerts, are automatically logged within the SIEM console for review and resolution. The security

events are reviewed by Security Operations team members on a daily basis. All events are investigated

and actions are taken as necessary to identify and resolve the potential security incidents. If a potential

security incident is identified, the Security Operations team will follow the corporate incident response

plan.






7/6/2018

Page 9

All of these systems feed into our CDS TSC. If one of these monitoring systems detects a security event,

an automated system generates a trouble ticket and alerts the responsible technician of the problem.







7/6/2018

Page 10

Appendix A – Audited Financial Statements [REDACTED]

6.3







7/6/2018

Page 11







7/6/2018

Page 12







7/6/2018

Page 13







7/6/2018

Page 14







7/6/2018

Page 15







7/6/2018

Page 16







7/6/2018

Page 17







7/6/2018

Page 18







7/6/2018

Page 19







7/6/2018

Page 20







7/6/2018

Page 21







7/6/2018

Page 22







7/6/2018

Page 23







7/6/2018

Page 24







7/6/2018

Page 25



Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions REDACTED COPY - Organization and Staffing July 6, 2018








REDACTED COPY - Organization and Staffing


7/6/2018

Page i

Table of Contents


Organization and Staffing .......................................................................................................................... 1

1 Contract Manager ............................................................................................................................. 1

1.1 Contact Information ............................................................................................................... 1

1.2 Experience .............................................................................................................................. 1

1.3 Roles and Responsibilities ..................................................................................................... 1

Appendix A – Contract Manager Résumé [REDACTED] ...................................................................... 3






7/6/2018

Page 1

Organization and Staffing

3.10, 7

1 Contract Manager 7.1

If awarded a Master Agreement, CDS selects Ms. Vanessa Holmes as the NASPO ValuePoint Master

Agreement Contract Manager. Ms. Holmes’ experience managing contracts includes those for cloud

solutions.

1.1 Contact Information

7.1.1

Ms. Holmes’ contact information is:

Vanessa Holmes

NASPO ValuePoint Master Agreement Contract Manager

Companion Data Services

2401 Faraway Drive, AF-789

Columbia, SC 29219

Phone Number: 803-264-4793

Email: [email protected]

Work Hours: Monday through Friday, 8:00 a.m. – 5:00 p.m. Eastern Standard Time

1.2 Experience

7.1.2

As a Companion Data Services, LLC (CDS) Contracts and Pricing Administrator, Ms. Holmes is

committed to service excellence. She ensures contractual obligations are met and compliance maintained

with mandatory governmental regulations, applicable laws and corporate policies and procedures. Her

proven contract administration experience ensures compliance with contractual obligations of the NASPO

ValuePoint Master Agreement contract. She has more than 10 years of federal contract administration

experience interpreting Federal Acquisition Regulation (FAR) and Defense Federal Acquisition

Regulation and has served as a Warranted Contracting Officer. Please refer to Ms. Holmes’ résumé in

Appendix A.

1.3 Roles and Responsibilities

7.1.3

CDS developed and established a key system of internal controls that are an inherent part of our contract

administration processes and procedures. These controls are interwoven into the daily aspects of how we

manage contractual relationships, and are designed to ensure that contract management duties are

executed in an accurate, timely and efficient manner. These internal controls further serve to promote

consistency throughout the contract lifecycle, and mitigate risks to organization and contract

performance.

The roles and responsibilities of the contract manager are comprehensive, and require engagement and

coordination with other program stakeholders outlined in section 3.1, Working with Purchasing Entities,

of the Technical Response document. Ms. Holmes will overlook several key processes and procedures

that will ensure effective contract engagement and management throughout the term of the NASPO

master agreement. These processes include, but are not limited to the following:

Administrative compliance and contract modifications

Processing and adhering to supplemental agreements



mailto:[email protected]




7/6/2018

Page 2

Contract performance oversight and acceptance

Receiving and processing customer requests

Effective billing and invoicing techniques aided by our Cost Accounting Standards and Generally

Accepted Accounting Principles-compliant accounting system







7/6/2018

Page 3

Appendix A – Contract Manager Résumé [REDACTED]

7.1.2

Vanessa Holmes NASPO ValuePoint Master Agreement Contract Manager Summary of Experience

As CDS’ Contracts and Pricing Support, Vanessa Holmes is committed to service excellence. Mrs.

Homes ensures contractual obligations are met and compliance maintained with mandatory governmental

regulations, applicable laws and corporate policies and procedures. Her proven contract administration

experience ensures compliance with the contractual obligations of the NASPO ValuePoint Master

Agreement contract.

Relevance of Experience to Proposed Role

More than 10 years of federal contract administration experience

Extensive experience in applying statutory requirements including regulations, policies, and

procedures to all acquisitions

Extensive experience researching and interpreting the FAR and Defense Federal Acquisition

Regulation

Served as a Warranted Contracting Officer stateside and overseas

Proven civilian and military contracting background

Industry Experience

Number of years in the government contracting industry: 10

Number of years of federal contract administration: 10

Employment History

Companion Data Services 2017 to Present

Contract Administrator

Works as primary point of contact for federal contractual matters related to assigned contracts and

subcontracts.

Reviews contractual documents for accuracy, performance risk and conformance with contract

terms, conditions and other provisions including applicable federal regulations and business team

objectives prior to signature/acceptance.

Leads the maintenance of contract files using contract management software to ensure

completeness and accuracy of information.

Manages contract activities to ensure assigned contracts with the United States government and

other customers are in compliance with federal, state and commercial regulations.

Monitors contract requirements to ensure quality and timely delivery of reports and information

for internal management and external customer requirements.

Reviews and approves monthly invoices for each contract.

Works closely with internal pricing specialists to review related cost inputs, assumptions and final

pricing recommendations.

Researching and interpreting the FAR to determine the extent of relevance to particular

contracting actions.







7/6/2018

Page 4

United States Property and Fiscal Office (USPFO) for South Carolina 2006 to 2017

Contract Specialist (GS-9) 2006 to 2017

Warranted Contracting Officer (GS-11) 2009 to 2015

Performed pre-award and post-award actions in the Procurement Desktop-Defense contract

writing system.

Determined appropriate contract type, contract vehicle, applicable special provisions,

negotiations, set-aside requirements and determined fair and reasonableness as applied to specific

contracting actions.

Researched and interpreted the FAR to determine the extent of relevance to particular contracting

actions.

Educated and guided customers through procurement process, provided effective business

solutions, conducted market research/analysis and performed cost/price analysis.

Prepared contract modifications, administrative change orders and supporting documents for all

contract actions including termination.

Reviewed completed official contract file to determine all contractual actions were satisfied, no

pending administrative actions exist, all file documents were signed, no litigation actions were

pending and the contract was complete and ready to be closed.

South Carolina Army National Guard 2006 to present

1980th

Acquisition Team (CCT)

Contracting NCOIC (SFC/E7)

Serves as Contracting NCOIC in support of headquarters for training and mission support. Works

closely with the purchasing and contracting office to assist with contract administration on

multiple contracting requirements.

Deployed in 2011 to provided direct contracting support as a Warranted Contracting Officer for

the Expeditionary Contracting Command Balkans Regional Contracting Center in Kosovo.

Education

Bachelor of Science, Business Administration with a concentration in Finance, Benedict College,

Columbia, South Carolina

Various civilian and military contracting courses and continuous learning certificates obtained

from the Defense Acquisition University

Professional Memberships

Army Acquisition, Logistics and Technology Workforce

U.S. Army Acquisition Corps

Training and Certifications

DAWIA Level II Contracting Certification

Secret Security Clearance

Military Occupation Specialty 51C - Contracting NCOIC



Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Technical Response July 6, 2018








Technical Response


7/6/2018

Page i

Table of Contents

Table of Contents ........................................................................................................................................... i

List of Figures .............................................................................................................................................. iv

Acronyms ...................................................................................................................................................... v

Technical Response ...................................................................................................................................... 1

1 Technical Requirements ...................................................................................................................... 1

1.1 NIST Characteristics .............................................................................................................. 1

1.2 Willingness to Comply ........................................................................................................... 2

1.3 Offerings Adhere to Attachment D ........................................................................................ 3

2 Subcontractors ..................................................................................................................................... 4

2.1 Use of Subcontractor .............................................................................................................. 4

2.2 Subcontractor Involvement .................................................................................................... 4

2.3 Subcontractor Qualifications .................................................................................................. 4

3 Working with Purchasing Entities....................................................................................................... 4

3.1 Before, During and After a Data Breach ................................................................................ 4

3.2 Adware, Software and Marketing Push.................................................................................. 5

3.3 User Testing/Staging Environment ........................................................................................ 5

3.4 Accessibility ........................................................................................................................... 6

3.5 Web Browser Platforms ......................................................................................................... 6

3.6 Storage of Sensitive Information ........................................................................................... 6

3.7 Project Work Plans ................................................................................................................. 6

3.8 Service Updates ...................................................................................................................... 7

4 Customer Service ................................................................................................................................ 7

4.1 Ensure Excellent Customer Service ....................................................................................... 7

4.2 Customer Service Requirements .......................................................................................... 10

5 Security of Information ..................................................................................................................... 21

5.1 Measures to Protect Data ..................................................................................................... 21

5.2 Data Privacy and Security .................................................................................................... 22

5.3 Purchasing Entity’s User Accounts ...................................................................................... 23

6 Privacy and Security ......................................................................................................................... 23

6.1 NIST Compliance ................................................................................................................ 23

6.2 Security Certifications .......................................................................................................... 25

6.3 Security Practices ................................................................................................................. 26

6.4 Data Confidentiality Practices .............................................................................................. 27

6.5 Third-Party Attestations, Reports and Security Credentials ................................................ 28

6.6 Logging Process ................................................................................................................... 29

6.7 Restrict Visibility ................................................................................................................. 30

6.8 Security Incident Notification Process ................................................................................. 31

6.9 Security Controls for Server Isolation .................................................................................. 35




Technical Response


7/6/2018

Page ii

6.10 Security Technical Reference Architectures ........................................................................ 35

6.11 Employee Verification ......................................................................................................... 36

6.12 Data Confidentiality At Rest and In Transit ......................................................................... 36

6.13 Data Breach Notification Policies ........................................................................................ 36

7 Migration and Redeployment Plan .................................................................................................... 36

7.1 Service End of Life Activities .............................................................................................. 36

7.2 Return of Customer Data ..................................................................................................... 37

8 Service or Data Recovery .................................................................................................................. 37

8.1 Response to Situations ......................................................................................................... 37

8.2 Backup and Restore Methodologies ..................................................................................... 38

9 Data Protection .................................................................................................................................. 40

9.1 Encryption Technologies and Options ................................................................................. 40

9.2 Data Protection Agreement .................................................................................................. 40

9.3 Use of Data ........................................................................................................................... 40

10 Service Level Agreements ................................................................................................................ 41

10.1 Negotiable Service Level Agreement .................................................................................. 41

10.2 Sample Service Level Agreement ........................................................................................ 41

11 Data Disposal .................................................................................................................................... 42

12 Performance Measures and Reporting .............................................................................................. 42

12.1 Reliability and Uptime ......................................................................................................... 42

12.2 Standard Uptime Service...................................................................................................... 42

12.3 Performance Support Process .............................................................................................. 43

12.4 Service Level Agreement Remedies .................................................................................... 43

12.5 Planned Downtime ............................................................................................................... 43

12.6 Disaster Recovery Remedies ................................................................................................ 43

12.7 Sample Performance Report ................................................................................................ 43

12.8 Print Reports Locally ........................................................................................................... 44

12.9 On-demand Deployment Support ........................................................................................ 44

12.10 Scale-up and Scale-down ..................................................................................................... 44

13 Cloud Security Alliance .................................................................................................................... 45

13.1 CSA STAR Self-Assessment ............................................................................................... 45

13.2 Exhibits 1 and 2 to Attachment B ........................................................................................ 45

13.3 CSA STAR Attestation, Certification or Assessment .......................................................... 45

13.4 CSA STAR Continuous Monitoring .................................................................................... 45

14 Service Provisioning ......................................................................................................................... 45

14.1 Emergency or Rush Services ............................................................................................... 45

14.2 Lead-time for Provisioning .................................................................................................. 45

15 Back Up and Disaster Plan ................................................................................................................ 45

15.1 Legal Retention Periods and Disposition by Agency ........................................................... 45

15.2 Inherent Disaster Recovery Risks ........................................................................................ 46




Technical Response


7/6/2018

Page iii

15.3 Infrastructure to Support Multiple Data Centers .................................................................. 46

16 Hosting and Provisioning .................................................................................................................. 46

16.1 Cloud Hosting Provisioning Processes ................................................................................ 46

16.2 Tools Sets ............................................................................................................................. 47

17 Pre- and Post-Purchase Trial and Testing Periods ............................................................................ 48

17.1 Testing and Training Periods Offered .................................................................................. 48

17.2 Proof of Concept Environment for Evaluation .................................................................... 48

17.3 Training and Support............................................................................................................ 48

18 Integration and Customization .......................................................................................................... 48

18.1 Integration ............................................................................................................................ 48

18.2 Customization ...................................................................................................................... 48

19 Marketing Plan .................................................................................................................................. 49

20 Related Value-Added Services to Cloud Solutions ........................................................................... 50

21 Supporting Infrastructure .................................................................................................................. 72

21.1 Infrastructure Required ........................................................................................................ 72

21.2 Installation ............................................................................................................................ 73

Appendix A – Sample Project Timeline and Project Plan .......................................................................... 74




Technical Response


7/6/2018

Page iv

List of Figures

Figure 1. CDS Response Requirements ........................................................................................................ 9

Figure 2. Support Services .......................................................................................................................... 10

Figure 3. SaaS Implementation/Production Organization Chart ................................................................. 11

Figure 4. Professional Services Resources ................................................................................................. 16

Figure 5. SaaS Based Implementation Approach ....................................................................................... 18

Figure 6. Event Monitoring/Reporting Capabilities.................................................................................... 29

Figure 7. Incident Classification Category Cross Reference ...................................................................... 32

Figure 8. CDS Response Requirements ...................................................................................................... 42

Figure 9. Sample Dashboard ....................................................................................................................... 44

Figure 10. DocFinity Functional Overview ................................................................................................ 51

Figure 11. Sample User Administration Panel ............................................................................................ 53

Figure 12. Sample Mobile Input Panel ....................................................................................................... 54

Figure 13. Sample Screenshot of Capture and Indexing ............................................................................. 58

Figure 14. Sample Search Panel ................................................................................................................. 59

Figure 15. Sample Checklist Search Panel ................................................................................................. 60

Figure 16. Sample Document View with Annotation ................................................................................. 61

Figure 17. Sample eForm Design ............................................................................................................... 63

Figure 18. Process Designer Panel .............................................................................................................. 64

Figure 19. Sample Workflow Job Panel ..................................................................................................... 65

Figure 20. Records Management (Records Panel) ...................................................................................... 66

Figure 21. Records Management (File Plan Panel) .................................................................................... 67

Figure 22. Sample Dashboard ..................................................................................................................... 69

Figure 23. Auditing (Document Activities Panel) ...................................................................................... 70

Figure 24. Auditing (Search Documents Panel) ......................................................................................... 70




Technical Response


7/6/2018

Page v

Acronyms

AIIM Association for Information and Image Management

API Application Programming Interface

ATO Authority to Operate

AWS Amazon Web Services

BPM Business Process Management

CDS Companion Data Services, LLC

CMO Change Management Organization

CMS Centers for Medicare and Medicaid

COLD Computer Output to Laser Disc

COTS Commercial Off-the-Shelf

DMS Document Management System

DR Disaster Recovery

DRP Disaster Recovery Plan

EBS Elastic Block Store

ECM Enterprise Content Management

EOC Emergency Operations Center

EST Eastern Standard Time

FedRAMP Federal Risk and Authorization Management Program

FERPA Family Educational Rights and Privacy Act

FIPS Federal Information Processing Standard

FISMA Federal Information Security Management Act

HIPAA Health Insurance Portability and Accountability Act of 1996

HSM Hierarchical Storage Management

HTTPS Hyper Text Transfer Protocol Secure

IRP Incident Response Plan

ISO International Organization for Standardization

IT Information Technology

KPI Key Performance Indicators

LOB Line of Business

NAIC MAR National Association of Insurance Commissioners Model Audit Rule

OCR Optical Character Recognition

OIT Optical Image Technology

PCI Payment Card Industry

PHI Protected Health Information




Technical Response


7/6/2018

Page vi

PII Personally Identifiable Information

PM Project Manager

POC Point of Contact

RFP Request for Proposal

RPO Recovery Point Objective

RTO Recovery Time Objective

SaaS Software as a Service

SAN Storage Area Network

SLA Service Level Agreement

SQL Structured Query Language

SRCA Security Risk and Compliance Assurance

SSAE Statement on Standards for Attestation Engagements

TB Terabyte

TSC Technology Support Center

TSM Tivoli Storage Manager

UPS Uninterruptible Power Supply

URL Uniform Resource Locator




Technical Response


7/6/2018

Page 1

Technical Response

3.10, 8

1 Technical Requirements 8.1

1.1 NIST Characteristics

8.1.1

Companion Data Service’s (CDS) capabilities of deploying, maintaining and servicing our Software as a

Service (SaaS) subscription include the following characteristics of the NIST 800-145 Service Model:





terabyte (TB) of storage that is proactively managed and monitored. If the purchasing agency begins to

exceed this threshold, we will notify them in advance to plan ahead for the purchase of additional

capacity.









Resource Pooling



1. Our secure, Health Insurance Portability and Accountability Act of 1996 (HIPAA)-compliant

CDS Data Center located in Columbia, South Carolina

2. Amazon Web Services (AWS) facilities located in the USA





proactive approach.










Technical Response


7/6/2018

Page 2





the entire year

Measured Service







Business Process Management (BPM)/Workflow that allows you to model, automate, execute,

control, measure, optimize and monitor your business processes.




Please refer to Section 20 under “Reporting and Analytical Capabilities” for details about the monitoring

features of our application software, DocFinity, that effectively manage your business processes at the

management level.




1.2 Willingness to Comply

8.1.2

CDS will comply with the requirements in Attachments C and D.

CDS will support the entire project from the application software perspective as well. We offer strategic

and tactical services to help you set directions, take the right steps, stay on course, take corrective action

and install and implement, go-live and post go-live service and support. We are able to leverage access of

shared pool of resources, allowing us to rapidly provision and release resources with minimal

management effort or service provider interaction. This is beneficial because purchasing entities will not

have to manage or control the underlying cloud infrastructure including network, servers, operating

systems, storage, or even individual application capabilities.

From tips to tools, we offer everything you need to optimize the use of the DocFinity system and

maximize the success of implementation through:

Needs analysis and organizational assessment

Requirements gathering and implementation planning

System design, installation and implementation

Change management expertise

Needs-specific installation and configuration




Technical Response


7/6/2018

Page 3

Process engineering, BPM and workflow consulting and mapping

Software and systems integration

Document indexing analysis

Custom programming, designs and feature enhancements

Records life-cycle management

Disaster recovery

Operational consulting

Training

Within the scope of this proposal we introduce and discuss our next-generation, high-powered,

configurable commercial off-the-shelf (COTS) Enterprise Content Management (ECM)/BPM software

product, DocFinity®. DocFinity, our SaaS offering, aligns with the five essential characteristics defined in

Attachment D:

On-demand self-service

Broad network access

Resource pooling

Rapid elasticity

Measured service

Please refer to our response in Section 1.1 above for more details about how we meet the NIST essential

characteristics.




1.3 Offerings Adhere to Attachment D

8.1.3

Within the scope of this proposal we discuss our capabilities of providing a SaaS deployment model

under the terms of the Request for Proposal (RFP), featuring our next-generation, high-powered,

configurable COTS ECM/BPM software product, DocFinity®. Please refer to our response in Section 1.1

above for details about how DocFinity meets the five essential characteristics defined in Attachment D.

Our SaaS model includes ongoing technical support for all solution components: application software,

database, server operating software and server and storage hardware. We are responsible for maintenance,

repairs, warranty, security, anti-virus protection, backup and restore and disaster recovery related to any

server-level hardware or software. In addition to the interoperability, compatibility, supportability and life

cycle management of any server-level hardware or software component of our solution, we take

ownership of your project, under one contract, with a single 24/7/365 point of contact, leveraging our own

corporate resources and no outsourced partners.




Technical Response


7/6/2018

Page 4

2 Subcontractors 8.2

2.1 Use of Subcontractor

8.2.1

We provide all cloud solutions directly, utilizing our corporate resources. We do not use any

subcontractors. All research, development, testing activities as well as professional and technical services

including support, operations, security and administration are performed by our corporate employees

within the USA with no on shore, near-shore or off-shore outsourcing – ever. In case the purchasing

entity selects the private cloud option for SaaS deployment of DocFinity on Amazon Web Services or

another entity in the future, they are considered “vendors” rather than “subcontractors”, similar to those

entities selling hardware for our data center.

2.2 Subcontractor Involvement

8.2.2

As explained above in Section 2.1, we will not use any subcontractor to perform contract requirements.

2.3 Subcontractor Qualifications

8.2.3

As explained above in Sections 2.1 and 2.2, we will not use any subcontractor to perform contract

requirements.

3 Working with Purchasing Entities 8.3

3.1 Before, During and After a Data Breach

8.3.1

Personnel Though CDS has never had a data breach, if one were to occur the personnel involved before, during and

after include:

CDS Technology Support Center (TSC) staff

Executive Management

Privacy Officer

Contract Manager

Client Advocate

Information Security Incident Response Team

Ms. Vanessa Holmes is the NASPO ValuePoint Master Agreement Contract Manager. The roles and

responsibilities of the contract manager are comprehensive, and require engagement and coordination

with other program stakeholders outlined above. Ms. Holmes will overlook several key processes and

procedures that will ensure effective contract engagement and management throughout the term of the

NASPO master agreement.

The Client Advocate would be responsible for communications with the purchasing entities during the

various stages of a data breach.

The stages of incident handling are:

Preparation

Detection and Analysis

Containment, Eradication and Recovery




Technical Response


7/6/2018

Page 5

Post-Incident Activity

Response Times CDS will report a security incident to the point of contact (POC) identified by the Purchasing Entity

immediately without reasonable delay as defined in the Service Level Agreement (SLA).

Processes and Timelines If it is confirmed that there is or we reasonably believe there has been a data breach, CDS will promptly

notify the appropriate Purchasing Entity POC within 24 hours or sooner by telephone, unless a shorter

time is required by applicable law. CDS will cooperate with the Purchasing Entity to investigate and

resolve the data breach, promptly implement necessary remedial measures and document our responsive

actions taken. The documentation will include any post-incident review of events and actions taken to

make changes in business practices in providing the services, if applicable.

Methods of Communication and Assistance CDS will notify the designated Purchasing Entity POC by telephone in accordance with the agreed upon

security plan or security procedures if it is confirmed that there is or we reasonably believe if there has

been a data breach.

Other Vital Information CDS will update and incorporate Purchasing Entity POC information in our established Incident

Response Plan (IRP). Please refer to Section 6.8 for detailed information about our IRP.

3.2 Adware, Software and Marketing Push

8.3.2

CDS will not engage in or permit any employees to push adware, software or marketing not explicitly

authorized by the Participating Entity or the Master Agreement.

CDS adheres to a strict whitelist software policy. Servers are configured so that only those with

administrator privileges may install software. CDS policy states that only approved software may be

installed on the network. In addition, CDS utilizes an extensive change management process. The Change

Management Organization (CMO) ensures that alterations to the hardware and software in the system and

network are approved by management and scheduled in advance.

The CMO collects all Requests for Change requests for a given change cycle, publishes the report of

proposed changes and presents those changes to required parties at the change management meeting. The

security impact analysis is reviewed and approved before changes are implemented. After a change is

implemented, the documents are retained for review and audit purposes.

3.3 User Testing/Staging Environment

8.3.3

All SaaS customers are provided a test and quality assurance environment in addition to the production

environment at no additional cost. The test and quality assurance region will be used for unit testing and

user acceptance testing of all new major and minor releases. The production environment is not upgraded

until the customer gives final approval on validation and testing. Additional nonproduction environments

for purposes like training, validation, pre-production, etc. are available at a nominal fee.




Technical Response


7/6/2018

Page 6

3.4 Accessibility

8.3.4

We maintain and deliver upon an ever evolving roadmap of new features and enhancements such as the

Public Gateway/Portal Self-Service Gateway module, and our accessibility features that are compliant

with WCAG 2.0 Level AA Accessibility Compliance Standards for impaired system users.

We support Section 508 of the Rehabilitation Act. We are ready to provide more information in case there

are specific questions or a declaration form to be completed.

3.5 Web Browser Platforms

8.3.5

All functionality is available through the most common web browsers. DocFinity is 100 percent web

based including administration panels and system configuration. Our customer base uses both Windows

PC and Apple Mac computers and mobile devices. This results in a wide range of fully supported systems

and browsers, including desktop, laptop and mobile devices, both phone and tablet sized.

DocFinity 11 has been tested and works with these browsers:

Internet Explorer 10, 11

Microsoft Edge 38

Firefox ESR 38, 45

Chrome 45, 46

Safari 7, 8, 9

JavaScript and Cookies must be enabled on the client browser.

3.6 Storage of Sensitive Information

8.3.6

Prior to the execution of a SLA, CDS will schedule a face-to-face project kick-off meeting with the

Purchasing Entity. The Professional Services team will travel onsite to work with the customer project

team. The purpose of the meeting is to provide direction for the DocFinity deployment, identify any

technical issues or risk factors and address the storage of any sensitive and personal information.

3.7 Project Work Plans

8.3.7

Work plans are derived from a project kickoff meeting that describes all of the planning documents and

establishes roles and timelines. The customer’s first deployment of DocFinity involves product training,

system installation and first-time repository and process designs. The steps and scope for DocFinity

resources are known before the kickoff meeting, but most of those tasks are dependent on the customer

finishing, reviewing and approving designs.

The system is guided by a system design document that outlines the document taxonomy, security and

retention of the repository. Processes are designed by first documenting the requirements for the

automated process, and then detailed design documents are created after design work between the

customer and analyst. Once documents are created, the customer must approve all designs before any

configuration changes are implemented. After designs are completed, configuration and testing can be

estimated and delivered on time.




Technical Response


7/6/2018

Page 7

Please refer to Section 4.2 (d) for detailed information about our professional services, roles and

responsibilities of each party and implementation timelines.

3.8 Service Updates

8.3.8

Offeror’s Services Continue to Meet Requirements

DocFinity is continually evolving to improve its capabilities and efficiencies. Generally all features

remain or are enhanced between versions and technology upgrades. When a specific feature is removed it

is because it is no longer needed, often because a new improved feature takes its place. Overall

functionality is not lost on upgrades.

Updates to DocFinity versions are quick and should fall within the agreed upon maintenance window so

system availability is also not affected.

Offeror Maintains Discounts

The CDS accounting system allows for accurate and timely tracking of company expenses and their

related fluctuations in the face of periodic technology changes. We will foster and maintain close

communication with NASPO and applicable Purchasing Entities to ensure proper awareness of changes to

our commercially published price lists in response to the impact of major technology changes on market

conditions. CDS is fully aware of the requirement to honor discount percentages as agreed-upon in the

pending master agreement.

Offeror Reports Changes and Makes Recommendations

In a SaaS-based implementation, the purchasing entities will not pay for any future DocFinity upgrades,

bug fixes or product enhancements unless an additional feature is requested. However, our commitment

regarding updates and upgrades extends beyond the DocFinity application software; it covers any server-

level software including the operating system, database, runtime modules, drivers and firmware. We

ensure that the latest official release of each server-level software component is supported and proven,

tested and approved to be interoperable. We deliver updates on a schedule consistent with the final

service level obligations defined in the final contract. For all other software or hardware components of

our solution, such as the database and operating system, we follow the original manufacturers’ upgrade

and update schedules.

Offeror Provides Transition Support

Any change to the service is always first applied to a customer’s test environment and then tested and

validated by the customer as acceptable before the change is promoted to the customer’s production

environment. We work with our customers to schedule upgrade activities so that the customer always

tests updated releases to ensure their operations will not be negatively impacted.

4 Customer Service 8.4

4.1 Ensure Excellent Customer Service

8.4.1

Quality Assurance Measures

The CDS Technology Support Center (TSC) help desk is located in Columbia, South Carolina. It operates

24/7/365, with a monitored web submission process for customers to submit issues and open tickets.

Technical support representatives will answer calls and work with the customer to quickly resolve issues.

A designated point of contact (POC) technical support representative is assigned to each customer to track

and manage tickets. Supporting your technical support representative is a team of engineers to address

severe issues. The Support Engineer team works with your help desk representative to ensure fast service




Technical Response


7/6/2018

Page 8

and to develop and maintain trouble shooting utilities and programs. Procedures exist for issue escalation

to other internal teams such as development, testing and professional services.

The following quality assurance measures are in place to ensure we provide excellent customer service

and the best support possible:

The CDS TSC records phone calls for review by management to ensure quality, accuracy and

effectiveness.

CDS TSC management reviews tickets and contacts notes for accuracy and timely entry, update

and closure.

Review, reporting and escalation procedures are in place for any outstanding tickets exceeding

time thresholds.

Management calibrates their reviews of the calls to ensure consistency in service and

performance.

We do not outsource our customer support or help desk operations to any entity outside our corporate

structure. All support is provided by our U.S.-based corporate employees. The CDS TSC has been

nationally recognized by the Service Quality Management Group for first call resolution efforts that are

measured against world renowned brands such as FedEx, American Express and Marriott.

Figure 1 depicts a typical response and resolution time chart for generic use in incident reporting. The

chart is provided for problem reporting only, providing an answer to a question may take a shorter time.

We will work with the customer to modify these response times or other proposed SLAs to comply with

the customer’s requirements, laws or terms and conditions that are not in your best interest.

CDS Severity/Priority Levels CDS Response

Time Standards Resolution Path/Goals (Escalation)

1 – Severe




2 – High




3 – Medium

The system or application issue is not critical. The system has not failed. The issue has been






Technical Response


7/6/2018

Page 9

CDS Severity/Priority Levels CDS Response

Time Standards Resolution Path/Goals (Escalation)

identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.

4 – Low




Figure 1. CDS Response Requirements

Figure 2 provides additional information about our support services.

On-Site Support

As needed throughout the lifetime of the SaaS-based contract at no additional cost to the customer.

Because the application software will reside on the server platform we provision and operate in a SaaS-based implementation, there will be almost no need for on-site support after the go-live date. On-site support will only be provided in cases where the issue could not be resolved at the server level. All on-site support will be provided by our corporate employees, usually based in Pennsylvania or South Carolina.

Telephone

Support

Throughout the lifetime of the SaaS-based contract at no additional cost to the customer.

We maintain a fully staffed, large-scale Technology Support Center using state of the art tools including Computer Telephony Integration, Interactive Voice Responder and web chat technologies. We do not outsource our customer support or help desk operations. The CDS TSC operates 24/7/365 to support government and commercial customers. The CDS TSC assists millions of end-plan-member, business and government users. We support government and commercial contracts with strict SLA requirements. There is no scheduled downtime.

Future

Upgrades, Bug

Fixes, Patches

and Product

Enhancements

Provided throughout the lifetime of the SaaS-based contract at no additional cost to the customer, unless an additional feature is requested.

In a SaaS-based implementation, the customer will not pay for any future DocFinity upgrades, bug fixes or product enhancements unless an additional feature is requested. Our commitment extends beyond the DocFinity application software; it covers any server-level software including the operating system, database, runtime modules, drivers and firmware.

In a SaaS-based implementation, we will ensure that the customer uses the latest official release of each server-level software component that is supported and proven, tested and approved to be interoperable.

In a SaaS deployment, we will deliver on a schedule consistent with the final service level obligations defined in the final contract.




Technical Response


7/6/2018

Page 10

For all other software or hardware components of our solution, such as the database and operating system, we will follow the original manufacturers’ upgrade and update schedules.

Support

Provided for

Third party

Solutions

CDS is fully responsible throughout the lifetime of the SaaS-based contract.

CDS assumes full responsibility of any server-level component of the solution proposed including third party software and hardware products (if any) throughout the lifetime of a SaaS-based service contract. We will be the main point of contact for any support-related task or request.

Figure 2. Support Services

Escalation Plan

As mentioned above, our CDS TSC is available 24/7/365. The representative will assist you with any

logging any technical issues and addressing problems or complaints. Procedures are in place for issue

escalation to other internal teams such as development, testing and professional services in order to

provide you timely resolution.

Service Level Agreement

Service availability in our SaaS based deployment is 24/7/365 with the exception of downtime for

maintenance as noted below. Service availability is committed to be a minimum 99.5 percent as measured

on a monthly basis. Every Sunday from 5:00 p.m. to 10:00 p.m. Eastern Standard Time (EST) is the

maintenance period used for all system software (other than the application software) and hardware

upgrades. Every Wednesday from 5:00 a.m. to 7:00 a.m. EST is the maintenance period for updating the

application software.

4.2 Customer Service Requirements

8.4.2

We know the type and quality of support you receive is as important as the software you implement. We

have been providing support to DocFinity customers for more than 30 years. We partner with our

customers to find the best ways to meet their needs and provide them with the individual attention they

deserve. That is why we consistently retain more than 98 percent of our customers year after year. And

we typically earn 97-98 percent customer-satisfaction rates in anonymous, third-party surveys conducted

annually.

Lead Representative 8.4.2 (a)

We structured the Implementation and Production Support teams as outlined in Figure 3. The client

advocate will be the primary POC for the customer beginning with contract award and continuing

throughout the life of the contract. In addition to the support of the client advocate, technical support will

be provided through the CDS help desk and application support from our Document Management

Software Development division, Optical Image Technology (OIT).




Technical Response


7/6/2018

Page 11

Figure 3. SaaS Implementation/Production Organization Chart

Our team will be led by Michelle Mack as your client advocate. We understand it is important for you as

a valued customer to have a single POC for interaction with CDS. Ms. Mack will be that single POC to

ensure communications, between the customer’s staff and our team, are timely and responsive to your

requests, guidance and questions.

Our team also includes subject matter experts with years of experience in similar implementations. This

experience includes knowledge of the DocFinity software, project management, business requirements

analysis and solutioning and technical support.

Background information on the key personnel assigned to the roles of client advocate and implementation

project manager and the implementation team is provided below.

CLIENT ADVOCATE – MICHELLE MACK

Summary of Experience

Michelle Mack has more than 26 years of Information Technology (IT) experience. Her years of

experience in hosting operations, planning, coordination and process improvement initiatives will

significantly contribute to the successful execution of this effort. Ms. Mack fulfilled several roles that

required close coordination with internal customers, vendors and technical staff. Her leadership, planning

and technical knowledge enable her to deliver successful strategic solutions that involve people, processes

and technology. She has demonstrated ability to collaborate with customers to understand core processes

and meet desired goals, objectives and influence positive outcomes. Her leadership and experience in

hosting operations shows she has the level of experience and knowledge required to perform in this role.

Michelle Mack

Client Advocate/POC

Cory Benson

Implementation Project Lead

Technical Support

CDS Help Desk

Mike Pelesky

Integration/ProgrammerRyan Koehle

Implementation Analyst

Harold Hockman

Solution ArchitectJacob Shafer

Business Analyst

Cindy Scheider

Training

Jason Davoli

Application Support/SaaS Administrator

Implementation Team Production Support

Project Leadership/Account Manager

Implementation Staff

Training Lead

Technical Support

Application Support

Customer




Technical Response


7/6/2018

Page 12

IMPLEMENTATION PROJECT MANAGER – CORY BENSON


Mr. Benson is an experienced IT professional with more than 10 years of successful planning, managing,

designing, implementing and supporting diverse technology solutions that improve business processes

and functionality. Mr. Benson has managed projects from research and design through project

implementation. He coordinates and manages team resources and personnel to meet project deliverables

and drives projects to successful completion. This includes creating project plans, monitoring project risks

and scope to identify problems and proactively identify solutions. He manages all customer expectations

by delivering the highest quality service. Other areas of expertise include: system migrations and

integrations, ECM system administration and business process modeling.

SOLUTION ARCHITECT – HAROLD HOCKMAN


Mr. Hockman established vision and plan for a DocFinity Professional Services team to meet the growing

demand of larger customer sites for highly customized, cutting-edge products and services and created the

position requirements and on-the-job training needed to meet the needs of customers. He helped multiple

insurance, health care, financial, education, government and other customers to meet their own client

demands, cut costs and improve services. He accomplished this by listening to customers’ unique needs

and creating the development specifications, project plans and services required to ensure their needs and

expectations were met or exceeded.

BUSINESS ANALYST – JACOB SHAFER


Mr. Shafer is an experienced IT professional with a 15 year track record of success. He is an expert in

applying document management and workflow knowledge in support of forward-facing companies. He

evaluates the ECM needs of businesses, maps the best possible system design strategy relevant to

professional services and customizes the overall scale and shape of DocFinity to fit each customer’s

circumstances.

PROGRAMMER/INTEGRATION ANALYST – MICHAEL PELESKY


Mr. Pelesky is a dedicated software engineering professional with more than 20 years of IT experience

performing and managing full system development lifecycle projects. He has the knowledge and ability to

balance formal approaches with agile development techniques to produce high-quality software. He

provides value-added services to new and existing customers through custom integrations of the

DocFinity product suite and industry specific line of business applications. He provides client support in

the areas of resource assessment and allocation, risk mitigation, configuration management, system

integration and quality assurance.

IMPLEMENTATION ANALYST – RYAN KOEHLE


Mr. Koehle joined OIT seven years ago on graduation from college. He is responsible for understanding

the customer environment parameters and methodology by which the DocFinity software will function.

He works closely with customer project teams to evaluate and establish the specifics of the installation

and configuration, enabling DocFinity to be tailored to the customer’s systems and procedures. His skills

include networking and telecommunications, IT project management, storage networking and network

and IT security management.

DOCFINITY CLOUD APPLICATION SUPPORT – JASON DAVOLI (LEAD)





Technical Response


7/6/2018

Page 13

Jason Davoli is a member of the DocFinity Cloud team, a team composed of members with years of

experience supporting and maintaining customer environments. He has worked with on premise and cloud

(SaaS) customers as well as internal environments. For security purposes, roles and responsibilities are

spread out across the team. He provides DocFinity System Administration and environment maintenance

in the data center and ensures environment uptime, performance and security. He also manages the

DocFinity applications and supports end users. He has specific experience in Amazon Web Service,

Windows and Linux operating systems, Oracle databases and application programming interface (API),

web services and data source integration.

Customer Service Hours of Operation 8.4.2 (b)

The CDS Technology Support Center (TSC) located in Columbia, South Carolina operates 24/7/365. A

customer service representative will be available by phone during the required times. Please refer to

Section 4.1 for more details about our customer service.

Customer Service Response Time 8.4.2 (c)

The CDS TSC located in Columbia, South Carolina operates 24/7/365. A customer service representative

will respond to inquiries within one business day. Please refer to Figure 1 in Section 4.1 for details about

incident resolution times.

Design Services

8.4.2 (d)

We offer a high-powered, next-generation software product. DocFinity is a complete COTS product

which will meet your requirements out-of-the-box, with no customization through source code

modification. DocFinity is simply configured by the user, based on the customer’s unique needs.

We support all our implementation projects with professional services to ensure success. In today’s

sophisticated business requirements, almost all IT-related projects have a direct impact on the

effectiveness of the operation as well as financials on the customer’s side. The professional services we

provide are critical to establishing and sustaining long-term customer relationships.

General Approach to Design, Configuration and Implementation

In order to ensure a successful deployment, we offer strategic and tactical services to help you set

directions, take the right steps, stay on course, take corrective action and if necessary, install and

implement, go-live and post go-live service and support. From tips to tools, we offer everything you need

to optimize the use of the DocFinity system and maximize the success of implementation through:

Needs analysis and organizational assessment

Requirements gathering and implementation planning

System design, installation and implementation

Change management expertise

Needs-specific installation and configuration

Process engineering, Business Process Management (BPM) and workflow consulting and

mapping

Software and systems integration

Document indexing analysis




Technical Response


7/6/2018

Page 14

Custom programming, designs and feature enhancements

Records life-cycle management

Disaster recovery

Operational consulting

Training

We do on-site and remote implementations; with most projects being a blend of the two. We work with

customers to deliver implementation services in a cost-effective manner that meets their specific needs.

Remote support is provided through the facilities in State College, Pennsylvania, or Columbia, South

Carolina depending on the task.

We never stop enhancing DocFinity with the features and functionality from which our customers benefit.

We will keep you informed about the items in development and make it easy to request features, report

issues and get help. As a customer, you have access to full documentation for the entire DocFinity Suite

including implementation instructions and best practices from fellow DocFinity users.

Roles and Responsibilities

Our services team will work with the customer’s project leadership team to establish the project and

staffing plans. Project management is a joint effort between the customer’s project manager and CDS’

client advocate, together they handle customer resource allocations and project updates. Project change

management is addressed during project updates or any critical path change where an agreed on

deliverable or approach may change. Once the project’s critical path, milestones and deliverables are

established, changes to the implementation plan will be documented. CDS’ client advocate will be

responsible for allocating resources and laying out the project plan according to best practices to ensure a

successful deployment. In addition to the project’s implementation plan, thorough system design

documents are generated with a complete Implementation Project plan.

CDS’ client advocate also has responsibility for oversight of all project management activities such as

maintaining the project plan and all other plan deliverables, status reporting to include issues tracking and

timely resolution. The customer will use the client advocate as the primary point of contact throughout

implementation and ongoing production support.

We anticipate involvement of the following customer resources:

Project Manager (PM): Represents customer management and project stakeholders and coordinates and

organizes efforts between CDS personnel, the customer project team, stakeholders and line of business

(LOB) managers and system users with the goal of driving successful completion of the project. The PM

works to ensure good communication and efficient interaction between CDS personnel and the customer

project team to resolve conflicting situations that could inhibit progress and successful project

completion. Appropriately available to CDS personnel to assist and work toward project closure and

success.

Systems Administrator/Analyst: This role is optional and will have very limited involvement in a SaaS

based deployment.

Network Administrator/Analyst (only during the implementation phase): Responsible for

implementing, maintaining and supporting the customer computing infrastructure, and providing a

working knowledge of network security, user account management, email systems and servers, internet




Technical Response


7/6/2018

Page 15

access and servers, office systems and applications. Appropriately available to CDS personnel to assist

and work toward project closure and success.

Document and Data Knowledge/Solutions Architect: This staff member needs to know how, where

and why documents and data are generated and used in the customer’s business process. With a thorough

understanding of how system users need to search and retrieve documents and data, and then use the

documents and data to complete tasks and processes. In addition, having the ability to assist with business

requirements and create the appropriate information architecture, taxonomy and solution approach; to

work with users, management and executives to expand the use of the DocFinity solution; and to guide

the solution design and fit to solve business process challenges and address overall customer strategy.

Appropriately available to CDS personnel to assist and work toward project closure and success.

Line of Business Knowledge Analyst: Knowledge and understanding of the business issues and

document and data challenges related to the LOB process for which DocFinity is being implemented. Has

knowledge and understanding of the application user strength and weaknesses. Thorough knowledge of

the LOB processing and workflow requirements inclusive of compliance needs. Assists in developing and

fitting of system design to fit LOB purpose. Appropriately available to CDS personnel to assist and work

toward project closure and success.

In a typical implementation, to ensure the successful delivery of the professional services outlined in this

section, we use the staffing resources and their corresponding responsibilities described in Figure 4.

Tasks

The Professional Services team offers specialized services that address the unique needs of organizations

in relation to electronic document, records and business process and workflow management. We provide

personalized consulting, configuration, business process and workflow analysis and improvement. We

can also assist with customized integration to address changing needs as your organization and

requirements grow. Professional services include the following tasks. However, the necessity and

intensity of the tasks in an actual implementation depends on many factors including the project’s

sophistication level, integration requirements and others.

Requirements Planning and Design

Kickoff Meeting: Members of the Professional Services team will travel onsite to work with the

customer project team for a face-to-face project kickoff meeting. This visit will help establish the best

method for adding the DocFinity software stack to the business environment. The meeting will also help

identify any potential technical issues and risk factors. Most importantly, the meeting’s purpose is to

provide an overall direction for DocFinity deployment decisions. Specific milestones and project timeline

will be defined and a project communication plan.

System and Implementation Design: The design will include developing document taxonomy

(document categories, document types and metadata) to support a successful deployment. Also included

in design is creation of searches for efficient retrieval of documents and data and to ensure proper security

and accessibility are set up for these confidential documents. Once the teams agree to a design, those

items will be constructed in the test and quality assurance region.




Technical Response


7/6/2018

Page 16

Role Project Manager System Engineer Implementation

Analyst Business

Process Analyst Trainer

Ex

pe

rtis

e

Solution Project Management

Industry & Operations Functionality

Field Implementation & Application Functionality

Business Process Development

User Education and Working Knowledge

Res

po

ns

ibil

itie

s

Serves as primary point of contact throughout the project Manages all phases of the project: Coordinates all

project meetings Maintains all

reports and tracking tools

Directs all communication

Tracks project performance: Schedule Cost Quality Risk indicators Team success

Collects and distributes customer information: Provides

status updates Conducts

discovery meetings and interviews

Facilitates risk planning and monitoring

Documents the customer’s: Requirements Expectations System

requirements Change control

process

Configures application: On-site

configuration of application

Pre-implementation application testing

Customization Conducts on-site: System

implementation Application

testing and parallel testing

Administrative training

Status reports Production

transition

Provides business process consulting to aid in product use Interviews staff and establishes: Existing

workflows Workflows that

need to be created

Key business processes

Designs and develops workflows based on need and desire

Provides end-user product training: Offers

established course options depending on needs

Provides customized curricula based on customer request

Makes training available on-site, at CDS offices or through the web

Provides a working knowledge of all applications

Res

ult

s

Complete project documentation: Statement of

Work Change Control Action item list Status reports Project schedule

A project that matches expectations (per the RFP)

Discovery meetings that shape the project, facilitated by CDS Customer requirements document that guide the project, facilitated by CDS Requirements issues are resolved quickly System design document to guide the customer

DocFinity software is correctly configured and installed Administrators are trained how to use the system On-site issues are resolved quickly A collaborative implementation design document that is designed by your team, facilitated by CDS

A functional workflow design Streamlined business practices

End users are comfortable using the system when training is complete All project knowledge is transferred successfully to the customer

Figure 4. Professional Services Resources

Intelligent Capture Consulting: This stage is dedicated to the determination of the data that will be

automatically extracted from the scanned or imported documents using the Optical Character Recognition

(OCR) feature, regardless of whether the data resides in defined regions or in the document. Also,

Intelligent Capture allows the system to automatically start a workflow (business process) based on the

data captured from the document scanned or imported. Although the Enterprise Search (Full-Text Search)

virtually allows any document to be searched by the actual content, Intelligent Capture offers much more.

To take full advantage of Intelligent Capture, we will work together to determine what the feature is




Technical Response


7/6/2018

Page 17

expected to search for in the documents entered, and what type of workflows are to be initiated. The

success of this stage is critical and will provide valuable input to the next phase, Business Process

Engineering.

Business Process Engineering

We provide shoulder-to-shoulder consulting and services to verify existing business processes and

workflows. We then provide document inventories and flowchart diagrams, making customer processes

more efficient and ease the transition to electronic document management and electronic processing of

business processes/workflows. In addition, we help customers create and execute test cases for workflow

projects prior to implementing flows in a production environment. This step includes BPM analysis and

design. The customer’s existing and desired business processes will be analyzed in detail. The objective is

to optimize the processes from a business flow perspective and automate them using the BPM/Workflow

feature of DocFinity.

Systems Engineering

Systems Engineering includes installation and configuration of designed systems and integration

consulting.

Installation and Configuration of designed systems: The application program and the database

and any other component needed in a SaaS deployment will be installed by CDS. The system will

be configured per the requirements of the RFP and outcomes of the System and Implementation

Design, Intelligent Capture Consulting and Business Process Engineering phases. No source code

modification will be performed.

Integration Consulting: CDS will provide consulting and integration services within the scope

of the RFP and contract signed. To do this, we will require cooperation and collaboration of the

customer and the original developer of the software existing in the customer’s premises.

Project Management

Project Management includes the following tasks:

Project planning: Project planning is essential to the overall success of any project. You will

benefit from our high level of technical and business expertise. Project discovery, design and

review of hardware requirements serve to define and outline clear expectations. Together with the

customers, we identify project phases, set timelines and recognize key milestones. Indexing plans

are created to eliminate the frustration that is associated with unsuccessful document retrieval,

security and retention.

Project Management: CDS will provide a project manager for the entire duration of the project.

The project manager will be responsible for coordinating the project between CDS and the

customer. The project manager will manage CDS project resources, milestones and customer

expectations for the duration of the project. Unless agreed upon otherwise, there will be a weekly

call with the CDS project team and customer team to work towards agreed upon milestones and

activities. Any time remaining after the go-live date will be used for support or minor changes.

Go-Live Support: The CDS DocFinity Implementation team will provide support when the

system is made available to users to ensure the application is functioning as planned and the

workflows are progressing as designed.




Technical Response


7/6/2018

Page 18

Testing

Before DocFinity is installed and activated in a production environment, the system must be tested by

customer personnel. Often, configuration changes can be made to further customize the solution to fit the

customer’s exact needs. This task provides time for DocFinity personnel to work with the customer to

discover any changes and perform the required customizations prior to go live. The test and quality

assurance region will be used for unit testing and user acceptance testing. This is when end-users are

trained on the new platform. This stage includes the final approval of the design and configuration.

Finally, the system will be promoted into the production instance.

Risk assessment, change management and disaster recovery

Professional services help customers develop a risk assessment plan regarding procedures for personnel

changes, unmet deadlines, cost changes or other calculated but unwanted risks. Communication strategies

and change management plans help the customer embrace new IT projects at all levels. Data recovery

plans are developed in the event of a natural or man-made disaster. CDS works with customers to

prioritize which information is needed most and explain the effects of each step in the plan.

Project Stages

Figure 5 depicts the stages or phases of a typical project, tasks performed and the contribution of CDS

and the customer. Depending on the implementation, there can be minor or significant changes.

Figure 5. SaaS Based Implementation Approach

Our approach to solution implementation is designed to meet project timelines and milestones. Using the

customer go-live date, we will work backwards to accomplish this goal. Our waterfall model is a

sequential design process, in which progress is seen as flowing steadily downwards through the phases of

conception, initiation, analysis, design, construction, testing, production/implementation and

maintenance.

All professional services including business analysis, process modeling, workflow design,

implementation, project management, system configuration and testing are performed by our U.S.

corporate resources, under one contract where CDS assumes all responsibility.




Technical Response


7/6/2018

Page 19

Project Timeline

A sample project plan with a timeline is provided in Appendix A. The structured plan is broken out into

multiple stages: Initiation, DocFinity Course Training, System Design and Planning, System Build and

Execution, Testing and Acceptance, and Deployment.

Training

Thorough and relevant training is critical in helping staff to maximize use of the powerful tools provided

to them. Training is offered at our offices, on-site or interactively through the web. Courses are taught by

instructors who are CDIA+ certified. You can choose your own subset of courses or request a customized

series. We will bring instructors to your site and train your staff on location. All of our instructors are

legal U.S. residents.

In the case the customer selects the training program to be delivered in their offices, all

reasonable travel, meals, transportation and accommodation of the instructor(s), venue and

equipment (projector, screen, computers, internet connection and others) will be paid for and

provided by the customer.

In case the customer selects the training program to be delivered in a physical location other than

their offices or our corporate offices, all travel, meals, transportation and accommodation of the

instructor(s) and customer employees, venue and equipment (projector, screen, computers,

internet connection and others) will be paid and provided by the customer.

In case the customer selects the training program to be delivered in our corporate offices in

Columbia, South Carolina or State College, Pennsylvania, all travel, meals, transportation and

accommodation of the customer personnel will be paid by the customer.

CDS’ role and responsibility during the design and implementation of the training plan, is to ensure the

content is delivered per corporate standards, relevant to the specific implementation of the application and

meets business expectations.

The role and responsibility of the customer’s staff during the design and implementation of the training

plan, is to ensure that the relevant employees attend, pay full attention and are dedicated to training.

Below is a short description of select training programs:

DocFinity 101: This course provides a high-level overview and foundation to applying DocFinity

to daily practices. This is a prerequisite for all other courses.

DocFinity Administration: This class provides hands-on security administration of groups and

users necessary to secure sensitive information.

DocFinity System Design: Participants will learn about the DocFinity BPM tools, such as

designer, monitoring, administration and job assignments, and how they work together to

automate and manage a paperless business process.

DocFinity BPM: This course presents an overview of the BPM designer. Attendees learn the

components, terminology and theory used in building a business process design including

distribution, user tasks and options in the Job Assignments workspace.

DocFinity eForms: This course covers eForms administration, design and business process

integration, with hands-on activities that illustrate these concepts.




Technical Response


7/6/2018

Page 20

Records Management: Attendees will learn to comply with corporate record policies,

government regulations and legal discovery and how to enforce policies and regulations with

automation.

Dashboards: Participants learn to use structured query language to gather your key performance

indicators and how to create data sources in DocFinity for them. They then learn how to use those

data sources to create charts and dashboards for reporting.

Intelligent Capture: Attendees learn how to leverage Intelligent Capture technology to capture

structured and unstructured documents, OCR, automatic document classification, form and

invoice recognition and data extraction.

Documentation

All DocFinity documentation is maintained in a knowledge base which can be accessed by licensed users.

We maintain and publish tens of thousands of pages of official documentation. A list of product reference

manuals, user guides and administrator manuals is provided below. Only technical materials are listed:

DocFinity 11.1 Form Designer User Guide

DocFinity 11.1 Office Integration User Guide

DocFinity 11.1 Process Designer User Guide

DocFinity 11.1 Desktop User Guide

DocFinity 11.1 Mobile User Guide

DocFinity 11 Features Guide

DocFinity 11.1 Workspaces User Guide

DocFinity 11.1 Dashboards Module User Guide – Covering Dashboards and Dashboards

Designer

DocFinity 11.1.1 Administration User Guide

DocFinity 11.1.1 Enterprise Search Installation and Configuration Guide

DocFinity 11.1.1 Installation and Setup Guide

DocFinity 11.1 Desktop for Mac OS User Guide

DocFinity 11 User Group Synchronization Tool Guide

DocFinity 11.0 Administration Basic Tutorial

DocFinity 11.1 Checklist Search Tutorial

DocFinity 11.0 Dashboard Designer Tutorial

DocFinity 11.0 Export Tutorial

DocFinity 11.0 Form Designer Tutorial

DocFinity 11.0 Importer Tutorial

DocFinity 11.0 Process Designer Tutorial

DocFinity 11.0 User Quick Start Tutorial

DocFinity 11.0 Records Management Tutorial




Technical Response


7/6/2018

Page 21

DocFinity 11.1 REST Webservices API Guide

DocFinity 11.1 URL API Guide.

All product documentation is maintained online and kept up-to-date with the current version of

DocFinity. A knowledge base is maintained for customers. Knowledge base is an online library of

technical tips, tricks, articles and documents that helps customers resolve problems associated with

application of product and associated peripheral issues.

Installation Services 8.4.2 (e)

We will perform installation services for the application program, DocFinity, and the database and any

other component needed at the server level. Please refer to Section 4.2 (d) under “Systems Engineering”

for additional information.

5 Security of Information 8.5

5.1 Measures to Protect Data

8.5.1

CDS maintains security and privacy policies that address and provide guidance to employees and

contractors to ensure the confidentiality, integrity and availability of information and the systems we

maintain. These processes comply with HIPAA privacy and security rules and regulations.

A corporate privacy officer directs the development and implementation of corporate-wide privacy

principles, policies and practices and monitors the organization’s services and systems to ensure

compliance. This position advocates for and protects privacy rights of individuals.

The Information Assurance department of the Corporate Compliance and Ethics division has a privacy

office that conducts HIPAA Privacy Compliance assessments. In addition, this office facilitates monthly

meetings of the HIPAA Privacy Committee, composed of representatives from several lines of business

and subsidiaries. The committee members discuss issues, provide guidance, share lessons learned and

update procedures. Each year the HIPAA Privacy and Security section of the Annual Compliance

Training and the HIPAA Privacy e-training courses are reviewed and updated as necessary.

Our organization employs a framework for information security management. This includes assessment

of protected health information (PHI) use, identification of which positions require access to what types

of PHI and determining the minimum amounts of PHI required to perform each task. We follow

procedures related to the use, management and disclosure of PHI and the disposal and destruction of data,

which is reviewed annually. A corporate-wide HIPAA task force meets monthly to discuss privacy related

matters and to ensure rule compliance. In addition, our staff supports business-unit specific authoritative

sources. These include the Center for Medicare and Medicaid’s (CMS) Acceptable Risk Safeguards,

International Organization for Standardization (ISO), NIST 800-53 and other federal frameworks. We

have achieved:

Federal Information Security Management Act (FISMA) High Rating:

The FISMA of 2002 recognized the importance of information security to economic and national

security interests. A FISMA High Rating means that CDS has implemented an inventory of

systems, categorization of systems by risk level, security controls, risk assessment, a system

security plan, certification and accreditation and continuous monitoring.




Technical Response


7/6/2018

Page 22

ISO 9001:2015 Certified:

ISO is a set of quality management system standards designed to ensure customer requirements

are met and performance is continuously improved. CDS is certified in this internationally

recognized standard.

SAS 70/SSAE 16 SOC 2 Audit Compliance:

SAS 70/SSAE 16 SOC 2 are internationally recognized third-party assurance audits designed for

service organizations. Compliance includes audit and financial reporting and examination.

CDS’ Information Security policy and our Protection of Sensitive Information policy contain explicit

details on how to handle and manage personal information. Explicit procedures exist that describe how

personal information is to be managed including the disposal and destruction of data after its useful life.

Our policies address and provide guidance to employees and contracted resources to ensure the

confidentiality, integrity and availability of information and the system maintained or processed by CDS.

These policies adhere to fair information practice principles.

CDS demonstrates our commitment to protect the Purchasing Entity’s non-public information/data

provided in this contract by requiring strict adherence to security policies and procedures, completion of

annual security and privacy awareness training and applying human resource disciplinary policies

commensurate with the severity of non-compliance. For any PHI, personally identifiable information (PII)

and federal tax information, CDS adheres to the applicable HIPAA and NIST implementation standards.

CDS has procedures in place to erase sensitive information and software from computer components and

media before computers are disposed of or transferred to another associate or area. Unneeded media are

placed in a large, locked electronic media disposal bin to be destroyed. CDS uses a media disposal

contractor to destroy hard drives, magnetic media, disks, CDs and floppy disks identified for destruction.

The disposal containers are picked up by disposal contractors as needed for destruction. This media

destruction process includes passing magnetic tape and hard drives through a machine that degausses the

items and properly breaks down the magnetic field. This process scrambles any data present on the media

and renders the device useless. Computer hard drives and magnetic tape media are physically crushed in

addition to degaussing them. Contractors certify that all sensitive information is destroyed in their

contract and logs are maintained to provide evidence that the degausses step was completed. After the

magnetic media is destroyed, a Certificate of Destruction from the contractor is received and maintained.

CDS will retain and manage the information as defined and required per the Master Agreement or

applicable Participating Addendum.

5.2 Data Privacy and Security

8.5.2

CDS has an established enterprise-wide information security program that ensures the confidentiality,

integrity and availability of customer information regardless of how it is created, distributed or stored.

This program is designed to meet NIST and HIPAA security and privacy requirements through a multi-

layered security structure. Security controls are implemented to protect all information assets, including

hardware, systems, software and data. The Information Security program addresses risk management of

information resources through adoption of preventive measures and controls designed to detect any errors

that occur. These controls ensure compliance with applicable federal legislation, policies and standards.

The elements of our security program include:

Risk assessments

Security plans




Technical Response


7/6/2018

Page 23

Certifications

Self-assessments

Contingency and disaster recovery plans

Security reviews

Corrective action and safeguard planning

We also include the following:

Systems security policies and procedures

Violation reporting and incident response

Physical and electronic monitoring

OMB requirements

Personnel background screening

HIPAA, privacy and security training

Data security

5.3 Purchasing Entity’s User Accounts

8.5.3

CDS will not access a Purchasing Entity’s user accounts or data, except in the course of data center

operations, response to service or technical issues, as required by the express terms of the Master

Agreement, the applicable Participating Addendum, and/or the applicable Service Level Agreement.

CDS’ Information Systems Data Security staff manages access to all servers and workstations

environments, using available authentication methods such as Active Directory. Specific accesses depend

on the applications or system being accessed. Access is routinely recertified by managers to ensure levels

of access are current and necessary.

All unique ID and password combinations only provide access to the selected systems and data using the

least privileged: business need-to-know concept. Each unique ID is placed in logical groups (role,

organization, system or resource based). Logical groups are configured within the access control systems

(Active Directory and others) to grant the minimum resource authorizations necessary to use selected

systems and data based on job function or business need. These established policies and procedures

ensure that access to customer information is limited to only those employees and contractors designated

as having authorized access.

Each individual having systems access is held responsible for their actions. User activity is auditable

which allows security breaches to be reconstructed and traced to the responsible individual. Integrity

controls are used to ensure information is not modified or destroyed in an unauthorized manner.

6 Privacy and Security 8.6

6.1 NIST Compliance

8.6.1

CDS’ capabilities of deploying, maintaining and servicing our SaaS subscription include the following

characteristics of the NIST 800-145 Service Model:




Technical Response


7/6/2018

Page 24





TB of storage that is proactively managed and monitored. If the purchasing agency begins to exceed this

threshold, we will notify them in advance to plan ahead for the purchase of additional capacity.









Resource Pooling



1. Our secure, HIPAA-compliant CDS Data Center located in Columbia, South Carolina

2. AWS facilities located in the USA





proactive approach.











the entire year

Measured Service







Technical Response


7/6/2018

Page 25




BPM/Workflow that allows you to model, automate, execute, control, measure, optimize and

monitor your business processes.




Please refer to Section 20 under “Reporting and Analytical Capabilities” for details about the monitoring

features of our application software, DocFinity, that effectively manage your business processes at the

management level.




6.2 Security Certifications

8.6.2

Securing data is a crucial aspect of regulatory compliance as mandated by laws like HIPAA, Family

Educational Rights and Privacy Act (FERPA) and Sarbanes-Oxley. Guaranteeing audit trails over who

has access to documents and data is an important component of corporate accountability. DocFinity offers

a number of security features to control who sees and modifies documents and data.

Feature Rights control which groups of users can use specific application features and functions

such as searching, scanning, indexing and administration.

Document Security determines which groups of users have access to each document type.

Permissions control which groups of users can perform specific actions per document type such

as viewing, deleting, seeing markup, updating data or overriding redactions.

Filter Security limits document access and permissions for a document type according to

specific data values or ranges.

Batch Security sets user access security over unindexed documents and files.

Assigned Searches grant specific searching capabilities and rights to specific groups of users and

return only the documents to which users are granted access.

Restore and Purge functionalities enable backup options by administrators for user-deleted

documents and allow only an administrator to permanently delete a document in accordance with

compliance requirements.

In addition to these security features, DocFinity BPM’s ability to streamline and automate business

processes allows the Purchasing Entity to increase control over access to documents and data.

DocFinity audits all changes involving documents, data and user activities including system

administration actions. Audit records confirm the validity of audit trails. Aided by a detailed audit guide,

administrators create customized audit reports from the database.

In addition to the security in the application, DocFinity can be run on Hyper Text Transfer Protocol

Secure (HTTPS) to provide encryption and secure communication for sensitive data.




Technical Response


7/6/2018

Page 26

We are routinely audited for compliance with various information privacy and security rules and

regulations including HIPAA. CDS is routinely audited by the federal government for compliance in

information privacy and security rules and regulations due to our ongoing authority to operate (ATO)

issued by Medicare. CDS is subject to the Statement on Standards for Attestation Engagements 16

(SSAE16) audit on a yearly basis. We are ISO certified and have an ATO from CMS as a FISMA high

system.

We are continually assessed as part of internal and external requirements. Our FISMA environment

receives an annual FISMA assessment, Chief Financial Officer Audit and A-123 Assessment. CDS owns

a Federal Risk and Authorization Management Program (FedRAMP) Ready cloud environment. We

conduct numerous security and confidentiality measures including compliance with federal privacy and

information security standards such as the NIST, HIPAA, Payment Card Industry (PCI), National

Association of Insurance Commissioners Model Audit Rule (NAIC MAR) and our internal Information

Systems Standards Manual and procedures. We are measured internally by our Governance

organization’s Quality Assurance department-level self-audits. These self-audits prepare us to be formally

and objectively measured by a risk-ranked variety of corporate audits such as our Corporate Compliance

Group’s NAIC MAR audits and externally conducted SSAE16 and PCI audits.

The following is a list of external audits to the relevant environment. These audits are currently taking

place and expected to continue for the foreseeable future.





AICPA SOC2 for hosting contract

AICPA SOC1 (SSAE 16) for annual review of our Corporate environment

AICPA SOC1 (SSAE 16) for annual review of our Tricare environment

AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Administrative Services Contract

AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Third Party Liability Contract



6.3 Security Practices

8.6.3

Whether you chose the CDS Columbia Data Center or AWS facility, our SaaS solution is hosted in a

private cloud environment. This solution is optimized for a single customer. There will be no other

customers located in the same cloud environment. The virtual machine for your contract is separated from

the others.

Each individual with systems access is held responsible for their actions. User activity is auditable which

allows security breaches to be reconstructed and traced to the responsible person. Integrity controls are

used to ensure information is not modified or destroyed in an unauthorized manner.

Please refer to Section 6.4 below for more information about our security monitoring features.




Technical Response


7/6/2018

Page 27

Please refer to Section 20 under “DocFinity Software Application Based Security” for more information

about our application-level security features.

6.4 Data Confidentiality Practices

8.6.4

Access

CDS recognizes the importance of being proactive in preventing any unauthorized use, access,

distribution or manipulation of the customer’s information. All accesses are recertified every 90 days. As

part of this program, CDS maintains policies and procedures regarding personal background screening,

privacy and security training, data security including data encryption, and violation reporting and incident

response.

Data is safeguarded by:

Taking steps to ensure that the data is only accessed or able to be accessed by those having a

business need for the data

Monitoring systems to identify any attempts to compromise security

Ensuring that employees and contractors are trained to identify and address any attempts to

compromise security

Access to the systems and information is based on an employee’s or contractor’s position and requested

by the hiring manager. Any request for access outside of the norm must be justified and authorized. Upon

termination or an approved extended leave of absence, such paid leave, access is terminated on the last

day of employment or first business day prior to the approved leave. If access is not used within a

prescribed number of days, access is automatically terminated. Periodically, managers are provided with a

report listing the access of each of their employees which they are required to verify is still needed. These

activities help to ensure that only the access needed to perform a job is being provided.

To gain access to the system or application, the user has to use a password. Passwords are required to be

changed at least every 30 days and immediately in the event of a known or suspected compromise and

system installation. Passwords must consist of a minimum of eight alphanumeric characters consisting of

at least one number and one special character. Users are locked-out after the a third incorrect consecutive

log-on attempt and are required to verify identification before the lock-out can be revoked. Data Security

Administration monitors invalid log-on and access violation reports to identify patterns or repeat

offenders and reports these findings to the appropriate level of management. Once access is gained,

employees and contractors are trained to lock their computers anytime they are away from their desks and

to remove sensitive information from desktops prior to stepping away from their desks, preventing insider

unauthorized access to data.

Monitoring

CDS’ Security Operations uses enterprise security products to provide dynamic network monitoring and

notification. Security analysts monitor email alerts and management consoles daily to identify threats to

the cloud infrastructure. Security Operations reports any identified threats as information security events

to our 24/7/365 CDS Technology Support Center (TSC).

Monitoring consists of these three functional categories:




Technical Response


7/6/2018

Page 28

Security – For infrastructure in CDS’ control, security monitoring is facilitated by our log

collection system. This system is fed by information from numerous systems including IDPs,

firewalls, Cloudtrail, Cloudwatch and anti-virus.

Infrastructure – Consists of Simple Network Management Protocol traps from devices and client-

assisted resource use information from servers.

All of these systems feed into our CDS TSC. If one of these monitoring systems detects a security event,

an automated system generates a trouble ticket and alerts the responsible technician of the problem.

Security Training

All employees and contractors are required to participate in yearly compliance training. This is done to

reinforce the training received during new employee orientation. In this training the following security

related items are reviewed:

Processes and procedures for reporting a security incident

Identification of confidential or sensitive information and the appropriate handling of this type of

information

Identification of insider threats and how to handle them

What information can and cannot be disclosed to others and the restrictions for disclosure

Penalties for violations of security policies

6.5 Third-Party Attestations, Reports and Security Credentials

8.6.5

CDS has taken necessary measures to comply with HIPAA rules and regulations. We are routinely

audited for compliance with various information privacy and security rules and regulations including

HIPAA. CDS is routinely audited by the federal government for compliance in information privacy and

security rules and regulations due to our ongoing ATO issued by Medicare. CDS is subject to the

SSAE16 audit on a yearly basis. CDS is ISO certified and has an authority to operate from CMS as a

FISMA high system.

We are continually assessed as part of internal and external requirements. Our FISMA environment

receives an annual FISMA assessment, Chief Financial Officer Audit and A-123 Assessment. CDS owns

a FedRAMP Ready cloud environment. We conduct numerous security and confidentiality measures

including compliance with federal privacy and information security standards such as the NIST, HIPAA,

PCI, NAIC MAR and our internal Information Systems Standards Manual and procedures. We are

measured internally by our Governance organization’s Quality Assurance department-level self-audits.

These self-audits prepare us to be formally and objectively measured by a risk-ranked variety of corporate

audits such as our Corporate Compliance Group’s NAIC MAR audits and externally conducted SSAE16

and PCI audits.

The following is a list of external audits to the relevant environment. These audits are currently taking

place and expected to continue for the foreseeable future.








Technical Response


7/6/2018

Page 29


AICPA SOC2 for hosting contract

AICPA SOC1 (SSAE 16) for annual review of our Corporate environment

AICPA SOC1 (SSAE 16) for annual review of our Tricare environment

AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Administrative Services Contract

AICPA SOC1 (SSAE 16) for biennial review of our Medicaid Third Party Liability Contract


6.6 Logging Process

8.6.6

All system users are responsible for reporting security-related events/breaches and are the first line of

defense against potentially dangerous security events. Members of the IT staff are responsible for the

monitoring and detecting of network security-related events, referred to as incident responders.

Incident responders monitor the environment appropriate to their organizations using assigned tools. For

example, incident responders will monitor network and server environments using Intrusion Detections

Systems Log Aggregation systems and other available tools. Incident responders reside within multiple

technical operations including Workstation Technical Services, Information and Communication

Technology/Distributed Systems and leveraged systems applications. Examples of events being

monitored and the support areas responsible are listed below in Figure 6.

Event Monitoring/Reporting Responsibilities

Event Type Responsible Team/Area

Malicious activities (successful or unsuccessful) including, but not limited to, worm infections, virus infections, server intrusions, denial of service attacks, network anomalies and firewall breaches

Security Operations

Unauthorized modifications to identified logging and audit files Security Operations Unapproved wireless networks Security Operations Phishing and spam emails Security Operations

Email Services Blackmail Security Operations

Corporate Compliance Investigations Social Engineering Security Operations and Law Department Information Leakage Security Operations and Human Resources Insider Abuse Security Operations and Human Resources Website Defacement Security Operations and applicable webmasters

Figure 6. Event Monitoring/Reporting Capabilities

Logging tools are used to collect logs from servers and network devices. These logs are aggregated and

reviewed daily by security staff. Security staff monitors events in real time from the Security Information

and Event Management console.

Logs are retained for 90 days live, one year in archive on each line of business' logger appliance and

archived for seven years. Auditing includes all information required by SCDIS-200 AU controls.




Technical Response


7/6/2018

Page 30

Audit Logs

Audit logs will be created whenever any of the following activities are requested to be performed by the

system and to ensure infrastructure equipment deployed has required logging enabled:

Create, read, update or delete confidential information; including confidential authentication

information such as passwords.

Create, update, or delete information not covered in the bullet above.

Initiate a network connection.

Accept a network connection.

User authentication and authorization for activities covered under the first or second bullet such

as user login and logout.

Grant, modify or revoke access rights, including adding a new user or group, changing user

privilege levels, changing file permissions, changing database object permissions, changing

firewall rules, and user password changes.

System, network or services configuration changes, including installation of software patches and

updates or other installed software changes.

Application process startup, shutdown or restart.

System shutdown, system reboot and system errors.

Application process abort, failure, or abnormal end, especially due to resource exhaustion or

reaching a resource limit or threshold (such as for central processing unit, memory, network

connections, network bandwidth, disk space, or other resources), the failure of network services,

such as Dynamic Host Configuration Protocol or Domain Name System, or hardware fault.

Detection of suspicious/malicious activity such as from an Intrusion Detection or Prevention

System, anti-virus system or anti-spyware system.

All administrative activities including account creation, modification or deletion.

6.7 Restrict Visibility

8.6.7

Our SaaS offering provides proactive monitoring, processes, procedures, compliance and security controls

for our system architecture. DocFinity offers several security features for customers to control the

visibility and modification of documents and data.














Technical Response


7/6/2018

Page 31




6.8 Security Incident Notification Process

8.6.8

CDS has a tested security breach plan designed to protect the privacy of customer’s information. Any

attempted or actual data breach would be handled according to the procedures defined in our Information

Security Incident Response Plan (IRP).

CDS’ IRP corresponds with the NIST, Special Publication 800-61 Revision 2 and Computer Security

Incident Handling Guide. It undergoes annual validation through tabletop exercise of IRP processes every

365 days.

This plan provides procedures that prevent problems from occurring, enables a quick and effective

response to potential or actual breaches and documents and implements lessons learned. The IRP consists

of five primary processes:

Monitoring and Detection

Incident Handling/Incident Management

Investigation

Post Security Incident Analysis

Pre/Post Incident Systems Security Planning

Initialization of the IRP assures preparation, identification, containment, eradication, recovery and follow-

up capabilities in response to security incidents are conducted in a consistent manner throughout the

corporation and in accordance with approved standards and established best practices.

Notification

The CDS Technology Support Center (TSC) is notified of security-related events through the CDS TSC

call process. This process triggers both the incident management and the security incident handling

processes.

To indicate that an event has been reported, our ticketing system generates a page and submits the event

to an on-call incident handler from Security Risk and Compliance Assurance (SRCA). Upon notification

from the CDS TSC, the incident handler reviews the event with the incident responder and classifies the

event as either an incident or not an incident. Incidents are further categorized to correspond to the

appropriate incident classification category for the customer.

Based upon the information available, the incident handler notifies the customer’s appropriate incident

handler staff, with the event classified appropriately as indicated in Figure 7 below - as soon as it has been

determined an incident has indeed occurred.

Incident Classification Category Cross Reference

CDS Classification

Name Description

1 Intrusion/Unauthorized Access An individual gains logical or physical access, without permission, to a network, system, application, data or other technical resource.




Technical Response


7/6/2018

Page 32

Incident Classification Category Cross Reference

CDS Classification

Name Description

2 PHI/PII/SI/PCI – Data Exposure A loss or theft of or unauthorized access to sensitive PII that could result in the potential compromise of the confidentiality or integrity of data.

3 Unsuccessful Attack An attack was unsuccessful (failed) to gain access to computers.

4 Denial of Service

An attack that prevents or impairs the authorized use of networks, systems or applications by exhausting resources. This activity includes being the victim of or participating in the attack.

5 Malware/Inappropriate Use A virus, worm, Trojan horse or other code-based malicious entity that successfully infects a host. An individual violates acceptable use of any network or computer use policy.

6 Probes/ Reconnaissance Events Any activity that seeks to access or identify a computer, open ports, protocols, service or any combination for later exploit. This activity does not directly result in compromise.

7 Investigation Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.

8 Explained Anomaly Events that are initially suspected as being malicious but after investigation are determined to be system malfunction or false positive.

9 Exercise This category is used during exercises and approved activity testing of internal and external network defenses or responses.

Figure 7. Incident Classification Category Cross Reference

Based upon the classification of the incident, the incident handler notifies the customers impacted by the

incident and develops an appropriate communication plan if applicable.

For actual incidents, the SRCA assesses the impact based on the information available such as:

Affected systems

Affected enclaves/subsidiaries

Impacted customer areas

As necessary, the SRCA will create child tickets assigned to system support groups for assistance.

Incident Handling/Incident Management

Incident handling consists of:

Incident containment

Eradication of malware and tools

Evident collection and handling

Recovery of affected systems

Incident Containment

Incident containment involves the below five activities in order of priority:

Protect human safety and prevent loss of life




Technical Response


7/6/2018

Page 33

Protect sensitive/classified data

Protect all other data

Protect hardware and software from attack

Minimize disruption of computer resources

Identification of the appropriate containment strategy takes into consideration these factors in descending

order of priority:

Potential damage to and theft of resources

Need for evidence preservation

Service availability

Time and resources necessary to implement the strategy

Effectiveness of the proposed strategy

Duration of the solution

Eradication of Malware and Tools

Systems support groups and incident responders remove malware, intruder tools and accounts created

during an adverse event. Documentation of the eradication phase may be more or less detailed, depending

upon the event type, tool type or malware discovered.

Evidence Collection and Handling

The incident handler works with systems support groups and incident responders to ensure that evidence

is collected in the form of logs, forensic artifacts and other data with an evidentiary value. This data is

collected in the most forensically sound manner available and according to evidence collection and

handling procedures.

Recovery

Recovery from the incident is managed as a part of the TSC incident management process and is

considered complete when all information systems are returned to operable condition and are free from

the vulnerabilities that allowed the incident to occur. Upon recovery from the incident, both incident

handling and incident management processes enter the post-incident analysis phase, if necessary further

investigation is conducted.

Incident Management

Incident management requires the input of key business leaders with insight into both operational

processes and systems security. Their input ensures that both operational and security requirements are

met. The incident management phase of the process gives key leadership adequate explanations to

evaluate the extent of the incident, best and worst case scenarios to model operational loss and the

appropriate reporting and response requirements for the company. Business drivers and legal and

contractual requirements are balanced to achieve maximum efficiency in the incident management phase.

Upon notification of the incident by the incident handler, systems security officer, customer management

and any other person required for the incident type join a conference bridge pre-established by the

incident handler. The conference bridge is reestablished at a pre-determined interval and until recovery is

complete. During incident review, management is briefed on the extent of the incident and provided with

both the best and worst case scenarios by incident handling. The incident review provides an opportunity

for impacted areas to develop a thorough understanding of the event’s causes and resolution.




Technical Response


7/6/2018

Page 34

System support groups for each customer are responsible for providing a loss estimate for any outage

resulting from an incident as well as cost estimates for containment, eradication, evidence collection and

recovery. During the business analysis phase, this high-level estimate will offer key leaders insight into

the severity of the incident. Additional management may need to be notified at this time. Business

continuity plans and disaster recovery may be invoked at this time.

Based on legal or contractual obligations, incident management staff may have immediate reporting

requirements. The incident handler ensures that all contractual obligations can be met, from the time of

notification to the briefing of incident management.

In cases when it is not immediately possible to determine the extent or severity of the event, incident

handlers request the Incident Management team to report on the incident. This will allow the event to be

later re-classified for the government agency as an explained anomaly or an incident of the appropriate

type. Communications planning during the call ensures consistent reporting across all customer incidents.

Investigation

If an investigation is warranted, the incident handling staff engages the appropriate resources to initiate

forensic examination of the evidence collected during the incident handling phase. Investigators are

responsible for analyzing the evidence collected during the incident handling process. While some

investigation may already have been conducted to discover the extent and severity of the incident,

forensic examination in this situation includes a full examination of systems, logs and records to discover

evidence indicating the methods, tools and results of an attack.

Upon completion of the investigative analysis, evidence is retained for the period of time required by

applicable laws and contractual requirements. Investigators provide formal investigative reports for

review during post-incident analysis. Said reports are delivered to incident management for dissemination

to the appropriate agencies.

Post Security Incident Analysis

Once the threat is contained and recovery efforts initiated, incident management begins a post-incident

analysis, determining first if an investigation is necessary, then requiring mitigation strategies for any

vulnerabilities exploited. If an investigation is necessary, investigation work commences, involving

incident response and incident handling staff and external contract consultants necessary to provide

specific expertise or tools for events.

If it is decided that an investigation is not necessary, a post-incident analysis is conducted. The results of

lessons learned and a root cause analysis are furnished to the Incident Management team for final

reporting. Information security incident response staff works closely with the TSC problem management

staff to produce documentation of the lessons learned, the root cause analysis and the results of any

necessary investigation completed for each declared security incident.

Finally, a mitigation strategy is completed that addresses any systemic security vulnerabilities discovered

during the incident. This mitigation strategy is developed in coordination with incident management and

incident response teams to ensure that both regulatory and technical requirements can be implemented

without conflict.

Pre-/Post-Incident Systems Security Planning

Incidents will often expose unexpected or unusual vulnerabilities, or systemic issues that could result in

the future exposure of data. The appropriate planning for efficient and effective incident response occurs

both before and after the event, taking into account security concerns such as:




Technical Response


7/6/2018

Page 35

Tools and resources

Records retention planning

Monitoring capacity

Network planning

Architecture review

Incident responders and incident handlers meet regularly to review incident reports for gaps and concerns

not mentioned in the list above. They report their findings to the Security Council on a regular basis, with

a request to initiate changes to preclude the occurrence of potential incidents or to resolve them

satisfactorily. Documentation of the event is managed by the SRCA team and reviewed upon completion

by IT management for pre- and post-incident systems security planning. Reviews of the architecture,

networks, monitoring capacity and records retention strategy are completed and recommendations made

concerning changes in tools and resources necessary to reduce the risk of future incidents of a similar

type.

Ms. Vanessa Holmes is the NASPO ValuePoint Master Agreement Contract Manager. The roles and

responsibilities of the contract manager are comprehensive, and require engagement and coordination

with other program stakeholders outlined in Section 3.1 of this Technical Response document. Ms.

Holmes will overlook several key processes and procedures that will ensure effective contract

engagement and management throughout the term of the NASPO master agreement. The Client Advocate

will be responsible for communications with the Purchasing Entities and will work directly with you and

alert you to any incidents or critical business information as soon as it is known. CDS will incorporate the

Purchasing Entity’s notification requirements if they are different than our standard notification process in

the event of the security incident.

6.9 Security Controls for Server Isolation

8.6.9

Our SaaS solution has the capability of providing server isolation accomplished by deploying servers into

different virtual networks based on security and connectivity requirements. In addition, we can also

segment the different zones, or logical network layers, each having specific function and importance

within the overall architecture. These logical layers are created by the physical separation of network

ports within the framework or by the use of Virtual Local Area Network technology; these zones are fully

independent and segregated.

6.10 Security Technical Reference Architectures

8.6.10

Rather than reactively trying to meet the requirement by placing our software in a public cloud provider’s

infrastructure, we have been proactive in this market by supporting our SaaS-based DocFinity customers

in our own data center that possesses healthcare-class security and alternatively in Amazon Web Services

Infrastructure for several years. Our SaaS offering is secure, cloud-based, mature and proven. All

managed services, including security and administration, are performed by our corporate employees

regardless of whether we are using our Columbia, South Carolina Data Center or AWS Infrastructure.

We offer SaaS deployment of our software product DocFinity. The only way for the users to access

government-sensitive data is the application itself. We provided detailed information about application

security and role-based access within relevant sections. Please refer to Section 6 for the details on data

security in the hosting environment.




Technical Response


7/6/2018

Page 36

6.11 Employee Verification

8.6.11

CDS strives to recruit high-quality employees in an efficient, professional and nondiscriminatory manner.

Selected external candidates, employees and contractors, must satisfy background checks including but

not limited to criminal records search, drug screening, education verification, employment verification

and federal government exclusions databases. Depending on the requirements of the positions, candidates

may be subject to additional background screening including security clearances. For example, for our

Federal government business, the Office of Inspector General and General Services Administration

exclusion lists are reviewed to verify that all employees at time of hire are not included on either

exclusion list. Existing employees are subject to this verification on a monthly basis. If an employee is

found on one or both of the lists, they are immediately removed from any work related to any

governmental programs including federal health care programs.

Please refer to Section 6.4 under “Access” for details on our security procedures in place for employee

access to sensitive data.

6.12 Data Confidentiality At Rest and In Transit

8.6.12

Our implementation allows and supports the data to be encrypted at rest and in transport. Access to

DocFinity can be via HTTPS for encrypted data transfer. For data at rest, CDS’ Storage Area Network

(SAN) solution will be compliant with the Federal Information Processing Standard (FIPS) 140-2. We

have mature policies and procedures that govern data and storage that include role-based access to the

devices and encryption for the data at rest.

6.13 Data Breach Notification Policies

8.6.13

CDS has a tested security breach plan designed to protect the privacy of customer’s information. Any

attempted or actual data breach would be handled according to the procedures defined in our Information

Security Incident Response Plan.

Please refer to Section 6.8 for the specifics of policies, procedures and our mitigation strategy regarding

notification and mitigation of potential breaches.

7 Migration and Redeployment Plan 8.7

7.1 Service End of Life Activities

8.7.1

At the end of the contract, we physically delete the data from our storage so that it cannot be

reconstructed. The customer owns the data and therefore has all the rights to it. Customer data will not be

read, copied or manipulated by CDS unless there is a technical need and the customer requests we

perform a diagnosis.

We ensure security of the data migration by physically deleted all customer data immediately after the

contract ends.

DocFinity does not use any proprietary digital format for any file that is uploaded, imported or scanned.

Although DocFinity allows its own tools to be used for opening and viewing certain types of files, it

keeps all content in their native format for portability and openness. There is no file type or file size

limitation of DocFinity; It supports any digital format including but not limited to DOCX, PDF, PDF/A,




Technical Response


7/6/2018

Page 37

TIFF, JPG, MP3 and MPG4, (DWG, .XLS, PPT, GIF). Both the data and metadata are fully portable

during migration.

7.2 Return of Customer Data

8.7.2

Data (Files and Documents): As explained above, DocFinity does not use any proprietary digital format

for any file that is uploaded, imported or scanned. All data is stored in their native format. At the end of

the contract, the customer has several convenient ways to retrieve the files:

1. Download or export using the application software DocFinity to local storage

2. Request CDS to provide the data on a removable format (i.e. Hard disk) at a reasonable cost

Metadata: Since the data dictionary is published, well-documented and open, the customer is able to

export the metadata in a non-proprietary, machine-readable format at the end of the contract.

Since the tasks explained above can be performed by the customer before the end of the contract, there is

no SLA associated with returning the data to the customer. However, if the customer, through a change

control, requests CDS to perform these tasks at additional cost, then the SLAs will separately be

negotiated on a case-by-case basis.

8 Service or Data Recovery 8.8

8.1 Response to Situations

8.8.1

Extended Downtime 8.8.1 (a)

For the CDS Columbia Data Center hosting option, CDS would implement our business contingency plan

and move operations to a hot site facility. Recovery personnel will invoke procedures to transport tapes or

digital images to the hot site and move staff there to man the facility until normal operations resume.

While the disaster recovery team members are working from their plans, the business unit team leads will

activate their Life Safety and Business Resumption Plan.

For the Amazon Web Services hosting option, standard service or data recovery procedures of the vendor

would apply, depending on the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

levels that are chosen by the customer.

Unrecoverable Loss of Data 8.8.1 (b)

For the CDS Columbia Data Center hosting option, CDS would implement our business contingency

plan. A determination must be made on whether the system has undergone significant change and will

require reassessment and reauthorization. The phase consists of two major activities – validating

successful reconstitution and deactivation of the plan. Salvage operations would be carried out by staff

after completion of the damage assessment. If required, CDS would initiate a secure destruction and

disposal of hard drives and portable media, and destruction of paper media.


would apply.




Technical Response


7/6/2018

Page 38

System Failure 8.8.1 (c)

Redundant systems are in place to eliminate downtime. Operations would be moved over to one of the

redundant systems until the system failure has been recovered.

Severe System Outage 8.8.1 (d)

The instances will be backed up via snapshots to cloud storage solution and deploying application

infrastructure in cloud solution within the four hour window.

Recovery Point Objective and Recovery Time Objective 8.8.1 (e)

For the CDS Columbia Data Center hosting option, all disaster recovery (DR) plans contain a stated RPO

and RTO. The RTO is based on the customer’s specific requirements. Our standard RTO is 72 hours. The

RPO addresses the need for recovery based on the customer’s prioritization of applications. Applications

will be brought online for use as they become available. The list of business group priorities are integrated

into an overall priority list, complete with system inter-dependencies as they relate to contractual or

revenue requirements.


would apply, depending on the RTO and RPO levels that are chosen by the customer.

8.2 Backup and Restore Methodologies

8.8.2

Method of Data Backups 8.8.2 (a)

Our SaaS solution has the capability of both physical tape and digital backup.

Backups

CDS maintains comprehensive backups of all system and data files to ensure the timely recovery of

systems, applications and connectivity in the event of a hardware failure, natural disaster or data

destruction. Critical backup is performed daily and weekly using tape and disk backup systems to ensure

that all production systems are recoverable with full data integrity. The DR Manager and Tape

Management System tools are used to identify dataset names to be stored off-site. Off-site storage for

media is provided in a secure vault away from the operational premises for any informational data while

data replication is performed at the hot site. Monthly audits of off-site tape media storage are conducted to

guarantee the reliability and integrity of the data backup process. Each month CDS tests off-site storage

vault procedures and effectiveness. In addition, we can perform Amazon Elastic Block Store (EBS)

snapshots and Amazon Machine Images. These backups are stored on redundant hard drives and can be

replicated to a separate Availability Zone.

Tape Management System

CDS uses tools to ensure critical applications and data are backed up and stored off-site. Tape

management systems are used to track the inventory of tapes stored in the off-site vault. The movement of

tapes to and from the vault is maintained within the tape management system. Only CDS employees

handle and transport the tapes. Tape librarians prepare data that resides on tapes for distribution to the off-

site storage vault. In most cases, balancing procedures are in place to ensure data integrity.

In addition to preparing data tapes for distribution, tape librarians are responsible for monitoring,

maintaining and providing a variety of removable media (tape/optical disks) to ensure timely processing.




Technical Response


7/6/2018

Page 39

They manage directing datasets to the various physical tape robotics systems. They also monitor and

provide required resources to the various virtual tape subsystems. Tape librarians maintain the vault

patterns and are responsible for the daily accurate placement of backup tapes in CDS’ off-site storage

vault facility.

Method of Server Image Backups 8.8.2 (b)

Frequency and Included Data

A full backup of applications is made weekly and incremental backups are executed daily. Backups are

maintained under a seven year retention program. Also, eight-change and eight-deleted versions are

maintained. Backup files consist of image copies made by the COPY utility of the database management

system.

At the mid-tier, we provide backup and recovery services with the use of IBM’s Tivoli Storage Manager

(TSM), an enterprise-class, multifunction backup and recovery system, used in conjunction with state-of-

the-art data storage networks and a layered approach to engineered storage solutions. The data is

concurrently stored at three locations, but for the purpose of archiving and total preservation, TSM

provides a scalable, multiplatform architecture. TSM provides policy-based task automation to ensure that

mid-tier data is archived. Network bandwidth is reduced through TSM’s Intelligent Data Movement and

with 128-bit encryption; data is safe as it is transferred to TSM. In addition, we can perform Amazon EBS

snapshots and Amazon Machine Images. These backups are stored on redundant hard drives and can be

replicated to a separate Availability Zone.

Digital Location of Backup Storage 8.8.2 (c)

Amazon EBS snapshots and Amazon Machine Images can be replicated to a separate Availability Zone or

Region. In addition, Iron Mountain provides off-site backup storage for the primary recovery site and is

located approximately 100 miles from the primary recovery site.

Alternate Data Center Strategies 8.8.2 (d)

For the CDS Columbia Data Center hosting option, CDS owns and operates an Emergency Operations

Center (EOC) from its Dallas, Texas office. In the event of a declared disaster in Columbia, South

Carolina which renders the CDS operations center incapacitated, CDS will activate and operate from its

EOC in Dallas. All operations performed on behalf of the customer will be fully executed from this

location and is tested as part of our annual DR exercise.

CDS uses SunGard Availability Services to supply site services, located in Philadelphia, Pennsylvania in

case of a disaster. This site is also used for the annual Disaster Recovery Plan (DRP) testing and is

contractually available for extended period hot site use. SunGard Availability Services provides the

physical, logical and security controls sufficient to meet CDS’ standards and reduce security and

availability risks associated with an alternate data center site. Our preferred alternate location is

Philadelphia, Pennsylvania, more than 600 miles from Columbia, South Carolina.


would apply, depending on the RTO and RPO levels that are chosen by the customer. All production and

backup data will always reside within continental USA.




Technical Response


7/6/2018

Page 40

9 Data Protection 8.9

9.1 Encryption Technologies and Options

8.9.1

At rest, backup and during transmission all data is encrypted using approved FIPS 140-2 approved

methods.

Data encryption at rest is not enabled for block storage except where specifically stated as a contractual

requirement. In addition, the storage arrays that are encrypted are FIPS 140-2 compliant. Any failed hard

drives are not allowed to leave our data centers intact. All failed hard drives are inventoried and destroyed

on site. When an entire storage array is decommissioned there is a scrubbing process that adheres to

Department of Defense standards.

All Storage Area Network Systems (SANs) used for this contract will be configured to FIPS 140-2

compliant encryption.

In transmitting data, data encryption occurs at the transport protocol and/or application level. The use of

secure protocols is enforced throughout the enclave. Protocols that transmit sensitive data through clear

text are restricted at internal and external boundary security devices. All network devices that transmit

data are located in secure and restricted areas.

Advanced Encryption Standard 256-bit encryption is enforced on all traffic that travels to an external

entity through Virtual Private Networking.

In addition and per corporate policy, all employees will encrypt any PHI that is electronically stored,

maintained or transferred when the data is:

Stored on a portable personal computer such as a laptop, notebook or tablet.

Written from any personal computer to removable media to be taken outside of a company

facility.

Transmitted externally through email or other public electronic transmittal mechanism.

Transmissions such as Network Data Mover, BlueWebSM and secure File Transfer Protocol are

through private connection and do not require encryption under this policy.

All corporate-owned laptop computers must have approved full-disk encryption software installed

and active.

PHI may never be sent through a text message.

9.2 Data Protection Agreement

8.9.2

CDS is willing to sign relevant and applicable Business Associate Agreement or any other agreement that

may be necessary to protect data with a Purchasing Entity.

9.3 Use of Data

8.9.3

CDS maintains security and privacy policies that addresses and provides guidance to employees and

contractors to ensure the confidentiality, integrity, and availability of information and the systems we

maintain. These processes comply with HIPAA privacy and security rules and regulations. Employees

and contractors will only use the data for purposes defined in the Master Agreement or related service




Technical Response


7/6/2018

Page 41

level agreement. The data will not be used for any other purposes, resold, or redistributed as a result of the

RFP.

10 Service Level Agreements 8.10

10.1 Negotiable Service Level Agreement

8.10.1

Figure 8 in Section 10.2 depicts our typical response and resolution time chart for generic use in incident

reporting. The chart is provided for problem reporting only, providing an answer to a question may take a

shorter time. We will work with the customer to modify these response times or other proposed SLAs to

comply with requirements, laws or terms and conditions that are not in your best interest.

10.2 Sample Service Level Agreement

8.10.2



1 – Severe




2 – High




3 – Medium

The system or application issue is not critical. The system has not failed. The issue has been identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.



4 – Low



Resolution of problem may appear in future release of software where practical. If the enhancement request is deemed to require custom programming, CDS will engage the customer in a process of specification, resulting in a custom programming specification document. This document will define the need, customer responsibilities,




Technical Response


7/6/2018

Page 42



what CDS will provide as a solution and how and an estimate on the time and cost required.

Figure 8. CDS Response Requirements

11 Data Disposal 8.11

CDS has procedures in place to erase sensitive information and software from computer components and

media before computers are disposed of or transferred to another associate or area. Unneeded media is

placed in a large, locked electronic media disposal bin to be destroyed. CDS uses a media disposal

contractor to destroy hard drives, magnetic media, disks, CDs and floppy disks identified for destruction.

The disposal containers are picked up by disposal contractors as needed for destruction. This media

destruction process includes passing magnetic tape and hard drives through a machine that degausses the

items and properly breaks down the magnetic field. This process scrambles any data present on the media

and renders the device useless. Computer hard drives and magnetic tape media are physically crushed in

addition to degaussing them. Contractors certify that all sensitive information is destroyed in their

contract and logs are maintained to provide evidence that the degausses step was completed. After the

magnetic media is destroyed, a Certificate of Destruction from the contractor is received and maintained.

CDS will retain and manage the information as defined and required per the Master Agreement or

applicable Participating Addendum.

12 Performance Measures and Reporting 8.12

12.1 Reliability and Uptime

8.12.1

Service availability is 24/ 7/365 with the exception of downtime for maintenance which happens on a

scheduled basis. Standard service availability is committed to be a minimum 99.5 percent as measured on

a monthly basis.

The service is monitored 24/7/365 to ensure availability and that we meet or exceed the 99.5 percent

minimum. Our monitoring capabilities are of the highest quality generating real time alerts on all potential

risks that could result in down time. We have staff available 24/7/365 to address all alerts and minimize

potential for down time.

We have never experienced a system outage that resulted in monthly availability falling below 99.5

percent.

We are able to guarantee 99.9 percent availability with no downtime for maintenance for certain projects.

However, this usually requires solutioning and therefore, pricing per the project requirements. We

strongly recommend the purchasing entity to contact us directly in case there is a requirement of

continuous 99.9 percent availability.

12.2 Standard Uptime Service

8.12.2

Service availability is generally 24/ 7/ 365 with the exception of downtime for scheduled maintenance.

Service availability is committed to be a minimum 99.5 percent as measured on a monthly basis.




Technical Response


7/6/2018

Page 43

12.3 Performance Support Process

8.12.3

The CDS Technology Support Center operates 24/7/365. In addition, a web submission process is used

for customers to submit issues and open tickets. The web submission process is continuously monitored.

You will be trained in the use of the web submission system to register your issues and obtain support.

Once you entered your issue in the system, you can call or email your assigned representative. A CDS

TSC representative is assigned to each customer to track and manage tickets. A team of engineers provide

support to the representative to address severe issues. The support engineer team works with the

representative to ensure expedient service, and to develop and maintain trouble shooting utilities and

programs. Procedures are in place for escalation of issues to other internal teams such as development,

testing and professional services.

12.4 Service Level Agreement Remedies

8.12.4

Our SaaS offering provides you assurance that missing a SLA response time or incident fix time is rare.

We are accountable in the event that this occurs and follow a robust chain of command escalation

procedure. This ensures incident response and fixes are timely. In the unlikely event of missing an SLA,

our remedy includes diagnosing the root cause of the problem and revising our internal processes to

ensure the incident does not occur again.

12.5 Planned Downtime

8.12.5

Scheduled downtime for service maintenance will be documented within the SLA. The standard reserved

maintenance window for non-DocFinity application software is every Sunday from 5:00 p.m. to 10:00

p.m. EST. This includes maintenance for all hardware upgrades and system software and security

patching. The standard reserved maintenance window to update the DocFinity application software is

every Wednesday from 5:00 a.m. to 7:00 a.m. EST.

12.6 Disaster Recovery Remedies

8.12.6

Our SaaS offering provides you assurance that missing a disaster recovery metric is rare. We are

accountable in the event that this occurs and follow a robust chain of command escalation procedure. This

ensures response and fixes are timely.

12.7 Sample Performance Report

8.12.7

DocFinity is a 100 percent browser-based application. The purchasing entity will be able to access the

performance reports within the Dashboards feature of DocFinity over the web any time. DocFinity

Dashboards provide both real-time snapshots and batch statistics on how the business processes are

functioning. Most customers prefer to measure different key performance indicators (KPIs). Therefore,

performance reports are tailored to your specific organization rather than a generic, out of the box default

template. Designing the performance reports are part of the project and addressed during system design.

We have robust performance monitoring and reporting capabilities that can be configured to ensure the

customer receives performance reports that measure their defined KPIs. A sample dashboard is displayed

in Figure 9.




Technical Response


7/6/2018

Page 44

Figure 9. Sample Dashboard

Please refer to Section 20 under “Reporting and Analytical Capabilities” for more details.

12.8 Print Reports Locally

8.12.8

Through system design we can define the reports required per customer specifications and ensure the

system is configured to provide those reports. Through proper configuration, the reports are available for

down load and printing locally by authorized users. Please refer to our response above in Section 12.7 for

more details.

The DocFinity Auditing feature tracks all changes even including view (Display) transactions used to

generate detailed reports. Please refer to Section 20 under “Reporting and Analytical Capabilities” for

additional information about this feature.

12.9 On-demand Deployment Support

8.12.9

Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to allocate

compute resources on an on-demand basis with our offering. We manage and monitor computing

resources and proactively provision server time and network resources when necessary, based on the

needs of the customer. We provide one TB of storage that is proactively managed and monitored. If the

purchasing agency begins to exceed this threshold, we will notify them in advance to plan ahead for the

purchase of additional capacity.

12.10 Scale-up and Scale-down

8.12.10

Our SaaS offering is all encompassing. Though possible, there is no need for the consumer to scale-up or

scale-down compute resources. We manage and monitor computing resources and proactively provision


TB of storage that is proactively managed and monitored. If the purchasing agency begins to exceed this

threshold, we will notify them in advance to plan ahead for the purchase of additional capacity.










Technical Response


7/6/2018

Page 45





the entire year

13 Cloud Security Alliance 8.13

13.1 CSA STAR Self-Assessment

8.13 (a)

CDS completed the CSA STAR Registry Self-Assessment. All information is current and accurate.

13.2 Exhibits 1 and 2 to Attachment B

8.13 (b)

Please refer to our completed Exhibit 1 to Attachment B.

13.3 CSA STAR Attestation, Certification or Assessment

8.13 (c)

CDS completed Exhibit 1 to Attachment B. This self-assessment document best fulfills the requirement

and provides the necessary security disclosure.

13.4 CSA STAR Continuous Monitoring

8.13 (d)

CDS completed Exhibit 1 to Attachment B. This self-assessment document best fulfills the requirement

and provides the necessary security disclosure.

14 Service Provisioning 8.14

14.1 Emergency or Rush Services

8.14.1

Our SaaS offering provides a proactive approach; emergency provisioning it is not necessary for our

solution. Please refer to Section 1.1 under “On-demand Self-Service” and “Rapid Elasticity” for more

details.

14.2 Lead-time for Provisioning

8.14.2

Our SaaS offering provides a proactive approach; provisioning is performed by us in order to achieve and

maintain optimized response times for the end user. Reactively responding to a hardware provisioning

request by the customer is not applicable for our solution. Please refer to Section 1.1 under “On-demand

Self-Service” and “Rapid Elasticity” for more details.

15 Back Up and Disaster Plan 8.15

15.1 Legal Retention Periods and Disposition by Agency

8.15.1

Through our Records Management record retention allows users with the proper feature rights to create

retention policies that specify the useful lifespan of each type of document in an organization. These




Technical Response


7/6/2018

Page 46

retention policies also define how to dispose of the documents when their useful life has been exceeded.

The disposition process for a document that is no longer required can be completely automated, or set to

require the manual approval of a designated user either through Records Management itself or through a

BPM/Workflow process.

When documents are needed for legal action, it may be necessary to place any documents/records relating

to the case on legal hold to prevent those records from being disposed of either manually or as part of the

automated record retention schedule. Legal Case Support helps authorized users find those documents and

related material and flag them so they cannot be purged until they are no longer required for the legal

case. With Legal Case Support, users can also easily export the records for use.

15.2 Inherent Disaster Recovery Risks

8.15.2

The inherent disaster recovery risks are fire, power outage and atmospheric conditions. The CDS solution

is protected by fire detection and suppression systems are air conditioned to maintain appropriate

atmospheric conditions. Personnel and systems monitor and control air temperature and humidity at

appropriate levels. Uninterruptible Power Supply (UPS) units provide backup power in the event of an

electrical failure in the data centers. The data centers have generators to provide backup power in case of

electrical failure.

Contracts are in place with third-party co-location service providers which include provisions to provide

fire suppression systems, air conditioning to maintain appropriate atmospheric conditions, UPS units, and

redundant power supplies. Periodic reviews are conducted of colocation service providers to validate

adherence with security and operational standards.

15.3 Infrastructure to Support Multiple Data Centers

8.15.3

For the CDS Columbia Data Center hosting option, CDS uses SunGard Availability Services to supply

site services, located in Philadelphia, Pennsylvania in case of a disaster. This site is also used for the

annual DRP testing and is contractually available for extended period hot site use. SunGard Availability

Services provides the physical, logical and security controls sufficient to meet CDS’ standards and reduce

security and availability risks associated with an alternate data center site. Our preferred alternate location

is Philadelphia, Pennsylvania, more than 600 miles from Columbia, South Carolina. All data centers

support redundancy, failover capability and the ability to run large scale applications independently in

case one data center is lost.


would apply. All production and backup data will always reside within continental USA.

16 Hosting and Provisioning 8.16

16.1 Cloud Hosting Provisioning Processes

8.16.1

CDS has defined and well-documented processes for provisioning computing power, storage and other

hardware resources in the cloud hosting environment chosen by the customer. Our proposal consists of a

SaaS cloud service model. We are responsible for an end-to-end solution that covers hardware

provisioning to support an online application. In essence, hardware provisioning is performed by CDS in

a proactive fashion in order for us to meet our end-to-end contractual obligations. This includes but is not

limited to the SLAs which cover various parameters like response time. To be more specific, we

proactively provision computing resources and storage space so the customer is unaffected by increased




Technical Response


7/6/2018

Page 47

load to the SaaS application. Therefore, our response to this requirement is, in nature, significantly

different than a Platform as a Service or Infrastructure as a Service provider who provisions hardware

based on a request received from the customer.

16.2 Tools Sets

8.16.2

Deploying New Servers 8.16.2 (1)

For this RFP, our offering is a SaaS based approach to deployment. In our approach we monitor our

systems to know whether to provision additional storage or servers. Therefore, all provisioning,

deployment, monitoring, updates, upgrades and configuration of the servers are performed by us in order

to achieve and maintain optimized response times for the end user. Please refer to Section 1.1 under “On-

demand Self-Service” and “Rapid Elasticity” for more details.

Creating and Storing Server Images 8.16.2 (2)

Each DocFinity SaaS implementation is different in nature; however, we always install an officially

released version of the software during deployment for each customer. Although there may be

commonalities, usually the connectivity requirements and the size of the implementation vary greatly. For

this reason, we may or may not replicate one customer’s environment in a future deployment from a

purely technical perspective.

We never use the configuration files such as document taxonomy, business processes, workflows, eForms

or reports from one customer in another deployment. Configuration files, data and metadata are owned by

the customer and we have no rights or intention to use.

Securing Additional Storage Space 8.16.2 (3)

We proactively monitor our storage resources in a SaaS deployment. We include one TB of starting data

storage space in our SaaS subscription. If the purchasing agency begins to exceed this threshold, we will

notify them in advance to plan ahead for the purchase of additional capacity.

For the CDS Columbia Data Center hosting option, we use various tools like Tivoli Storage Management,

CA Vantage Storage Resource Manager and IBM Hierarchical Storage Management to manage storage.

For the Amazon Web Services hosting option, we use Amazon CloudWatch which monitors Amazon

EBS for disk utilization. Once disk utilization crosses the defined threshold an AWS API will expand the

disk size of the EBS volume that is running out of space.

Monitoring Tools by Authorized Personnel 8.16.2 (4)

With our SaaS DocFinity offer, system administration is performed by authorized personnel in each

jurisdiction. These individuals use the monitoring tools at the application level. Please refer to Section 20

under “Reporting and Analytical Capabilities” for more details.

Some tool sets we use to monitor our systems are Sysview, System Consoles and CONMON. Amazon

Web Services Cloudwatch is used to monitor the system and network. We do not allow anyone outside

our organization to use these tools in a SaaS setting.




Technical Response


7/6/2018

Page 48

17 Pre- and Post-Purchase Trial and Testing Periods 8.17

17.1 Testing and Training Periods Offered

18.17.1

For pre-purchase testing, we will assess the availability of a trial and testing period on a case-by-case

basis. We may choose to provide a pre-purchase trial and testing environment that must be, at all times,

accompanied by a paid or non-paid classroom training session. The pre-purchase testing period, if and

when applicable, is determined by us. Please refer to Section 4.2 (d) under “Training” for a list of our

training programs. Duration of training courses vary by topic.

Please refer to Section 4.2 (d) under “Testing” for more information about post-purchase testing. The

post-purchase testing period has no theoretical limits; we make sure the configured system meets the

customer’s business requirements – all the time.

17.2 Proof of Concept Environment for Evaluation

18.17.2

We are open to discuss this topic for the pre-award of the master contract. We do have the intention to

provide a test and/or proof of concept environment, provided that the evaluators:

Attend a classroom training rigorously with full commitment prior to actually testing and

evaluating the software

Use the environment intensively (full-time) during the period where the test and/or proof of

concept is at their disposal

Immediately reach out to CDS as soon as they have any question, comment or concern during the

period where the test and/or proof of concept is at their disposal

17.3 Training and Support

8.17.3

As described in Sections 18.1 and 18.2, if and when we provide a pre-purchase testing and/or proof of

concept environment, we:

Provide training at no additional cost or at cost, assessed on a case-by-case basis

Always provide support at no additional cost – no exceptions

18 Integration and Customization 8.18

18.1 Integration

8.18.1

DocFinity supports extensive features and an open architecture to integrate with LOB applications and

legacy systems. We offer standards-based interfaces to enable additional integrations. These features, our

open architecture and integration philosophy are explained in detail within Section 20 of the proposal.

18.2 Customization

8.18.2

DocFinity, a complete COTS software product, provides a very high degree of configurability with no

source code modification. DocFinity is simply configured by the user, based on the customer’s unique

needs. However, we always support our customers with professional services comprising of business

analysis, workflow design, process consulting and more. Please refer to Section 20 for detailed




Technical Response


7/6/2018

Page 49

explanations about configurability and user interfaces. Professional services to support a successful

deployment are described within Section 4.2 (d) of our proposal.

19 Marketing Plan 8.19

CDS will consistently communicate the role, purpose, value and customer service the NASPO ValuePoint

Cooperative Purchasing Program provides. These benefits along with our Enterprise Content

Management capabilities will be integrated throughout the following:

Collateral sales sheets

Direct mail and email campaigns

Sales training module

CDS website’s Vertical Markets page

Sales demonstration and presentations

Tradeshows

Within the first 90 days of becoming a NASPO ValuePoint Cooperative Purchasing Program partner, we

will market our partnership and Enterprise Content Management solutions to the target markets (public

schools, colleges and universities, cities, counties and government entities) as follows:

Press Release

We will produce a co-branded NASPO ValuePoint specific press release through our Media Relations

department. The Media Relations department will contact and speak to the appropriate contacts to gather

the information about the business advantage and “why this is news” elements. The press release will be

written and then sent for appropriate approvals. After approvals are received, the press release will be

distributed to NASPO ValuePoint target market media outlets and posted on our website. We will follow-

up with the selected outlets to ensure the press release was received and distributed.

Social Media

CDS uses LinkedIn as our primary social media tool. We use this platform for Business-to-Business and

Business-to-Customer engagement. Social media promotion offers a great opportunity to reach 90 percent

of customers who go online to research business purchases.

Direct Mail and Email Campaigns

Direct Mail - We will develop and distribute direct mail pieces through an ongoing campaign that

announces our NASPO ValuePoint Cooperative Purchasing Program partnership, capabilities and

solution. The message and design of the direct mail pieces will be tailored to each target market within

the award.

Email - In conjunction with our direct mail campaign, we will craft a series of email communications that

will be tailored to each market and sent to targeted contact lists. The email communications will reinforce

the message and point people to a branded page on the CDS website where visitors can learn more

information and be pointed to the NASPO ValuePoint homepage.

Co-branded Collateral Pieces

In addition to the items listed above and below, we will produce a print and digital sales sheet for each

target market. The consistency of the design and content of each target market will be maintained. This

sales sheet will be used for distribution and follow-up to potential customers at tradeshows.




Technical Response


7/6/2018

Page 50

Advertisements in Regional or National Publications

To announce the award of our partnership with the NASPO ValuePoint Cooperative Purchasing Program,

we will research and purchase print and digital advertisement space in regional and national publications.

The message and design of the advertisements will be tailored to the target markets.

Trade Shows

We will consider sponsorship opportunities and other relevant tradeshows to directly access the target

market audience, public procurement experts, suppliers and industry leaders. Our exhibit booth will

include and promote our partnership, solution and capabilities. We will promote our participation with

pre-conference communications and distribute our co-branded collateral.

20 Related Value-Added Services to Cloud Solutions 8.20

We would like to provide detailed information about our ECM/BPM solution in this section. Please refer

to Section 4.2 (d) for details about our professional services.

DocFinity®

DocFinity is a high-powered, COTS product, flexible and ready to be configured as your Document

Management System (DMS) with no programming or source-code modification. This integrated, web-

based solution was built using powerful, cross-platform enterprise server technology that brings

performance to a new level. With its flexibility and ease of configuration, DocFinity can be implemented

by any document intensive LOB.


The flexibility and configurability of DocFinity allows it to serve many purposes

such as:

Document management system

Business process and workflow management system

Enterprise content management system

Case management system

Records management system

Engineering document management system

DocFinity is a next-generation ECM and BPM suite. It offers capabilities beyond traditional document

imaging and database systems to offer increased efficiency, flexibility and scalability. The integrated,

web-based software was built using powerful, cross-platform enterprise server technology. With its

flexibility and ease of customization, DocFinity can be implemented by any information intensive

industry. Figure 10 is a depiction of the functional overview of the DocFinity solution.




Technical Response


7/6/2018

Page 51

Figure 10. DocFinity Functional Overview

DocFinity delivers:

Powerful document management: Efficient and customizable electronic document management

including scanning, importing, uploading, indexing, searching, full-text searching, viewing,

document versioning and markup.

Business process management: Design, execute and monitor business processes that manage the

flow of work, documents and data including integration with other business applications.

A cross-platform suite: Runs on Windows and Linux operating systems. DocFinity supports the

most widely used databases such as Microsoft’s Structured Query Language (SQL) server and

Oracle and client browsers like Internet Explorer, Firefox and Safari.

Enterprise scalability: Equally efficient whether used by a small office, department or large

enterprise. DocFinity supports creating nearly limitless document types and metadata and options

for scaling server, database and repository resources.

Integration capabilities: Uses servlets and web service calls based on the Apache CXF Web

Services Framework for every application function and user action. It publishes the API for client

use. DocFinity can integrate with existing LOB applications and work behind the scenes, while

end users work with familiar applications. DocFinity also offers the Uniform Resource Locator

(URL) API as a zero programming integration alternative.

Simplified installation and administration: Offers one-main installation and an intuitive,

browser-based administration interface.

Intuitive web interface: Users access DocFinity through a browser, using an easy-to-learn

interface featuring customizable workspaces, dynamic feedback and online help.

DOCFINITY CORE MODULE

DocFinity Enterprise Core provides the product suite, a foundation and base system which includes:

Searching: Enables keyword searches for intuitive inquiry of active databases and archives

Indexing: Categorizes information for quick and easy search and retrieval of documents




Technical Response


7/6/2018

Page 52

Viewing: Provides instantaneous, on-screen visibility for single documents or complete files

Administration: Gives the customer complete control over access, task assignment and

monitoring, load balancing and security from a single, intuitive interface

Scanning: Converts paper documents to digital files to ease handling, speed processing and save

space

Import: Includes object, index and email importers that automate importing of virtually any file

type directly into the system or a workflow process including other DMSs

Print Server: Enables the printing of multiple stored documents without having to open them,

reducing network traffic and increasing productivity

Versioning: Tracks changes to documents, files, metadata and markup, preserving the history

and evolution of a document and allowing reversions to previous versions

Office Integration: Integrates DocFinity and Microsoft Office for Word documents to be

imported to DocFinity and to open documents stored in DocFinity in Word

Application Program Interfaces (APIs): Allows all attendant systems, applications and data

sources to interface with DocFinity

Additional details about the functionality outlined above are provided in the subsequent sections.

ADDITIONAL DOCFINITY MODULES

Additional DocFinity modules that complete the solution stack are provided below. These modules are

offered in the SaaS subscription as DocFinity Full Suite at no additional charge. When a customer selects

an on-premise deployment, they are offered as optional, separately priced components:

DocFinity Exporter: Takes user‐defined collections of documents and extracts files and

associated database records that identify those documents. The extracted content, written to the

network folder or CD or DVD drive of choice, can be used to transfer document collections to

third parties and other systems.

DocFinity Connect: Calls documents from the database and integrates DocFinity into the

customer’s LOB applications without programming.

Print to DocFinity: Indexes documents into the DocFinity repository from their native

applications by selecting DocFinity’s PDF Printer. The PDF copy then opens for you to provide

indexing metadata according to a preselected indexing scheme.

BPM Workflow: Standardizes and expedites processes by pushing and pulling data and files

from email, voice mail, faxes and administrative systems to people and systems. You can easily

design and modify robust workflows through the intuitive drag‐and‐drop, point‐and‐click

designer.

Enterprise Search: Queries the repository for text matches in non-text file formats such as PDF,

TIFF, HTML and JPEG. Locates structured and unstructured data in files and other documents

and combines keyword and full‐text searching.

eForms: Lets users design simple and complex electronic forms. It allows forms to automatically

trigger new workflow processes on submission and to be integrated into existing websites, portals

or other systems and software.

DocFinity Hierarchical Storage Management (HSM): Processes requests to retrieve, store and

move data from multiple storage devices. This module has tools for data migration, prefetching




Technical Response


7/6/2018

Page 53

(caching) and automatic purging of outdated, useless documents. It supports a range of media

including magnetic drives, optical drives and jukeboxes. DocFinity HSM can be used for off-site,

live backups and full redundancy of data in separate locations.

Records Management: Creates clear, auditable trails of evidence for every process performed on

records in the system. Groups related documents into record series and provides mechanisms to

automate management in basic retention policies. This includes rules to map records to retention

policies, approval process or record disposal and rendering records in non-editable formats.

Provides advanced retention policies including legal hold.

Dashboard: Offers a clear picture of how the system is working and a business process is

functioning through comprehensive metrics of performance.

ADMINISTRATION

DocFinity is a configurable enterprise suite that makes system configuration and maintenance

straightforward and intuitive. All system setup and configuration are performed in DocFinity

Administration. The interface guides administrators through setup from top to bottom, through

repositories, users, groups, document classification, data setup and BPM. Administrators can manage

multiple instances of DocFinity on different servers from one location in central administration. Figure 11

depicts one easy to use tool available in DocFinity Administration. Administrators can easily import and

export the system settings, importer configurations and business process designs between DocFinity

instances such as from a testing system to a production system. Figure 11shows a sample user

administration panel.

Figure 11. Sample User Administration Panel

USER INTERFACE – MOBILE DEVICES AND CLIENT WORKSTATIONS

DocFinity is 100 percent web based accessible by mobile devices and desktops. The user interface adapts

and scales to the device. No application is required. The user accesses DocFinity through a device

browser, and DocFinity runs in the browser. This provides mobile functionality without the overhead of

downloading an application. Figure 12 denotes a sample mobile input panel.




Technical Response


7/6/2018

Page 54

Figure 12. Sample Mobile Input Panel


DocFinity was built using the latest technology and architecture, resulting in

all business processes defined/configured for the customer being accessed

simply, uniformly and intuitively.

Users needing access to different business processes do not need to learn

different user interfaces because our offering encompasses flexible

configuration of the same system for each process.

There is no need to install, support or maintain any additional software

component on client workstations or mobile devices. This eliminates the day-

to-day issues caused by another piece of software residing on another piece

of hardware.

DOCUMENT MANAGEMENT

The DocFinity suite includes powerful document management capabilities including scanning, uploading,

importing, indexing, versioning, searching and markup to manage the flow and storage of documents and

data. The DMS is customizable. Administrators set up unique categories, document types, metadata and

indexing rules that correspond to your business needs.

Capture

DocFinity enables enterprise-wide setup to automate capture processes and systematize scanning and

indexing while allowing designated users to upload and index documents quickly.

Scanning

Capturing documents as stable electronic media is a crucial step in the ECM process. DocFinity

supports the most common industry scanning standards, TWAIN and Kofax supported scanning.

Through its built in interface, DocFinity allows Windows workstation users to scan from a local

workstation through a simply installed scanning integration component that allows the DocFinity

web application to communicate with a local scanner driver. Windows and MAC workstation




Technical Response


7/6/2018

Page 55

users can bypass DocFinity’s built-in scanning interface and scan in documents using a scanner’s

native interface.

The scanning workspace offers convenient features that allow users to easily work with

documents:

Administrators can create scan profiles that specify scan settings by document type to

ensure consistent scan outcomes

Security can be assigned to scanned batches

Scanned pages in a batch can be reordered

Scanned pages can be combined into documents

Multipage documents can be separated into pages

Pages can be rotated and resized

A batch of documents can be partially indexed on scanning with the category and

document type

Documents can be scanned to an external directory or server for preprocessing or to

accommodate network security


DocFinity minimizes the software to be installed, supported

and maintained on client workstations, which currently

perform scanning.

The end users can continue to use their current scanner’s

native interface.

Scanned pages can be easily and intuitively manipulated at

the user level.

Uploading

A comprehensive ECM system lets users conveniently capture documents for storage in the

DMS. DocFinity allows users with granted rights to upload documents and files to the system

from their own workstations and index them. DocFinity comes with Print to and Send to

capabilities, enabled by the same simply installed integration component that enables scanning.


These upload features enable the users to efficiently and accurately

capture their documents and data at the point of interaction:

Upload and index any document to DocFinity from any

interface users are familiar with.

Print to DocFinity allows users to convert a file to PDF from

any application such as Microsoft Office and index it in

DocFinity.

Send to DocFinity allows users to send a file or an entire

folder in their native format from supported applications such

as Microsoft Office or Windows Desktop and index them in

DocFinity.




Technical Response


7/6/2018

Page 56

Importing

DocFinity features powerful importers to automate the capture of enterprise content: Email

Importer, Object Importer, Index Importer and Computer Output to Laser Disc (COLD) Importer.

An importer monitors a watched directory for incoming files such as index files, email, web

submissions, COLD-Enterprise Report Management reports or output from other business

applications. Importers can be scheduled to run at specific times such as off-peak hours or in

accordance with a business schedule. All importers can be set up with detailed rules to filter what

is imported and to assign indexing based on conditions. Indexing information for imported

documents can be automatically populated by data sources for third party databases or

applications. Imported documents can be sent directly into a business process. Importers feature

options to fine tune the way documents are processed and rendered for optimal performance.

Email Importer: An invaluable tool for capturing the most difficult content to manage.

According to the Association for Information and Image Management (AIIM), “Email is

still out of control, with 55 percent of organizations having little or no confidence that

important emails are recorded, complete and retrievable.” With the increasing pressures

for corporate records management, due to regulatory compliance requirements, email

capture is more important than ever. DocFinity's email Importer is easy to configure,

featuring the abilities to import the email body and attachments, to set up white and black

lists of email addresses to monitor and to construct filters for importing and indexing.

Object Importer: A flexible tool for importing items from a monitored directory. It can

be used for one-time file conversion such as to bring all stored documents into the

DocFinity system. Object Importer can be used for ongoing importing of any type of files

and documents from a watched directory such as web submissions or other LOB

application output.

Index Importer: Similar to Object Importer, Index Importer monitors a watched

directory and can import records from tab-delimited files into DocFinity and index their

data.

COLD Importer and Report Importer: Enables the capture, compression, indexing and

storage of computer-generated reports from legacy systems. These importers work with

other DocFinity report management products like DocFinity Archive that can capture

print streams in American Standard Code for Information Interchange and Extended

Binary Coded Decimal Interchange Code for simple line reports and advanced print

streams like IBM Advanced Function Presentation, Xerox Metacode/Dynamic Job

Descriptor Entry, Postscript/PDF and Point Cloud Library for more detailed and

formatted statements, bills and invoices. Report Importer automatically indexes reports

based on the report metadata associated with the report. COLD Importers import reports

and convert them to PDFs or plain text files according to a user-created script.


In addition to providing the flexibility to import documents and files into

DocFinity, the set of import functions can trigger a business process based

on a document that is created on another system. It is even possible to

trigger a business process in DocFinity based on:

A document or file that is placed on a specific folder

An email message that is sent to a watched email address

An entry, document and file submitted through a web portal or

mobile device




Technical Response


7/6/2018

Page 57

Intelligent Capture

Adding DocFinity Intelligent Capture to your solution eliminates manual indexing and the chance

for human error. As the customers are usually tasked with accomplishing more with fewer

resources, this technology frees up staff for more meaningful work. This means increased

turnaround time, better client services and ensures information accuracy.

DocFinity Intelligent Capture goes beyond traditional zonal and template-based Optical Character

Recognition (OCR) capabilities. The software’s intelligent recognition functionality extracts

information and adapts to changes in individual documents, structured and unstructured, and auto

classifies and auto populates fields associated with the document type. Data matching criteria in

the system triggers workflows and pushes information to other systems. As the document enters

into DocFinity, retention rules are applied to the lifecycle of the document. The room for error

during these steps is drastically reduced and standardization upheld.

Key features include:

Extracts content eliminating or drastically reducing the need for manual entry

Launches workflows and business processes based on extracted data

Offers intelligent recognition with the ability to learn where data is held in specific

documents

Eliminates the need for designing templates or identifying zones

Extracts lengthy detail from line items

Classifies large groups of documents held in a folder or scanned without presorting


DocFinity Intelligent Capture integrates seamlessly with all

DocFinity modules including Records Management, ensuring that

retention plans are applied accordingly. As a result, accurate

information is available immediately to the customer’s employees,

departments and external stakeholders.

Variety of incoming documents such as invoices, forms,

expense statements, vouchers, applications, claims, appeals

and remittance advices to the same mailbox are

immediately imaged and imported without manual

classification. There is no need to:

- Specify a particular P.O. Box number for each

document type or filing

- Manually separate documents that are incoming to

the same P.O. Box number, based on the type, into

different batches prior to scanning

DocFinity Intelligent Capture will:

- Auto-classify the document or group of documents

- Extract metadata buried in the document to auto-

populate indexing fields

- Trigger relevant workflows/business processes,

based on the document type detected and metadata

such as Social Security Number, subscriber-ID,

member-ID and employee-ID automatically




Technical Response


7/6/2018

Page 58

extracted

- Feed data to other systems

Indexing

Electronic documents are only useful to the extent that they can be easily found and retrieved. DocFinity

features a comprehensive indexing component customizable to provide dynamic validation and user

feedback, ensuring that documents are indexed correctly. For example, if an indexer enters a date out of

the permitted range, an onscreen alert notifies them. Indexing can be automated through the importing

and scanning processes and configured with data sources to pull in associated data from third party

applications or databases. Indexing requirements and validation can be uniquely configured per each

document type to meet your business needs. Figure 13 is an example of an indexing screen shown in the

document viewer.

Figure 13. Sample Screenshot of Capture and Indexing


Business transactions and data for processes will be integrated into one

cohesive system under a holistic approach.

Required fields for each process will be cross-checked against others

during the implementation, process design and configuration phase,

while working closely with the customer.

Indexes, metadata and search methodologies are thought and designed

together, eliminating discrepancies, misalignments and inconsistencies

among record types used in different business processes.

A single view of an individual, bringing up all the records of the same

person based on a common index, depending on the security and

feature rights settings of the employee performing the inquiry.

Searching

Retrieving documents is easy, intuitive and secure. DocFinity returns documents to users based on the

document types they have permission to access. Document access is further controlled by specific




Technical Response


7/6/2018

Page 59

metadata values or ranges and by permissions for specific actions such as view, deletes or override

redactions. Administrators can customize searches in these ways:

Searches can be designed based on commonly used categories and document types such as claims

applications. For example, Figure 14 is configured to display a list of employees missing a

specific document on file.

Searches can be designed as customizable forms called template searches to prompt users through

the search process such as for client account information and to drill down through a configured

hierarchical folder structure to browse for documents.

Stored procedures searches offer a way to customize searching against the DocFinity database.

Administrators can store and run reports against the system for business process statistics or user

audits.

Checklist searches lets you manage multiple related documents and track their status in the

system such as whether all required documents for an application, enrollment or claim are

processed. For example, Figure 15 shows that a packing slip is missing; therefore, a payment

process cannot proceed.

Figure 14. Sample Search Panel




Technical Response


7/6/2018

Page 60

Figure 15. Sample Checklist Search Panel


A variety of search options can be set up based on the customer’s business

needs of a certain role.

All search options are defined in the security settings based on roles.

The checklist search allows examiners to visually check or run reports based

on whether required documentation has or has not been submitted to proceed

with a task. For example, an effective checklist search can be defined for

enrollment, finance or accounting clerks to enable them to examine what is

submitted and missing to proceed with the relevant business process.

Full-Text Searching

In addition to standard search functions, DocFinity features a Full-Text Search component, which extends

search capabilities to the full-text content of documents. Enterprise Search is an additional module, which

runs on its own server to maximize indexing and search performance. Administrators specify which

document types in the system should be full-text indexed. Those documents can be processed by the OCR

server and then indexed by Enterprise Search. Users can then search the full text of documents for a name

or key word. Enterprise Search returns all instances of the term, highlighted. The ability to locate

structured and unstructured data contained in PDFs, TIFF files and other documents streamlines

efficiency and improves processing turnaround. Full-Text Searching improves access to unindexed data,

reducing indexing overhead. In addition, Full-Text Searching dramatically improves the capacity to

respond to e-discovery requests. By enabling searching directly into document contents, DocFinity takes

access to document information to a new level.


If the text in question is not indexed as a metadata item, it is still possible to

perform a search. This is helpful for customer service clerks and agents to pull

up information when the stakeholder can only provide limited information.

Even if the documents subject to search have not originally been recognized

through the OCR process, it is still possible to search for their content later.




Technical Response


7/6/2018

Page 61

Document Viewing, Annotation, Markup and Redaction

Document images need to be viewable in a variety of formats to meet your varied business uses. With

enterprise scale scanning and indexing, documents must load and be viewable quickly, so thumbnails and

document previews are available. Documents, such as Microsoft Office files, can be viewed as PDFs to

enable cross-platform compatibility. Documents, images and other items, such as audio and video files,

feature the option to open in the file's native application. Users can view document images using a full-

featured image editor with the ability to perform annotations and markup such as highlighting, footnotes

and redactions. Figure 16 below depicts the annotation feature. Users can also use standard stamps, such

as Approved or Rejected and custom stamps, as done in paper-based work. Once the redaction or

annotation is completed, the document is saved in the system. Although the original document is never

modified, the security settings can be adjusted to allow certain users to view or print only the

annotated/redacted version. Permission to view documents is restricted or granted based on the security

settings applied to each document type.

Figure 16. Sample Document View with Annotation


Viewing and redaction features eliminate cumbersome and time-consuming manual

processes.

For example, instead of going through a multi-step process involving:

Accessing scanned documents containing sensitive data like payments

Searching for specific items from several hundred entries and printing certain

document pages

Redacting portions of the paper copies

Scanning documents and placing them on a shared drive




Technical Response


7/6/2018

Page 62

An employee can:

Search, retrieve and view the document

Redact the document with standard and custom stamps directly on the screen,

using enhanced features as done in paper-based work while not modifying the

original document

Save the redacted version into DocFinity, allowing certain users to see the

redacted-version only, based on role-based security settings

Document Versioning and Editing

DocFinity offers robust support for document versioning in which all iterations of a document are

retained. Accurate version records of documents are crucial to business cases when past versions need to

be retained and accessible such as changes to contracts and insurance policies. Versioning tracks any

changes to an electronic document and its metadata including markup and redactions. Versioning can be

applied to individual document types and security measures extend fine-grained control over who can

create, view and go back to past document versions. Users with permission can check out a document for

editing or revision, and administrators can review and manage documents that users’ access to edit. All

changes to a document and its metadata are tracked by user and date. Authorized users can revert

documents to a prior version. DocFinity accurately manages business documents that evolve over time.

Document History

Accountability for actions involving documents and data is a crucial component of a document

management. DocFinity conveniently puts a documents history at your disposal. Authorized users can

access an entire document's history record including when it was acquired and indexed and each time it

was viewed, annotated, versioned, output or reindexed.

Hierarchical Storage Management

DocFinity HSM allows administrators to automate the lifespan of documents. With HSM, administrators

set up rules to process documents based on a schedule such as moving documents to an archive or backup

storage, sending documents into a business process or purging documents completely from the repository

or database. HSM allows managers to customize the retention and destruction of documents and data

according to regulatory guidelines. Automating document storage, backup and destruction will help

optimize repository and database resources such as movement of records from expensive, fast storage to

more cost-effective, long-term storage options. Plug-ins can be created to add any type of scheduled batch

functionality needed.

Printing and Faxing

DocFinity enables enterprise-scale printing and faxing so these operations can be handled in the ECM

system. Users can conveniently print documents while indexing, searching or working a business process,

and documents are sent to the print/fax queue to be managed, enabling high-volume printing. As with all

DocFinity documents, user printing and faxing access is controlled by feature rights and security, only

users with the appropriate permissions can output documents.

EFORMS

The DocFinity eForms module enables capturing data in simply created, structured forms customizable in

design and behavior. Forms are created by administrators in the Form Designer, which features an

intuitive interface with drag-and-drop functionality for adding form components to the canvas. Forms can

be designed to display dynamically depending on the data entered and can feature multiple steps to be

completed by different users or depending on different conditions. Forms can execute a variety of actions

on submission from sending dynamic email messages, generating PDF form versions, storing data and

starting a business process.




Technical Response


7/6/2018

Page 63

Users can complete forms in DocFinity and receive and complete forms through a business process job.

DocFinity forms and data can be indexed, searched and retrieved like other documents and forms can be

assigned and monitored in DocFinity Administration, as shown in Figure 17.

Figure 17. Sample eForm Design

DocFinity eForms offer options that enable integration. Forms can be linked to external data sources to

automatically populate with existing data. On submission, forms can trigger running a stored procedure or

sending data to an external database. Users external to DocFinity can access and complete forms using the

DocFinity interface. External access to eForms offers a powerful way to integrate with public-facing web

pages and applications to capture data and enables self-service by users.


Enables users to submit and track information such as reports, requests and

orders. The submittal might, but does not have to be complemented by

supporting documentation.

eForms can trigger a business process on the entity that receives submitted

information, with or without supporting documentation.

Information on an eForm can be converted to PDF for viewing and printing,

appearing similar to what the users are used to seeing.

BUSINESS PROCESS MANAGEMENT

DocFinity’s BPM is fully integrated with the ECM system to manage the flow of documents, data and

work. According to a recent AIIM business survey, 49 percent of respondents agreed that "Finding the

information I need to do my job is difficult and time consuming." DocFinity BPM solves the information

gap by automatically delivering documents and information directly to the people who need them.




Technical Response


7/6/2018

Page 64

Process Designer

DocFinity BPM expands workflow capabilities to include a full-featured, web-based Process Designer

with the capability to document and model business processes. Business process analysts gather

information about processes, designing at a high level how those processes work with a diagram that

speaks to managers, decision-makers and technical administrators. The Process Designer lets the diagram

be configured into an executable model, regardless of whether or not it is related to documents. The

Process Designer offers zero programming requirements and convenient features like an intuitive

interface, annotations, drag-and-drop functionality and libraries to save configured process components

for reuse. A sample view is provided in Figure 18.

Figure 18. Process Designer Panel

Business process models can incorporate these technical features:

Assign user tasks and monitor completion

Enforce deadlines and processing times

Create customized forms, prompts and instructions for workers

Determine routing and tasks based on conditions and data

Configure distribution based on users' group memberships, roles, workload, attendance and other

rules

Schedule job distribution around business hours, business holidays, shifts and attendance

Integrate with third party applications automatically during a process by running executables,

URLs and web services or by populating data from external databases or applications

Run database stored procedures to access stored and automated business transactions

Generate and send emails containing dynamic information to workers, managers and clients

Automate document indexing

Versioning for process models that are saved, activated and modified




Technical Response


7/6/2018

Page 65

Job Assignments

DocFinity business processes are web based. Users access their business process job assignments,

complete with task lists and user instructions, in the DocFinity interface. Users check out and work on

jobs, viewing documents and data, and when they are complete, the business process executes to the next

step. Business processes can integrate with other document management features for indexing, searching,

viewing, annotating, printing and emailing documents. Business processes can start automatically when

documents are imported or indexed into the system. A sample Workflow Job panel configured for

payment processing is shown in Figure 19.

Figure 19. Sample Workflow Job Panel

Monitoring

DocFinity BPM provides robust monitoring tools for tracking business processes as they are running, for

administrators to view and adjust process instances in progress. Monitoring issues warnings for process

errors and tracks which business processes are active, how many instances of a process are running, what

stage of execution has been reached and what documents and variables are handled by a process.

DOCFINITY SOFTWARE APPLICATION BASED SECURITY

Securing data is a crucial aspect of regulatory compliance as mandated by laws like HIPAA, FERPA and

Sarbanes-Oxley. Guaranteeing audit trails over who has access to documents and data is an important

component of corporate accountability. DocFinity offers a number of security features to control who sees

and modifies documents and data.












Technical Response


7/6/2018

Page 66






In addition to these security features, DocFinity BPM’s ability to streamline and automate business

processes allows the customer to increase control over access to documents and data.

DocFinity audits all changes involving documents, data and user activities including system

administration actions. Audit records confirm the validity of audit trails. Aided by a detailed audit guide,

administrators create customized audit reports from the database.

In addition to the security in the application, DocFinity can be run on HTTPS to provide encryption and

secure communication for sensitive data.

RECORDS MANAGEMENT

The DocFinity Records Management module allows the customer to comply with internal record

retention policies and government regulations and ensures records needed for legal cases are not disposed

of prematurely. Representative views of this module are shown in Figure 20 and Figure 21.

Figure 20. Records Management (Records Panel)




Technical Response


7/6/2018

Page 67

Figure 21. Records Management (File Plan Panel)

Records Management automates retention based on your policies. Custodians approve record disposal,

and legal hold allows e-discovery compliance. Clear, auditable trails reveal who touched what and when

and rendering records in noneditable formats keep sensitive information safe.

The Records Management module is integrated with the core engine. It provides full-featured Records

Management functionality including:

Automated record classifications

Configurable retention scheduling

e-discovery compliance

Record disposition through custodian approval (requires Workflow)

Automated record disposition without custodian approval

Legal hold configuration options

DocFinity Records Management creates clear, auditable trails of evidence for every process performed on

every record in the system. It groups related documents into record series and provides mechanisms to

automate the management of document lifecycles.

Records Management has four major components:

Record Retention: Every document has a useful lifespan. After which, the document becomes a

liability. Record Retention lets users create retention policies that specify the useful lifespan of

each document type. These retention policies define how to dispose of documents when their

useful life has exceeded. The disposition process for a document no longer required can be

automated or set to require approval of a designated user, called a custodian, through Records

Management or a BPM process.

File Planning: Lets you create and enforce your over-arching plan for records management of the

records stored in DocFinity.

Record Search: Lets users search beyond the current version of each document into all document

versions and the history data that makes up the record account. This allows a custodian to find

every instance of any record, even obsolete versions, when putting records on hold due to a

lawsuit or other legal matter.




Technical Response


7/6/2018

Page 68

Legal Case Support: When documents are needed for a lawsuit or other legal action, documents

and records relating to the case can be put on Legal Hold to prevent them from being disposed of

either manually or as part of an automated record retention schedule. Legal Case Support helps

users find those documents and any other related materials and flags them so they are not purged

until they are not required. With Legal Case Support, users can easily export records for use in

the case.


Provides the customer with the tools and controls for classifying, archiving,

preserving and destroying records.

Records management facilitates the efficient and economical control of

records and information created, received, used and kept.

Provides the controls and automation required to manage large record

volumes from creation to transfer to archives for permanent retention or other

final disposition DocFinity Records Management.

REPORTING AND ANALYTICAL CAPABILITIES

The architecture and technologies behind DocFinity allow the application suite to be flexible and scalable

to suit your business needs. Open database structure is published for custom reporting and programming.

The following information provides additional details on DocFinity’s reporting tools and features.

Dashboards

DocFinity Dashboards is an integrated, out-of-box design and reporting tool that visually provides

reports, charts and graphs with no programming required. Third party reporting tools can leverage

DocFinity's API and direct database connection. All of the information about documents, auditing, system

state, workflow and more can be accessed for reporting. Combining meaningful reports using DocFinity

and third party data and is a key benefit of Dashboards.

The Dashboards module provides system usage and workflow statistics in a graphical presentation. You

can design and view all types of charts to display information about your DocFinity instance, the

documents within, BPM data and any data you have access to through a data source. Because you can use

Dashboards to monitor any data accessible through a data source, including data outside of DocFinity,

dashboards can serve as your view into your entire organization.

With Dashboards you can visually see how your business is running, enabling you to proactively avoid

bottlenecks and productivity losses. With real-time monitoring capabilities, Dashboards lets you see

where workloads are light or overloaded. It also monitors importers and your servers and repositories. It

can be used to gain insight into other business systems. An example of a DocFinity dashboard is depicted

in Figure 22.




Technical Response


7/6/2018

Page 69

Figure 22. Sample Dashboard

We simplified the development of dashboards so business users can focus on presentation without SQL

knowledge. For example you can:

See how systems and repositories are keeping up with your processes: Performance issues

can be tied to bogged-down systems, over-used importers, over-worked servers and full

repositories. Dashboards show you how these elements are functioning to be proactive about

future needs or to make simple changes to expedite processes.

Identify bottlenecks within your processes in real time: Dashboards gives you a here-and-now

view of what is being accomplished. You can compare today’s activities with those of the past

month. You will identify when productivity is slow or efficient, see the reason and know where to

modify your processes based on this information.

Drill down into charts and graphs for further details: Whether you are monitoring DocFinity

or another system, you can drill down into charts and graphs to view details like individual staff

productivity or the time of day your importer experiences issues. You can even drill down to a

URL, allowing you to view a specific document or launch the job queue in question. These details

help your staff to identify and address concerns.

Custom Reporting

DocFinity Dashboards provides configurable reporting of the system. In addition, the database is fully

documented with a data dictionary. With that knowledge, you can use a third party reporting tool against

the database such as Crystal Reports for your reporting requirements.

Auditing

DocFinity audits all document and data changes and user activities including system administration

actions. Audit records confirm the validity of audit trails. Aided by a detailed audit guide, administrators

can create customized audit reports from the database according to your needs. Sample screen shots of the

Document Activities and Search Documents panels are shown in Figure 23 and Figure 24.




Technical Response


7/6/2018

Page 70

Figure 23. Auditing (Document Activities Panel)

Figure 24. Auditing (Search Documents Panel)

SYSTEM INTEGRATION AND INTEROPERABILITY CAPABILITIES

DocFinity integrates with LOB applications and legacy systems. It supports integration by using service-

oriented architecture, a standardized but flexible system design, leveraging web services and servlets to

create loosely coupled and interoperable services. With the proper integration, DocFinity disappears

behind the scenes, operating as the ECM and BPM engine that processes documents and data.




Technical Response


7/6/2018

Page 71

Members may have a unique combination of software, LOB applications, databases and communication

technologies, a successful ECM solution must be flexible to integrate with a broad range of existing

applications and data. Integration is one of DocFinity's strengths, enabled by these capabilities:

Obtain external data: To capture data and minimize processing, DocFinity offers many ways to

obtain existing, externally stored information. Importers, indexing, electronic forms and business

processes can be configured to connect with external databases or applications and to obtain

indexing data automatically, minimizing staff time and ensuring accuracy.

Search linked data: User searches can link to external data sources to return information not

stored in DocFinity, helping the customer reduce data duplication and storage space. Search

results can display dynamic and up-to-date external data alongside DocFinity data in the same

search interface.

DocFinity URL API: The URL API offers an out of the box tool for integrating DocFinity with

other applications. Using simply written URL queries, another application can link directly to a

DocFinity document or function.

Web Services API: DocFinity's architecture is web-services based, and the complete public API

is published for the customer to use. With customized integration, users can work in familiar

applications while DocFinity operates behind the scenes. DocFinity disappears into the

background, with operations tightly tied to another product's interface through web services, yet

continues to function as the ECM engine handling documents and data.

BPM integration: The business processes routing documents, data and tasks to workers offer

many options for setting up integration with other business data and applications such as:

- Start business processes that are triggered automatically by external events or

applications such as by importing, email or web services.

- Web service tasks can connect a business process to an external or DocFinity web

service and enable dynamically communicating data and executing operations.

- Run executable tasks automatically start and send data to another application on the

server or a user's workstation from within a business process.

- SQL data sources enable communication with an external database during a business

process.

- Run stored procedure tasks automatically runs business transactions on a database.

- Run URL tasks let a user or server connect to a URL to access documents, data or web

services.

Integrate with users' daily document tasks: DocFinity makes handling documents easier for

users with Office Integration. Users can access DocFinity directly in Microsoft Word to

download documents and upload and index documents. Users can also send and index documents

directly from an open application or file directory using Print to DocFinity and Send to

DocFinity. Integrating with familiar tools means users can manage DocFinity documents in their

normal work stream.

Managing users and security: Users can be handled using existing systems and security.

Synchronizing with a Lightweight Directory Protocol server such as Microsoft's Active

Directory. This means existing user accounts can be tied to DocFinity and updated without

administrator overhead. Kerberos authentication and trusted authentication, using a single sign-on

server, can also be used to leverage existing resources, avoid redundancies and speed user access.




Technical Response


7/6/2018

Page 72

Zero-programming integration: DocFinity Connect is an integration tool that lets users scrape

data from another application using a configurable Hot Key. Information can be sent to DocFinity

or the URL API with a keystroke.

Custom integration: Indexing is another integration component that implements a standard

plugin framework customizable for a wide range of indexing scenarios such as for specific

security or communication protocols. Our experienced Professional Services department is

available to develop custom integration programming for the customer’s unique environments.


Our professional services experts work with the customer in refining existing

processes to take advantage of the technology towards effectiveness. This work may

include a complete rewrite of certain processes for example:

Replacement of email with clearly defined workflows.

Potential elimination of spreadsheets and manual entries.

Elimination of manual scanning.

Replacement of manual entries by automatically sending data to or receiving

data from legacy systems.

Automatic generation of periodic reports.

Should the customer need to retain existing spreadsheets and email

messages; for example, to remind users about an upcoming task or as

backup, DocFinity helps by interfacing these applications. It can

automatically create or update a record on or read a record from them. If the

customer sees any benefit to integrate legacy systems including email and

spreadsheets to DocFinity instead of eliminating them, this will still result in

significantly improved accuracy and effectiveness.

PUBLIC ACCESS TO RECORDS

DocFinity is a 100 percent browser-based product, developed in HTML5. Therefore, the functionality of

being accessed over the web by authorized users already exists and is provided out-of-the box.

Under development and scheduled for release late third quarter of 2018, is a new module which expands

our sharing capabilities to include more portal like features that can serve as a public gateway but will

also provide workflow tasking, documents, forms and integrations with other systems. The Public

Gateway/Portal will provide external access to users not registered in your system, the Gateway/Portal

Server will be capable of living outside of your firewall, and the Gateway/Portal will support multi-factor

verification.

21 Supporting Infrastructure 8.22

21.1 Infrastructure Required

8.22.1

In our SaaS deployment model, the purchasing entity provides only the following to support our solutions

and deployment models:

Personal computers

Mobile devices

Scanners




Technical Response


7/6/2018

Page 73

Printers

Compatible web browser

Internet connection

21.2 Installation

8.22.2

In a SaaS based deployment, we will make sure the customer always uses officially supported

infrastructure including network and computing hardware.

If new infrastructure (server processing power, server memory, network equipment on the server

side, network bandwidth on the server side) is needed to support the SaaS environment, then we

are responsible for the installation and we will incur those costs.

If new infrastructure (hard disk, tape, etc.) is needed to support the growth of data beyond the

contract limitations, then we are responsible for the installation and the customer will incur those

costs at the rates specified in our price schedule.




Technical Response


7/6/2018

Page 74

Appendix A – Sample Project Timeline and Project Plan




Technical Response


7/6/2018

Page 75




Technical Response


7/6/2018

Page 76




Technical Response


7/6/2018

Page 77




Technical Response


7/6/2018

Page 78




Technical Response


7/6/2018

Page 79




Technical Response


7/6/2018

Page 80




Technical Response


7/6/2018

Page 81




Technical Response


7/6/2018

Page 82




Technical Response


7/6/2018

Page 83




Technical Response


7/6/2018

Page 84




Technical Response


7/6/2018

Page 85




Technical Response


7/6/2018

Page 86




Technical Response


7/6/2018

Page 87




Technical Response


7/6/2018

Page 88




Technical Response


7/6/2018

Page 89




Technical Response


7/6/2018

Page 90




Technical Response


7/6/2018

Page 91



Request for Proposal SK18008

NASPO ValuePoint Master Agreement for Cloud Solutions

Attachment F ‐ Cost Proposal Form | Software (SaaS)

Cloud Service Model: Software as a Service (SaaS)Vendor Name:

Instructions

4. When proposing your minimum discount % off, do not provide a percentage range . Provide single values.

Minimum Discount % Off

Section 1SaaS Minimum Discount % *

(applies to all OEM's offered within this SaaS

model 0.50%

Section 2

Average SaaS OEM Discount Off* ‐

OR Individual OEM Discount (if different)

1. Notice, this spreadsheet is divided into multiple tabs below. Offeror must complete all gray shaded fields within this Attachment F.

If a gray field does not apply to your solution, enter N/A.

*The Offeror with the highest proposed minimum discount % (or Average disocunt off) for the given service category (SaaS, IaaS, or

PaaS) will receive 100% of the cost points possible for that service category. All other Offerors will receive a percentage of the cost

points possible based on the percentage by which their proposed discount % is lower than the highest discount % in the given

category. The formula to compute cost points is: (Maximum Proposed % / Proposed Price) * Total Cost Points Available.

Attachment F ‐ Cost Proposal FormSolicitation #: SK18008

NASPO ValuePoint Cloud Solutions RFP


7. In a separate document, provide a detailed product offering for each service model with the Minimum Discount % reflected

therein. Title this document "Solicitation # ‐ Vendor Name ‐ Detailed Product Offering". Offeror's proposed Minimum Discount % for

a given Cloud Service Model, must be reflected within NVP Price of Offeror's offered catalog.

6. Minimum Discount % provided herein shall apply to all products offered/referenced in detail listings for the given service model of

SaaS, IaaS, PaaS, or Value Added Services.

3. Offeror shall provide a Minimum Discount % for each service model (SaaS, IaaS, or PaaS) it is seeking an award in. A vendor will be

deemed non‐responsive for any service model it does not provide a Minimum Discount % of at least greater than 0%.

2. The cost for the SaaS, IaaS, and PaaS service categories will be evaluated and scored independent of each other.

5. Complete only Section 1 or Section 2 below, not both. Any deviation from this format may result in disqualification of

your proposal.

N/A

© 2018 copyright of Companion Data Services, LLC.

All rights reserved.

Attachment F ‐ Cost Schedule

Software (SaaS)

July 6, 2018

Page 1 of 4





Attachment F ‐ Cost Proposal Form | Infrastructure (IaaS)

Cloud Service Model: Infrstructure as a Services (IaaS)Vendor Name:

Instructions

4. When proposing your minimum discount % off, do not provide a percentage range. Provide single values.


Section 1IaaS Minimum Discount % *

(applies to all OEM's offered within this IaaS

model)N/A

Section 2

Average IaaS OEM Discount Off* ‐

6. Minimum Discount % provided herein shall apply to all products offered/referenced in detail listings for the given service model

of SaaS, IaaS, PaaS, or Value Added Services.


therein. Title this document "Solicitation # ‐ Vendor Name ‐ Detailed Product Offering". Offeror's proposed Minimum Discount %

for a given Cloud Service Model, must be reflected within NVP Price of Offeror's offered catalog.


*The Offeror with the highest proposed minimum discount % (or Average disocunt off) for the given service category (SaaS, IaaS,

or PaaS) will receive 100% of the cost points possible for that service category. All other Offerors will receive a percentage of the

cost points possible based on the percentage by which their proposed discount % is lower than the highest discount % in the given




1. Notice, this spreadsheet is divided into multiple tabs below. Offeror must complete all gray shaded fields within this Attachment

F. If a gray field does not apply to your solution, enter N/A.


3. Offeror shall provide a Minimum Discount % for each service model (SaaS, IaaS, or PaaS) it is seeking an award in. A vendor will

be deemed non‐responsive for any service model it does not provide a Minimum Discount % of at least greater than 0%.

5. Complete only Section 1 or Section 2 below, not both. Any deviation from this format may result in disqualification

of your proposal.

N/A




Infrastructure (IaaS)

July 6, 2018

Page 2 of 4





Attachment F ‐ Cost Proposal Form | Plantform (PaaS)

Cloud Service Model: Platform as a Service (PaaS)Vendor Name:

Instructions

4. When proposing your minimum discount % off, do not provide a percentage range. Provide single values.


Section 1PaaS Minimum Discount % *

(applies to all OEM's offered within this

PaaS model)N/A

Section 2

Average PaaS OEM Discount Off* ‐

6. Minimum Discount % provided herein shall apply to all products offered/referenced in detail listings for the given service model of

SaaS, IaaS, PaaS, or Value Added Services.


therein. Title this document "Solicitation # ‐ Vendor Name ‐ Detailed Product Offering". Offeror's proposed Minimum Discount % for a

given Cloud Service Model, must be reflected within NVP Price of Offeror's offered catalog.


*The Offeror with the highest proposed minimum discount % (or Average disocunt off) for the given service category (SaaS, IaaS, or

PaaS) will receive 100% of the cost points possible for that service category. All other Offerors will receive a percentage of the cost

points possible based on the percentage by which their proposed discount % is lower than the highest discount % in the given




1. Notice, this spreadsheet is divided into multiple tabs below. Offeror must complete all gray shaded fields within this Attachment F.

If a gray field does not apply to your solution, enter N/A.


3. Offeror shall provide a Minimum Discount % for each service model (SaaS, IaaS, or PaaS) it is seeking an award in. A vendor will be

deemed non‐responsive for any service model it does not provide a Minimum Discount % of at least greater than 0%.

5. Complete only Section 1 or Section 2 below, not both. Any deviation from this format may result in disqualification of

your proposal.

N/A




Plantform (PaaS)

July 6, 2018

Page 3 of 4





Attachment F ‐ Cost Proposal Form | Value Added Services

Additional Value Added ServicesVendor Name:

Instructions

Additional Value Added Services ‐0.5% 0.25%

Item Description NVP Price Catalog Price NVP Price Catalog Price

Maintenance Services ‐ (SaaS) (N/A ‐ Included in rates)


Deployment Services 142.69$ 143.05$ 142.69$ 143.05$

Integration Services) 142.69$ 143.05$ 142.69$ 143.05$

Consulting/Advisory Services 142.69$ 143.05$ 142.69$ 143.05$

Architectural Design Services 142.69$ 143.05$ 142.69$ 143.05$

Statement of Work Services 142.69$ 143.05$ 142.69$ 143.05$

Partner Services N/A

Training Deployment Services

DocFinity 101/Core Training 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$

DocFinity BPM Core Training DCPT‐2 7,481.16$ 7,500.00$ 7,481.16$ 7,500.00$

DocFinity BPM Concepts for Manag 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

DocFinity COLD Training 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$

DocFinity API 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

DocFinity eForms 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$

DocFinity Records Management 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

SQL 101 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

DocFinity Dashboards 2,992.46$ 3,000.00$ 2,992.46$ 3,000.00$

DocFinity Intelligent Capture 4,488.69$ 4,500.00$ 4,488.69$ 4,500.00$

DocFinity Enterprise Search 1,496.23$ 1,500.00$ 1,496.23$ 1,500.00$

NVP Price Catalog Price

OCR

Enterprise Search 5,735.55$ 5,750.00$

Intelligence Capture

360,000 Pages per Year 27,568.51$ 27,637.95$

480,000 Pages per Year 32,791.11$ 32,873.71$

720,000 Pages per Year 41,438.38$ 41,542.75$

960,000 Pages per Year 50,085.64$ 50,211.80$

1,200,000 Pages per Year 56,078.80$ 56,220.05$

2,000,000 Pages per Year 86,609.63$ 86,827.79$

2,400,000 Pages per Year 91,609.64$ 91,840.39$

3,000,000 Pages per Year 114,503.48$ 114,791.90$

Barcode Recognition

50,000 Pages per Year 2,500.00$ 2,506.30$

100,000 Pages per Year 4,914.39$ 4,926.76$

200,000 Pages per Year 9,452.06$ 9,475.87$

400,000 Pages per Year 17,773.98$ 17,818.75$

800,000 Pages per Year 32,363.03$ 32,444.55$

1,000,000 Pages per Year 40,462.35$ 40,564.27$

Digital Price 0.9975$ 1.00$




Deliverable Rates

Onsite Hourly Rate Remote Hourly Rate

1. Offeror must complete all gray shaded fields within this Attachment F. If a gray field does not apply to your

solution, enter N/A.

2. Pricing provided within this Value Added Services tab is for reference only, and will be used by Purchasing Entities

in making a best value selection. Costs provided below will not be factored into the Master Agreement cost

evaluation.




Value Added Services

July 6, 2018

Page 4 of 4



Request for Proposal Number SK18008 National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions Attachment F Pricing Narrative July 6, 2018








Attachment F Pricing Narrative


7/6/2018

Page i

Table of Contents

Attachment F Cost Proposal ...................................................................................................................... 1

Introduction ................................................................................................................................................. 1

DocFinity Product Pricing Principles ....................................................................................................... 1

Licensing Option for NASPO Members – SaaS ....................................................................................... 1

DocFinity SaaS Concurrent User Licensing – Hosting Dependent ........................................................ 3

Concurrent User Licensing – Private Cloud (Columbia Hosting) ................................................ 3

Concurrent User Licensing – Private Cloud (AWS Hosting) ........................................................ 3

Data Storage – Hosting Dependent............................................................................................................ 4

DocFinity Optional Features – Hosting Dependent ................................................................................. 4

Optional Features (Columbia Hosting) ........................................................................................... 4

Optional Features (AWS Hosting) ................................................................................................... 5

DocFinity Optional Features – Hosting Independent .............................................................................. 5

DocFinity Training – Hosting Independent .............................................................................................. 6

DocFinity Professional Services – Hosting Independent ......................................................................... 6

Exhibit A ...................................................................................................................................................... 8






7/6/2018

Page ii

List of Figures

Figure 1. SaaS Deployment Summary .......................................................................................................... 3

Figure 2. SaaS Private Cloud Subscription Rates (Columbia Hosting) ........................................................ 3

Figure 3. SaaS Private Cloud Subscription Rates (AWS Hosting) ............................................................... 4

Figure 4. SaaS Private Cloud Additional Storage Rates (Columbia Hosting) .............................................. 4

Figure 5. SaaS Private Cloud Additional Storage Rates (AWS Hosting) ..................................................... 4

Figure 6. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition

Rates (Columbia Hosting) ............................................................................................................................. 5

Figure 7. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition

Rates (AWS Hosting) ................................................................................................................................... 5

Figure 8. Electronic Signature Prices ............................................................................................................ 6

Figure 9. Training Module Pricing ............................................................................................................... 6

Figure 10. Professional Services Rate ........................................................................................................... 7






7/6/2018

Page 1

Attachment F Cost Proposal

3.10, 3.12, 9

Introduction

Companion Data Services, LLC (CDS) is offering two distinct hosting options to meet the diverse needs

of the participating entities:

Software as a Service (SaaS) – Private Cloud, hosted in CDS government data center located in

Columbia, South Carolina, USA (Columbia Hosting)

Software as a Service (SaaS) – Private Cloud, hosted in an Amazon Web Services (AWS)

government-rated data centers located in the United States (AWS Hosting)

Our proposed pricing is simple yet comprehensive in nature. List pricing is provided, but CDS

recommends that participating entities work directly with our team of experts to define their own

requirements to structure the most effective program.

DocFinity Product Pricing Principles

We offer a no-surprise product pricing:

The SaaS subscription fees include access to DocFinity Full Suite which consists of the DocFinity

Core module and all Add-On modules

There are no additional fees for the number of scanners, scanning workstations or scanning users

accessing DocFinity

There are no additional fees for administrative users, power users or users with update capability

Optional features, available at additional costs, are identified and unit costs included in the

proposed price list

Licensing Option for NASPO Members – SaaS

SaaS is the recommended option for member entities that prefer zero capital expenditure, zero

maintenance costs and lower personnel expenses with sophisticated needs to use the full DocFinity suite.

All server-level hardware and software as well as maintenance and system security are provided by CDS

and included in our simple SaaS subscription pricing. For details of our SaaS offering, please refer to the

CDS Technical Response document.

CDS proposes tiered pricing for its SaaS offering. Pricing tiers reflect significant volume discounts based

on increased numbers of licensed users. These rates are proposed as Firm Fixed Price for the entire

duration of the master contract with NASPO. Additional user subscriptions can be purchased at rates

included in the tiered-pricing structure in the price list below.

SaaS Pricing Assumptions and Methodologies

SaaS user pricing is calculated as described in the sample calculation below (based on 30 concurrent users

per month in the private cloud, hosted in AWS):

Number of concurrent users : 30 Tier 1 monthly rate per concurrent user per month : $266.90 Extended price for 30 concurrent user licenses for one year : $96,084.00

Concurrent User Philosophy

We license DocFinity on a monthly per concurrent user basis, instead of an individual named user basis.

While DocFinity allows for individual user names, security and authentication, not all users may need






7/6/2018

Page 2

access to the system at the same time. In essence, we provide unlimited number of named users at the

concurrency level procured.

Each customer’s usage will be different based on how the system is used, but historically we have found

that a ratio of about one concurrent user to four named users is often experienced by our customers.

Depending on the access required and the extent of their individual duties, some staff may require full

time access to the system and others may require less frequent use. For those cases, customers can reserve

a license pool which guarantees access to certain users or group of users with critical roles.

This methodology ensures that entities pay only for the expected maximum number of active users in the

system at a given time and enjoy the convenience of not having to deal with named user licenses each

time a new employee joins the organization.

Flexible Pricing Philosophy

The number of concurrent users can easily scale up over time as you further deploy and use our DocFinity

system. Individual entities also have the flexibility of adjusting the number of licenses each month to

accommodate seasonality. This way, entities pay only for the contracted licenses and therefore, decrease

the number of licenses during seasonal periods in which they expect less usage.

Volume Discount Schedule

Our offering provides significant price reductions for an increased number of licensed users. As seen on

our proposed pricing tables, the price per concurrent user decreases by close to 60 percent as you increase

the number of concurrent user licenses to 500. The reduction percentage grows significantly as the

number of concurrent users’ increases.

Billing

Monthly billings are based on the number of licensed concurrent users per month for the desired period.

All Inclusive Pricing

Monthly SaaS subscription pricing is comprehensive and includes the following:

All server-level hardware and software infrastructure to support the comprehensive, out-of-the-

box functionality of the DocFinity Full Suite, consisting of the Core Module and all Add-on

Modules

Full server-level system and application support and maintenance on all solution components

including updates and upgrades at no additional cost. Please refer to the CDS Technical Response

document for details on customer support.

One terabyte (TB) of actual customer data storage; additional TB of storage can be purchased for

the monthly price listed in the price list

Two instances (environments) as follows (additional environments like development, training,

pre-production and others can be provided separately at an additional cost):

- Production system running against one instance of the production database tables

- Test and Quality Assurance system running against one instance of the development/test

database tables

Figure 1 below is an overview of the solution components provided by CDS and devices and connectivity

provided by NASPO members.1

1 For a comprehensive list of DocFinity Full Suite features, please refer to Exhibit A at the end of this document






7/6/2018

Page 3

Companion Data Services Provides The Customer

Provides Solution Components Services for all Solution Components

Application Software (DocFinity Full Suite)

Provisioning Hosting Installation Maintenance Support Upgrades Updates Warranty Repairs Operations Monitoring Physical security Data security including anti-virus protection Data backup Disaster recovery Performance tuning

Personal computers

Mobile devices Scanners Printers Compatible web

browser Internet

connection

Server Hardware

Server Operating System

Server Data Base

Server Data Storage (starting at 1TB) with Input / Output (I/O) requests: Unlimited and included in

subscription fees for CDS Columbia Data Center hosting

Billed as a pass-through at cost for cloud vendor Amazon Web Services (AWS) hosting

Server Application Software Storage as needed

Figure 1. SaaS Deployment Summary

DocFinity SaaS Concurrent User Licensing – Hosting Dependent

Our SaaS concurrent user licensing rates for both hosting options are provided in this section.

Concurrent User Licensing – Private Cloud (Columbia Hosting)

Customer’s data is hosted in the Health Insurance Portability and Accountability Act (HIPAA) compliant

CDS data center located in Columbia, South Carolina. The SaaS subscription fees include unlimited I/O

requests. The minimum number of concurrent users per month required for an entity to use the Private

Cloud (Columbia Hosting) option is 50. Figure 2 shows the Private Cloud – Columbia Hosting per user

per month subscription rates.

Figure 2. SaaS Private Cloud Subscription Rates (Columbia Hosting)

Concurrent User Licensing – Private Cloud (AWS Hosting)

Customer’s data is hosted in an AWS facility in the United States. Amazon Web Services I/O fees are

directly reflected to DocFinity users as a pass through. Figure 3 shows the Private Cloud (AWS Hosting)

per user per month subscription rates.

Part # Description Commercial Price Discount off SRPNASPO Administrative

FeeNASPO Price

0.5% 0.25%

PRIVATE Cloud (Columbia Hosting) User Subscriptions

SaaS-100-1-50 Users 1-50 Per User Per Month $267.57 -$1.34 $0.67 $266.90















7/6/2018

Page 4

Figure 3. SaaS Private Cloud Subscription Rates (AWS Hosting)

Data Storage – Hosting Dependent

Our data storage rates for both hosting options are provided in this section. Our SaaS pricing in both

hosting options are comprehensive and include 1TB of storage. Additional TB of storage can be

purchased for the monthly price indicated in Figure 4 (Columbia Hosting) and Figure 5 (AWS Hosting).

Figure 4. SaaS Private Cloud Additional Storage Rates (Columbia Hosting)

Figure 5. SaaS Private Cloud Additional Storage Rates (AWS Hosting)

DocFinity Optional Features – Hosting Dependent

Features fully integrated within DocFinity but powered by external tools are introduced here as optional

features. For details on these features refer to Section 20 under “Related Value-Added Services to Cloud

Solutions” of the CDS Technical Response document.

DocFinity Intelligent Capture feature is priced based on pages processed per year, with no roll-

over to the following year.

DocFinity Enterprise (Full-text) Search feature is based on the number of servers dedicated per

year, allowing unlimited searches.

DocFinity OCR Barcode Recognition feature is based on the number of pages processed per

year, with no roll-over to the following year.

Optional Features (Columbia Hosting) Figure 6 shows the annual subscription price for SaaS Private Cloud Intelligent Capture, Enterprise

Search and OCR Barcode Recognition for hosting in Columbia. The software components are installed on

servers owned, operated, managed and secured by CDS in our secure data center in Columbia, South

Carolina.

Part # Description Commercial Price Discount off SRP NASPO Administrative Fee NASPO Price

0.5% 0.25%

Private Cloud (AWS Hosting) User Subscriptions












FeeNASPO Price

0.5% 0.25%

PRIVATE Cloud (Columbia Hosting) Storage Pricing

SaaS-101-100 Per Terabyte of Storage Per Month Pricing $110 -$0.55 $0.27 $109.88


0.5% 0.25%

Private Cloud (AWS Hosting) Storage Pricing

SaaS-201-100 Per Terabyte of Storage Per Month Pricing $104.24 -$0.52 $0.26 $103.98






7/6/2018

Page 5

Figure 6. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition Rates

(Columbia Hosting)

Optional Features (AWS Hosting) Figure 7Error! Reference source not found. shows the annual subscription price for SaaS Private Cloud

Intelligent Capture, Enterprise Search and OCR Barcode Recognition for hosting in AWS. The software

components are installed on servers located in an AWS government-rated data center the United States

which are managed and secured by CDS.

Figure 7. SaaS Private Cloud Intelligent Capture, Enterprise Search and OCR Barcode Recognition Rates

(AWS Hosting)

DocFinity Optional Features – Hosting Independent

Electronic Signature is powered by AssureSign and provides fast and secure digital signing of both

documents and eForms. The digital signing process is seamlessly integrated with Business Process

Management/Workflow. Signatures can be performed by those internal to the DocFinity system or by

external users. The entire signature process is audited and the report is imported along with the fully


Fee

NASPO

Price

0.5% 0.25%

OCR Services (Columbia Hosting)

Intelligent Capture Annual Subscription Price

OCR-IC-101 360,000 Pages per Year $27,638 -$138 $69 $27,569




OCR-IC-105 1,200,000 Pages per Year $56,220 -$281 $140 $56,079



Enterprise Search Annual Subscription Price

OCR-ES-101 Unlimited Searches $5,750 -$29 $14 $5,736

Barcode Recognition Annual Subscription Price

OCR-BR-101 50,000 Pages per Year $2,506 -$13 $6 $2,500





OCR-BR-106 1,000,000 Pages per Year $40,564 -$203 $101 $40,462


0.5% 0.3%

OCR Services (AWS Hosting)

Intelligent Capture Annual Subscription Price








Enterprise Search Annual Subscription Price

OCR-ES-101 Unlimited Searches $5,635 -$28 $14 $5,621

Barcode Recognition Annual Subscription Price






OCR-BR-106 1,000,000 Pages per Year $39,753 -$199 $99 $39,653






7/6/2018

Page 6

executed document. The cost is by signature event, which is considered one document requiring one

signature or an envelope of documents that require more than one signature. Figure 8 shows the

Electronic Signature prices.

Figure 8. Electronic Signature Prices

DocFinity Training – Hosting Independent

The daily rate for instructor-led DocFinity training is provided below. For a short description of training

programs, please refer to the CDS Technical Response document. For training programs that take place

outside our corporate offices in Columbia, South Carolina, or State College, Pennsylvania, the instructor’s

travel expenses, technological equipment (personal computers) and services (internet connection) as well

as any venue-related expenses (rent, catering and others) will be provided or paid by the NASPO member.

Figure 9 details training module pricing.

Figure 9. Training Module Pricing

DocFinity Professional Services – Hosting Independent

CDS offers comprehensive implementation services that will be further defined upon discussions with the

participating entity in the context of the Professional Services category.

The rates below apply to members receiving professional services based on DocFinity software

application and use like the following:

In most cases, required for a successful implementation:

- Kickoff meeting and project management

- Training of entity personnel concerning how to administer and use DocFinity

DescriptionCommercial

Price

Discount off

SRP

NASPO

Administrative

Fee

NASPO Price

0.5% 0.25%

Electronic Signature (Per Signature Event)

1.00$ 0.01$ 0.00$ 1.00$

DescriptionCommercial

Price

Discount off

SRP

NASPO

Administrative

Fee

NASPO Price

0.5% 0.25%

Training

DocFinity 101/Core Training 7,500.00$ 37.50$ 18.66$ 7,481.16$

DocFinity BPM Core Training 7,500.00$ 37.50$ 18.66$ 7,481.16$

DocFinity BPM Concepts for Managers 1,500.00$ 7.50$ 3.73$ 1,496.23$

DocFinity COLD Training 4,500.00$ 22.50$ 11.19$ 4,488.69$

DocFinity API 1,500.00$ 7.50$ 3.73$ 1,496.23$

DocFinity eForms 3,000.00$ 15.00$ 7.46$ 2,992.46$

DocFinity Records Management 1,500.00$ 7.50$ 3.73$ 1,496.23$

SQL 101 1,500.00$ 7.50$ 3.73$ 1,496.23$

DocFinity Dashboards 3,000.00$ 15.00$ 7.46$ 2,992.46$

DocFinity Intelligent Capture 4,500.00$ 22.50$ 11.19$ 4,488.69$

DocFinity Enterprise Search 1,500.00$ 7.50$ 3.73$ 1,496.23$






7/6/2018

Page 7

- Migration of the entity’s existing data from its legacy system to DocFinity

- Business analysis, process modeling and workflow design, at least for the first few workflows

in DocFinity, where applicable

- User acceptance testing and go live

As needed per specific project requirements and requested by the purchasing entity:

- Business process analysis and consulting

- Risk assessment consulting

- Change management consulting

- DocFinity software custom programming

- DocFinity software interfacing and integration with third party or customer-owned software

applications

Already included in the SaaS subscription fees; not needed in a SaaS deployment

- DocFinity software installation

- Maintenance, upgrades, updates, warranty and repair at any hardware or software component

at the server level

- Performance tuning

- Backup and disaster recovery consulting (unless the purchasing entity also wants to have a

separate backup)

Professional services are contracted as work-for-hire engagements that require agreed and signed

Statements of Work (SOW). Figure 10 provides the hourly rate (unit price) for professional services.

Figure 10. Professional Services Rate


Hourly Rate 0.5% 0.25%


Hourly Rate

OITPS-101-1 Professional Services Hourly Rate $144.05 -$0.72 $0.36 $143.69






7/6/2018

Page 8

Exhibit A

Module Name and Features Price

DocFinity Core Engine Included within monthly SaaS subscription

fees

DocFinity System Administration No Charge - Included with Core Engine Single Sign-on for Active Directory No Charge - Included with Core Engine Single Sign-on for ADFS No Charge - Included with Core Engine DocFinity Feature Rights Control No Charge - Included with Core Engine DocFinity Document Security Control No Charge - Included with Core Engine DocFinity Permissions Control No Charge - Included with Core Engine DocFinity Filter Security No Charge - Included with Core Engine DocFinity Batch Security No Charge - Included with Core Engine DocFinity Assignable Search Control No Charge - Included with Core Engine Single Sign-on for Open ID Connect No Charge - Included with Core Engine DocFinity MS SQL Server Database Support No Charge - Included with Core Engine DocFinity Oracle Database Support No Charge - Included with Core Engine DocFinity Document Scanning/Imaging (TWAIN) No Charge - Included with Core Engine DocFinity High Speed Object Importer (Unlimited Instances) No Charge - Included with Core Engine DocFinity High Speed Index Importer (Unlimited Instances) No Charge - Included with Core Engine DocFinity High Speed email Importer (Unlimited Instances) No Charge - Included with Core Engine DocFinity Print Server No Charge - Included with Core Engine Document Versioning and Editing No Charge - Included with Core Engine Document History No Charge - Included with Core Engine Microsoft Office Integration No Charge - Included with Core Engine DocFinity REST Web Service API No Charge - Included with Core Engine DocFinity URL API No Charge - Included with Core Engine DocFinity URL API Generation Tool (Assistant) No Charge - Included with Core Engine REST API Tester/Generator No Charge - Included with Core Engine External Data Integration No Charge - Included with Core Engine Search Link Data Integration No Charge - Included with Core Engine Data Source Connectivity for Integrations No Charge - Included with Core Engine DocFinity Mobile on iPad (iOS) No Charge - Included with Core Engine DocFinity Mobile on iPhone (iOS) No Charge - Included with Core Engine DocFinity Mobile on Android (Phone and Tablets) No Charge - Included with Core Engine Desktop Integration Features No Charge - Included with Core Engine DocFinity Document Checklists No Charge - Included with Core Engine Database Stored Procedure Searching No Charge - Included with Core Engine Database Linked Output No Charge - Included with Core Engine Additional scanner connected No Charge - Included with Core Engine Additional printer connected No Charge - Included with Core Engine PDF generation for export No Charge - Included with Core Engine






7/6/2018

Page 9


DocFinity BPM/Workflow Included within monthly SaaS subscription fees

DocFinity Business Process/Workflow Process Designer No Charge - Included with BPM/Workflow DocFinity Business Process/Workflow Engine No Charge - Included with BPM/Workflow DocFinity Business Process Job Assignment No Charge - Included with BPM/Workflow DocFinity Business Process Monitoring No Charge - Included with BPM/Workflow

DocFinity Records Management

Included within monthly SaaS subscription fees

Record Retention No Charge - Included with Records Management File Planning No Charge - Included with Records Management Records Search No Charge - Included with Records Management Legal Case Support No Charge - Included with Records Management Legal Hold No Charge - Included with Records Management BPM/Workflow Integration No Charge - Included with Records Management PDF/A Archiving No Charge - Included with Records Management

DocFinity eForms


DocFinity eForms Designer No Charge - Included with eForms Web-based eForms No Charge - Included with eForms Mobile Device eForms No Charge - Included with eForms Web-embedded eForms No Charge - Included with eForms

DocFinity Exporter


Convert to Combined PDF No Charge - Included with Exporter Convert to Separate PDFs No Charge - Included with Exporter Native File Export No Charge - Included with Exporter Automatic CD/DVD Creation No Charge - Included with Exporter

DocFinity Dashboards


Designer No Charge - Included with Dashboards Web Dashboards No Charge - Included with Dashboards Mobile Device Dashboards No Charge - Included with Dashboards

DocFinity Connect


Web-based triggers No Charge - Included with Connect Thick-client triggers No Charge - Included with Connect Barcode Creation No Charge - Included with Connect Indexing Integration No Charge - Included with Connect

Print to DocFinity (Virtual Print Application) Included within monthly SaaS subscription fees






7/6/2018

Page 10


DocFinity Hierarchical Storage Management (HSM) Included within monthly SaaS subscription

fees

DocFinity Scheduled/Automated System Maintenance No Charge - Included with HSM Copy/Move Documents No Charge - Included with HSM Trigger Workflows No Charge - Included with HSM Purge Documents, Files and Renderings No Charge - Included with HSM Render Documents No Charge - Included with HSM Archive Audit Data No Charge - Included with HSM



National Association of State Procurement Officials (NASPO) ValuePoint NASPO ValuePoint Master Agreement for Cloud Solutions

Attachment E – Service Offering EULAs, SLAs, etc.



This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or

transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.

Attachment E - Service Offering EULAs, SLAs

Attachment E Page 1 of 16

DocFinity Cloud NASPO ValuePoint Master Agreement for Cloud Solutions

Attachment E – Service Offering EULA

This material is the confidential and proprietary product of Companion Data Services, LLC. Any unauthorized use, reproduction or transfer of these materials is strictly prohibited. © 2019 copyright of Companion Data Services, LLC. All rights reserved.

March 6, 2019

Page i

Table of Contents

Table of Contents ............................................................................................................................ i

1 Legal Agreement .....................................................................................................................2

2 Definitions..............................................................................................................................2

3 The Service and Support .........................................................................................................2

4 Intellectual Property ...............................................................................................................4

5 Fees and Expenses ..................................................................................................................4

6 Confidentiality and Security ....................................................................................................5

7 Term and Termination ............................................................................................................6

8 Independent Contractors; Publicity .........................................................................................7

9 Warranties; Disclaimers ..........................................................................................................7

10 Insurance ...............................................................................................................................8

11 Indemnification ......................................................................................................................8

12 Limitation of Liability ..............................................................................................................9

13 Dispute Resolution .................................................................................................................9

14 Miscellaneous ...................................................................................................................... 10

15 Agreement and Amendments ............................................................................................... 12

Service Offering SLAs ..................................................................................................................... 13






March 6, 2019

Page 2

1 Legal Agreement This Master Subscription and Services Agreement ("Agreement") is entered into, to be effective as of / /2018 (“Effective Date”), by and between CUSTOMER (“Customer or You”), with its principal place of business located at and Companion Data Services (“CDS”), with its principal place of business located at I-120 at Alpine Road, Columbia, SC 29219.

2 Definitions “Downloaded Software” means customer software downloaded by an Authorized User (defined below, paragraph 3.5) from the CDS Site that augments your use of the Service, including add- ins and ancillary programs. “Order Form” means a signed paper or web-based order form completed by you when ordering the Service. “Service” means the provision by CDS to you of hosted document and business process management and related services. The Service includes the provision on a hosted basis of non- exclusive use and access to proprietary CDS software, and associated hosting and support services as described herein. “Site” means the entry point where you will access the CDS Service < live.docfinity.com >. “Software” means CDS’s proprietary software used by CDS to deliver the Service, made available to you through the Site on a “Software as a Service” basis, and all updates and associated documentation thereto made available as a part of the Service pursuant to this Agreement. The term “Software” includes the Downloaded Software.

3 The Service and Support 3.1 Under the terms of and subject to the restrictions in this Agreement, including payment of all applicable fees, CDS will provide the Service on a subscription basis to you during the term of this Agreement. You may use and access the Service and Software solely through the Site. Your rights to use the Service are non-exclusive and non-transferable. You agree to use the Service only in the course of your own business enterprise. 3.2 As part of the Service, CDS will provide reasonable technical support. 3.3 CDS will use commercially reasonable efforts to make the Service available, subject to Section 14.2 (Force Majeure) below and to downtime for maintenance purposes. CDS will, to the extent practicable, schedule maintenance downtime outside of regular business hours and communicate in advance when you can expect maintenance based downtime. 3.4 CDS may from time to time modify the Site, the Software, and the Service and add, change, or delete features of the Site, the Software, and the Service in its sole discretion, without notice to you. Your continued use of the Service after any such changes to the Site, the Software, and the Service constitutes your acceptance of these changes. CDS will use commercially reasonable efforts to communicate such information in advance regarding material changes to the Site, the Software, and the Service. To the extent any such changes materially or adversely impact Customer’s use of the Site, the Software, or the Service for the intended purpose, CDS agrees to use commercially reasonable to rectify






March 6, 2019

Page 3

such impact by providing commercially feasible changes or workarounds. 3.5 The Service may be used and accessed for your internal business purposes and only by your employees, independent contractors, and customers enabled by you to use the Service (“Authorized Users”). Third party Authorized Users may use the Service only for the purpose of facilitating business transactions with you or for providing services to you, and in no event may third parties use and access the Service provided to you as a document management solution for their own or for another person’s benefit. You agree not to charge any Authorized Users to use the Service, either directly or indirectly. You shall be fully responsible for use of the Service by Authorized Users and their compliance with the terms of this Agreement. 3.6 You acknowledge that you are solely responsible for: (a) all use of the Service made using your Authorized Users’ user names and passwords, and (b) maintaining the confidentiality of your Authorized Users’ user names and passwords. Only one individual may access the Service at the same time using the same user name and password. You agree to notify CDS immediately of any unauthorized use of an Authorized User’s email address, user name or password, or any other breach of security regarding the Service of which you become aware. 3.7 You warrant and agree not to:

• Violate any local, state, national or international law or regulation in connection with use of the Service, or otherwise use the Service in any way that is in furtherance of criminal, fraudulent, or other unlawful activity

• Interfere with or disrupt the Service or servers or networks connected to the Service • Violate any codes of conduct, requirements, terms of use, policies or regulations of

networks connected to the Service • Interfere with or attempt to interfere with any other person’s use of the Service • Gain access to or attempt to gain access to any account, computers or networks related to

the Service without authorization • Use the Service to send, store or otherwise make available any viruses, Trojan horses,

worms, corrupted files, or any other similar software that may damage the operation of another’s computer or property

• Use the Service in a manner that results in excessive bandwidth usage, as determined in CDS’s sole discretion

• Impersonate any other person or entity, or misrepresent your affiliation with any other person or entity

• Forge headers or otherwise manipulate identifiers in order to disguise the origin of any content or communication transmitted through the Service

3.8 CDS shall not itself install, any Disabling Device in resources utilized to provide the services or hardware capacity. Customer acknowledges and agrees, however, that no network security system can guarantee complete network security or prevent all unauthorized network access. “Disabling Device” means any virus, timer, clock, counter, time lock, time bomb, Trojan horse, worm, file infector, boot sector infector or other limiting design, instruction or routine that could, if triggered, erase data or programming or cause the resources to become inoperable or otherwise incapable of being used in substantially the same manner for which such resources were intended to be used. CDS shall promptly






March 6, 2019

Page 4

communicate with Customer in the event of any breach.

4 Intellectual Property 4.1 You agree that CDS and its licensors own all intellectual property rights in and to the Service, the Software, and the Site, including but not limited to the look and feel, structure, organization, design, algorithms, templates, data models, logic flow, text, graphics, logos, and screen displays associated therewith. You will not reverse engineer, decompile or disassemble the Software, or otherwise attempt to reconstruct or discover the source code for the Software. You further agree not to resell, lease, assign, distribute, time share or otherwise commercially exploit or make the Service available to any non-affiliated third party for such third party’s benefit. CDS reserves all rights in the Service not expressly granted to you hereunder. 4.2 You shall retain ownership of the documents, data and related materials and information you upload in connection with the Service (“Customer Documents/Data”). CDS shall not access or otherwise use the contents of any Customer Documents/Data, unless you give specific permission to such access in connection with CDS’s handling of a support issue. Solely in order to provide the Service to you, CDS may copy, archive, index, and create metadata relating to the Customer Documents/Data. CDS may derive and compile from your usage of the Service certain aggregated and/or analytical information, so long as such aggregated or analytical information does not reveal any information about you, any individual, or the contents of any Customer Documents Data. Such aggregated data and metadata may be used for CDS’s own purposes without restriction, including, but not limited to, using such data in conjunction with data from other sources to improve CDS’s products and services and create new products. 4.3 CDS shall have a royalty-free, worldwide, transferable, and perpetual license to use or incorporate into the Service any suggestions, ideas, enhancement requests, feedback, or other information provided by you or any Authorized User relating to the Service. The foregoing shall not be applicable to any suggestions, ideas, enhancement requests, feedback or other information that relates to Customer Documents/Data or intellectual property of Customer. 4.4 Any company or product names used on the Site or in connection with the Service are the property of CDS or the respective trademark owner.

5 Fees and Expenses 5.1 You shall pay CDS all applicable subscription fees associated with the Service as set forth in your Order Form and in accordance with the terms set forth therein. All payments under this Agreement are non-refundable and, unless otherwise agreed, shall be made in United States dollars. Past-due payments will be subject to late payment charges of the lesser of: (a) one and one-half percent (1 ½ %) per month, or (b) the maximum rate allowed by law. The fees and rates under this Agreement are applicable for the Initial Term of this Agreement. CDS reserves the right to discuss and negotiate updated fees and rates for subsequent terms following the initial term with Customer. Customer agrees to not withhold participation in such discussions and negotiations unreasonably. 5.2 You shall be responsible for all applicable and timely invoiced taxes, however designated, incurred in connection with this Agreement, including but not limited to state and local privilege, excise, sales, VAT, and use taxes and any taxes or amounts in lieu thereof paid or payable by CDS, but excluding taxes based upon the net income of CDS.






March 6, 2019

Page 5

5.3 If an undisputed payment becomes ten (10) business days or more overdue, CDS reserves the right to suspend your access to the Service upon notice to you, without liability to you, until payment is made in full. If any undisputed payment becomes thirty (30) days or more overdue, CDS may terminate this Agreement upon notice to you. CDS has the right to change payment terms, including by requiring upfront payment for the Service, in its reasonable discretion based on your payment history and/or financial status.

6 Confidentiality and Security 6.1 “Confidential Information” means any information or data that is disclosed by one party to the other party pursuant to this Agreement that is marked as confidential. In addition, your Confidential Information includes the Customer Documents/Data (whether or not marked), and Confidential Information of CDS (whether or not marked) includes the Site, the Service, and the Software, as well as the structure, organization, design, algorithms, templates, data models, logic flow, and screen displays associated with the Site, the Service, and the Software. Confidential Information does not include information that the receiving party can show: (a) is or becomes publicly known or available without breach of this Agreement; (b) is received by a receiving party from a third party without breach of any obligation of confidentiality; or (c) was previously known by the receiving party as shown by its written records. 6.2 A receiving party agrees: (a) to hold the disclosing party’s Confidential Information in confidence, and to protect the disclosing party’s Confidential Information in the same manner that it protects the confidentiality of its own similar confidential information (but in no event using less than reasonable care); and (b) except as expressly authorized by this Agreement or as reasonably necessary to perform its obligations under this Agreement, not to, directly or indirectly, use, disclose, copy, transfer or allow access to the disclosing party’s Confidential Information. CDS is authorized to disclose Customer’s Confidential Information to CDS’s contractors. Without limiting the foregoing, you shall disclose and allow access to the Service only for the purpose of supporting and augmenting your use of the Service. Notwithstanding the foregoing, a receiving party may disclose Confidential Information of the disclosing party as required by law, applicable regulatory authorities, or court order; in such event, such party shall use its best efforts to inform the other party prior to any such required disclosure so that the disclosing party can seek a protective order or other remedy. If so required by the disclosing party, the receiving party shall provide reasonable assistance to the disclosing party in opposing such disclosure or seeking a protective order or other limitations on disclosure. No compelled disclosure will otherwise affect the receiving party’s obligations hereunder with respect to the Confidential Information so disclosed. 6.3 Each party acknowledges and agrees that any violation of this Section 6 may cause the disclosing party irreparable injury for which the disclosing party would have no adequate remedy at law, and that the disclosing party shall be entitled to preliminary and other injunctive relief against the receiving party for any such violation without any requirement to post a bond or other security. Such injunctive relief shall be in addition to, and not in limitation of, all other remedies or rights that disclosing party shall have at law or in equity. 6.4 CDS will take reasonable security measures (that are consistent with generally accepted industry standards for like Services and considering the nature of the information contained in the Customer Documents/Data), designed to protect your Confidential Information, including your Customer Documents/Data. These measures will include the use of reasonable physical, administrative, and






March 6, 2019

Page 6

technical security techniques and systems (that are consistent with generally accepted industry standards for like Services and taking into consideration the nature of the information contained in the Customer Documents/Data), designed to prevent unauthorized access and disclosure, maintain data accuracy, and ensure appropriate use of your Confidential Information. 6.5 Upon termination or expiration of this Agreement, the receiving party will return to the disclosing party or destroy all Confidential Information delivered or disclosed to the receiving party (including, with respect to you as receiving party, the Downloaded Software), together with all copies in existence thereof at any time made by the receiving party, except those retained for compliance or legal purposes; provided that return of Customer Documents/Data by CDS to you is covered by Section 7.5 below. 6.6 CDS will maintain and enforce an information security program in relation to accessing the DocFinity application that will include organizational and DocFinity application based technical security measures consistent with commercially reasonable industry best practices to help ensure continued operation of the Software in accordance with this Agreement and to protect the Confidential Information of Customer from accidental, unauthorized, unlawful or intentional tampering misuse, access, disclosure, commingling, hacking, disruption, damage, modification or contamination.

a) CDS shall maintain complete and accurate records related to its procedures, practices and policies to continuously monitor and protect Customer Documents/Data and Customer Confidential Information, including any backup, redundancy, business continuity and disaster recovery procedures. Upon Customer’s request, CDS shall make all such records, appropriate personnel and relevant materials, including, but not limited to records of periodically conducted penetration testing conducted at CDS’s expense, available during normal business hours for inspection by Customer or an independent data security expert retained by Customer. CDS shall have written hardware, software and data security policies. CDS shall assist in investigating security breaches by retaining and providing to Customer all information reasonably requested by Customer, including, but not limited to, log files and forensic information.

b) CDS shall immediately report to Customer any breach of security or unauthorized access to Customer Confidential Information and Customer Documents/Data that CDS detects or of which it becomes aware. CDS shall use diligent efforts to remedy such breach of security or unauthorized access in a timely manner and deliver to Customer, a root cause assessment and future incident mitigation plan with regard to any breach of security or unauthorized access affecting any Confidential Information of Customer or Customer Documents/ Data that sets out written details regarding CDS’s investigation of such incident and, upon Customer's written request, provide a second more in-depth investigation and results of the findings. Without limiting the generality of the foregoing, Customer and CDS will work together to formulate a plan to rectify all security breaches and unauthorized access concerning Customer Confidential Information and Customer Documents/Data.

7 Term and Termination 7.1 This Agreement will be effective for an initial minimum five (5) year term (the “Initial Term”) beginning as of the Effective Date detailed in Section 1. Thereafter, this Agreement shall automatically renew annually for one (1) year renewal terms based on CDS’s then current fees, unless either party provides written notice of its intent to terminate this Agreement at least ninety (90) days prior to the






March 6, 2019

Page 7

end of the Initial Term or applicable renewal term. 7.2 Either party may terminate this Agreement: (a) upon thirty (30) days prior written notice if the other party materially breaches any of the terms and conditions of this Agreement and such material breach is not cured within the thirty (30) day period or (b) if the other party ceases to conduct business in the ordinary course, is subject to any bankruptcy or reorganization proceedings or becomes insolvent. CDS will have the right to suspend your use of or access to the Service upon notice to you in the event CDS determines that you have breached this Agreement. 7.3 The terms provided in Sections 4, 5, 6, 8, 9, 11, 12, 13, and 14 of this Agreement shall survive any termination of this Agreement. In addition, upon termination you shall promptly pay CDS all outstanding amounts due to CDS under this Agreement. If this Agreement is terminated by CDS due to your breach, which you fail to cure after receipt of written notice, then all fees unpaid for the remainder of the current term shall become immediately due and payable by you to CDS as liquidated damages, without any further demand by CDS. The parties acknowledge that CDS’s actual damages arising from such termination would be difficult to determine with accuracy and, accordingly, have agreed to the foregoing liquidated damages, which the parties acknowledge is a reasonable estimate of CDS’s potential losses. 7.4 Within ninety (90) days after termination, you may request in writing that CDS provide you with access to a copy of all Customer Documents/Data, and CDS will provide such Customer Documents/Data in platform agnostic format in exchange for the then-current standard fee for such service.

8 Independent Contractors; Publicity 8.1 The parties are and intend to be independent contractors with respect to the services contemplated hereunder. CDS agrees that neither its employees nor its contractors shall be considered as having an employee status with you. No form of joint employer, joint venture, partnership, or similar relationship between the parties is intended or hereby created.

9 Warranties; Disclaimers 9.1 You and CDS each warrant that they have full authority to enter into this Agreement and are not bound by any contractual or legal restrictions from fulfilling their obligations hereunder. In addition, CDS warrants that the then current version of the Service will materially conform to the then current written or electronic documentation provided by CDS in connection with the Service. In the event of a breach of this warranty by CDS, as your sole and exclusive remedy, CDS will, at its expense, use commercially reasonable efforts to promptly cause the Service to conform. 9.2 You represent and warrant that all Customer Documents/Data and associated content provided to CDS in connection with your use of the Site and the Service: (i) is owned by you, or you have the full right to provide the Customer Documents/Data to CDS; (ii) does not infringe or misappropriate any copyright, trademark, trade secret or other intellectual property right; (iii) does not violate any person’s right of privacy or publicity; and (iv) does not contain any unlawful, obscene, defamatory or libelous material. You further represent and warrant that your use of Customer Documents/Data in connection with the Service is not in breach of any covenant or obligation of confidentiality that you have to any other person or entity. You are solely responsible for the Customer Documents/Data, and acknowledge that CDS has no responsibility or intent to review or monitor any Customer Documents/Data.






March 6, 2019

Page 8

9.3 You shall be solely responsible for your use of the Service, and, except as otherwise agreed in writing by the parties, for maintaining backup copies of the Customer Documents/Data. You acknowledge and agree that the Service is strictly a tool to be used in conjunction with good and reasonable business judgment by competent personnel. 9.4 The Service may contain features, functionality and information that are provided through or by third-party content, software, web sites, and/or systems (“Third-Party Materials”). Your use and access of these features and functionality are subject to the terms published or otherwise made available by the third-party providers of Third-Party Materials. CDS has no responsibility for any Third-Party Materials that are incorporated into the Service by Customer, and Customer irrevocably waives any claim against CDS with respect to such Third-Party Materials that are incorporated into the Service by Customer. The foregoing waiver shall not be applicable to any Third-Party Materials that are incorporated or integrated into the Services, Site or Software by CDS or anyone acting on its behalf. 9.5 CDS does not warrant that the Service will operate without interruption or error-free. To the extent that data is being transmitted over the internet hereunder, you acknowledge that CDS has no control over the functioning of the internet, and CDS makes no representations or warranties of any kind regarding the performance of the internet. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, CDS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE OR ANY WARRANTIES ARISING AS A RESULT OF CUSTOMER USAGE IN THE TRADE OR BY COURSE OF DEALING.

10 Insurance 10.1 CDS shall maintain and shall require any subcontractor to maintain insurance coverage of at least the following amounts: A) Worker’s Compensation: applicable statutory limits or such limits as may apply to the jurisdiction where the work is performed; B) General Liability Insurance: one million dollars ($1,000,000.00) per occurrence, two million dollars ($2,000,000 aggregate); C) Automobile Liability Insurance: one million dollars ($1,000,000) combined single limit per accident; D) Tech Errors and Omissions Insurance in the amount of at least three million dollars ($3,000,000); Cyber Liability Insurance in the amount of at least five million dollars ($5,000,000). 10.2 CDS or any subcontractor, as applicable, shall certify any and all compliance with the required insurance coverage detailed in paragraph 10.1 upon execution of this Agreement and cause its insurance agent to submit to Customer a certificate of insurance demonstrating said compliance and evidence that the coverage is in place. CDS shall provide Customer with thirty (30) days prior written notice of any cancellation or non-renewal in coverage, scope or amount of any the foregoing insurance policies. This Section contains minimum insurance requirements and is not intended to and shall not be construed in any manner as waiving, restricting or limiting the liability of CDS under this Agreement.

11 Indemnification 11.1 You, at your expense, shall indemnify, defend and hold CDS and its officers, directors, owners, and employees harmless from and against all liability, damages, injuries, losses, costs and expenses (including reasonable attorney’s fees) arising out of or relating to your use of the Service except as a result of gross negligence or willful malfeasance, including but not limited to liability, damages, injuries, losses, costs and expenses arising from any claims relating to: (a) your breach of any representations,






March 6, 2019

Page 9

warranties, or covenants in this Agreement, (b) your compliance with applicable laws and regulations, and (c) the Customer Documents/Data. CDS shall provide you with prompt written notice of any such claim. 11.2 CDS, at CDS’s expense, shall indemnify, defend and hold Customer and its officers, directors, owners, and employees harmless from and against all liability, damages, injuries, losses, costs and expenses (reasonable attorney’s fees) arising out of or relating to any claim, suit or proceeding brought against Customer alleging that the Services, Site or Software or Customer’s access to or use thereof, when used according to the terms of this Agreement, constitutes an infringement of the patent, copyright, trademark, trade secret, or any other proprietary, privacy, or intellectual property right of any third party Customer shall provide CDS with prompt written notice of any such claim and CDS shall control the defense and settlement of any such claim. 11.3 The indemnifying party shall seek the indemnified party’s prior written consent to any settlement or compromise that seeks to impose obligations on the indemnified party in addition to or contrary to the terms of this Agreement or to admit any liability of the indemnified party. The indemnified party’s consent shall not be unreasonably withheld, conditioned, or delayed.

12 Limitation of Liability 12.1 The limit of either Party’s liability (whether in contract, tort, negligence, strict liability in tort, or by statute or otherwise) to the other party or to any third party concerning performance or non-performance by that party, or in any manner related to this Agreement or the Service, for any and all claims shall not exceed in the aggregate the Subscription Fees paid or payable by Customer to CDS hereunder with respect to the Service at issue (excluding any additional Service Plan fees and fees or charges relating to approved expenses incurred by CDS on behalf of you) during the twenty four (24) months prior to the date that the relevant cause of action occurred. The foregoing limitation of liability shall not be applicable to: (i) claims subject to indemnification under Section 11; or (ii) Customer’s violation of any Service limitations or restrictions on use of the Service. 12.2 Except with respect to (i) claims subject to indemnification under Section 11; or (ii) Customer’s violation of any Service limitations or restrictions on use of the Service, in no event shall either party be liable for special, consequential, incidental, indirect or punitive loss, damage or expenses whether arising in contract or tort (including but not limited to lost profits, loss of documents or data, or the cost of recreating lost data), even if it has been advised of their possible existence. 12.3 The allocations of liability in this Section represent the agreed and bargained for understanding of the parties and CDS’s compensation reflects such allocation. These limitations of liability will apply notwithstanding any failure of essential purpose of any limited remedy.

13 Dispute Resolution 13.1 The parties agree to work together in good faith to resolve any dispute regarding this Agreement internally and by escalating it to higher levels of management and optional mediation, prior to resorting to binding arbitration. 13.2 Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination or invalidity thereof, that cannot be resolved by good faith negotiations shall be finally






March 6, 2019

Page 10

settled by binding arbitration conducted in the English language in Columbia, South Carolina (USA), under the commercial arbitration rules of the American Arbitration Association (“AAA”). The prevailing party shall be entitled to an award of reasonable attorney fees incurred in connection with the arbitration in such amount as may be determined by the arbitrator. The arbitrator shall issue a “reasoned award,” and the award of the arbitrator shall be the sole and exclusive remedy of the parties and shall be enforceable in any court of competent jurisdiction. Notwithstanding anything contained in this Section to the contrary, each party shall have the right to institute judicial proceedings against the other party or anyone acting by, through or under such other party, in order to enforce the instituting party’s rights hereunder through specific performance, injunction, or similar equitable relief. 13.3 This Agreement shall be interpreted, construed, and governed by the laws of the State of South Carolina, without regard to its conflict of law provisions. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement.

14 Miscellaneous 14.1 Neither party shall be liable for any delay in the performance of its obligations due to causes beyond the reasonable control of the party affected, including but not limited to war, sabotage, insurrection, riot or other act of civil disobedience, strikes or other labor shortages, act of any government affecting the terms hereof, acts of terrorism, accident, fire, explosion, flood, hurricane, severe weather or other act of God, failure of telecommunication or internet service providers. 14.2 This Agreement (including the Order Form, Exhibits, Schedules, and any attachments thereto specifically agreed by the parties) constitutes the entire understanding of the parties with respect to its subject matter, and supersedes all prior or contemporaneous written and oral communications, understandings or agreements with respect to its subject matter. No waiver of any provision of this Agreement, or of any rights or obligations of any party hereunder, will be effective unless in writing and signed by the party waiving compliance. The failure by any party to exercise any right provided herein shall not be deemed a waiver or forfeiture of any such right. Headings used in this Agreement are for convenience of reference only and shall not be deemed a part of this Agreement. 14.3 Neither party shall have the right to assign this Agreement or any of its obligations hereunder without the prior written consent of the other party, except that CDS shall be entitled to assign this Agreement in connection with any sale or merger involving CDS. Notwithstanding the foregoing, for general corporate restructuring purposes, either Party may assign this Agreement and any of its rights hereunder to an entity that is controlled by or under common management control with the assigning party. 14.4 Every provision of this Agreement is intended to be severable. If any section of this Agreement is found to be invalid or unenforceable, then such section will be deemed amended and interpreted, if possible, in a way that renders it enforceable. If such an interpretation is not possible, then the section will be deemed removed from this Agreement and the rest of this Agreement will remain in full force and effect. 14.5 This Agreement does not designate either party as the agent, employee, legal representative, partner or joint venture of the other party for any purpose whatsoever. There are no intended third-party beneficiaries under this Agreement.






March 6, 2019

Page 11

14.6 You agree to comply with all relevant export laws and regulations, including, but not limited to, the U.S. Export Administration Regulations and Executive Orders ("Export Controls"). You warrant that you are not a person, company or destination restricted or prohibited by Export Controls ("Restricted Person"). You will not, directly or indirectly, export, re-export, divert, or transfer the Software or Service, any portion thereof or any materials, items or technology relating to CDS's business or related technical data or any direct product thereof to any Restricted Person.






March 6, 2019

Page 12

15 Agreement and Amendments 15.1 By executing this Agreement and/or using the Service, you represent that you are 18 years old or older, are authorized to bind any legal entity that you represent, and agree to all of the terms in this Agreement. 15.2 This Agreement may be modified or amended only by a writing signed by the authorized representatives of both parties to this Agreement. 15.3 CDS and DocFinity will periodically send emails regarding the DocFinity Live service, including general information about the technology and business. You can easily unsubscribe from email communications using our simple unsubscribe process. Executed on the dates set forth below by the undersigned authorized representatives of the parties to be effective as of the Effective Date.

Customer Companion Data Services, LLC (CDS)

By: By:

Name: Name:

Title: Title:

Date: Date:




Attachment E – Service Offering SLAs


March 6, 2019

Page 13

Service Offering SLAs

CDS Severity/Priority Levels CDS Response Time Standards Resolution Path/Goals (Escalation)

1 – Severe The system or major application is down or seriously impacted, users cannot log in and there is no reasonable workaround available.



2 – High The system or application is moderately affected due to product defect and not product design. There is no workaround available or the workaround is cumbersome to use.



3 – Medium The system or application issue is not critical. The system has not failed. The issue has been identified as product defect and not product design. The product defect does not hinder normal operation or the situation may be temporarily circumvented using an available workaround. This is a feature failure with an existing and convenient workaround.



4 – Low Noncritical issues, general questions, enhancement requests or the functionality does not match documented specifications.








March 6, 2019

Page 14

On-Site Support

As needed throughout the lifetime of the SaaS-based contract at no additional cost to the customer.

Because the application software will reside on the server platform we provision and operate in a SaaS-based implementation, there will be almost no need for on-site support after the go- live date.

On-site support will only be provided in cases where the issue could not be resolved at the server level. All on-site support will be provided by our corporate employees, usually based in Pennsylvania or South Carolina.

Telephone Support

Throughout the lifetime of the SaaS-based contract at no additional cost to the customer.

We maintain a fully staffed, large-scale Technology Support Center using state of the art tools including Computer Telephony Integration, Interactive Voice Responder and web chat technologies. We do not outsource our customer support or help desk operations.

The CDS TSC operates 24/7/365 to support government and commercial customers. The CDS TSC assists millions of end-plan-member, business and government users. We support government and commercial contracts with strict SLA requirements. There is no scheduled downtime.

Future Upgrades, Bug Fixes, Patches and Product Enhancements

Provided throughout the lifetime of the SaaS-based contract at no additional cost to the customer, unless an additional feature is requested.

In a SaaS-based implementation, the customer will not pay for any future DocFinity upgrades, bug fixes or product enhancements unless an additional feature is requested. Our commitment extends beyond the DocFinity application software; it covers any server-level software including the operating system, database, runtime modules, drivers and firmware.

• In a SaaS-based implementation, we will ensure that the customer uses the latest

official release of each server-level software component that is supported and proven, tested and approved to be interoperable.

• In a SaaS deployment, we will deliver on a schedule consistent with the final service level obligations defined in the final contract.

For all other software or hardware components of our solution, such as the database and operating system, we will follow the original manufacturers’ upgrade and update schedules.

Support Provided for Third party Solutions

CDS is fully responsible throughout the lifetime of the SaaS-based contract.

CDS assumes full responsibility of any server-level component of the solution proposed including third party software and hardware products (if any) throughout the lifetime of a SaaS- based service contract. We will be the main point of contact for any support-related task or request.

Escalation Plan As mentioned above, our CDS TSC is available 24/7/365. The representative will assist the customer with any logging any technical issues and addressing problems or complaints. Procedures are in place for issue escalation to other internal teams such as development, testing and professional services in order to provide the customer timely resolution.






March 6, 2019

Page 15

Service Level Agreement Service availability in our SaaS based deployment is 24/7/365 with the exception of downtime for maintenance as noted below. Service availability is committed to be a minimum 99.5 percent as measured on a monthly basis. Every Sunday from 5:00 p.m. to 10:00 p.m. Eastern Standard Time (EST) is the maintenance period used for all system software (other than the application software) and hardware upgrades. Every Wednesday from 5:00 a.m. to 7:00 a.m. EST is the maintenance period for updating the application software.

