
36 CRAFTS STREET · NEWTON · MA · 02458 · 617.965.4500 · WWW.FRESHADDRESS.COM

FRESHADDRESS, LLC SOC 2 Type 1 Report

SYSTEM AND ORGANIZATION CONTROLS (SOC) 2 REPORT

ON ITS EMAIL SERVICES PLATFORM

INDEPENDENT SERVICE AUDITOR’S REPORT ON CONTROLS RELEVANT TO SECURITY

APRIL 1, 2020

Proprietary and Confidential

The information in this report is proprietary and confidential and not for public distribution.

Only customers or prospective customers of FreshAddress, LLC who have signed non-disclosure agreements are permitted access to this information.


Table of Contents

Section 1 - Assertion of FreshAddress, LLC Management 1

Section 2 - Independent Service Auditor’s Report 2 - 4

Section 3 - Description of the System:
Overview of FreshAddress, LLC 5
Components of the System 5 - 8
Overview of FreshAddress, LLC’s Control Activities 8 - 11
Controls at Subservice Organizations 12
Complementary User Entity Controls 12 - 13

Section 4 - Applicable Trust Services Criteria and Related Control Activities 14 - 26


SECTION 1

ASSERTION OF FRESHADDRESS, LLC MANAGEMENT


Assertion of FreshAddress, LLC Management

We have prepared the accompanying description of FreshAddress, LLC’s (“FreshAddress” or the “Company”) Email Services Platform system as of April 1, 2020 (description), based on the criteria for a description of a service organization’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA, Description Criteria) (description criteria). The description is intended to provide report users with information about the Email Services Platform system that may be useful when assessing the risks arising from interactions with the Company’s system, particularly information about system controls that the Company has designed, implemented, and operated to provide reasonable assurance that its service commitments and system requirements were achieved based on the trust services criteria relevant to security (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

The Company uses Microsoft Azure and Amazon Web Services (together the “subservice organizations”) to provide cloud computing, backups and disaster recovery. The description indicates that complementary subservice organization controls that are suitably designed are necessary, along with controls at the Company, to achieve the Company’s service commitments and system requirements based on the applicable trust services criteria. The description presents the Company’s controls, the applicable trust services criteria, and the types of complementary subservice organization controls assumed in the design of the Company’s controls. The description does not disclose the actual controls at the subservice organization.

The description indicates that complementary user entity controls that are suitably designed are necessary, along with controls at FreshAddress, to achieve the Company’s service commitments and system requirements based on the applicable trust services criteria. The description presents the Company’s controls, the applicable trust services criteria, and the complementary user entity controls assumed in the design of the Company’s controls. We confirm, to the best of our knowledge and belief, that:

a. The description presents the Company’s Email Services Platform system that was designed and implemented as of April 1, 2020, in accordance with the description criteria.

b. The controls stated in the description were suitably designed as of April 1, 2020, to provide reasonable assurance that the Company’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively as of that date.

Craig Marcellus, Director of Data Systems & Security

April 16, 2020


SECTION 2

INDEPENDENT SERVICE AUDITOR’S REPORT


Independent Service Auditor’s Report

FreshAddress, LLC

Scope

We have examined FreshAddress, LLC’s (“FreshAddress” or the “Company”) accompanying description of its Email Services Platform system as of April 1, 2020 (description), based on the criteria for a description of a service organization’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA, Description Criteria) (description criteria) and the suitability of the design of controls stated in the description as of April 1, 2020, to provide reasonable assurance that the Company’s service commitments and system requirements were achieved based on the trust services criteria relevant to security (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

FreshAddress uses subservice organizations to provide cloud computing, backups, and disaster recovery. The description indicates that complementary subservice organization controls that are suitably designed are necessary, along with controls at the Company, to achieve the Company’s service commitments and system requirements based on the applicable trust services criteria. The description presents the Company’s controls, the applicable trust services criteria, and the types of complementary subservice organization controls assumed in the design of the Company’s controls. The description does not disclose the actual controls at the subservice organization. Our examination did not include the services provided by the subservice organization, and we have not evaluated the suitability of the design of such complementary subservice organization controls.

The description indicates that complementary user entity controls that are suitably designed are necessary, along with controls at the Company, to achieve the Company’s service commitments and system requirements based on the applicable trust services criteria. The description presents the Company’s controls, the applicable trust services criteria, and the complementary user entity controls assumed in the design of the Company’s controls. Our examination did not include such complementary user entity controls and we have not evaluated the suitability of the design of such controls.

Service Organization’s Responsibilities

FreshAddress is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that the Company’s service commitments and system requirements were achieved. FreshAddress has provided the accompanying assertion titled Assertion of FreshAddress, LLC Management (assertion) about the description and the suitability of the design of controls stated therein. FreshAddress is also responsible for preparing the description and assertion, including the completeness, accuracy, and method of presentation of the description and assertion; providing the services covered by the description; selecting the applicable trust services criteria and stating the related controls in the description; and identifying the risks that threaten the achievement of the service organization’s service commitments and system requirements.

Service Auditor’s Responsibilities

Our responsibility is to express an opinion on the description and on the suitability of design of controls stated in the description based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is presented in accordance with the description criteria and the controls stated therein were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion. An examination of the description of a service organization’s system and the suitability of the design of controls involves the following:

• Obtaining an understanding of the system and the service organization’s service commitments and system requirements.
• Assessing the risks that the description is not presented in accordance with the description criteria and that controls were not suitably designed.
• Performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria.
• Performing procedures to obtain evidence about whether controls stated in the description were suitably designed to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria.

• Evaluating the overall presentation of the description.

Our examination also included performing such other procedures as we considered necessary in the circumstances.

Inherent Limitations

The description is prepared to meet the common needs of a broad range of report users and may not, therefore, include every aspect of the system that individual report users may consider important to meet their informational needs. There are inherent limitations in any system of internal control, including the possibility of human error and the circumvention of controls. The projection to the future of any conclusions about the suitability of the design of controls is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

Other Matter

We did not perform any procedures regarding the operating effectiveness of controls stated in the description and, accordingly, do not express an opinion thereon.

Opinion

In our opinion, in all material respects,

a. The description presents the Company’s Email Services Platform system that was designed and implemented as of April 1, 2020, in accordance with the description criteria.

b. The controls stated in the description were suitably designed as of April 1, 2020, to provide reasonable assurance that the Company’s service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively as of that date.

Restricted Use

This report is intended solely for the information and use of FreshAddress, user entities of the Company’s Email Services Platform system as of April 1, 2020, business partners of the Company subject to risks arising from interactions with the Email Services Platform system, practitioners providing services to such user entities and business partners, prospective user entities and business partners, and regulators who have sufficient knowledge and understanding of the following:

• The nature of the service provided by the service organization.
• How the service organization’s system interacts with user entities, business partners, subservice organizations, and other parties.
• Internal control and its limitations.
• User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services.
• The applicable trust services criteria.
• The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks.

This report is not intended to be, and should not be, used by anyone other than these specified parties.

Boston, Massachusetts

April 16, 2020


SECTION 3

DESCRIPTION OF THE SYSTEM


Overview of FreshAddress, LLC

Company Overview

FreshAddress, LLC (hereinafter “FreshAddress” or the “Company”) is an email marketing intelligence company that helps businesses clean, protect, and grow their email lists for maximum return on their investment. The Company was founded in 1999 and is based in Newton, Massachusetts. Since its inception, FreshAddress has cleaned over 12 billion email addresses for 2,000+ clients, including 25% of the Fortune 100. In March of 2018, FreshAddress partnered with private equity firm TZP Growth Partners to accelerate the company’s next phase of growth. Service offerings include the Company’s industry-leading, patented Email Change of Address (ECOA) service, SafeToSend® email validation, correction, and hygiene, and a full suite of appending services (together the “Email Services Platform”, “Service” or “System”). The Board of Directors meets quarterly and consists of five members; three from the TZP Group and two from FreshAddress (President and CEO). For more information, please visit www.freshaddress.com.

Mission Statement

To help email marketers and nonprofits build deeper relationships with their customers through superior email database solutions.

Services provided by a Third Party (Sub-Processor)

FreshAddress uses Microsoft Azure and Amazon Web Services for services, including cloud computing and backup/disaster recovery. Microsoft Azure and Amazon Web Services controls are reviewed annually via third party attestation reports to provide FreshAddress with comfort that the control environment deployed by Microsoft Azure and Amazon Web Services, on its behalf, aligns with the Company’s security framework. Depending on the type of Service being performed, FreshAddress uses sub-processors to reconfirm or further inform results. All client data is encrypted in transit and at rest and all data being transferred to a sub-processor is sent blind, meaning it is stripped of all client-specific information and thereby only identifiable by an internal FreshAddress job number.

Components of the System

Overview of Systems

FreshAddress uses a core infrastructure of application and database servers as the backbone for the Company’s proprietary Service. The scope of the report covers the entire FreshAddress footprint, from on-premise end user devices through on-premise servers to all cloud instances.


Components of the System (Continued)

Network diagram

Each type of Service offered can have variables as to which infrastructure it is using. Below is a complete overview of the different infrastructure a client data file will encounter across all Services.

Client data transfers

FreshAddress has a client portal website (hosted in Microsoft Azure) where clients log in using unique usernames and passwords to manage all aspects of their FreshAddress account, including uploading a file for processing. Alternatively, clients can upload their file to the FreshAddress SFTP server, which is hosted at FreshAddress, using unique client-specific usernames and passwords. The SFTP server accepts connections only from client IP addresses that FreshAddress has whitelisted. All results are posted back to the original upload location for the client to download.


Components of the System (Continued)

Processing (Managed and Automated Services)

All of the servers for the Managed and Automated Services reside in the FreshAddress on-site datacenter in Newton, MA. The on-premise datacenter is protected by physical controls including a PIN code door lock with off-hours access alerting and motion detection cameras. Additionally, there is monitoring and alerting for temperature, water, and smoke. The core infrastructure is a virtual environment with redundant host servers which store both application and database servers. All client data files are pulled from the transfer location onto encrypted database servers where they live for the lifetime of the job. Once the job is processed and the results are returned, the client data is kept for a maximum of 90 days on the servers and then automatically deleted. All servers are backed up locally on a daily basis and replicated to a protected network in Microsoft Azure (US North Central datacenter) for disaster recovery and business continuity purposes.

Processing (Real-Time)

The Company’s Real-Time service is hosted in the Amazon Web Services (US East; Northern Virginia) datacenter. Clients call the Company’s API Service, which utilizes a cluster of load-balanced servers to process and return the results.

Software applications

All applications used to provide the Company’s Services are owned, developed, and maintained by FreshAddress. FreshAddress uses Microsoft SQL for database services.

Types of data

FreshAddress primarily accepts email address lists on behalf of clients for processing. FreshAddress does offer a Postal Append service where clients can upload physical address lists to try and match the appropriate email address. Any other type of data provided will be deleted immediately. All data is encrypted throughout the entire process and all client data is deleted after a maximum of 90 days after processing by default.


Components of the System (Continued)

Organizational Structure

Overview of FreshAddress Control Activities

Policies and Procedures

FreshAddress maintains a policy management program to help ensure policies and procedures:

1. Are properly communicated throughout the organization
2. Are properly owned, managed and supported
3. Clearly outline business objectives
4. Show commitment to meet regulatory obligations
5. Are focused on continual improvement
6. Provide for an exception process
7. Support the policy framework and structure

All policies and changes are reviewed and approved by upper management. All policies are formally reviewed at least annually and additionally as needed.

FreshAddress has a formal IT Security Policy which includes:

- Acceptable Use Policy
- Access Control Policy
- Antivirus Policy
- Application Security Policy
- Change Management Policy
- Clean Desk Policy
- Configuration Management Policy
- Data Classification Policy
- Development Training Policy
- Encryption Policy
- Incident Management Policy
- Internal Privacy Policy
- Physical Security Policy
- Remote Access Policy
- Risk Management Policy
- Secure Disposal Policy
- Security Awareness and Training Policy
- Social Media Policy
- User Account Management Policy
- Visitor Policy
- Vulnerability and Patch Management Policy

FreshAddress also has additional policies and procedures outside of the formal IT Security Policy as follows:

- Backup Policy (Disaster Recovery & Business Continuity)
- Employee Handbook
- Mobile Device Management
- Development Policy (System Development Lifecycle)

Human Resources

FreshAddress has a set of HR Policies and Procedures which start with the pre-hiring process and continue all the way through the termination of an employee. Before any position is opened it is approved by the Board of Directors and job descriptions are all approved by upper management before posting. All candidates go through a thorough multi-round interview and approval process and final candidates must complete a comprehensive background check which covers:

• Social Security Number Trace
• County Criminal Court Search (all counties)
• Federal Criminal Court Search (all districts)
• National Criminal Database Search
• Sex Offender Registry Search
• Wants & Warrants Search
• Terrorist Watch List Search
• Education Verification (one)
• Employment Verifications (three)

Once the position is accepted, the applicable hiring manager is required to fill out an IT Access Request form in order for the employee to gain access to the systems needed for their role. The hiring manager is the head of the department under which the position falls. The IT Team (Director of Data Systems & Security and the System Administrator) tickets the request and makes sure the access granted is appropriate for the role. Once the user is created it is reviewed and signed off on by the President, who also acts as the Compliance Officer.


Human Resources (Continued)

On an employee’s first day they are required to sign off on the following policies and agreements:

- Confidentiality and Non-Compete
- Acceptable Use
- Clean Desk
- Internal Privacy
- Remote Access
- Social Media

The employee must also complete the IT security awareness training during the orientation process. This training covers confidentiality and data handling practices, threats such as phishing and ransomware, data protection laws, and best practices. Training is formally done for all employees on an annual basis or additionally as needed.

Risk Assessment

FreshAddress has a risk management policy in place to identify risk, assess risk, and take steps to mitigate and reduce the level of risk across the Company’s Systems. FreshAddress also conducts third party assessments to determine potential risk associated with the Company’s IT systems including an annual penetration test and application security test on the client portal website.

Risk Management

FreshAddress utilizes a risk management process to evaluate and mitigate risk factors on a regular basis. Assessments are done either internally or by a third party and reviewed by the IT team, upper management, and the Board of Directors if necessary. The risk management policy utilizes these steps to complete the process and provide a necessary control:

- System Characterization and Risk Scoping
- Threat Identification
- Vulnerability Identification
- Control Analysis and Training
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation

Information and Communication

FreshAddress proactively updates the customers and employees on their responsibilities as well as those of FreshAddress. Communication includes, but is not limited to, policies, guidelines, security, and product changes as well as system related alerts. FreshAddress uses the client portal website to communicate any announcements to clients, and if needed, email notifications are sent to the appropriate contacts.

Client Notifications Include

- System changes that will affect delivery, processing, or results
- System downtime
- Security feature implementation or changes


Employee Notifications Include

- Policy changes
- System updates
- New security features for internal or external use
- Application alerts and updates
- Training material

Notifications are escalated through the appropriate channels:

- FreshAddress client portal
- Email to client administrators (or preferred contact)
- Phone call to client administrators (or preferred contact)

Information Security

FreshAddress has over 2,000 clients, including 25% of the Fortune 100, who hold us to the strictest security standards. FreshAddress has a security program in place in order to keep client data safe and stay up to date with current trends. Additionally, FreshAddress has annual third-party audits and penetration tests to test these standards. FreshAddress is willing to work with clients to make sure the Company meets every security requirement in order to keep their data safe.

FreshAddress has Security Controls including, but not limited to:

- Logical Access controls (including provisioning/de-provisioning, production access [internal and external], periodic user access reviews, use of multifactor authentication)
- Change Management
- Deployment of Emergency Changes
- Security Training
- Secure Coding/Development
- Vulnerability Scanning
- Penetration Testing
- Application Security Test on Client Portal
- Endpoint Protection (Antivirus/Antimalware)
- Data Loss Prevention
- Firewalls
- Encryption
- Segregation of Duties
- Security Monitoring
- Security Incident Management (including reporting, escalation and resolution)


Controls at Subservice Organizations

FreshAddress utilizes Microsoft Azure and Amazon Web Services as subservice organizations (sub-processors) to perform certain functions as described in the system description above. Rather than duplicate the control tests, controls at all sub-processors are not included in the scope of this report. All sub-processors have signed strict confidentiality and security agreements and are subject to the same security standards as FreshAddress. The affected criteria are included below along with the expected controls of all sub-processors:

Criteria Reference | Expected Subservice Organization Controls

CC6.4 Access to data centers is restricted to authorized employees and contractors using card readers or other systems. Visitors to the data centers are required to sign a visitor log. Administrative access to the card reader or other system is limited to authorized and appropriate personnel. Data centers remain under camera surveillance which is monitored and retained for a reasonable period of time.

CC6.5 Client data remains confidential and is destroyed in accordance with retention policies, regardless of the method of storage.

CC6.6 Access to client data is limited to authorized and appropriate personnel. Client data is encrypted during transmission and during storage.

Complementary User Entity Controls

FreshAddress designed its controls around the System with the assumption that certain controls will be the responsibility of its user entities (e.g. customers). The following is a representative list of controls that are recommended to be in operation at user entities to complement the controls at FreshAddress. This is not a comprehensive list of all controls that should be employed by user entities.

- User entities are responsible for managing compliance with applicable laws / regulations.
- User entities are responsible for creating accounts for members of their team in the Company’s client portal.
- User entities are responsible for establishing appropriate controls over the use of their client portal accounts and passwords.
- User entities are responsible for ensuring that user IDs and passwords are assigned to authorized individuals.
- User entities are responsible for ensuring the confidentiality of any user IDs and passwords used to access systems.


- User entities are responsible for disabling / deleting account access to their client portal upon employee and contractor role change or terminations.
- User entities are responsible for notifying FreshAddress of any IP changes needed to access the SFTP or Real Time service so the Company can be sure to have the latest IP address(es) whitelisted and remove those that are no longer needed in order to keep the Company’s Systems as secure as possible.
- User entities are responsible for validating the accuracy and completeness of data contained in their FreshAddress account.
- User entities are responsible for keeping a backup copy of all data uploaded to FreshAddress.
- User entities are responsible for downloading their results from FreshAddress within 30 days of completion of Service.
- User entities are responsible for reviewing documentation provided by FreshAddress related to implementation and changes to the System.
- User entities are responsible for communicating any changes to data retention and disposal requirements to FreshAddress on a timely basis.


SECTION 4

APPLICABLE TRUST SERVICES CRITERIA AND RELATED CONTROL ACTIVITIES


Common Criteria Related to Control Environment

Criteria Criteria Description

CC1.1 Company demonstrates a commitment to integrity and ethical values.

CC1.2 The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

CC1.3 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

CC1.4 Company demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

CC1.5 Company holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

Management monitors personnel commitment to integrity and ethical values through monitoring of customer and workforce member complaints and the use of an anonymous ethics email account. The Company's employee handbook, which is provided to all employees upon being hired, includes a sexual harassment policy and disciplinary policy. Both of these state that action may be taken for violation of the policies, including termination of employment if deemed applicable. The Company's Board of Directors and Management also set a tone at the top through their actions and behavior that unethical behavior will not be accepted or tolerated.

Personnel are required to read, understand, and agree to adhere to multiple policies upon their hire and to formally reaffirm them annually thereafter. These policies include an Acceptable Use Policy, Clean Desk Policy, Internal Privacy Policy, Remote Access Policy, and a Social Media Policy. All employees must also sign confidentiality and non-compete agreements. Employees must also complete a full orientation including IT security awareness training. The employee signs and dates the acknowledgement that they agree to these policies.

Personnel must pass background and reference checks before they may be hired, including checks against regulatory screening databases as needed.

Management presents a board package on a quarterly basis including information technology and development team updates to discuss potential threats that could impair system security, analysis of risk mitigation strategies and ongoing project updates. The Company's operating agreement outlines the independence rules and number of members necessary to objectively evaluate and assist with the decision making process.

Roles and responsibilities of key personnel with responsibility for the security of the system and the confidentiality of data are defined in written job descriptions and communicated to relevant personnel.

The Company evaluates its organizational structure, reporting lines, authorities, and responsibilities as part of its annual business planning process and as part of its ongoing risk assessment activities.

Criteria addressed: CC1.1, CC1.2, CC1.3

Job descriptions are reviewed by management on an as-needed basis for needed changes and, when job duty changes are required, changes to these job descriptions are also made.

The Company evaluates its relationship with third parties on an annual basis. All new third party relationships are approved by the appropriate level of management and third parties are required to fill out a security questionnaire, confidentiality and security agreement. All data sent to third party subcontractors is sent blind and is encrypted.

Before any position is opened it is approved by the Board of Directors and job descriptions are all approved by upper management before posting. The experience and training of candidates for employment or assignment are evaluated before they assume the responsibilities of their position.

Management establishes requisite skillsets for technical personnel and provides continued training about its commitments and requirements for personnel. Management monitors compliance with training requirements and also performs an annual IT Security Training as well as social engineering tests for all employees in the form of phishing emails.

Roles and responsibilities of key personnel with responsibility for the security of the system and the confidentiality of data are defined in written job descriptions and communicated to relevant personnel.

Management monitors personnel commitment to integrity and ethical values through monitoring of customer and workforce member complaints. The Company's employee handbook, which is provided to all employees upon being hired, includes a sexual harassment policy and disciplinary policy. Both of these state that action may be taken for violation of the policies, including termination of employment if deemed applicable. The Company's Board of Directors and Management also set a tone at the top through their actions and behavior that unethical behavior will not be accepted or tolerated.

Management establishes an annual performance review process to evaluate the existing employees as part of its commitment to retain competent individuals.

Criteria addressed: CC1.4, CC1.5

Common Criteria Related to Communication and Information

Criteria Criteria Description

CC2.1 Company obtains or generates and uses relevant, quality information to support the functioning of internal control.

CC2.2 Company internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

CC2.3 Company communicates with external parties regarding matters affecting the functioning of internal control.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

The Company maintains a formal information security policy to address identified information security risks. They also maintain procedural documents on the internal wiki that explain step-by-step actions for important infrastructure maintenance and upkeep.

Policy and procedures documents for significant processes, which include responsibility for reporting operational failures, incidents, system problems, concerns, and customer complaints (and the process for doing so) are published and available to all appropriate personnel.

The Company has a network diagram and descriptions for the internal network and the client network. The network diagram is available to appropriate personnel.

Personnel are required to attend annual security awareness training, which includes topics covering confidentiality, safety of client data, real phishing examples to FreshAddress, what to do if employees receive or click on a phishing link and examples of different trending threats.

Personnel are required to read, understand, and agree to adhere to multiple policies upon their hire and to formally reaffirm them annually thereafter. These policies include an Acceptable Use Policy, Clean Desk Policy, Internal Privacy Policy, Remote Access Policy, and a Social Media Policy. All employees must also sign confidentiality and non-compete agreements. Employees must also complete a full orientation including IT security awareness training. The employee signs and dates the acknowledgement that they agree to these policies.

Policy and procedures documents for significant processes, which include responsibility for reporting operational failures, incidents, system problems, concerns, and customer complaints (and the process for doing so) are published and available to all appropriate personnel.

The Company maintains a formal information security policy to address identified information security risks. They also maintain procedural documents on the internal wiki that explain step-by-step actions for important infrastructure maintenance and upkeep.

System changes to company systems that affect internal users' responsibilities or the Company's commitments and system requirements relevant to security, availability and confidentiality are communicated to those users through internal communications mechanisms including meetings, ticketing systems, email broadcasts, and updated wikis.

Customers are provided contact information for reporting security incidents on the customer-facing website and in customer contracts. The Company maintains a listing of all customer contacts in case there is an internal security incident that they must report to the customer base.

Material changes made to systems are communicated and confirmed with customers through ongoing communications mechanisms and/or mutually agreed amendments to existing contracts. Global notifications with clients also get posted on the Company's client portal site.

The Company evaluates its relationship with third parties on an annual basis. All new third party relationships are approved by the appropriate level of management and third parties are required to fill out a security questionnaire, confidentiality and security agreement. All data sent to third party subcontractors is sent blind and is encrypted.

Policy and procedures documents for significant processes, which include responsibility for reporting operational failures, incidents, system problems, concerns, and customer complaints (and the process for doing so) are published and available to all appropriate personnel.

Criteria addressed: CC2.1, CC2.2, CC2.3

Common Criteria Related to Risk Assessment

Criteria Criteria Description

CC3.1 Company specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

CC3.2 Company identifies risks to the achievement of its objectives across the Company and analyzes risks as a basis for determining how the risks should be managed.

CC3.3 Company considers the potential for fraud in assessing risks to the achievement of objectives.

CC3.4 Company identifies and assesses changes that could significantly impact the system of internal control.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

CC3.1 The Company maintains a formal risk management policy which includes an annual risk assessment, and ongoing risk management process. During this process management identifies changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and updates the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

The Company performs monthly vulnerability scans on its network, an annual third party penetration test and an annual application security test on the client portal website. The Company adds tickets for any vulnerabilities identified to ensure they are properly tracked and remediated in accordance with the level of priority based on the Company change management process.

The Company reviews its IDS/IPS, antivirus/antimalware, and SIEM/UTM configurations on an as needed basis to ensure the current configuration in place adequately reduces its level of risk to an acceptable level. Updates for these systems are automatically pushed out at least daily.

The Company has identified client facing websites and portals as a specific risk to the business as these applications must run securely for the Company to meet its objectives with its clients. In order to address this risk, the Company whitelists all of the IP addresses relating to their SFTP to prevent unauthorized access to their systems. This IP Whitelisting is part of the onboarding process with their clients. The Client Portal is accessible to anyone, however, it requires a username/login from the client.

The Company maintains a formal risk management policy which includes an annual risk assessment, and ongoing risk management process. During this process management identifies changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and updates the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

The Company reviews its IDS/IPS, antivirus/antimalware, and SIEM/UTM configurations on an as needed basis to ensure the current configuration in place adequately reduces its level of risk to an acceptable level. Updates for these systems are automatically pushed out at least daily.

Personnel are required to attend annual security awareness training, which includes topics covering confidentiality, safety of client data, real phishing examples to FreshAddress, what to do if employees receive or click on a phishing link and examples of different trending threats.

The Company performs monthly vulnerability scans on its network, an annual third party penetration test and an annual application security test on the client portal website. The Company adds tickets for any vulnerabilities identified to ensure they are properly tracked and remediated in accordance with the level of priority based on the Company change management process.

The Company maintains a formal risk management policy which includes an annual risk assessment, ongoing risk management process and discussions surrounding fraud. During this process management identifies changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and updates the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

The Company reviews its IDS/IPS, antivirus/antimalware, and SIEM/UTM configurations on an as needed basis to ensure the current configuration in place adequately reduces its level of risk to an acceptable level. Updates for these systems are automatically pushed out at least daily.

Personnel are required to attend annual security awareness training, which includes topics covering confidentiality, safety of client data, real phishing examples to FreshAddress, what to do if employees receive or click on a phishing link and examples of different trending threats.

Criteria addressed: CC3.2, CC3.3

CC3.4 The Company maintains a formal risk management policy which includes an annual risk assessment, and ongoing risk management process. During this process management identifies changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and updates the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

The Company performs monthly vulnerability scans on its network, an annual third party penetration test and an annual application security test on the client portal website. The Company adds tickets for any vulnerabilities identified to ensure they are properly tracked and remediated in accordance with the level of priority based on the Company change management process.

The Company uses an automated monitoring system to track performance and resource utilization. Employees with responsibility for security, availability, design, and maintenance of the system receive automated electronic alerts from monitoring tools.

The Company's security team assesses the impact of system changes, including network, infrastructure, application, and database changes as part of the formal Change Management process.

The Company evaluates its organizational structure, reporting lines, authorities, and responsibilities as part of its annual business planning process and as part of its ongoing risk assessment activities.

Common Criteria Related to Monitoring

Criteria Criteria Description

CC4.1 Company selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2 Company evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

CC4.1 The Company maintains a formal risk management policy which includes an annual risk assessment, and ongoing risk management process. During this process management identifies changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and updates the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

Management periodically receives reports summarizing incidents, root cause of incidents, and corrective action plans. Management monitors for completion of corrective action plans.

CC4.2 Policies and procedures, including those specific to information security, are reviewed/updated at least annually, or more frequently if required based on changes in the environment or based on results of management's risk assessment and management processes.

The Company performs monthly vulnerability scans on its network, an annual third party penetration test and an annual application security test on the client portal website. The Company adds tickets for any vulnerabilities identified to ensure they are properly tracked and remediated in accordance with the level of priority based on the Company change management process.

Common Criteria Related to Control Activities

Criteria Criteria Description

CC5.1 Company selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

CC5.2 Company also selects and develops general control activities over technology to support the achievement of objectives.

CC5.3 Company deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

CC5.1 The Company employs configuration management software to ensure production system components, including user endpoints, are configured in compliance with corporate minimum security baselines, and that operating system patches of production system components and user endpoints are applied in a timely manner.

The Company maintains a formal risk management policy which includes an annual risk assessment, and ongoing risk management process. During this process management identifies changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and updates the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

The Company maintains a formal information security policy to address identified information security risks. They also maintain procedural documents on the internal wiki that explain step-by-step actions for important infrastructure maintenance and upkeep.

CC5.2 The Company performs monthly vulnerability scans on its network, an annual third party penetration test and an annual application security test on the client portal website. The Company adds tickets for any vulnerabilities identified to ensure they are properly tracked and remediated in accordance with the level of priority based on the Company change management process.

CC5.3 The Company maintains a formal information security policy to address identified information security risks. They also maintain procedural documents on the internal wiki that explain step-by-step actions for important infrastructure maintenance and upkeep.

Personnel are required to read, understand, and agree to adhere to multiple policies upon their hire and to formally reaffirm them annually thereafter. These policies include an Acceptable Use Policy, Clean Desk Policy, Internal Privacy Policy, Remote Access Policy, and a Social Media Policy. All employees must also sign confidentiality and non-compete agreements. Employees must also complete a full orientation including IT security awareness training. The employee signs and dates the acknowledgement that they agree to these policies.

The Company has developed a Business Continuity and IT Disaster Recovery program. The business continuity program enables an appropriate level of preparedness for a disruptive incident, as well as compliance with regulatory guidelines. The Business Continuity and IT Disaster Recovery plan, tested annually, is updated as necessary based on testing results.

Common Criteria Related to Logical and Physical Access Controls

Criteria Criteria Description

CC6.1 Company implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet Company's objectives.

CC6.2 Prior to issuing system credentials and granting system access, Company registers and authorizes new internal and external users whose access is administered by Company. For those users whose access is administered by Company, user system credentials are removed when user access is no longer authorized.

CC6.3 Company authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet Company’s objectives.

CC6.4 Company restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet Company’s objectives.

CC6.5 Company discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet Company’s objectives.

CC6.6 Company implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.7 Company restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet Company’s objectives.

CC6.8 Company implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet Company’s objectives.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

Management has enacted an Acceptable Use Policy governing logical access to corporate networks and production systems which is reviewed and updated on an annual basis.

Access to corporate resources is restricted via unique user ID and password and access control lists. User IDs are not reused.

Access to migrate application changes to production is restricted to the authorized members of the IT/Development teams and approvals are tracked.

Corporate networks, systems, and applications enforce password complexity requirements, session timeouts, and account lockouts.

The Company uses Mimecast for email to protect clients from emailing client lists directly to them and not through the secure portal.

Administrative access to in-scope corporate and production systems, including the logs, is restricted to authorized personnel based on the least privilege concept in accordance with the Company Information Security Policy.

Access to backup data is restricted to authorized users based on least privilege.

A firewall monitors incoming and outgoing traffic on the production system and user endpoints. Firewall monitoring alerts are sent to the IT Team. Client data is encrypted and kept on a separate VLAN and only accessible by those who need access. All Client data is deleted by default 90 days after processing (can be configured for 20, 60, or 90 days).

The Company has a documented Access Control Policy that defines user access maintenance and system security controls and procedures based on the concepts of role-based access and the principle of least privilege.

New employee access to the Company systems is initiated through the new hire process. Requests are reviewed for proper approval and appropriateness then completed by IT through the ticketing system for proper tracking.

Change management forms are required for terminations or changes in access. These forms are reviewed and approved by the appropriate party and then completed by IT through the ticketing system for proper tracking. The company also reviews all users bi-annually to make sure the list is up to date.

Access to backup data is restricted to authorized users based on least privilege.

Access to corporate resources is restricted via unique user ID and password and access control lists. User IDs are not reused.

Change management forms are required for terminations or changes in access. These forms are reviewed and approved by the appropriate party and then completed by IT through the ticketing system for proper tracking. The company also reviews all users bi-annually to make sure the list is up to date.

The Company has a documented Access Control Policy that defines user access maintenance and system security controls and procedures based on the concepts of role-based access and the principle of least privilege.

New employee access to the Company systems is initiated through the new hire process. Requests are reviewed for proper approval and appropriateness then completed by IT through the ticketing system for proper tracking.

Criteria addressed: CC6.1, CC6.2, CC6.3

CC6.4 The Company has door locks on its office location that can only be opened by a PIN code. Each employee is assigned their own unique PIN so the Company can maintain a log of who enters each day. The server room is locked and includes equipment with smoke, humidity and water detectors as well as cameras. The office also has cameras spread throughout. Only three employees have access to the server room. The server door has text alerts for off-hours and weekends. Alerts go to the IT Team and President. The Company maintains an Azure backup as a repository but they have a complete network that is live and connected to the Company firewall via IPSec tunnel.

Change management forms are required for terminations or changes in access. These forms are reviewed and approved by the appropriate party and then completed by IT through the ticketing system for proper tracking. The company also reviews all users bi-annually to make sure the list is up to date.

The Company
• locates and removes or redacts specified confidential information as required.
• regularly and systematically destroys, erases, or makes anonymous confidential information that is no longer required for the purposes identified in its confidentiality commitments or system requirements.
• erases or destroys records in accordance with the retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
• disposes of original, archived, backup, and ad hoc or personal copies of records in accordance with its destruction policies.
• documents the disposal of confidential information.

A firewall monitors incoming and outgoing traffic on the production system and user endpoints. Firewall monitoring alerts are sent to the IT Team. Client data is encrypted and kept on a separate VLAN and only accessible by those who need access. All Client data is deleted by default 90 days after processing (can be configured for 20, 60, or 90 days).

TLS 1.2 and other encryption technologies are used for defined points of connectivity and to protect communications between the Company systems and end users connecting from within or external to customer networks.

The Company uses Mimecast for email to protect clients from emailing client lists directly to them and not through the secure portal.

A firewall monitors incoming and outgoing traffic on the production system and user endpoints. Firewall monitoring alerts are sent to the IT Team. Client data is encrypted and kept on a separate VLAN and only accessible by those who need access. All Client data is deleted by default 90 days after processing (can be configured for 20, 60, or 90 days).

Criteria addressed: CC6.5, CC6.6

CC6.7 Usage of removable media for members of the team is restricted to registered devices and requires approval by management. When authorized, only encrypted removable media is allowed.

CC6.8 TLS 1.2 and other encryption technologies are used for defined points of connectivity and to protect communications between the Company systems and end users connecting from within or external to customer networks.

The Company uses Mimecast for email to prevent clients from sending client lists directly by email rather than through the secure portal.

The ability to install software on corporate workstations and laptops is restricted by policy.

The Company performs monthly vulnerability scans on its network, an annual third-party penetration test and an annual application security test on the client portal website. The Company adds tickets for any vulnerabilities identified to ensure they are properly tracked and remediated in accordance with the level of priority based on the Company change management process.

The Company reviews its IDS/IPS, antivirus/antimalware, and SIEM/UTM configurations on an as-needed basis to ensure the current configuration in place adequately reduces its level of risk to an acceptable level. Updates for these systems are automatically pushed out at least daily.

Common Criteria Related to System Operations

Criteria Criteria Description

CC7.1 To meet its objectives, Company uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

CC7.2 Company monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting Company's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 Company evaluates security events to determine whether they could or have resulted in a failure of Company to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

CC7.4 Company responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

CC7.5 Company identifies, develops, and implements activities to recover from identified security incidents.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

CC7.1 Established Company standards exist for infrastructure and software hardening and configuration that include requirements for implementation of access control software, Company configuration standards, and standardized access control lists.

Logging and monitoring software is used to collect data from system infrastructure components and endpoint systems; to monitor for potential security threats and vulnerabilities and to detect unusual system activity or service requests.



CC7.1 The Company performs monthly vulnerability scans on its network, an annual third-party penetration test and an annual application security test on the client portal website. The Company adds tickets for any vulnerabilities identified to ensure they are properly tracked and remediated in accordance with the level of priority based on the Company change management process.

CC7.2 Operations and security personnel follow defined protocols for resolving and escalating reported events. This includes root cause analysis that is escalated to management as required.

Logging and monitoring software is used to collect data from system infrastructure components and endpoint systems; to monitor for potential security threats and vulnerabilities and to detect unusual system activity or service requests.

Logging and monitoring software sends alerts which trigger a discussion in the Teams response channel. Tickets are opened if there are any changes needed to fix the alert.

For high severity incidents, a root cause analysis is prepared and reviewed by the Information Security team. Based on the root cause analysis, change requests are prepared and the Company's risk management process and relevant risk management data is updated to reflect the planned incident and problem resolution.

CC7.3 Operations and security personnel follow defined protocols for resolving and escalating reported events. This includes root cause analysis that is escalated to management as required.

For high severity incidents, a root cause analysis is prepared and reviewed by the Information Security team. Based on the root cause analysis, change requests are prepared and the Company's risk management process and relevant risk management data is updated to reflect the planned incident and problem resolution.

CC7.4 Operations and security personnel follow defined protocols for resolving and escalating reported events. This includes root cause analysis that is escalated to management as required.

CC7.5 The Company has developed a Business Continuity and IT Disaster Recovery program. The business continuity program enables an appropriate level of preparedness for a disruptive incident, as well as compliance with regulatory guidelines. The Business Continuity and IT Disaster Recovery plan, tested annually, is updated as necessary based on testing results.

Operations and security personnel follow defined protocols for resolving and escalating reported events. This includes root cause analysis that is escalated to management as required.

Common Criteria Related to Change Management

Criteria Criteria Description

CC8.1 Company authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.



Criteria Description of FreshAddress, LLC's Service Organization's Controls

CC8.1 The Company has a documented Change Management Policy for making changes to Production systems, including applications, databases, and operating systems. The Policy defines the development methodology, required change authorization, required approvals, nature of testing, as well as deployment and secure coding requirements.

System change requests are evaluated to determine the potential effect of the change on security, availability, and confidentiality commitments, and system requirements throughout the change management process.

System change requests must be reviewed and approved by the IT Manager prior to work commencing on the requested change. Segregation of duties exists between those responsible for authorizing changes and those responsible for implementing them to Production.

Separate environments are used for development and production. Developers do not have access to implement changes into the production environment. Access to migrate application changes to production is restricted to the authorized members of the IT/development teams and approvals are tracked.

Common Criteria Related to Risk Mitigation

Criteria Criteria Description

CC9.1 Company identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

CC9.2 Company assesses and manages risks associated with vendors and business partners.

Criteria Description of FreshAddress, LLC's Service Organization's Controls

CC9.1 The Company maintains a formal risk management policy which includes an annual risk assessment and an ongoing risk management process. During this process management identifies changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives and updates the potential threats to system objectives. In response to the identification of such risks, management updates its policies, procedures, processes, and controls, as needed.

The Company maintains a cyber insurance policy to help transfer some of the risk of loss to a third party in the form of insurance.

CC9.2 The Company evaluates its relationship with third parties on an annual basis. All new third-party relationships are approved by the appropriate level of management and third parties are required to fill out a security questionnaire, confidentiality and security agreement. All data sent to third-party subcontractors is sent blind and is encrypted.
