May 23, 2018 | accusoft |
Proprietary and Confidential

Accusoft Type 1 SOC 2 2018

REPORT ON ACCUSOFT'S DESCRIPTION OF ITS SYSTEM AND ON THE SUITABILITY OF THE DESIGN OF ITS CONTROLS RELEVANT TO SECURITY AND CONFIDENTIALITY

Pursuant to Reporting on Service Organization Controls 2 (SOC 2) Type 1 examination performed under AT-C 105 and AT-C 205

April 15, 2018

Table of Contents

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT
SECTION 2 MANAGEMENT OF ACCUSOFT'S ASSERTION REGARDING ITS SYSTEM AS OF APRIL 15, 2018
SECTION 3 DESCRIPTION OF ACCUSOFT'S SYSTEM AS OF APRIL 15, 2018
  OVERVIEW OF OPERATIONS
    Company Background
    Description of Services Provided
  CONTROL ENVIRONMENT
    Integrity and Ethical Values
    Commitment to Competence
    Management's Philosophy and Operating Style
    Organizational Structure and Assignment of Authority and Responsibility
    Human Resources Policies and Practices
  RISK ASSESSMENT
  TRUST SERVICES PRINCIPLES AND CRITERIA
    COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES
    ADDITIONAL CRITERIA FOR CONFIDENTIALITY
  MONITORING
  INFORMATION AND COMMUNICATION SYSTEMS
  COMPLEMENTARY USER ENTITY CONTROLS
SECTION 4 INFORMATION PROVIDED BY THE SERVICE AUDITOR
  GUIDANCE REGARDING INFORMATION PROVIDED BY THE SERVICE AUDITOR

SECTION 1 INDEPENDENT SERVICE AUDITOR'S REPORT

INDEPENDENT SERVICE AUDITOR'S REPORT ON CONTROLS AT ACCUSOFT RELEVANT TO SECURITY AND CONFIDENTIALITY

To Accusoft:

We have examined the attached description titled "Description of Accusoft's SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018"
(the description) and the suitability of the design of controls to meet the criteria for the security and confidentiality principles set forth in TSP section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2016) (AICPA, Technical Practice Aids) (applicable trust services criteria), as of April 15, 2018. The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of Accusoft's ('Accusoft' or 'the Company') controls are suitably designed, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

Accusoft uses Amazon Web Services ("subservice organization") for cloud hosting services. The description indicates that certain applicable trust services criteria can only be met if controls at the subservice organization are suitably designed. The description presents Accusoft's system; its controls relevant to the applicable trust services criteria; and the types of controls that the service organization expects to be implemented, and suitably designed at the subservice organization to meet certain applicable trust services criteria. The description does not include any of the controls implemented at the subservice organization. Our examination did not extend to the services provided by the subservice organization.

Accusoft has provided the attached assertion titled "Management of Accusoft's Assertion Regarding Its SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018," which is based on the criteria identified in management's assertion.
Accusoft is responsible for (1) preparing the description and assertion; (2) the completeness, accuracy, and method of presentation of both the description and assertion; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria.

Our responsibility is to express an opinion on the fairness of the presentation of the description based on the description criteria set forth in Accusoft's assertion and on the suitability of the design of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed to meet the applicable trust services criteria as of April 15, 2018.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed to meet the applicable trust services criteria. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon.

Because of their nature and inherent limitations, controls at a service organization may not prevent, or detect and correct, all errors or omissions to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or conclusions about the suitability of the design of the controls to meet the applicable trust services criteria is subject to the risks that the system may change or that controls at a service organization may become inadequate or fail.

In our opinion, in all material respects, based on the description criteria identified in Accusoft's assertion and the applicable trust services criteria:

a. the description fairly presents the system that was designed and implemented as of April 15, 2018, and
b. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively as of April 15, 2018, and user entities applied the complementary user-entity controls contemplated in the design of Accusoft's controls as of April 15, 2018 and the subservice organization applied, as of April 15, 2018, the types of controls expected to be implemented at the subservice organization and incorporated in the design of the system.

This report is intended solely for the information and use of Accusoft; user entities of Accusoft's SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018; and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

- The nature of the service provided by the service organization.
- How the service organization's system interacts with user entities, subservice organizations, or other parties.
- Internal control and its limitations.
- Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria.
- The applicable trust services criteria.
- The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks.

This report is not intended to be and should not be used by anyone other than these specified parties.

April 16, 2018
Tampa, Florida

SECTION 2 MANAGEMENT OF ACCUSOFT'S ASSERTION REGARDING ITS SYSTEM AS OF APRIL 15, 2018

Management of Accusoft's Assertion Regarding Its System as of April 15, 2018

April 16, 2018

We have prepared the attached description titled "Description of Accusoft's SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018" (the description), based on the criteria in items (a)(i)-(ii) below, which are the criteria for a description of a service organization's system in paragraphs 1.34-.35 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (the description criteria). The description is intended to provide users with information about the SaaS - OnTask and PrizmDoc Hosted Services System, particularly system controls intended to meet the criteria for the security and confidentiality principles set forth in TSP section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2016) (AICPA, Technical Practice Aids) (applicable trust services criteria).

We confirm, to the best of our knowledge and belief, that:

a.
the description fairly presents the SaaS - OnTask and PrizmDoc Hosted Services System as of April 15, 2018, based on the following description criteria:

   i. The description contains the following information:

      (1) The types of services provided.
      (2) The components of the system used to provide the services, which are the following:
          - Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and telecommunications networks).
          - Software. The application programs and IT systems software that supports application programs (operating systems, middleware, and utilities).
          - People. The personnel involved in governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
          - Processes. The automated and manual procedures.
          - Data. Transaction streams, files, databases, tables, and output used or processed by a system.
      (3) The boundaries or aspects of the system covered by the description.
      (4) How the system captures and addresses significant events and conditions.
      (5) The process used to prepare and deliver reports and other information to user entities or other parties.
      (6) If information is provided to, or received from other parties, how such information is provided or received; the role of the other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.
      (7) For each principle being reported on, the applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, complementary user-entity controls contemplated in the design of the service organization's system.
      (8) Any applicable trust services criteria that are not addressed by a control at the service organization and the reasons therefore.
      (9) Other aspects of the service organization's control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable trust services criteria.
      (10) Relevant details of changes to the service organization's system during the period covered by the description.

   ii. The description does not omit or distort information relevant to the service organization's system while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs.

b. the controls stated in the description were suitably designed throughout the specified period to meet the applicable trust services criteria.

Jack Berlin
CEO
Accusoft

SECTION 3 DESCRIPTION OF ACCUSOFT'S SYSTEM AS OF APRIL 15, 2018

OVERVIEW OF OPERATIONS

Company Background

Accusoft was founded as Pegasus Imaging Corporation in 1991 as a reseller of fractal image compression and decompression toolkits and digital image compression applications. Over the years, the company has made numerous acquisitions and has expanded its portfolio of software offers to include various document and imaging SDKs and hosted services. Accusoft provides a full range of tools that help build document management solutions in a variety of industries including Financial, Government, Legal, and Healthcare.

Description of Services Provided

OnTask and PrizmDoc Cloud are both cloud-based applications. OnTask is a web-based workflow automation solution that allows customers to make better use of their most valuable resource: their time.
PrizmDoc is a suite of web services that are accessed using REST APIs which provide document & image processing functionality for the application, including:

- Viewing
- Annotation
- Redaction
- Compression
- OCR
- Forms with AutoField Detection
- Watermarking
- Conversion

Infrastructure

Primary infrastructure used to provide Accusoft's OnTask and PrizmDoc system includes the following:

Primary Infrastructure
Hardware | Type | Purpose
Virtual Instances | AWS | Runs application code and web server
Databases | AWS | Houses application data
Object Storage | AWS | Stores document data

Software

Primary software used to provide Accusoft's OnTask and PrizmDoc system includes the following:

Primary Software
Software | Operating System | Purpose
AWS | Linux / Windows | Provides virtual cloud infrastructure for hosting applications
Zabbix | Linux | Monitoring application used to provide monitoring, alert and notification services for hosted applications
AWS RDS |  | Provides database services

People

The Accusoft staff provides support for the above services in each of the following functional areas:

- Executive management - provides general oversight and strategic planning of operations
- Development team - responsible for delivering a responsive system that fully complies with the functional specification
- Quality assurance team - verifies that the system complies with the functional specification through functional testing procedures
- System administrators - responsible for effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software relevant to the system
- Customer Support - serves customers by providing product and service information that includes resolving product and service issues

Processes

Formal IT policies and procedures exist that describe physical security, logical access, computer operations, change control, and data communication standards.
All teams are expected to adhere to the Accusoft policies and procedures that define how services should be delivered. These are located on the Company's intranet and can be accessed by any Accusoft team member.

Physical Security

Purpose: The purpose of the Building Security Policy is to outline the many resources Accusoft utilizes to keep the building and employees safe.

Key Access: All employees who are issued keys or key cards to the office are responsible for their safekeeping. These employees will sign an Acknowledgement of Receipt form upon receiving the key (See Onboarding Procedure).

Alarms: Alarms sponsored by TYCO are located by the rear parking lot entrance at HQ and the east and west entrances at West Annex, and the east and west entrances at East Annex. To arm or disarm the alarm systems, refer to Arming/Disarming Alarm.

Gates: There is a gate installed to the parking lot entrance at Poplar Street that is required to be locked at all times. Access to this parking lot through this gate is only permitted for deliveries or construction. To open/close, please see Gate Procedure.

Security Cameras: Accusoft has eight (8) security cameras at West Annex, eight (8) security cameras at East Annex, and seven (7) around the entrances and premises of HQ used to monitor the facilities. Security cameras are supervised by the IS department.

Intercom System: Entry access into the Tampa buildings is triggered by the intercom system. Access can be given by the receptionist and Accounting Department by picking up the phone, asking who it is, and if they are allowed entry, pressing. Once identity and purpose are verified, entry may be granted.

Logical Access

Accusoft uses role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources.
Resources are protected through the use of native system security and add-on software products that identify and authenticate users and validate access requests against the users' authorized roles in access control lists.

Employees and approved vendor personnel sign on to the Accusoft network using an Active Directory user ID and password. Users are also required to separately sign on to any systems or applications that do not use the shared sign-on functionality of Active Directory. Passwords must conform to defined password standards and are enforced through parameter settings in the Active Directory. These settings are part of the configuration standards and disable the user ID's ability to access the system and components after a specified number of unsuccessful access attempts, and mask workstation screens, requiring reentry of the user ID and password after a period of inactivity.

Upon hire, employees are assigned to a position in the HR management system. Seven days prior to the employees' start date, HR creates a report of employee user IDs to be created and access to be granted. The report is used by the IT help desk to create user IDs and access rules. Access rules have been pre-defined based on the defined roles. The system lists also include employees with position changes and the associated roles to be changed within the access rules.

On a bi-annual basis, access rules for each role are reviewed by a working group composed of IT help desk, product managers, and HR personnel. In evaluating role access, group members consider job description, duties requiring segregation, and risks associated with access.

HR generates a list of terminated employees on a daily basis. This daily report is used by the IT help desk to delete employee access. On a bi-annual basis, HR runs a list of active employees. The IT help desk uses this list to suspend user IDs and delete all access roles from IDs belonging to terminated employees.
Computer Operations - Backups

Customer data is backed up and replicated via AWS RDS automated backup and S3 system redundancy.

Computer Operations - Availability

The incident response policy and procedure at Accusoft is designed to ensure rapid response and remediation of any information technology incidents. As part of Accusoft's incident response there is a post-mortem step where the response team reviews the issue, analyzes the response and identifies system and software improvements to prevent a future incident.

Accusoft uses Amazon Web Services (AWS) to support the OnTask and PrizmDoc Cloud products. AWS provides auto scaling, load balancing and monitoring of Accusoft's cloud infrastructure. Resource stability, capacity and load are monitored and managed using common AWS practices.

Change Control

Accusoft has a documented Scrum process used to guide personnel in documenting and implementing application and infrastructure changes. Change control procedures include change request and initiation processes, documentation requirements, development practices, quality assurance testing requirements, and required approval procedures.

JIRA is utilized to document the change control procedures for changes in the application and implementation of new changes. Quality assurance testing results are documented and maintained with the associated change request. Development and testing are performed in an environment that is logically separated from the production environment. The Scrum team approves changes prior to migration to the production environment.

Data Communications

Firewall systems are in place to filter unauthorized inbound network traffic from the Internet and deny any type of network connection that is not explicitly authorized. Network address translation (NAT) functionality is utilized to manage internal IP addresses. Administrative access to the firewall is restricted to authorized employees.
Redundancy is built into the system infrastructure supporting the data center services to help ensure that there is no single point of failure that includes firewalls, routers, and servers. In the event that a primary system fails, the redundant hardware is configured to take its place.

Authorized employees may access the system from the Internet through the use of SSL VPN technology. Employees are authenticated through the use of Active Directory authentication.

Data

Customer data is managed, stored and processed in accordance with confidentiality and privacy policies for each product. Customer data is captured which is utilized by Accusoft in delivering its PrizmDoc Cloud and OnTask services. Such data includes, but is not limited to, the following:

- Email addresses
- First and Last Name
- Documents used in transactions with the system
- User data entered into workflows

Boundaries of the System

The scope of this report includes OnTask and PrizmDoc Cloud services provided by Accusoft. This report does not include the hosting services provided by AWS facilities.

Significant Events and Conditions

Accusoft has implemented health checks, CloudWatch alerts, dashboards, Zabbix alerts and AWS logging to detect, monitor and capture incidents. Please see the attached documentation for information on these items.

Preparation and Delivery of Reports and Data

Accusoft utilizes the services and procedures described above to capture, prepare, and deliver reports and other information (described in the data section above) to user entities and other parties.

Subservice Organizations

The cloud hosting services provided by AWS are monitored by management; however, they have not been included in the scope of this review. The following criteria and controls are expected to be implemented by AWS.
Subservice Organization Controls
Principle | Criteria | Applicable Controls
Security | CC5.5 | Physical access to facilities housing the production system is restricted to authorized personnel

Criteria Not Applicable to the System

All Common Security and Confidentiality criteria were applicable to the Accusoft OnTask and PrizmDoc Cloud system.

Significant Changes in the Last 12 Months

OnTask has developed and released the following items to its users in the last 12 months:

- The ability to edit, comment and suggest on documents
- A self-service module where customers can sign up and start using OnTask services

PrizmDoc Cloud has developed and released the following items to its users in the last 12 months:

- New version of the base PrizmDoc product with additional APIs and tools
- A new portal for the end users to manage their transactions and accounts

CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Accusoft's control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Accusoft's ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well as by example.
Specific control activities that the service organization has implemented in this area are described below:

- Formally documented organizational policy statements and codes of conduct communicate entity values and behavioral standards to personnel
- Policies and procedures require employees sign an acknowledgment form indicating they have been given access to the employee manual and understand their responsibility for adhering to the policies and procedures contained within the manual
- A confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties is a component of the employee handbook
- Background checks are performed for employees as a component of the hiring process

Commitment to Competence

Accusoft's management defines competence as the knowledge and skills necessary to accomplish tasks that define employees' roles and responsibilities. Management's commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge.

Specific control activities that the service organization has implemented in this area are described below:

- Management has considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements
- Training is provided to maintain the skill level of personnel in certain positions

Management's Philosophy and Operating Style

Accusoft's management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management's approach to taking and monitoring business risks, and management's attitudes toward information processing, accounting functions, and personnel.
Specific control activities that the service organization has implemented in this area are described below:

- Management is periodically briefed on regulatory and industry changes affecting the services provided
- Executive management meetings are held to discuss major initiatives and issues that affect the business as a whole

Organizational Structure and Assignment of Authority and Responsibility

Accusoft's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. Management believes establishing a relevant organizational structure includes considering key areas of authority and responsibility. An organizational structure has been developed to suit its needs. This organizational structure is based, in part, on its size and the nature of its activities.

Accusoft's assignment of authority and responsibility activities include factors such as how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge, and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. Organizational charts are in place to communicate key areas of authority and responsibility. These charts are communicated to employees and updated as needed.

Human Resources Policies and Practices

Accusoft's success is founded on sound business ethics, reinforced with a high level of efficiency, integrity, and ethical standards.
The result of this success is evidenced by its proven track record for hiring and retaining top quality personnel who ensure the service organization is operating at maximum efficiency. Accusoft's human resources policies and practices relate to employee hiring, orientation, training, evaluation, counseling, promotion, compensation, and disciplinary activities.

Specific control activities that the service organization has implemented in this area are described below:

- New employees are required to sign acknowledgement forms for the employee handbook and a confidentiality agreement following new hire orientation on their first day of employment
- Evaluations for each employee are performed on an annual basis
- Employee termination procedures are in place to guide the termination process and are documented in a termination checklist

RISK ASSESSMENT

Risk assessments are conducted on an annual basis. When conducting a risk assessment each risk will be added to the Risk Register. The Risk Register will track the following items:

- Risk Description - Descriptive text identifying the risk
- Impact - This is an impact score on a scale of 1-5 with 1 being the lowest and 5 the highest. An example of a 1 would be a single user getting an occasional error but they are able to proceed with their work. An example of a 5 would be all systems are down and there is no way for the customers to work
- Likelihood - This is how likely the event may happen on a scale of 1-5 with 1 being very unlikely and 5 being very likely. An example of a 1 would be the Tampa office being hit by a tsunami. An example of a 5 would be electricity going out in the Tampa office
- Severity - Impact multiplied by the Likelihood
- Mitigating Action - Actions that can be taken to mitigate the risk
- Status - The status of any mitigating actions for the identified risk

Each risk will then be assessed for its impact and likelihood as outlined above.
These ratings will be multiplied together to calculate the overall severity of each risk in the register. Risks will then be ranked in order of severity from highest to lowest and triaged in order. During the triage process the risk assessment team will add mitigating actions designed to minimize the risk.

After the risk assessment is complete the appropriate JIRA stories and IT tickets will be created for the mitigation actions so they can be prioritized with the Product Management Team and executed. Items created in JIRA should have the label Risk Assessment with the Year of the assessment. The risk team will update the risk assessment when items assigned to their product team are completed.

TRUST SERVICES PRINCIPLES AND CRITERIA

In-Scope Trust Services Principles

Common Criteria (to all Security and Confidentiality Principles)

The security principle refers to the protection of the system resources through logical and physical access control measures in order to enable the entity to meet its commitments and system requirements related to security, availability, processing integrity, confidentiality, and privacy. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.

Confidentiality

The confidentiality principle addresses the system's ability to protect information designated as confidential, including, its final disposition and removal from the system in accordance with management's commitments and system requirements.
Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention, and restrict its disclosure to defined parties (including those who may otherwise have authorized access within the boundaries of the system). Such requirements may be contained in laws or regulations, or commitments in user contracts. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, while the confidentiality principle applies to various types of sensitive information. In addition, the privacy principle addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.

Integration with Risk Assessment

The environment in which the system operates; the commitments, agreements, and responsibilities of Accusoft's OnTask and PrizmDoc system; as well as the nature of the components of the system result in risks that the criteria will not be met. Accusoft addresses these risks through the implementation of suitably designed controls to provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, Accusoft's management identifies the specific risks that the criteria will not be met and the controls necessary to address those risks.
Control Activities Specified by the Service Organization

COMMON CRITERIA TO ALL IN-SCOPE TRUST SERVICES PRINCIPLES

CC1.0 Common Criteria Related to Organization and Management

CC1.1
Criteria: The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security and confidentiality.
Control Activity Specified by the Service Organization:
- A documented organizational chart is in place to communicate organizational structures, lines of reporting, and areas of authority.
- Reporting relationships and organizational structures are reviewed as needed by management.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Management reviews job descriptions on an as needed basis and makes updates, if necessary.

CC1.2
Criteria: Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control Activity Specified by the Service Organization:
- A documented organizational chart is in place to assign responsibility and delegate lines of authority to personnel.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Management reviews job descriptions on an as needed basis and makes updates, if necessary.
CC1.3
Criteria: The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security and confidentiality and provides resources necessary for personnel to fulfill their responsibilities.
Control Activity Specified by the Service Organization:
- Job requirements are documented in the job descriptions and candidates' abilities to meet these requirements are evaluated as part of the hiring or transfer evaluation process.
- The experience and training of candidates for employment or transfer are evaluated before they assume the responsibilities of their position.
- Employee evaluations are performed for employees on an annual basis.
- Employees are required to read and acknowledge information security policies/complete information security training upon hire and complete training on an annual basis as a part of training compliance.
- Management documents skills and continued training to establish the organization's commitments and requirements for employees.
- Management tracks and monitors compliance with training requirements.

CC1.4
Criteria: The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security and confidentiality.
Control Activity Specified by the Service Organization:
- An employee handbook and code of conduct are documented to communicate workforce conduct standards and enforcement procedures.
- Personnel are required to sign and accept the employee handbook and code of conduct upon hire.
- Personnel are required to complete a background check provided by a third-party vendor upon hire.
CC2.0 Common Criteria Related to Communications

CC2.1
Criteria: Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.
Control Activity Specified by the Service Organization:
- System descriptions are communicated to authorized external users via the company website that delineate the boundaries of the system and describe relevant system components.
- A description of the system delineating the boundaries of the system is posted on a secure network drive and is available to personnel.
- A documented organizational chart is in place to communicate organizational structures, lines of reporting, and areas of authority.
- Reporting relationships and organizational structures are reviewed as needed by management.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Customer responsibilities are outlined and communicated through the company website.

CC2.2
Criteria: The entity's security and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.
Control Activity Specified by the Service Organization:
- Security and confidentiality commitments are communicated to external users via the company website.
- Policies and procedures are documented for significant processes and are available on the entity's intranet.
- Employees are required to read and acknowledge information security policies/complete information security training upon hire and complete training on an annual basis as a part of training compliance.
- Personnel are required to sign and accept the employee handbook and code of conduct upon hire.
CC2.3
Criteria: The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.
Control Activity Specified by the Service Organization:
- Policies and procedures are documented for significant processes and are available on the entity's intranet.
- Roles and responsibilities are defined in written job descriptions and communicated to personnel.
- Management reviews job descriptions on an as needed basis and makes updates, if necessary.
- Personnel are required to attend annual security and confidentiality training.
- Customer responsibilities are outlined and communicated through the company website.

CC2.4
Criteria: Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security and confidentiality of the system, is provided to personnel to carry out their responsibilities.
Control Activity Specified by the Service Organization:
- Processes are monitored through service level management procedures to help ensure compliance with service level commitments and agreements.
- Employees are required to read and acknowledge information security policies/complete information security training upon hire and complete training on an annual basis as a part of training compliance.

CC2.5
Criteria: Internal and external users have been provided with information on how to report security and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
Control Activity Specified by the Service Organization:
- The organization's security policies and code of conduct are communicated to employees in the employee handbook.
- Documented incident response policies and procedures are in place to guide personnel in the event of an incident.
- Policies and procedures are in place to guide personnel in the handling of customer support.
- Customer support is available to external users via the company website.
CC2.6
Criteria: System changes that affect internal and external users' responsibilities or the entity's commitments and system requirements relevant to security and confidentiality are communicated to those users in a timely manner.
Control Activity Specified by the Service Organization:
- System changes are authorized, tested, and approved by management prior to implementation.
- Changes are communicated to both internal and external users.

CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls

CC3.1
Criteria: The entity (1) identifies potential threats that could impair system security and confidentiality commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, (3) determines mitigation strategies for those risks.
Control Activity Specified by the Service Organization:
- A master list of the entity's system components is maintained, accounting for additions and removals, for management's use.
- Documented policies and procedures are in place to guide personnel when performing the risk assessment process.
- A formal risk assessment is performed on an annual basis to identify threats that could impair systems security and confidentiality commitments and requirements.
- Identified risks are rated using a risk evaluation process and ratings are reviewed by management.

CC3.2
Criteria: The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy; reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities; and updates the controls, as necessary.
Control Activity Specified by the Service Organization:
- Management has defined a formal risk management process that specifies the process for evaluating risks based on identified threats and the specified tolerances.
- Disaster recovery plans are in place and tested on an annual basis.
- Management develops risk mitigation strategies to address risks identified during the risk assessment process.

CC4.0 Common Criteria Related to Monitoring Controls

CC4.1
Criteria: The design and operating effectiveness of controls are periodically evaluated against the entity's commitments and system requirements as they relate to security and confidentiality, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
Control Activity Specified by the Service Organization:
- Control self-assessments that include, but are not limited to, physical and logical access reviews, and backup restoration tests are performed on a bi-annual basis.
- Monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity.
- The monitoring software is configured to alert IT personnel when thresholds have been exceeded.
CC5.0 Common Criteria Related to Logical and Physical Access Controls

CC5.1
Criteria: Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity's commitments and system requirements as they relate to security and confidentiality.
Control Activity Specified by the Service Organization:
- Documented policies and procedures are in place regarding systems authentication, access, and security monitoring.
- Logical and physical access to systems is granted to an employee as a component of the hiring process.
- Logical and physical access to systems is revoked as a component of the termination process.

Network
- Network user access is restricted via role based security privileges defined within the access control system.
- Network administrative access is restricted to user accounts accessible by authorized personnel.
- Network users are authenticated via individually-assigned user accounts and passwords.
- Networks are configured to enforce password requirements that include:
  - Password history
  - Password length
  - Complexity
- Network account lockout policies are in place that include:
  - Account lockout duration
  - Account lockout threshold
  - Account lockout counter reset
- Network audit policy configurations are in place that include:
  - Account logon events
  - Account management
- Network access reviews are completed by management on a bi-annual basis.

Database
- Database user access is restricted via role based security privileges defined within the access control system.
- Database administrative access is restricted to user accounts accessible by authorized personnel.
REPORT ON ACCUSOFT’S DESCRIPTION OF ITS SYSTEM AND ON THE SUITABILITY OF THE DESIGN OF ITS CONTROLS RELEVANT TO SECURITY AND CONFIDENTIALITY
Pursuant to Reporting on Service Organization Controls 2 (SOC 2) Type 1 examination performed under AT-C 105 and AT-C 205
April 15, 2018