CLOUD SECURITY ALLIANCE STAR (SECURITY, TRUST AND ASSURANCE REGISTRY) SUBMISSION FOR THE HYLAND CLOUD


August 2017

About the Cloud Security Alliance

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing and to provide education on the use of cloud computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

The Cloud Security Alliance (CSA) launched the Security, Trust & Assurance Registry (STAR) initiative at the end of The CSA STAR is the first step in improving transparency and assurance in the cloud. The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.

Hyland places the highest emphasis on delivering secure, reliable cloud solutions and is delighted to be working with the CSA to deliver a transparent mechanism such as STAR to assist customers in their cloud-related decision-making process.

Introduction to the Hyland Cloud

When it comes to cloud deployments, experience matters. With experience comes more functionality, an established history of demonstrated service levels, proven security and a large, active customer community. The Hyland Cloud delivers that experience.

In 2004, Hyland's enterprise content management (ECM) offering, OnBase, was the first mainstream online ECM solution to be deployed in the cloud. Hyland continues to pioneer innovative cloud solutions today. When deployed in the Hyland Cloud, the exact same ECM software is used for 700+ hosted OnBase customers as is used for Hyland's on-premises OnBase deployments. The solution is offered via our world-class hosting environments, located in several locations around the globe. The Hyland Cloud provides a full technical infrastructure and software platform that allows organizations to harness the power of OnBase without purchasing or managing hardware and software on-premises.

Hyland Cloud Provides

- Full ECM in the cloud with OnBase
- Stringent compliance with ISO 27001:2013, SOC 1, 2 and 3 as well as Privacy Shield standards
- Physical and network security with multiple network layers separated by multiple firewalls
- Burstable bandwidth for maximum upload and download speed
- Three-copy replication management spread across multiple physical locations
- Disaster recovery processes and business continuity commitments
- Software performance optimization including load-balanced application and web servers
- Environment operating system purchase, maintenance and licensing
- Solution availability, optimization and assurance needed to support the OnBase application
- Database software purchase, maintenance and licensing needed to support the OnBase application
- Centralized server management and upgrades

Functionality

When you deploy a cloud-based ECM solution, you don't want to sacrifice functionality. However, many other cloud-based ECM solutions provide less functionality than their on-premises equivalents. Other solutions do not have the flexibility, nor are they advanced enough, to provide a fully featured ECM suite.

This is not the case with OnBase in the Hyland Cloud. Users enjoy full functionality of ECM, capture, business process management, enterprise file sync and share, mobility, integration and case management. It's so seamless that many users don't even realize they are working on systems and data stored in the cloud.

Software

Since 2004, Hyland has offered users the ability to use the OnBase application as a service in the Hyland Cloud. With our hosted offering, customers choose the features and functionality they want, then the OnBase experts create that solution and provide access to it in the cloud. Your OnBase solution is available when and where you need it. In addition, our SLAs provide clear and concise details of available remedies should availability be compromised at any point.

The Hyland Cloud features one of the most powerful server and networking infrastructure topologies in the market. OnBase experts maintain the infrastructure and deploy and upgrade your solution, freeing up your IT resources for other strategic initiatives. Plus, you can change and grow your cloud solution when and how you need to.

Data Center Infrastructure

Worldwide Data Centers

Hyland provides you with complete details of where all copies of your data and systems are stored and operated through a completely transparent data location policy. Customers have a designated primary location in one of Hyland's worldwide data centers, typically the data center physically closest to them (but accommodated to their preferences if necessary). We have data centers across the U.S., as well as in London, England; Amsterdam, the Netherlands; Queretaro, Mexico; Sydney and Melbourne, Australia; and Auckland and Wellington, New Zealand.

Network Infrastructure and Connectivity

The Hyland Cloud maintains access to the global IP backbone via dual-access routers connected to multiple backbone nodes. Back-end connectivity and network service facilities include asynchronous transfer mode (ATM), frame relay and circuit switching. These capabilities provide high-speed internet access with burstable WAN bandwidth as part of the service classes, ensuring your content is uploaded to the system and put to use as quickly as possible.

Private, Managed, Multi-Instance Cloud

The Hyland Cloud provides an environment that delivers high-availability and high-performance ECM in the cloud. Each organization deployed to the Hyland Cloud receives its own instance of the OnBase software. Each solution includes dedicated resources for each customer and their data. In addition, Hyland fully manages critical daily maintenance functions of all infrastructure, hardware and software associated with the environment. This all comes together to create a unique, secure and resilient ECM-in-the-cloud solution.

Environmental Controls

All data centers are equipped with standard computer room environmental systems, including:

- Computer room air conditioning (CRAC) units
- Environmental monitoring system
- Fire detection units
- Fire suppression units
- Water detection system
- Raised floor
- Emergency power off (EPO) switches or equivalent procedures

These controls ensure that the hardware infrastructure running your OnBase solution remains in optimum condition at all times, minimizing the potential for downtime due to equipment failure or environmental incidents.

Compliance

The Hyland Cloud serves more than 700 lifetime customers worldwide, many of whom depend on the solution to meet a number of stringent regulatory demands including HIPAA, GLBA, SOX, SEC 17a-4 and international data sovereignty requirements. The success of the Hyland Cloud is driven by customer trust. Customers entrust the handling of their vital business information and processes to the Hyland Cloud every day. In return, Hyland backs this trust with product certifications and audits undertaken on associated data centers and processes. The Hyland Cloud meets the following certifications and audits:

ISO

ISO is a globally recognized information security standard that tests an organization's information security risks, taking account of threats, vulnerabilities and impacts. It is considered a coherent and comprehensive suite of information security controls. ISO certification has been achieved for Hyland's cloud operations in New South Wales, Australia. Expanding this certification scope across Hyland's global footprint is a component of Hyland's compliance roadmap.

SOC 1, 2 & 3

SOC standards are among the most stringent standards of security measurement for an operations center or data center. All Hyland Cloud data centers boast SOC 1, SOC 2 and/or SOC 3 certification. Additionally, Hyland's Cloud Services undertakes SOC 2 and SOC 3 audits annually, and performs quarterly internal audits and ongoing penetration and vulnerability tests.

Security

Physical and Network Security

All Hyland Cloud data centers are staffed by security personnel and covered by surveillance cameras. Hyland limits physical access to pre-authorized staff and visitors, who are provided with access via multifactor authentication that limits them to authorized areas only. Hardware is physically separated from any other hosting provided in the data center. Hardware is physically secured using separate cages and locking cabinets. Man traps, air locks, multiple access doors and other security measures prevent unauthorized access. Biometric controls and other cutting-edge technologies are utilized. Access to hardware is via multi-factor authentication.

Network infrastructure components and services such as routing, switching and bandwidth are monitored 24/7. Certified engineers are available to resolve any issues as per the customer's chosen service class. Automated network intrusion monitoring procedures operate 24/7.

Transport Security

Communication between OnBase clients and the Hyland Cloud is encrypted using TLS 1.2 or higher (with cipher strength up to AES-256) and SSH2. This ensures that content and operations are secure from interference or interception en route.

Power

Hyland provides redundant uninterruptible power supplies (UPS) with multiple modules synchronized to work in unison or independently. Each data center also has multiple, redundant generators to provide alternative power should the electricity fail. The switchover from commercial power to generator power is managed and covered by the UPS system to ensure that there is no loss of power to Hyland Cloud servers.

Application Security

Hyland Cloud users automatically receive access to new version upgrades when they are available. However, no upgrade is performed without customer knowledge, nor are upgrades forced. End users elect when they prefer to upgrade to a more recent version. Upgrades can be performed in such a way that users experience limited downtime. Customers can also request test environments to perform appropriate testing on new versions (or any other aspect of the solution).

Hyland Global Cloud Services

Staff Selection

Hyland carefully selects and screens staff managing the Hyland Cloud against numerous government and criminal checks. Hyland provides Cloud Services staff with detailed, customized and ongoing training, and they are rigorously audited and certified every year.

Business Continuity

Availability and Disaster Recovery

The Hyland Cloud service classes allow you to select exactly how your service is managed and measured in terms of both availability and recovery time. Availability defines what percentage of time the service is online (i.e., accessible by users). Downtime will have a negative effect on any organization, but the impact of that downtime will vary based on the type of organization and the content managed within the system.

OnBase in the Hyland Cloud is delivered with a choice of four service classes: Silver, Gold, Platinum and Double Platinum. Pricing for these service classes is combined with the hosting fee, ensuring a clear and simple monthly cost. Availability commitments are as high as 99.9%.

Any hosting service needs to be both reliable and resilient. However, there is a risk of failure with any system, and the speed and completeness of recovery from any unexpected failure is a key aspect of a cloud solution. The Hyland Cloud delivers two important elements to support business continuity:

- Recovery Point Objective: If the system unexpectedly goes down without warning, a certain amount of data may be lost between the point of failure and the last backup. The recovery point objective is the amount of time that elapses during which data cannot be recovered, and it is defined by the service class selected by the customer.
- Recovery Time Objective: When a system experiences downtime, the relevant technical team requires a period of time not only to restart the systems, but also to identify and fix any lingering issues with the infrastructure, software or otherwise. The recovery time objective represents the time required to restore the Hyland Cloud services, and it is defined by the service class selected by the customer.

Hyland Cloud Response to the CSA Cloud Controls Matrix

Contents

Chapter 1: Application & Interface Security
Chapter 2: Audit Assurance & Compliance
Chapter 3: Business Continuity & Operational Resilience
Chapter 4: Change Control & Configuration
Chapter 5: Data Security & Lifecycle
Chapter 6: Datacenter Security
Chapter 7: Encryption & Key
Chapter 8: Governance and Risk
Chapter 9: Human Resources
Chapter 10: Identity & Access
Chapter 11: Infrastructure & Virtualization Security
Chapter 12: Interoperability & Portability
Chapter 13: Mobile Security
Chapter 14: Security Incident, E-Discovery & Cloud
Chapter 15: Supply Chain, Transparency and Accountability
Chapter 16: Threat and Vulnerability

Chapter 1: Application & Interface Security

Control Group: Application & Interface Security

AIS-01 Application Security
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Hyland Response: Applications and code not developed by Hyland Software, Inc. are reviewed and tested by Hyland's Global Cloud Services (GCS) department before being deployed in the Hyland Cloud Platform. Testing of applications developed by Hyland Software, Inc. is completed by the Hyland Development Team on the corporate network in accordance with industry best practices for security.

AIS-02 Customer Access Requirements
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Hyland Response: Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions.

AIS-03 Data Integrity
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Hyland Response: The customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Hyland employee access to customer data is restricted to authorized users and requires valid business justification.

12 Chapter 2: Audit Assurance & Compliance Control Group Control ID Control Specification Hyland Response Audit Assurance & Compliance Audit Planning AAC-01 Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits. GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the Associate Vice President of Hyland Global Cloud Services. Audit Assurance & Compliance Independent Audits Audit Assurance & Compliance Information System Regulatory Mapping AAC-02 AAC-03 Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations. Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are Audit program and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST, FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans including selected controls, testing frequency, and scope. The Hyland Cloud Platform is SOC 2 and SOC 3 audited on an annual basis. 
These reports are provided to customers with confidentiality agreements in place. Hyland Global Cloud Services maintains an internal audit program that conducts reviews of the Hyland Cloud Platform on at least a quarterly basis. Risk Assessments are conducted on an annual basis. Customers have the ability to conduct reviews of the Hyland Cloud Platform at their sole expense and within defined and mutually agreed upon parameters. Audit program and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST, FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans including selected controls, testing

13 reflected. frequency, and scope. The GCS GRC Team monitors regulatory changes within the relevant jurisdictions. When applicable, modifications are made to the ISMS and the Internal Audit Program to ensure continued compliance with all applicable legislative and regulatory requirements. Chapter 3: Business Continuity & Operational Resilience Control Group Control ID Control Specification Hyland Response Business Continuity & Operational Resilience Business Continuity BCR-01 A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security Hyland Global Cloud Services maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform.

14 Planning Business Continuity & Operational Resilience Business Continuity Testing BCR-02 requirements. Requirements for business continuity plans include the following: Defined purpose and scope, aligned with relevant dependencies Accessible to and understood by those who will use them Owned by a named person(s) who is responsible for their review, update, and approval Defined lines of communication, roles, and responsibilities Detailed recovery procedures, manual work-around, and reference information Method for plan invocation Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies. Hyland Global Cloud Services maintains a near real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the Associate Vice President of Hyland Global Cloud Services. Access to modify the backup configuration is limited to authorized individuals. GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform. GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable. 
Business Continuity & Operational Resilience Datacenter Utilities / Environmental BCR-03 Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and published annually by GCS directly to registered customers. The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates the each data center compliance certifications and applicable audit reports annually. Additionally documentation may be provided upon completion of a Non-

15 Conditions Business Continuity & Operational Resilience Documentation BCR-04 unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions. Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following: Configuring, installing, and operating the information system Effectively using the system s security features Disclosure Agreement. Customers may access the Hyland Cloud Portal which provides information regarding proper usage of their solution. Customers are provided access to documentation describing the applicable security features available within their Hosted Solution and specifically how to ensure increased security in the Hyland Cloud Platform. GCS maintains architecture diagrams of the Hyland Cloud Platform depicting the hosting environment and network. Customers may request specific diagrams of their solutions. Business Continuity & Operational Resilience Environmental Risks Business Continuity & Operational Resilience Equipment Location BCR-05 BCR-06 Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied. To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance. 
Employee Process Manual is established to describe the system descriptions and its boundaries, obligations of users as well as system commitments, system standards and procedures, and the procedure for submitting feedback, complaints, and issues related to system availability and/or security and is distributed to Hyland Employees. The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates the each data center compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement. The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates the each data center compliance certifications and applicable audit reports annually. Additional documentation may be provided

16 Business Continuity & Operational Resilience Equipment Maintenance Business Continuity & Operational Resilience Equipment Power Failures BCR-07 BCR-08 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel. Protection measures shall be put into place to react to natural and man-made threats based upon a geographicallyspecific business impact assessment. upon completion of a Non-Disclosure Agreement. Hyland Cloud data centers are not located in areas with a high probability of environmental risks. All backup sites are located at least 200 miles from the production data center. GCS monitors system capacity and resource usage to support the capacity objectives as determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud platform and to prepare future growth trends. The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates the each data center compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement. 
Business Continuity & Operational Resilience Impact Analysis BCR-09 There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following: Identify critical products and services Identify all dependencies, including processes, applications, business partners, and third party service providers Understand threats to critical products and services Determine impacts resulting from planned or unplanned disruptions and how these vary over time The Hyland Cloud environment is N+1 redundant, providing automatic failover of the components that comprise the Hyland Cloud platform. The data is also replicated to a second copy in the primary data center and tertiary copy in a secondary data center. System maintenance, classified as either planned or unplanned, which could affect the security and/or availability of the Hyland Cloud is communicated to affected customers per documented procedures outlined in the Customer Process Manual. GCS maintains documented incident reporting procedures. Incidents reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable. Hyland Cloud Platform customers may request a service availability report

17 Business Continuity & Operational Resilience Policy Business Continuity & Operational Resilience Retention Policy BCR-10 BCR-11 Establish the maximum tolerable period for disruption Establish priorities for recovery Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption Estimate the resources required for resumption Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery, and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training. Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness. containing a list of service level availability (SLA) incidents that have been reported by Customer. The report will reflect each incident's confirmation or rejection by Hyland. GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform. 
GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by electronic acknowledgement using Hyland's document management system. Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions. GCS maintains a real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the AVP of GCS. Access to modify the backup configuration is limited to authorized individuals.

18 Hyland has documented policies and procedures which detail the retention period for its critical assets. Chapter 4: Change Control & Configuration Control Group Control ID Control Specification Hyland Response Change Control & Configuration New Development / Acquisition CCC-01 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function. The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components. GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency and/or are noncompliant with policy are recorded as an exception and is subject to rollback procedures if approval is not granted. Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices

Change Control & Configuration Management: Outsourced Development (CCC-02)
Control Specification: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
Hyland Response: ... (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained according to job responsibilities. External parties are not used in the administration of the Hyland Cloud Platform.

Change Control & Configuration Management: Production Changes (CCC-05)
Control Specification: Policies and procedures shall be established for managing the risks associated with applying changes to:
- Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
- Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.

Change Control & Configuration Management: Quality Testing (CCC-03)
Control Specification: Organization shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.

Hyland Response (CCC-05 and CCC-03): GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations and commitments of each party concerning security and availability, customer notification of related incidents, and the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and released annually by GCS directly to registered customers. GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes are implemented. Changes made in an emergency, or that do not comply with policy, are recorded as exceptions and are subject to rollback if approval is not subsequently granted. Changes made to a customer solution must be backed by written documentation from the customer requesting the change; these changes are reviewed quarterly through the Internal Audit Program. All changes undergo a risk assessment and, when applicable, are subject to documented rollback procedures. GCS defines, in the Access Control Policy, the roles authorized to install software, hardware and other network devices; membership of these predefined roles is restricted using Active Directory group policy settings. The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.

Change Control & Configuration Management: Unauthorized Software Installations (CCC-04)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
Hyland Response: Changes to the Hyland Cloud platform can only be made by authorized individuals based on their assigned roles as documented in GCS policies. Changes to an end user's Hosted Solution are restricted to authorized individuals based on assigned roles. The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components. The Hyland Cloud Platform is built on virtualization technology and is accessed through virtual desktops, which prevents unauthorized installation of software. Privileged accounts are restricted to authorized users.

Chapter 5: Data Security & Information Lifecycle Management

Data Security & Information Lifecycle Management: Classification (DSI-01)
Control Specification: Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
Hyland Response: GCS documents and maintains descriptions of the information used within the Hyland Cloud platform, including customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the Associate Vice President (AVP) of GCS.

Data Security & Information Lifecycle Management: Data Inventory / Flows (DSI-02)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
Hyland Response: The Hyland Cloud uses firewalls to prevent unauthorized network access. Firewall standards, documented in the Operations Security Policy, allow network access only to the specific protocols required to support end users' solutions. Architectural components (e.g., networks, servers, co-location data centers) are logically separated between (1) any customer, including GCS, and (2) Hyland, to prevent unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.

Data Security & Information Lifecycle Management: Ecommerce Transactions (DSI-03)
Control Specification: Data related to electronic commerce (ecommerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
Hyland Response: GCS uses transport encryption (SSL/TLS) to secure user authentication and session data when the Hyland Cloud platform is accessed remotely. Connections to the Hyland platform are encrypted using HTTPS, PCoIP, or Blast (remote desktop display protocols). Access to the encryption configuration is limited to authorized individuals.

Data Security & Information Lifecycle Management: Handling / Labeling / Security Policy (DSI-04)
Control Specification: Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
Hyland Response: GCS documents and maintains descriptions of the information used within the Hyland Cloud platform, including customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the AVP of GCS.

Data Security & Information Lifecycle Management: Non-Production Data (DSI-05)
Control Specification: Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
Hyland Response: GCS documents and maintains descriptions of all assets, including hardware, software, and data, used, held, and/or managed within the Hyland Cloud Platform, including customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the AVP of GCS. Customer production and non-production environments are logically separated; the environments are separated using a domain authentication source (Active Directory). GCS does not input customer data into the non-production environment.

Data Security & Information Lifecycle Management: Ownership / Stewardship (DSI-06)
Control Specification: All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
Hyland Response: The customer retains ownership of all customer data uploaded to their Hosted Solution throughout its full lifecycle. GCS access to customer data is restricted to authorized users and requires a valid business justification.

Data Security & Information Lifecycle Management: Secure Disposal (DSI-07)
Control Specification: Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
Hyland Response: Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions. When a storage device has reached the end of its useful life, Global Cloud Services procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. GCS uses the techniques recommended by the National Institute of Standards and Technology (NIST) to destroy data as part of the decommissioning process. If a hardware device cannot be decommissioned using these procedures, the device is virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer's Hosted Solution that have been decommissioned are subjected to these or equally effective standards.

Chapter 6: Datacenter Security

Datacenter Security: Asset Management (DCS-01)
Control Specification: Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
Hyland Response: An inventory of assets is established and maintained. Asset inventory lists document identifiable information for each asset, including vendor, version number, system owner and geographical location.

Datacenter Security: Controlled Access Points (DCS-02)
Control Specification: Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
Hyland Response: The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). Customer data is secured behind physical barriers to prevent unauthorized access. Only authorized personnel have access to the data centers; all others require special authorization from Hyland and data center staff, and must be escorted.

Datacenter Security: Equipment Identification (DCS-03)
Control Specification: Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
Hyland Response: Same as DCS-02.

Datacenter Security: Off-Site Authorization (DCS-04)
Control Specification: Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
Hyland Response: Customer data is not removed from the GCS data centers without explicit written authorization from the customer. Relocation or transfer of hardware or software within the data center follows the GCS Change Management Procedures.

Datacenter Security: Off-Site Equipment (DCS-05)
Control Specification: Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full overwrite of the drive to ensure that the erased drive is released to inventory for reuse and deployment, or securely stored until it can be destroyed.
Hyland Response: When a storage device has reached the end of its useful life, Global Cloud Services procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. Hyland Global Cloud Services uses the techniques recommended by NIST to destroy data as part of the decommissioning process. If a hardware device cannot be decommissioned using these procedures, the device is virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer's hosted solution that have been decommissioned are subjected to these or equally effective standards. Attestation letters to that effect can be provided to the customer upon request.

Datacenter Security: Policy (DCS-06)
Control Specification: Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
Hyland Response: Access to the data centers is restricted to the pre-defined roles documented in the Access Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted. Only authorized personnel with a justified business need are permitted inside the secure data centers unescorted; all other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.
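The DSI-07 and DCS-05 entries above both rest on a full-overwrite step, with destruction as the fallback where overwrite is not possible. The block below is an added illustration of what that overwrite-and-verify step looks like in practice; it is not Hyland's code or procedure, and the names in it (overwrite_medium, verify_overwrite, sanitize_demo, BLOCK_SIZE) are the example's own. Every block of the medium is overwritten (one pass of random bytes, then a fixed pattern), each pass is forced out of the page cache with fsync, and the medium is then read back and checked rather than assumed clean. The "device" is a temporary file holding constructed sample content, standing in for a raw block device. Two caveats a practitioner should attach to any such procedure: NIST SP 800-88 Rev. 1 classes a host-side overwrite as "Clear", and on flash media it is not a "Purge", because wear-levelled and over-provisioned blocks are not reachable from the host; Purge on an SSD needs the drive's own block-erase or cryptographic-erase command, or physical destruction, which is the fallback the responses above describe.

```python
"""Overwrite-and-verify sanitisation of a block-addressable medium.

Added example, not Hyland's code. The target is a temporary file standing
in for a disk; on a real device `path` would be the raw block device and
the process would need the privileges to open it read-write.
"""
import os
import secrets
import tempfile

BLOCK_SIZE = 4096  # assumed write/read granularity; a multiple of the sector size


def overwrite_medium(path: str, final_pattern: bytes = b"\x00", random_pass: bool = True) -> int:
    """Overwrite every byte of `path` in place.

    Pass schedule: one pass of cryptographically random bytes (optional),
    then one pass of `final_pattern` (a single byte, so the verify step
    has a known value to compare against). Each pass is fsync'd so the
    data reaches the medium, not just the kernel page cache.
    Returns the number of bytes covered by each pass.
    """
    if len(final_pattern) != 1:
        raise ValueError("final_pattern must be a single byte")
    size = os.path.getsize(path)
    schedule = ([None] if random_pass else []) + [final_pattern]
    with open(path, "r+b", buffering=0) as dev:
        for pattern in schedule:
            dev.seek(0)
            remaining = size
            while remaining:
                n = min(BLOCK_SIZE, remaining)
                chunk = secrets.token_bytes(n) if pattern is None else pattern * n
                view = memoryview(chunk)
                while view:  # handle short writes from the raw file object
                    written = dev.write(view)
                    view = view[written:]
                remaining -= n
            os.fsync(dev.fileno())
    return size


def verify_overwrite(path: str, pattern: bytes = b"\x00", sample_blocks=None) -> bool:
    """Read the medium back and confirm every checked block holds only `pattern`.

    Verifies every block by default. SP 800-88 permits a sampled verify
    for Clear; pass an iterable of block indexes (for example the first,
    the last and some pseudo-random interior blocks) to do that instead.
    """
    size = os.path.getsize(path)
    total_blocks = (size + BLOCK_SIZE - 1) // BLOCK_SIZE
    blocks = range(total_blocks) if sample_blocks is None else sample_blocks
    with open(path, "rb", buffering=0) as dev:
        for index in blocks:
            dev.seek(index * BLOCK_SIZE)
            data = dev.read(BLOCK_SIZE)  # last block may be partial
            if data != pattern * len(data):
                return False
    return True


def sanitize_demo() -> dict:
    """Build a constructed 'device' holding a recognisable record, sanitise
    it, and report what each stage observed (used by the usage check)."""
    marker = b"CUSTOMER-RECORD-"  # constructed sample content
    fd, path = tempfile.mkstemp(prefix="fake-disk-")
    try:
        with os.fdopen(fd, "wb") as f:
            # 20,000 bytes: four full blocks plus a partial fifth, all holding sample data
            f.write((marker + b"0123456789ABCDEF") * 625)
        with open(path, "rb") as f:
            before = marker in f.read()
        covered = overwrite_medium(path)
        verified = verify_overwrite(path)
        with open(path, "rb") as f:
            residue = marker in f.read()
    finally:
        os.unlink(path)
    return {
        "bytes_per_pass": covered,
        "marker_present_before": before,
        "verified_pattern_after": verified,
        "marker_present_after": residue,
    }


if __name__ == "__main__":
    print(sanitize_demo())
```

The verify step is the part most often skipped in practice and the part an auditor will ask for: the overwrite returns how many bytes it covered, the read-back confirms the pattern block by block, and only the read-back result should be recorded in the decommissioning record or attestation letter.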

Datacenter Security: Secure Area Authorization (DCS-07)
Control Specification: Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
Hyland Response: Access to the data centers is restricted to the pre-defined roles documented in the Access Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted.

Datacenter Security: Unauthorized Persons Entry (DCS-08)
Control Specification: Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
Hyland Response: Only authorized personnel with a justified business need are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval. Access to the data centers is restricted to the pre-defined roles documented in the Access Policy, and user access requests are subject to the change management procedures.

Datacenter Security: User Access (DCS-09)
Control Specification: Physical access to information assets and functions by users and support personnel shall be restricted.
Hyland Response: Same as DCS-08.

Chapter 7: Encryption & Key Management

Encryption & Key Management: Entitlement (EKM-01)
Control Specification: Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
Hyland Response: GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.

Encryption & Key Management: Key Generation (EKM-02)
Control Specification: Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.
Hyland Response: Same as EKM-01.

Encryption & Key Management: Sensitive Data Protection (EKM-03)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
Hyland Response: Encryption technologies such as SFTP and SSL/TLS are employed for data in transit. Customers are responsible for data outside the boundaries of the Hyland Cloud environment. Customers are made aware of their responsibilities for the use of encryption technologies through the Customer Process Manual and specific guides related to the encryption technologies they have purchased.

Encryption & Key Management: Storage and Access (EKM-04)
Control Specification: Platform and data-appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e., at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.
Hyland Response: GCS uses transport encryption (SSL/TLS) to secure user authentication and session data when the Hyland Cloud platform is accessed remotely. Connections to the Hyland platform are encrypted using HTTPS, PCoIP, or Blast (remote desktop display protocols). Access to the encryption configuration is limited to authorized individuals.


Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

KantanMT.com. Security & Infra-Structure Overview

KantanMT.com. Security & Infra-Structure Overview KantanMT.com Security & Infra-Structure Overview Contents KantanMT Platform Security... 2 Customer Data Protection... 2 Application Security... 2 Physical and Environmental Security... 3 ecommerce Transactions...

More information

Layer Security White Paper

Layer Security White Paper Layer Security White Paper Content PEOPLE SECURITY PRODUCT SECURITY CLOUD & NETWORK INFRASTRUCTURE SECURITY RISK MANAGEMENT PHYSICAL SECURITY BUSINESS CONTINUITY & DISASTER RECOVERY VENDOR SECURITY SECURITY

More information

Advent IM Ltd ISO/IEC 27001:2013 vs

Advent IM Ltd ISO/IEC 27001:2013 vs Advent IM Ltd ISO/IEC 27001:2013 vs 2005 www.advent-im.co.uk 0121 559 6699 bestpractice@advent-im.co.uk Key Findings ISO/IEC 27001:2013 vs. 2005 Controls 1) PDCA as a main driver is now gone with greater

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:

More information

NEN The Education Network

NEN The Education Network NEN The Education Network School e-security Checklist This checklist sets out 20 e-security controls that, if implemented effectively, will help to ensure that school networks are kept secure and protected

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

Baseline Information Security and Privacy Requirements for Suppliers

Baseline Information Security and Privacy Requirements for Suppliers Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.

More information

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

CTS performs nightly backups of the Church360 production databases and retains these backups for one month. Church360 is a cloud-based application software suite from Concordia Technology Solutions (CTS) that is used by churches of all sizes to manage their membership data, website, and financial information.

More information

InterCall Virtual Environments and Webcasting

InterCall Virtual Environments and Webcasting InterCall Virtual Environments and Webcasting Security, High Availability and Scalability Overview 1. Security 1.1. Policy and Procedures The InterCall VE ( Virtual Environments ) and Webcast Event IT

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE INTRODUCTION In line with commercial industry standards, the data center used by EndNote employs a dedicated security team to protect our

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

Network Security Policy

Network Security Policy Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business

More information

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below

More information

Oracle Data Cloud ( ODC ) Inbound Security Policies

Oracle Data Cloud ( ODC ) Inbound Security Policies Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...

More information

IT CONTINUITY, BACKUP AND RECOVERY POLICY

IT CONTINUITY, BACKUP AND RECOVERY POLICY IT CONTINUITY, BACKUP AND RECOVERY POLICY IT CONTINUITY, BACKUP AND RECOVERY POLICY Effective Date May 20, 2016 Cross- Reference 1. Emergency Response and Policy Holder Director, Information Business Resumption

More information

Keys to a more secure data environment

Keys to a more secure data environment Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

More information

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE ADIAN6 SECUITY, PIVACY, AND ACHITECTUE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this

More information

Altius IT Policy Collection

Altius IT Policy Collection Altius IT Policy Collection Complete set of cyber and network security policies Over 100 Policies, Plans, and Forms Fully customizable - fully customizable IT security policies in Microsoft Word No software

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo. Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third

More information

IBM Case Manager on Cloud

IBM Case Manager on Cloud Service Description IBM Case Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means and includes the company, its authorized users or recipients of the

More information

General Data Protection Regulation

General Data Protection Regulation General Data Protection Regulation Workshare Ltd ( Workshare ) is a service provider with customers in many countries and takes the protection of customers data very seriously. In order to provide an enhanced

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

Security Note. BlackBerry Corporate Infrastructure

Security Note. BlackBerry Corporate Infrastructure Security Note BlackBerry Corporate Infrastructure Published: 2017-03-02 SWD-20170302091637541 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations... 8 Cyber Security

More information

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_

More information

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security

More information

CSA Consensus Assessments Initiative Questionnaire. May 2017

CSA Consensus Assessments Initiative Questionnaire. May 2017 CSA s Initiative Questionnaire May 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents AWS s current

More information

SECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data

SECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data SECURITY STRATEGY & POLICIES Understanding How Swift Digital Protects Your Data Table of Contents Introduction 1 Security Infrastructure 2 Security Strategy and Policies 2 Operational Security 3 Threat

More information

Protecting your data. EY s approach to data privacy and information security

Protecting your data. EY s approach to data privacy and information security Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share

More information

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE Table of Contents Dedicated Geo-Redundant Data Center Infrastructure 02 SSAE 16 / SAS 70 and SOC2 Audits 03 Logical Access Security 03 Dedicated

More information

Canada Life Cyber Security Statement 2018

Canada Life Cyber Security Statement 2018 Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability

More information

ITG. Information Security Management System Manual

ITG. Information Security Management System Manual ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005

More information

Security Specification

Security Specification Security Specification Security Specification Table of contents 1. Overview 2. Zero-knowledge cryptosystem a. The master password b. Secure user authentication c. Host-proof hosting d. Two-factor authentication

More information

ASD CERTIFICATION REPORT

ASD CERTIFICATION REPORT ASD CERTIFICATION REPORT Amazon Web Services Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Elastic Block Store (EBS) and Simple Storage Service (S3) Certification Decision ASD certifies Amazon

More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business

More information

BLACKLINE PLATFORM INTEGRITY

BLACKLINE PLATFORM INTEGRITY BLACKLINE PLATFORM INTEGRITY Security, Availability, and Disaster Recovery Your Trusted Partner for Financial Corporate Performance Management BlackLine is a leading provider of cloud software that automates

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered

What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered Over the last decade, cloud backup, recovery and restore (BURR) options have emerged

More information

Online Services Security v2.1

Online Services Security v2.1 Online Services Security v2.1 Contents 1 Introduction... 2 2... 2 2.1... 2 2.2... 2 2.3... 3 3... 4 3.1... 4 3.2... 5 3.3... 6 4... 7 4.1... 7 4.2... 7 4.3... 7 4.4... 7 4.5... 8 4.6... 8 1 Introduction

More information

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017 Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and

More information

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY OVERVIEW On February 2013, President Barack Obama issued an Executive Order

More information

Vendor Security Questionnaire

Vendor Security Questionnaire Business Associate Vendor Name Vendor URL Vendor Contact Address Vendor Contact Email Address Vendor Contact Phone Number What type of Service do You Provide Covenant Health? How is Protected Health Information

More information

SOC 3 for Security and Availability

SOC 3 for Security and Availability SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust

More information

Hosted Testing and Grading

Hosted Testing and Grading Hosted Testing and Grading Technical White Paper July 2010 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or

More information

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential

More information