SOC 3 for Security and Availability

Similar documents
Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Google Cloud & the General Data Protection Regulation (GDPR)

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Exploring Emerging Cyber Attest Requirements

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

SDL Privacy Policy Cloud Services

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

ISACA Cincinnati Chapter March Meeting

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SOC for cybersecurity

Level Access Information Security Policy

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

locuz.com SOC Services

Understanding and Evaluating Service Organization Controls (SOC) Reports

Workday s Robust Privacy Program

Introduction to AWS GoldBase

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

HITRUST CSF: One Framework

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Twilio cloud communications SECURITY

Independent Accountant s Report

REPORT OF THE INDEPENDENT ACCOUNTANT

Altius IT Policy Collection Compliance and Standards Matrix

SECURITY & PRIVACY DOCUMENTATION

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

SOC Lessons Learned and Reporting Changes

Healthcare Security Success Story

IT Attestation in the Cloud Era

Achieving third-party reporting proficiency with SOC 2+

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

DeMystifying Data Breaches and Information Security Compliance

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Altius IT Policy Collection Compliance and Standards Matrix

On the Radar: IBM Resilient applies incident response orchestration to GDPR data breaches

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Your Trusted Partner in Europe European Business Reliance Centre

Emsi Privacy Shield Policy

Security and Compliance at Mavenlink

Tip Sheet: Safety Communications During Severe Weather

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Intermedia s Private Cloud Exchange

Protecting your data. EY s approach to data privacy and information security

Security Information & Policies

Management Assertion Logius 2013

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

The NIS Directive and Cybersecurity in

Why you should adopt the NIST Cybersecurity Framework

IT-CNP, Inc. Capability Statement

The SOC 2 Compliance Handbook:

REPORT OF INDEPENDENT CERTIFIED PUBLIC ACCOUNTANTS

OSIsoft PI Cloud Services Privacy Statement

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

MultiPlan Selects CyrusOne for Exceptional Colocation and Flexible Solutions

Appendix 3 Disaster Recovery Plan

CSF to Support SOC 2 Repor(ng

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE

A company built on security

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Smart Software Licensing tools and Smart Account Management Privacy DataSheet

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Privacy Shield Policy

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

ADIENT VENDOR SECURITY STANDARD

Information Security Incident Response Plan

01.0 Policy Responsibilities and Oversight

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

WHITE PAPER. Title. Managed Services for SAS Technology

Business Continuity Management Program Overview

IT Consulting and Implementation Services

Cybersecurity & Privacy Enhancements

Continuous protection to reduce risk and maintain production availability

MEETING ISO STANDARDS

Data Processing Agreement for Oracle Cloud Services

Security Architecture

TRUE SECURITY-AS-A-SERVICE

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Peer Collaboration The Next Best Practice for Third Party Risk Management

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Cybersecurity The Evolving Landscape

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Accelerate GDPR compliance with the Microsoft Cloud

Information Technology General Control Review

Information for entity management. April 2018

Building Trust in the Era of Cloud Computing

Maryland Health Care Commission

Transcription:

SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust Principles for Everbridge, Inc.

EVERBRIDGE, INC. INDEPENDENT PRACTIONER S TRUST SERVICES REPORT SOC 3 Table of Contents SECTION ONE: INDEPENDENT PRACTIONER S TRUST SERVICES REPORT... 1 SECTION TWO: EVERBRIDGE, INC. S ASSERTION REGARDING ITS EVERBRIDGE SUITE SYSTEM... 2 SECTION THREE: DESCRIPTION OF EVERBRIDGE, INC. S EVERBRIDGE SUITE SYSTEM... 3 1 OVERVIEW OF THE EVERBRIDGE OPERATIONS... 3 2 OVERVIEW OF THE SYSTEM AND APPLICATIONS... 3

SECTION ONE: INDEPENDENT PRACTIONER S TRUST SERVICES REPORT To the Management of Everbridge, Inc.: Pasadena, CA Scope We have examined management s assertion that during the period October 1, 2015 through September 30, 2016, Everbridge, Inc. (the Company ) maintained effective controls over its Everbridge Suite System, based on the American Institute of Public Accountants ( AICPA ) and CPA Canada trust services security and availability criteria to provide reasonable assurance that: the system was protected against unauthorized access (both physical and logical); and the system was available for operation and use, as committed or agreed. The Company is responsible for this assertion. Our responsibility is to express an opinion based on our examination. The Company s management description of the aspects of the Everbridge Suite System covered by their respective assertion is outlined within the report. Our examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included (1) obtaining an understanding of the Company s relevant controls over security and availability of the Everbridge Suite System; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary during our examination. We believe that our examination provides a reasonable basis for our opinion. Because of the nature and inherent limitations of controls, the Company s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent, or detect and correct errors or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. In our opinion, the Company s assertion referred to above are fairly stated, in all material respects, based on the AICPA and CPA Canada trust services security and availability criteria. Everbridge s use of the AICPA Service Organization logo constitutes a symbolic representation of the contents of this report and is not intended, nor should it be construed, to update this report or provide any additional assurance. SSAE 16 Professionals, LLP November 30, 2016 Orange, California 1

SECTION TWO: EVERBRIDGE, INC. S ASSERTION REGARDING ITS EVERBRIDGE SUITE SYSTEM November 30, 2016 During the period October 1, 2015 through September 30, 2016, the Company, in all material respects maintained effective controls over the Everbridge Suite System, as defined by the System Description attached within the report, to provide reasonable assurance that: The system is protected against unauthorized access, use, or modification to meet the entity's commitments and system requirements. The system is available for operation and use to meet the entity's commitments and system requirements. Further, the Company confirms that to the best of our knowledge and belief, that the controls related to the trust services criteria were suitably designed and operating effectively during the period October 1, 2015 through September 30, 2016, to achieve those control objectives. The criteria we used in making this assertion were that: The risks that threaten the achievement of the controls related to the trust services criteria have been identified by the Company; and The controls related to the trust services criteria would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the trust services criteria from being achieved. Everbridge, Inc. 2

SECTION THREE: DESCRIPTION OF EVERBRIDGE, INC. S EVERBRIDGE SUITE SYSTEM 1 Overview of the Everbridge Operations Everbridge is a global provider of SaaS based unified critical communications solutions. During mission critical business events or man made or natural disasters, the Everbridge platform enables customers to quickly and reliably deliver the right message and reach the right people, on the right device, in the right location, at the right time. Utilizing sophisticated communications technologies, Everbridge has the ability to deliver and verify messages in near real time to more than 100 different communication devices, in over 200 countries and territories, in multiple languages all simultaneously. Everbridge is based in Boston and Los Angeles, with additional offices in San Francisco, Beijing and London. 2 Overview of the System and Applications System Overview Since inception, the Everbridge SaaS based unified critical communications system (the platform) was architected on a single code base to deliver multi tenant capability and the speed, scale and resilience necessary to communicate globally when a serious event occurs. The Everbridge platform is designed to address both the emergency and operational components of a critical communications program. The Everbridge platform is capable of providing two way communications and verified delivery in accordance with our customers escalation policies. The platform has multimodal communications reach, including redundant global SMS and voice delivery capabilities, and is designed to comply with local, technical and regulatory requirements. The System is comprised of the following components: Infrastructure: The physical and virtual components of a Hybrid Cloud (facilities, server, storage, and networks); Software: The programs and operating software of a system (systems, applications, and utilities); Data: The information used and supported by a system (transaction streams, files, databases, and tables); People: The personnel involved in the operation and use of a system (developers, operators, users, and managers); and Procedures: The automated and manual procedures involved in the operation of a system. 3

Infrastructure To provide highly scalable and global solutions, Everbridge employs redundant, geographically diverse production implementations and built its platform infrastructure in multiple SOC 2 compliant data center facilities in North America and Europe. Within each data center, Everbridge utilizes a hybrid cloud architecture that allows us to enable on demand capacity and performance. Everbridge s hybrid cloud architecture enables its customers to select the location in which to store their contact data, allowing for compliance with local and international data privacy laws. The architecture also enables our platform to dynamically determine the best location from which to deliver critical communications on behalf of our customers and solves many international communications delivery challenges by utilizing in country or in region telephony, messaging and data communication providers. The Everbridge infrastructure is continuously maintained and monitored by dedicated engineers based in redundant network operations centers in the Los Angeles and Boston areas. Software & Applications Everbridge s unified critical communications platform delivers reliable enterprise ready applications that provide organizations with the ability to deliver contextual communications. Our applications include: Mass Notification a secure, scalable and reliable Mass Notification application is Everbridge s most established application and enables enterprises and governmental entities to send contextually aware notifications to individuals or groups to keep them informed before, during and after critical events. This application provides analytics, mapbased targeting, flexible group management, distributed contact data, language localization, multiple options for contact data management and a globally optimized approach to voice and SMS routing. Incident Communications an incident management application enables organizations to automate workflows and make their communications contextually relevant using drag and drop business rules to determine who should be contacted, how they should be contacted and what information is required. This application also supports cross account collaboration and situational intelligence sharing during crises for corporations and communities. IT Alerting an IT alerting application enables IT professionals to alert and communicate with key members of their teams during an IT incident or outage, including during a cyber security breach. The application integrates with IT service management platforms and uses automatic escalation of alerts, on call scheduling and mobile alerting to automate manual tasks and keep IT teams collaborating during an incident. This application also provides shift calendars with integrated on call notifications to help users better manage employee resources and get the right message to the right person, at the right time through automated staffing. Secure Mobile Communications (HipaaBridge and SecureBridge) secure mobile messaging applications meet the compliance and security requirements of organizations that need to provide an alternative way for their employees to communicate and share nonpublic information. HipaaBridge, which is designed for medical professionals, facilitates HIPAA compliant communications that eliminates the need for pagers and other single use 4

devices. HipaaBridge also facilitates telemedicine by allowing medical professionals to hold video conferences with patients and other medical professionals as well as share medical imaging, lab results and other critical information. SecureBridge, enables financial services organizations employees and customers to securely communicate via text, voice, and video, while remaining Financial Industry Regulator Authority (FINRA) compliant. Internet of Things an IoT Communications application enables customers to extend traditional machine to machine communication to people when required. Through the Everbridge secure communications channels, the Everbridge critical communications engines can integrate directly with medical devices, workplace security controls, public infrastructure and other systems to either activate the device, confirm activation, or mobilize people for interaction and response. Community Engagement a community engagement application integrates emergency management and community outreach by providing local governments with a unified solution to connect residents to both their public safety department, public information resources, and neighbors via social media and mobile applications. This creates a stronger and more engaged community improving the communication reach for emergency personnel, while providing residents with real time emergency and community information, and allows residents to anonymously opt in and provide tips. Data Everbridge customers can use the Everbridge platform to send notifications to recipients where the content of the notification or message is completely determined by the customer. For message recipients, the Everbridge system stores and processes the contact data for each recipient. The recipient contact data may be classified as Personally Identifiable Information (PII). This information may include: first name, last name, address, phone numbers (home, work, mobile, etc.), email addresses, fax and pager numbers as well as contact attributes associated with communication preferences, language spoken, technical certifications, on call status, etc. People Everbridge s operational functions are organized into the following departments: The SaaS Operations team includes system administrators, database administrators, application and technical analysts, release management, governance and security and the service desk which collectively are responsible for maintaining the availability, confidentiality, and integrity of all information systems. The Network Operations Center (NOC) team includes systems engineers which monitor the Everbridge solutions for faults and performance on a 24x7x 365 bases from redundant NOCs located in Boston and Los Angeles The Customer Technical Support team interfaces directly with customers during the on boarding and training process and addresses any and all issues quickly and with confidence to provide the outstanding customer service. 5

Software Development creates quality solutions that meet the business needs, maintain existing software components, support IT operations, and commit to continuous improvements. Quality Assurance utilizes several methodologies of testing to ensure the highest quality product is being delivered. The Product Management team is responsible for determining the strategy for the Product Portfolio based on the Everbridge organization s business goals as well as collecting and prioritizing system enhancements and discovered defects and defining requirements for approved projects. Procedures Everbridge s operational service procedures are based on the Information Technology Infrastructure Library (ITIL). These ITIL based procedures for service management are divided into procedures for the management of problems, incidents, service levels, availability, capacity, supplier, change/configuration, asset, and deployment. Everbridge s security and data privacy and protection procedures are based on the Federal Information Security Management Act (FISMA) risk management framework defined by the National Institute of Standards and Technology, or NIST, special publication, or SP, 800 37. To meet the rigorous standards of our enterprise and government customers, an independent and accredited third party security assessment firm annually verifies our compliance security and data protection requirements detailed in NIST SP 800 53. Through this process, we map our compliance with other security and data privacy frameworks including ISO 27001 and HIPAA. In addition, Everbridge complies with the EU U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area to the United States. The Everbridge unified critical communications platform received designation under the Support Anti terrorism by Fostering Effective Technology Act of 2002, or SAFETY ACT, and certification by DHS that places us on the approved product list for homeland security and provides Everbridge with the highest level of liability protection available under the SAFETY ACT. Everbridge also procedurally complies with the standards of the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR). For more information on Everbridge Security and Data Protection programs visit http://www.everbridge.com/company/legal/ 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback