Procedures.


SSC security policies and processes are designed to maintain the security and availability of its systems and of its customers’ data. Enterprise security policies have been established that detail the procedures for restricting logical and physical access to internal and customer data from unauthorized entities.

The SSC SOC 2 implementation team is responsible for directing operations and establishing, communicating, and monitoring control policies and procedures for the customer organization.

Administrative, operational, and technology controls, processes and procedures are formally documented and are assigned to business owners to update and maintain accordingly. These documents are electronically organized, available to personnel, and updated on a regular basis and include the following:

  • Enterprise Information Security
  • Communication of Policies and Procedures
  • Physical Security
  • Environmental Security
  • Logical Access Control
  • Asset Control
  • Network Availability
  • Systems Design
  • Change Management
  • Incident Management
  • Backup and Restoration
  • Patch Management
  • Capacity Management
  • Business Continuity

Enterprise Information Security.


SSC has developed and documented formal policies and procedures, in accordance with ISO 27002, to guide personnel in security and incident handling and escalation procedures. ISO/IEC 27002:2005 is an international standard consisting of a comprehensive set of controls that includes information security best practices, and it provides a solid security framework for the security professionals who direct the company’s information security program.

Physical Security.


Documented physical standards and physical access policies and procedures will be implemented to guide personnel in physical security administration practices. Physical access to each data center facility may be controlled via multi-factor authentication mechanisms consisting of at least two of the following methods: badge reader access, personal identification number (“PIN”) codes, biometric readers, and physical man trap. The badge access system logs successful and failed access attempts to the data center facilities.

Visitors are required to sign a visitor log upon entering / exiting the data center facilities and provide a government-issued photo identification as part of the process.

Environmental Security.


The data center facilities are designed with redundancy for key systems, including HVAC units, UPS systems, PDUs, and generators.

Preventive maintenance programs on environmental systems are performed at regular intervals. Site documentation covering facility infrastructure and maintenance activities is to be maintained at each data center facility. With regard to leak prevention, data center facility equipment is protected from water damage through the combination of elevated racks, water detection sensors, and / or elevated anti-static floors.

Logical Access Control.


SSC grants access in accordance with the least access and privilege necessary to successfully accomplish assigned duties. SSC implements a separation in which customer and infrastructure environments are managed by separate IT groups, which assign all passwords for their respective networked systems.

SSC requires customers to sign confidentiality agreements and statements that acknowledge their understanding of, and willingness to comply with, all acceptable usage and enterprise information security policies.

Network Availability.


The SSC implementation team designs the network infrastructure using industry best practices. The network architecture is comprised of three distinct layers: (1) an edge layer provides connectivity to geographically diverse internet backbone provider connections; (2) a core layer allows interconnectivity of all facilities and resources; and (3) a distribution layer provides connectivity for customer cabinets and cages.

Systems Design.


SSC controls and verifies product, service and design to help ensure that specified requirements are met. This process helps ensure that service or product design documentation agrees with the requestor documentation, and that designs are planned, controlled, verified, and validated prior to deployment. Requirements of design are documented. Design reviews are held as appropriate, and design changes are made and approved in accordance with documented procedures.

Change Control.


The change control process is designed to manage changes to internal and shared client systems with minimal disruptions, risk, and complexity, while maintaining agreed-upon service levels.

A change management tracking system is designed to centrally maintain, manage and monitor change control activities. The ability to request infrastructure software or hardware changes is restricted to pre-authorized customer representatives. For certain infrastructure change requests, operations personnel perform an impact assessment and develop a back out plan that is documented within the change management tracking application. The ability to implement changes to customer infrastructure software or hardware is restricted to user accounts accessible by authorized IT personnel.

Maintenance and Administration.


There are three levels of maintenance events that may occur, which are noted below.

  • Planned maintenance activities that may or may not disrupt service, in which the prescribed SOPs are followed.
  • Planned emergency maintenance required to prevent a degradation or loss of service, in which separate procedures are followed.
  • Unplanned emergency maintenance required to prevent a degradation or loss of service, in which those SOPs are followed.

Backups.


Contracted customer data is backed up and monitored by operations personnel for completion and exceptions. In the event of an exception, operations personnel perform troubleshooting to identify the root cause and then re-run the backup job immediately or as part of the next scheduled backup job, depending on the customer-indicated preference within the documented work instructions.

Backup infrastructure and on-site backup tape media are physically secured in locked cabinets and / or caged environments within the customer data center facilities. The backup infrastructure resides on private networks logically secured from other networks.