Cloud-FAQ - Reports
MetricStream Cloud Frequently Asked Questions

1.0 Architecture & Environment
2.0 Service Level Agreement
3.0 High Availability & Scalability
4.0 Backup & Disaster Recovery
5.0 Data Security
6.0 Network Security
7.0 Physical Security & Infrastructure
8.0 Operational Security
9.0 Security/Audit Logs

1.0 Architecture & Environment

1.1 Does MetricStream operate its own hosting center?
MetricStream partners with multiple SSAE 16 Type II audited Tier IV data centers with co-location facilities currently located in California, New Jersey, Missouri and London. MetricStream is also in the process of partnering with data centers in countries such as the UAE and Canada in order to expand its hosting locations.

1.2 Does MetricStream offer shared or dedicated server environments?
MetricStream does not multi-tenant. To eliminate the potential for co-mingling of data, each customer is provided dedicated servers, helping ensure MetricStream meets the compliance and regulatory requirements of industries such as banking, finance, insurance, life sciences, healthcare, energy and utilities.

1.3 What is the minimum and maximum duration for contracting Cloud services?
Typically, MetricStream requires a three (3) year contract commitment for our hosted services and term licenses, and we are open to discussing maximum terms of five and seven years.

1.4 Describe MetricStream’s compliance with various laws, codes and regulations relating to security, privacy and data protection.
The MetricStream Cloud solution and services include robust capabilities for security, access controls, identity management, audit trails, electronic signatures, encryption, authorization and authentication.
These cloud capabilities ensure compliance with various international, national and regional regulations on record keeping, privacy, and protection of the quality and integrity of data (such as HIPAA, PCI and 21 CFR Part 11). MetricStream partners with SSAE 16 Type II audited Tier IV data centers with state-of-the-art infrastructure and services for serving our clients in North and South America, Europe, Asia and Africa. Beyond being widely adopted by small and medium enterprises, even some of the world’s largest companies are using the MetricStream Cloud after rigorously testing the security and reliability of our infrastructure. In addition, MetricStream is SSAE 16 SOC 2 Type I compliant for its internal processes and hosting operations.

1.5 What is MetricStream’s HIPAA compliance statement?
MetricStream offers its GRC solutions on a Hosted or “Cloud” basis. When we provide our GRC solutions from the cloud, each customer is assigned dedicated hardware for all of their tiers, and each customer’s environment is physically separated from other customers. Our data centers are SSAE 16 Type II compliant. MetricStream understands and appreciates that our customers who are “covered entities” must enter into business associate agreements with companies that perform functions or activities or provide certain services that involve access to protected health information.

In accordance with 45 CFR 160.103:
(a) Such functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing; and
(b) Such services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

MetricStream does not perform such functions and activities or provide such services when a customer opts to use our GRC hosted solutions.
MetricStream does not access or use any protected health information that the customer may upload to the MetricStream cloud. The customer is in control of all protected health information. MetricStream does not perform any of the listed functions and activities (and is not engaged in providing any of such services) on behalf of our customers. We provide the software and infrastructure to enable our customers to perform their own functions and activities, such as data analysis, in an environment dedicated solely to their use.

1.6 Describe the physical controls in place for delivering a secured environment, network, and data center.
MetricStream’s partner facilities are secured by four layers of physical security:
• Entry to the data centers is limited to authorized personnel (carrying identification badges) requiring a PIN for access.
• Biometric hand scanners govern access to the offices and data center.
• The computer data center takes a separate electronic key fob to enter, and servers can be configured in an optional locking rack cabinet.
• Customer personnel have access to their servers 24 x 7, but must be escorted at all times unless a colocation suite with separate security precautions is established.
All visits are logged. Video surveillance of all ingress and egress, as well as rack activity, is conducted 24 x 7. All logs are reviewed periodically.

1.7 Describe the power redundancy setup to support the cloud infrastructure.
Data center environmental security includes redundant cooling, power, and fire suppression systems.
• The data centers are covered by a redundant UPS system and power distribution grid that includes UPS batteries and a gas-powered generator farm that has a 3 day supply of gas and can be refueled during operations. The facilities will never lose power.
• Air handling systems for the facilities are augmented by N+2 air-conditioning systems to keep over 1000 servers on the floor cool.
The data centers are regularly cleaned and maintained to ensure a safe and dust-free environment.

1.8 Has the data center ever had any major power failures and how did the emergency systems perform?
MetricStream’s data center partners have never reported any major power failures. All emergency systems are periodically tested.

1.9 Describe the network controls in place to maximize system uptime.
MetricStream’s partner data centers maintain multi-homed internet access to reduce single points of failure. They have rich fiber connections to all major carriers, with scalable bandwidth capacity from OC3 to OC192.

1.10 What is the average or expected uptime for the system in %?
MetricStream can support 99.5% system availability.

1.11 Who (employees or contractors of the site) has physical and/or login access to the servers and applications that hold customer data?
MetricStream does not employ contractors. While MetricStream employees manage the Cloud environment, application data cannot be altered, deleted, or retrieved by anyone other than users with appropriate privileges.

1.12 What industry standards has MetricStream adopted for securing application(s) and infrastructure (e.g. OWASP, NIST, ISO, etc.)?
MetricStream applies its software security assurance process as part of its Software Development Life Cycle (SDLC) to design and develop applications. The SDLC helps to ensure that communication and collaboration services are highly secure even at the foundation level. MetricStream has adopted the OWASP standard for web applications.

1.13 Please describe MetricStream’s vulnerability assessment process.
AppSec Consulting, Inc., an independent information security firm, is periodically engaged to conduct extensive penetration testing of the application based on PCI standards.
The penetration tests are conducted with the following primary objectives:
• Identify and assess the controls in place to protect against both external and internal threats
• Identify web application and server configuration vulnerabilities that put sensitive information at risk and impact PCI compliance
• Test the application from the standpoint of unauthorized users attempting to gain access as well as authorized users trying to escalate access
• Provide a detailed risk analysis and remediation advice for each vulnerability identified
• Detect any remaining vulnerability after MetricStream has performed remediation
In addition, in-house penetration testing is also conducted for every major release of the Platform using the Burp Suite (an integrated platform for performing security testing of web applications). During MetricStream’s scans, the following key areas are covered:
• Cross Site Scripting
• SQL Injection
• Session cookie management
• Reliance on client side input validation
• Excessive privileges for database account
• Unsafe attachments may be uploaded
• Complete stack trace error provided to user

1.14 How does MetricStream update security against emerging cyber security threats?
At MetricStream, security is considered an important aspect throughout the SDLC. The following measures are currently part of the development lifecycle:
• Regular design/architecture review meetings to identify vulnerabilities around user permissions, logins, data privacy and unauthorized accesses
• Multi-level code reviews – peer code review, lead code review and a review by the technical architect (if required)
• Detailed documentation/tech notes are maintained on any findings
• On every major release MetricStream ensures that it carries out a security upgrade of all the 3rd party systems and the OS.
For every major release of the platform, penetration tests are performed using the Burp tool and any vulnerability found is addressed in the subsequent release:
• SQL Injection
• Cross-Site Scripting (XSS)
• Path Traversal
• HTTP Response Splitting
• Password returned in later response
• Open redirection
• Cleartext submission of password
• Cookie without HttpOnly flag set
• TRACE method is enabled
• Directory listing
• Email addresses disclosed
• Private IP addresses disclosed
• Credit card numbers disclosed
• HTML does not specify charset
• Content type incorrectly stated
• Request impersonalization

1.15 Does MetricStream track and report on attempts (both successful and unsuccessful) to access hosted systems?
The MetricStream application tracks the number of attempts at accessing a user account. If desired, a configurable option allows for disabling an account after X number of unsuccessful login attempts.

1.16 What access controls are in place to prevent “improper use” (such as deleting data, altering data)?
System Administrators can configure access controls as follows:
• Feature Access Controls: Features such as digital dashboards, reports, and input forms have access controls and rights that are allocated based on the user.
• Application Access Controls: The application modules (for example, Audits, Document Control, CAPA, Nonconformance Management) have access controls and rights that are allocated based on the user.
• Data Access Controls: These include Row Level Security and Column Level Security.
• Additionally, the MetricStream solution maintains a complete track record of changes, version history, and a detailed audit trail of all activities and changes.
The MetricStream solution records all data modifications within the system, including user and system data:
• Any data field change results in an auditable record of who, when, the old value and the new value.
• Data is never deleted from the database, so a full and complete audit trail/history is always available.
• Since this feature is a part of the MetricStream Platform, the system ensures that all data changes at the application level are recorded and available for audit purposes.
• Reports can then be generated to display this audit history data in the appropriate views.
The system provides accurate time-stamped audit trails with what, who, when and why information for task creation, editing, modification and deletion.

1.17 Can MetricStream restrict user access (data and services) to certain IP addresses?
MetricStream can implement a rule in the firewall to only allow traffic from a pre-defined set of IP address subnets (thereby limiting access to only those users on the customer’s internal networks), although this would prevent legitimate users from accessing the services from the internet.

1.18 How is the authentication process controlled and protected?
The MetricStream platform provides multi-layered authentication capabilities such as electronic signatures, passwords, system access via defined IP network ranges, automatic logging off after a period of inactivity, and disabling of user accounts after repeated failures to log in. All MetricStream applications have configurable rules for passwords, password complexity and expiry, as well as authentication and sign-offs at major transactional steps of business process workflows. The minimum security is to store or transmit passwords in a one-way hashed format. When integrated with an LDAP server, the MetricStream platform authenticates user identity against the LDAP server, and does not keep a copy of user passwords in its repository. All user profile information is maintained only on the LDAP server. That way, users do not need to remember multiple passwords and e-signatures. They can also import authorization information from the LDAP server, if required. The platform supports integration with Single Sign-On (SSO) infrastructure.
For instance, for SAML 2.0 (Security Assertion Markup Language) based infrastructure in Oracle’s Identity Federation System, users can authenticate against a Single Sign-On infrastructure. The password entered by the end user is authenticated on the customer’s Active Directory server or other LDAP servers/user repositories (depending on the SSO implementation and standard), and the user gains access to all systems without being prompted to log in again at each of them. Organizations can also implement Active Directory Federation Services (ADFS) to use Single Sign-On (SSO) infrastructure that enables users to authenticate to multiple web applications across multiple organizations or domains over a single online session. Thus, users can use a single password to log in to MetricStream applications as well as other corporate applications.

1.19 What audit trails and logs are created?
MetricStream’s platform records all data modifications within the system, including user and system data. Any data field change results in an auditable record of user, timestamp, the old value and the new value. Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this is a feature of the MetricStream platform, the system ensures that all data changes at the application level are recorded and available for audit purposes. Reports can then be generated to display this audit history data in the appropriate views.

1.20 Can a customer start with the SaaS solution and migrate to on-premise at a later date?
The MetricStream Cloud is the industry’s most robust offering. The solution enables companies to get their operations up and running quickly, without requiring extensive internal IT resources. With MetricStream, the transition from on-demand to in-house deployment and vice versa is uniquely seamless, virtually eliminating risk in the solution acquisition process.
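The change-audit behaviour described in 1.16 and 1.19 above (every field change recorded with who, when, the old value and the new value; rows never physically deleted, so the history stays complete), shown as an added Python illustration. This is not MetricStream code: the AuditedStore class, its two tables, the AUDITED_FIELDS list and the sample records are assumptions constructed for the example, and the platform's real data model is not described on this page.

```python
import sqlite3
from datetime import datetime, timezone

# Columns a caller may touch. Anything else is rejected before it reaches SQL,
# so a field name can never become an injection point in the dynamic statements
# below; values always travel as bound parameters. (Constructed for the example.)
AUDITED_FIELDS = ("title", "owner")


class AuditedStore:
    """Hypothetical record store whose writes all leave a what/who/when/why trail."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # in-memory so the example runs offline
        self.db.execute(
            "CREATE TABLE records (id TEXT PRIMARY KEY, title TEXT, owner TEXT, "
            "deleted INTEGER NOT NULL DEFAULT 0)"
        )
        self.db.execute(
            "CREATE TABLE audit_log (seq INTEGER PRIMARY KEY AUTOINCREMENT, "
            "record_id TEXT, field TEXT, old_value TEXT, new_value TEXT, "
            "changed_by TEXT, changed_at TEXT, reason TEXT)"
        )

    def _check_fields(self, fields):
        bad = set(fields) - set(AUDITED_FIELDS)
        if bad:
            raise ValueError(f"unknown field(s): {sorted(bad)}")

    def _log(self, record_id, field, old, new, who, why):
        self.db.execute(
            "INSERT INTO audit_log (record_id, field, old_value, new_value, "
            "changed_by, changed_at, reason) VALUES (?, ?, ?, ?, ?, ?, ?)",
            (record_id, field, old, new, who,
             datetime.now(timezone.utc).isoformat(), why),
        )

    def create(self, record_id, who, why, **fields):
        """Insert a record; every initial value is audited as a change from None."""
        self._check_fields(fields)
        cols = ", ".join(["id", *fields])
        marks = ", ".join("?" * (len(fields) + 1))
        self.db.execute(f"INSERT INTO records ({cols}) VALUES ({marks})",
                        (record_id, *fields.values()))
        for field, value in fields.items():
            self._log(record_id, field, None, value, who, why)
        self.db.commit()

    def update(self, record_id, who, why, **changes):
        """Apply changes; write one audit row per field whose value actually differs."""
        self._check_fields(changes)
        row = self.db.execute(
            f"SELECT {', '.join(changes)} FROM records WHERE id = ? AND deleted = 0",
            (record_id,),
        ).fetchone()
        if row is None:
            raise LookupError(f"no live record {record_id!r}")
        changed = 0
        for (field, new), old in zip(changes.items(), row):
            if old == new:
                continue  # no-op writes produce no audit noise
            self.db.execute(f"UPDATE records SET {field} = ? WHERE id = ?", (new, record_id))
            self._log(record_id, field, old, new, who, why)
            changed += 1
        self.db.commit()
        return changed

    def delete(self, record_id, who, why):
        """Soft delete: flip the flag and audit it; the row and its history remain."""
        cur = self.db.execute(
            "UPDATE records SET deleted = 1 WHERE id = ? AND deleted = 0", (record_id,)
        )
        if cur.rowcount == 0:
            raise LookupError(f"no live record {record_id!r}")
        self._log(record_id, "deleted", "0", "1", who, why)
        self.db.commit()

    def history(self, record_id):
        """The (field, old, new, who, when, why) trail for one record, oldest first."""
        return self.db.execute(
            "SELECT field, old_value, new_value, changed_by, changed_at, reason "
            "FROM audit_log WHERE record_id = ? ORDER BY seq", (record_id,)
        ).fetchall()


def demo():
    """Create, reassign and retire one constructed record; return its audit trail."""
    store = AuditedStore()
    store.create("AUD-1", "alice", "new audit opened", title="Q1 review", owner="alice")
    store.update("AUD-1", "bob", "reassigned", owner="bob", title="Q1 review")  # only owner differs
    store.delete("AUD-1", "carol", "duplicate of AUD-2")
    return store.history("AUD-1")
```

The delete path only sets a flag, which is what keeps the record's history queryable afterwards, and the update path reads the current values first so that the old value in each audit row is the one actually replaced rather than whatever the caller believed it to be.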
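The login-side controls listed in 1.15, 1.17 and 1.18 above (passwords kept only as a one-way hash, an account disabled after X unsuccessful attempts, access limited to defined IP ranges, automatic log-off after a period of inactivity), combined in one added Python example. This is illustrative code, not MetricStream's implementation: the thresholds, the allowed networks, the account names and passwords, and the Authenticator and Account classes are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, timedelta, timezone

# Policy values standing in for the configurable rules of 1.15/1.17/1.18.
# All of them are assumptions for this example, not MetricStream defaults.
MAX_FAILED_ATTEMPTS = 5                   # disable the account after X failures
IDLE_TIMEOUT = timedelta(minutes=15)      # automatic log-off after inactivity
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
PBKDF2_ROUNDS = 100_000                   # kept low so the demo is quick; raise in production


def hash_password(password, salt=None):
    """One-way hash with a per-user random salt; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)  # the plaintext is not kept
        self.failed_attempts = 0
        self.disabled = False
        self.last_activity = None
        self.events = []  # (time, event): the successful/unsuccessful attempt record of 1.15


class Authenticator:
    def __init__(self, accounts, now=None):
        self.accounts = {a.username: a for a in accounts}
        self._now = now or (lambda: datetime.now(timezone.utc))  # injectable clock for tests

    def login(self, username, password, source_ip):
        now = self._now()
        # Source-range check first: the firewall rule of 1.17, repeated at the
        # application layer as defence in depth.
        if not any(ipaddress.ip_address(source_ip) in net for net in ALLOWED_NETWORKS):
            return "ip_denied"
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)  # spend the same time as a real check: no username oracle
            return "failed"
        if acct.disabled:
            acct.events.append((now, "attempt_on_disabled_account"))
            return "locked"          # a correct password does not reopen a disabled account
        _, candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts += 1
            acct.events.append((now, "login_failed"))
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.disabled = True
                acct.events.append((now, "account_disabled"))
                return "locked"
            return "failed"
        acct.failed_attempts = 0
        acct.last_activity = now
        acct.events.append((now, "login_ok"))
        return "ok"

    def touch(self, username):
        """Per-request check: a session idle longer than IDLE_TIMEOUT is logged off."""
        acct = self.accounts[username]
        now = self._now()
        if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
            acct.last_activity = None
            acct.events.append((now, "session_expired"))
            return False
        acct.last_activity = now
        return True


def demo():
    """Drive the policy with a fixed clock and constructed accounts; return what happened."""
    clock = {"t": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)}
    auth = Authenticator([Account("alice", "alice-pass"), Account("bob", "bob-pass")],
                         now=lambda: clock["t"])
    out = {}
    out["wrong_attempts"] = [auth.login("alice", "nope", "10.20.1.5")
                             for _ in range(MAX_FAILED_ATTEMPTS)]
    out["after_lockout"] = auth.login("alice", "alice-pass", "10.20.1.5")
    out["outside_allowlist"] = auth.login("bob", "bob-pass", "198.51.100.7")
    out["bob_login"] = auth.login("bob", "bob-pass", "192.0.2.10")
    clock["t"] += timedelta(minutes=5)
    out["active_after_5m"] = auth.touch("bob")
    clock["t"] += timedelta(minutes=20)
    out["active_after_25m"] = auth.touch("bob")
    out["alice_events"] = [e for _, e in auth.accounts["alice"].events]
    return out
```

Two details carry the security value: the digest comparison uses hmac.compare_digest, and an unknown username still costs one PBKDF2 computation, so response time does not reveal whether an account exists. The disabled check runs before hashing, so a locked account cannot be used to burn server CPU, and the events list is what a report of successful and unsuccessful attempts (1.15) would be generated from.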
The entire migration can be completed over a weekend when planned with appropriate systems and software at the two end points.

1.21 What practices are followed to keep the applications safe?
Following are some of the software tools in place for prevention against malicious code:
• OSSEC – Host based intrusion detection system which generates e-mail alerts based on the events in servers
• Nessus – Vulnerability scanner
• Alertbot – URL monitoring system
• Cacti – Network monitoring tool
• Symantec Endpoint Protection – Anti-malware
• Cyberoam – Firewall & network security
Penetration tests are performed on every major release of the MetricStream platform, using industry standard tools such as Burp. The platform is tested for a wide range of security attacks including:
• Common web application vulnerabilities such as SQL injection, cross-site scripting, path traversal, HTTP response splitting, request impersonalization and password returned in later response
• Brute force attacks against authentication schemes
• Parameter manipulation
• Trawling for hidden content and functionality
• Session token sequencing and session hijacking
• Data mining
• Concurrency attacks and application-layer denial-of-service attacks
Apart from that, MetricStream performs a third party application penetration testing and vulnerability assessment test annually.

2.0 Service Level Agreement

2.1 Does MetricStream monitor the entire solution 24x7x365?
MetricStream works closely with its data center partners to provide 24x7x365 support and monitoring services. Typically, automated monitoring tools poll the system on a periodic basis (usually every 5 minutes) and test such connections as the web server, the J2EE server, the Oracle database, and various parts of the application layer as well. HTTP requests are sent to various parts of the application and the response is monitored.
If one of these connections fails, an automated alert message is sent over email and/or pager to the data center’s help desk and/or the MetricStream help desk.

2.2 Describe the service level agreement around response time and problem resolution time.
MetricStream provides a Service Level Agreement (SLA) around uptime and problem resolution time, and it can include response time of the system (although there will be some dependencies on the customer’s network that have to be factored into the contract).

2.3 Does MetricStream provide complete and regular reports on the interaction with the customer, including types of calls, status of issues, and resolution times?
MetricStream offers a web-based customer support portal, powered by the MetricStream GRC Platform, where customers can log issues, view the status of their open issues, and the current resolution status of those issues. All issues, whether reported via phone, email or the customer support portal, are logged to the same TAR (Technical Action Request) system and are viewable online via customer-specific reports and dashboards. MetricStream can also provide these reports manually via preset customer meetings, as well as have these reports automatically emailed to selected users if desired.

2.4 What is the average response and resolution time for problems encountered with the infrastructure: network, operating systems, or data center?
The MetricStream Cloud SLA includes a response time of less than two (2) hours for critical and severe errors. For critical errors, MetricStream will use commercially reasonable efforts, on a twenty-four (24) hour, seven (7) days per week basis, to provide a workaround or error correction for such critical error. For other types of issues, MetricStream generally resolves within four (4) hours.

2.5 Describe how technical issues are resolved.
MetricStream proposes three levels of support. Level 1 is typically provided by the customer.
MetricStream’s technical staff on its help desk provides Level 2 support. If the help desk is unable to resolve an issue quickly, it is escalated to Level 3 (the development staff and/or the original professional services staff that worked on the solution), based on the type of issue. If further escalation is required, our CTO is the next path of escalation. If a data center issue is determined to be the cause of the problem, the help desk will contact the data center’s help desk, which is 24x7 as well and has a similar escalation process.

2.6 Describe MetricStream’s escalation procedure. Are there tiered response layers? What happens at each stage?
MetricStream has a defined escalation procedure. In addition to escalating based on the type of issue, the help desk will escalate issues if a problem remains unresolved for a specific duration. This duration differs based on the severity of the issue, which is classified as critical, severe, moderate or minor. For additional information on our support policies and procedures, please contact us for our support policies and procedures manual.

2.7 Does the MetricStream SLA include provisions for a disaster recovery plan?
MetricStream has included provisions in our SLA for a disaster recovery plan and timeframe. The specifics around the disaster recovery plan are created as part of the SLA contract and are dependent on customer requirements such as standard backups and recovery, hot backup systems, redundant systems, etc.

2.8 Does MetricStream have documented change management procedures in place?
MetricStream’s Quality process includes a change management procedure that minimizes the impact to a customer system while ensuring that the customer is aware of any changes being made to the system. As part of the change management procedure, MetricStream can optionally offer and implement a ‘staging’ system that emulates the production system.
This allows MetricStream’s support and QA staff, as well as our customers, to test and verify the software change before any change is applied to the production environment. As part of the SLA contract, scheduled maintenance windows are also defined. MetricStream works with its customers to define the maintenance window to match each customer’s system downtime window for the other systems they use.

2.9 How often are MetricStream customers scheduled down for routine maintenance? For how long?
Typically, maintenance of the system such as patches/upgrades and backups is performed in less than a couple of hours.

2.10 How often are customers down for unscheduled maintenance? For what period of time?
MetricStream strives to minimize downtime as much as possible. Patches can often be applied in a hot-fix mode supported by our architecture. If the system has been down outside the scheduled maintenance window, the system is usually restored within 5 minutes on average after the call is reported to MetricStream’s help desk. Our standard SLA provides for credit if the downtime exceeds 4 hours in a month. Note: MetricStream has never encountered a downtime of this duration.

2.11 How does the customer retain access to its data and systems should MetricStream cease to operate?
To provide assurance to customers that they will still be able to use their system and access their data should MetricStream cease to operate, contracts can be created between all parties involved specifically stating that the customer owns the data. If desired, backups of the data and system files can also be provided to the customer on a periodic basis. In addition, the source code for our software can be provided in an escrow account at the customer’s cost so that our customers would have access to the complete system and software should MetricStream cease to operate.

2.12 What are the procedures for creating user accounts?
The MetricStream Solution includes an administrative interface that provides the customer, and any other party it may designate, the capability to add and delete user accounts and associated passwords, as well as define roles, permissions and access rules for each such user account. Such roles, permissions, and access rules may be assigned to individual user accounts or to a customer-defined group of user accounts. The customer can issue and administer Authorized User access and passwords, including additions, deletions and changes in access levels of Authorized Users.

2.13 How are upgrades, patches and releases handled? What is the frequency?
Typically, a release is targeted for every six months, with a major release targeted every 18 months. Service Patches may be released on an as-needed basis depending on the severity of any reported issues.
• Major release (X.0)
» Significant new functionality, data model changes, app impact
» Potential upgrade impact
» One major release every year
• Stabilization Minor Release (X.1)
» Few significant new features based on X.0 customers’ needs
» Minor upgrade impact
» Six months after major release
• Intermediate Minor Release (X.5)
» Some new features for analyst visibility, customer needs & differentiators
» Minor upgrade impact
» Six months after the X.1 minor release
Upgrades are provided at no additional cost beyond the annual support charge, although professional services may be required to implement the upgrade in the customer environment. Changes in a new release are made at the Platform level, and configuration changes made by the customer to their application are usually preserved across releases and/or migration scripts are provided.
While the upgrade time may vary based on the particular release and the particular solution implementation, MetricStream typically estimates 1-2 weeks to perform major upgrades, with the majority of the time spent testing the application to ensure that nothing broke during the upgrade process. All releases and patches come with comprehensive documentation describing the change(s), their impact, the steps to apply them, and detailed test cases for the issues addressed in the release or patch. The MetricStream Platform consists of several JAR files as well as platform metadata. The MetricStream application consists of resource files (templates, properties files etc.) and application metadata. Upgrading the MetricStream Platform does not affect the application resource files and application metadata, thus preserving all customizations. Upgrades of the application are performed using the IUP (Install Upgrade Patch) tool, which migrates resource files as well as application metadata.
The steps involved in upgrading and promoting the application into production include:
• Installation and/or upgrade of the new MetricStream Platform in the test instance
• Installation and/or upgrade of the application module in the test instance
• Installation of any patches specifically required
• User Acceptance Testing and Validation (if required) of the application module on the test instance
• Transition from the test/staging instance to the production instance using the IUP

2.14 How does the customer participate in the upgrade/enhancement process?
As part of any upgrade/enhancement process, the customer usually participates at a minimum by performing the User Acceptance Testing (UAT). This is usually conducted on a separate ‘staging’ system that emulates the production system and allows our support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment.
Upgrades and enhancements are applied to the production environment only after the UAT has been completed and approved by the customer. When an upgrade/enhancement is targeted, the customer is involved in the installation planning: what will be accomplished, the potential impact to any areas of the software, and what will be required from the customer.

3.0 High Availability & Scalability

3.1 Does MetricStream provide high-availability systems?
MetricStream’s solution is a web-based, J2EE n-tier application, using a database, application and web server architecture. Our solutions can run on any hardware and operating systems. High-availability deployment architecture is supported by MetricStream and can be used to provide fail-over capabilities.
• At the presentation and application server layers, MetricStream can be configured in a redundant manner with a hot standby that automatically wakes up and starts accepting requests if the primary servers go down
• At the database layer, MetricStream recommends that it be configured using approaches outlined by Oracle for high availability

3.2 Does the application support load balancing?
Load balancing mechanisms (static and dynamic, hardware and software) are supported by MetricStream. The solution provides both horizontal scalability and vertical scalability to meet growth in the number of concurrent users and queries as well as to support growth in volume of data, record and document processing. The exact configuration and setup is jointly determined by the customer’s IT department and MetricStream Solution Architects. The MetricStream solution can be configured to run in a clustered load-balanced configuration for scalability and high availability.
• Multiple application instances can be run on a single server to provide both application isolation and redundancy.
• Multiple web servers can also be configured with a load balancer.
A typical load-balanced architecture is illustrated in the figure below.
[Figure: Load Balanced / High Availability Architecture]

3.3 Describe how website availability is monitored.
Website availability is monitored as follows:
• Hosting provider pings for hardware availability
• MetricStream uses the third party Alertbot service to monitor application availability
The report from Alertbot provides the uptime, response time, and cause of any failure. MetricStream can also set up a manual process to email a periodic report to the customer.

3.4 Describe any contingency plans should the primary host become unavailable.
All data on the MetricStream Cloud is backed up daily and weekly. All backups are encrypted on a per-customer basis. Additionally, MetricStream also maintains a DR site. If primary servers become unavailable due to a hardware fault, MetricStream has SLAs in place to ensure components are replaced within 4 hours, after which the application can be restored. The hard drives are RAID 5 or better, and such drive failures do not cause application outage. When a complete new server needs to be recreated (application or database), the downtime can be up to two business days. In such cases the RPO is < 24 hours. If the data center is struck by a natural disaster, then MetricStream will restore the application from its DR backup. MetricStream’s DR SLA is as follows:
• Recovery Time Objective (RTO): < 1 day
• Recovery Point Objective (RPO): < 6 hours
The MetricStream Cloud can support mission-critical applications with RTO and RPO of 0 hours, if required.

4.0 Backup & Disaster Recovery

4.1 Are all the data and documents stored at the hosting facility or through a third party storage area network?
Under our default hosting SLA, the data and documents are stored at the hosting facility on the primary database and application servers, as well as the backup file servers (duplicate copies). In addition, tapes may be periodically made of the backup file servers and stored offsite.
4.2 Is MetricStream capable of archiving historical data that is no longer necessary for day-to-day operations?
MetricStream Cloud has comprehensive data archive and restore capabilities. The MetricStream Cloud supports the use of database functions for archiving and retention of all records and data. It supports auto-archiving and manual archiving options. Using a Rules Engine, users can set up rules/conditions to specify when, whose, which, and what type of artifacts/data (full system, partial system, specified system data or file areas) should be archived. IT administrators can specify what type of compressed file formats should be used and the storage location as well. Archiving and purging can be scheduled at the desired frequency and time intervals. In addition, customers can archive data such as attachments but leave a subset of the data on the system permanently so that it can be used for analysis purposes. Typically, MetricStream’s customers store between 5-7 years’ worth of data on the server at a minimum before archiving the data, and they have not reported any performance degradation so far. Reports can also be set up to analyze the archived data in a separate repository if that is desired.

4.3 What are MetricStream’s data retention and destruction policies?
MetricStream ensures full weekly and daily incremental backups of the database and file systems are made to a dedicated backup file server. Additional backup options include backing up to a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers. Backup data can also be stored to tape on a frequency as often as every day and stored at an offsite storage center such as Iron Mountain. All of these options are additional services that can be offered by MetricStream.
On discontinuing the hosting contract with MetricStream, no data is retained on our infrastructure. MetricStream can shred data to specifications ranging from a simple one-pass overwrite, to DoD 5220.22-M, to the 35-pass Gutmann algorithm.

4.4 Does MetricStream have a Disaster Recovery plan and facility?
Our Disaster Recovery plan depends on the customer’s choice of hosting architecture. Broadly, DR sites range from storage on the AWS Cloud for the basic offering, to a dedicated offsite data center for the premium and enterprise offerings.

4.5 Describe MetricStream’s backup and recovery procedures.
This can vary based on specific customer requirements and selected options. By default, full weekly and daily incremental backups of the database and file systems are written to a dedicated backup file server. Periodically, a copy of this backup file server is recorded to tape and stored at an off-site location.
If a MetricStream system crashes, the hardware will typically be replaced within two hours. After this, the operating system, databases and applications are reloaded, and the database is restored to recover the system. Replacement of the hardware and restoration of the data is expected to take six hours. If desired, Oracle transaction logs can also be enabled as an optional service, allowing up-to-the-minute recovery of the system in case of system failure.
Additional backup options include backing up to a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers. Backup data can also be stored to tape; the frequency of storage to an offsite storage center such as Iron Mountain can be as often as every day. All of these options are additional services offered by MetricStream.

4.6 Can MetricStream roll back the entire database (or specific data) to a prior save point?
MetricStream schedules daily backups.
The restore can be whole or partial.

4.7 Does MetricStream have separate backup & disaster recovery locations? How frequently are the recovery procedures tested?
MetricStream maintains multiple co-location providers to provide backup hosting and disaster recovery. By default, MetricStream tests the disaster recovery plan once a quarter to ensure that the backup policies are followed and the data is being properly backed up.

4.8 Are backup tapes stored offsite in a secure facility?
Offsite tape backup is offered optionally. If this option is chosen, the tapes would likely be stored by Iron Mountain, a leading provider of tape storage facilities.

4.9 Are backup tapes encrypted?
Backup tapes can be provided and encrypted at additional cost.

4.10 Is the fail-over active/passive or active/active?
This depends on the type of cloud architecture implemented. For the Enterprise OnDemand Offering, fail-over is Active/Passive.

4.11 How is the fail-over implemented?
MetricStream implements a manual fail-over to the DR site.

4.12 Customer requires service providers to comply with all aspects of the FFIEC Examination Handbook on Business Continuity Planning and the US Federal Reserve Sound Practices White Paper on systemic risk within the financial industry. This will include the following:
• Identify all business critical activities;
• Demonstrate the ability to recover Customer’s operations from any eventuality within a two hour timescale [I understand a different recovery SLA has been agreed]. Note: the solution must address the ability to survive an incident that may affect people, technology, utilities and buildings; for each the service provider must demonstrate out of region full functionality.
• Maintain geographically dispersed resources [Assets and Personnel] to meet recovery timescales
• Conduct robust and regular testing to demonstrate a high level of confidence in continuity plans.
MetricStream provides a dedicated DR setup in a different datacenter as a standard feature of its Premium Hosting option. This option provides real-time data replication to the DR site, and if production is down, the DR site kicks in automatically. The Recovery Point Objective (RPO) is less than or equal to 6 hours and the Recovery Time Objective (RTO) for the services is less than or equal to 1 day. It is also noteworthy that, beyond the datacenters, their staff and MetricStream staff, there is no other operational dependency to execute DR protocols.
As an SSAE 16 Type II audited, Tier IV data center, the standard business continuity protocols followed by BAIS are in compliance with the FFIEC Examination Handbook on Business Continuity Planning and the US Federal Reserve Sound Practices White Paper on systemic risk within the financial industry. MetricStream and BAIS can work with Customer to enable the DR site with data and application to test and validate the business continuity plan before going live with the application.

4.13 What is the cost for additional storage?
For additional storage, $4 is charged per GB.

4.14 Enter any additional details:
The following are some of the additional features of the BAIS datacenter that ensure business continuity and physical & environmental protection:
Tier IV Datacenter
• Carrier neutral
• Fully Redundant, N+1
• 83,000 square foot facility
• 30,000 square foot datacenter (expandable to 45,000 sqft)
• 30 inch raised floor
• 1.25 Seismic Importance Rating
• Comprehensive Mechanical and Electrical Building Monitoring
Over 1000 High Density Cabinets
• 47U (82” high), 43” deep, 19” wide
• 4-point door locking mechanism
• Combination lock system
• Perforated doors allowing for up to 83% airflow
• Prewired to 3 independent power sources to support up to 12 KW

4.15 List how Datacenter storage specific monitoring is performed.
SSAE 16 datacenter teams proactively monitor key system components, up to and including the Fibre Channel switches and storage array, 24 hours a day, seven days a week. The datacenter utilizes a state-of-the-art Enterprise System Management (ESM) monitoring solution that includes monitoring tools that track critical storage-infrastructure components. These tools include:
• Host-based SNMP software
• Windows Management Instrumentation (WMI)
• Hardware agents from the storage and SAN switch vendors
• A purpose-built monitoring platform called Collaborative Application Management (CAM)
These tools enable the datacenters to perform threshold-based, proactive monitoring and to respond to events quickly. The tools often provide notification before a real problem occurs. By monitoring critical parameters, datacenters can proactively notify the appropriate responsible party about detected or potential problems.

4.16 List the compliances of MetricStream partner datacenters.

Primary/ Secondary | Name of the Datacenter    | Compliances
Primary            | VxChnge                   | SOC2
Primary            | QTS                       | SOC2, HIPAA
Primary            | Telehouse                 | ISO, PCI, etc.
Primary            | Etisalat, JADC            | ISO
Secondary          | Cybercon                  | SOC2
Secondary          | Amazon Web Services (AWS) | SOC3, HIPAA, ISO

5.0 Data Security

5.1 If Mobile devices are supported, describe the access restrictions.
The MetricStream Solution is 100% web-enabled and can be accessed from any internet-enabled web browser. The system can therefore be accessed from a mobile device’s browser. No mobile access restrictions apply.

5.2 What types and levels of data encryption are supported? If encryption is used, what type and what key length?
The MetricStream platform protects data through advanced encryption functionality based on encryption algorithms such as AES with 256-bit keys and transport layer protocols including SSL and HTTPS. It also enables companies to build their own specific encryption and decryption plug-ins using industry-standard algorithms such as RSA and PKCS.
Data encryption is enabled for both data at rest (database/files) and data in transit:

Data-at-rest encryption: A key feature in the security foundation of the Platform is the provision to encrypt file attachments uploaded to the MetricStream application. Once this functionality has been enabled, the MetricStream Platform provides transparent attachment file encryption while uploading. Subject to role-based authorization controls, when a user downloads the attachment, the file contents are decrypted as well. File attachment encryption is a critical piece of Data-At-Rest security requirements, especially important for Internet-facing applications. A complete solution for Data-At-Rest security also entails Oracle database encryption leveraging the Oracle TDE options available with Oracle Enterprise Edition. SSL in combination with file/database encryption ensures that data in motion (network) and at rest (filesystem/database) is encrypted, thereby safeguarding any sensitive information that flows through the MetricStream application and addressing one of the most important security vulnerabilities of any Internet-facing application.

Data-in-transit encryption: For data in motion, the platform leverages SSL or HTTPS technology for encryption. Therefore, any sensitive information flowing through a MetricStream application is safeguarded, even though the application is Web-based.

The MetricStream application proxy server can be specially configured to address regional data security requirements in a distributed setup. It enables file attachments to be flagged as confidential or Client Identifying Data (CID) and stored only in the regional proxy server, not in the distributed or central server. That means that users outside the region will not be able to access the attachments.

5.3 Describe how MetricStream provides Data-encryption-at-rest.
In the MetricStream solution, application data is stored in two places.
Each has a separate mechanism for Data-encryption-at-rest:
• File attachments uploaded through the application are stored as raw files on the server. These are encrypted using 3DES or a better algorithm when stored on the server.
• The Oracle database is enabled with a feature called Transparent Data Encryption (TDE). Using this, all database columns that need encryption are appropriately enabled during the implementation phase. This requires Oracle Enterprise Edition.

5.4 Is authentication information encrypted (e.g. passwords)?
For data in motion, the platform leverages SSL or HTTPS technology for encryption.

5.5 Describe the teams and roles that have access (physical/ logical) to systems holding customer data.
MetricStream will have no access either to server-side components or to the client data of the production environment. However, access to the development and testing environment is usually maintained or provided as needed for any support requirements. It is not possible for Customer application data to be altered, deleted or retrieved by anyone other than authorized users.

5.6 How is data segregation managed? Specifically address segregating third parties from seeing internal Customer data and other third parties’ data.
Each customer’s data is on their own server(s). Physical, application, and network security schemes prevent customers from accessing data other than their own. MetricStream employs a number of documented controls to ensure the security and segregation of customer data. These controls provide defense in depth and include data-at-rest encryption, method filtering at the application tier, and data access enforcement at the database tier. This ensures third parties are segregated from seeing internal Customer data and other third parties’ data.

6.0 Network Security

6.1 What interfaces does customer data have to the outside world (IP addresses, ports, and protocols. For example, HTTPS, XML, upload or download to financial systems)?
The MetricStream platform’s data integration services consist of powerful and flexible adapters called “Infolets” that execute periodic (scheduled or on-demand) queries and functions on external systems to extract relevant data. Infolets enable the platform to seamlessly connect to external applications and communicate through appropriate technologies such as SQL, APIs, executable programs, text files, Web Services and XML. MetricStream supports integration with external systems in a “configurable” fashion, with no source code changes made to the MetricStream GRC Platform. All relevant data can be pushed or pulled in real time or on a scheduled basis between the MetricStream repository and an external system. Customers can also use Secure FTP for batch uploads.

6.2 Which network access methods are employed?
MetricStream provides access to its servers over HTTP or HTTPS (SSL 128-bit protocol), based on customer requirements. Access from the application to the database server may be on a separate network, and access to the file backup servers is usually on a separate network.

6.3 What program(s) need to be installed on a user’s computer in order to use the MetricStream Application?
None. MetricStream’s Solution is 100% web-based and can be accessed from any internet-enabled web browser.

6.4 Can the end customer monitor bandwidth usage to the data center?
If a customer opts for a dedicated server / database as part of the installation, then bandwidth usage charts can be provided through a secure login to the customer.

6.5 Are firewalls shared across several customers or does each customer have its own firewall?
Each customer is provided with a dedicated software firewall.

6.6 Describe the intrusion detection systems in place.
MetricStream maintains Intrusion Detection (IDS) at the firewall and software-based Intrusion Detection on the server. Intrusion detection alerts are typically sent over email. A dedicated IDS is optional.
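The transparent attachment encryption described in 5.2 and 5.3 (encrypt on upload, decrypt on download subject to role-based authorization, with per-customer keys as in 3.4 and 5.6) can be made concrete with the following added example. This is not MetricStream’s code: it was written for this page in Go, it uses AES-256-GCM rather than the 3DES mentioned in 5.3, and the key store, the SHA-256 key derivation, the role table and the attachment record layout are all constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyStore is a constructed stand-in for a KMS/HSM holding a 256-bit master
// key; per-customer keys are derived from it so tenants never share a key.
type KeyStore struct{ master []byte }

// CustomerKey derives a tenant-specific AES-256 key. SHA-256(master || label)
// is used here as a simplification of a proper KDF such as HKDF.
func (k *KeyStore) CustomerKey(customerID string) []byte {
	h := sha256.New()
	h.Write(k.master)
	h.Write([]byte("attachment-key:" + customerID))
	return h.Sum(nil)
}

// Attachment is the stored form of an uploaded file. The attachment id is
// bound as additional authenticated data, so a ciphertext cannot be moved
// to another record without failing authentication.
type Attachment struct {
	ID, CustomerID string
	Nonce          []byte
	Ciphertext     []byte
}

// ErrForbidden is returned when role-based authorization denies a download.
var ErrForbidden = errors.New("download not authorized for this role")

// allowedRoles is the constructed RBAC table of roles that may read attachments.
var allowedRoles = map[string]bool{"auditor": true, "compliance_manager": true}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreAttachment encrypts the file transparently on upload with AES-256-GCM
// under the customer's key and a fresh random nonce.
func StoreAttachment(ks *KeyStore, customerID, attachmentID string, plaintext []byte) (*Attachment, error) {
	gcm, err := newGCM(ks.CustomerKey(customerID))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(attachmentID))
	return &Attachment{ID: attachmentID, CustomerID: customerID, Nonce: nonce, Ciphertext: ct}, nil
}

// DownloadAttachment enforces the role check first, then decrypts. A blob
// that was tampered with, or re-labelled with another id or customer, fails
// GCM authentication and returns an error instead of plaintext.
func DownloadAttachment(ks *KeyStore, role string, a *Attachment) ([]byte, error) {
	if !allowedRoles[role] {
		return nil, ErrForbidden
	}
	gcm, err := newGCM(ks.CustomerKey(a.CustomerID))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.Ciphertext, []byte(a.ID))
}

func main() {
	ks := &KeyStore{master: []byte("0123456789abcdef0123456789abcdef")} // constructed 32-byte key
	att, err := StoreAttachment(ks, "cust-A", "att-001", []byte("Q3 audit evidence"))
	if err != nil {
		panic(err)
	}
	pt, err := DownloadAttachment(ks, "auditor", att)
	fmt.Printf("auditor: %q err=%v\n", pt, err)
	_, err = DownloadAttachment(ks, "guest", att)
	fmt.Println("guest:", err)
}
```

The design point is that the authorization decision and the cryptographic integrity check are both enforced on the download path: an unauthorized role never reaches the key, and a modified ciphertext or one copied from another customer’s record is rejected by the authenticated mode rather than decrypting to garbage.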
6.7 Describe the mitigation strategies for “Distributed Denial of Service Attacks (DDoS)”.
A firewall is configured to protect against intrusions and security attacks. If necessary, the upstream router from the data center can also be configured to protect against DDoS attacks. We have 2 layers of protection. One layer is the perimeter layer, which is managed and monitored by the Data Center team. The other layer is the network layer, managed and monitored by the MetricStream CloudOps team.

6.8 Describe endpoint protection used.
MetricStream implements measures to protect customer data against viruses, worms, trojan horses, and other harmful elements designed to disrupt the orderly operation of, or impair the integrity of, Hosted Data. Our endpoint protection ensures that the security of the MetricStream system, the client data, and other transmissions through the MetricStream system is not compromised for any reason.

6.9 Are all components of the architecture secured?
Based on customer specifications, all our architectural components can be secured by one of the following technology options: Basic, LDAP connect, or SAML connect.

6.10 Are all components hardened and locked down?
The installation/configuration steps ensure that the system is hardened and locked down. This is done across the deployment stack: Operating System level (file permissions, ports), Java Virtual Machine level (security policies) and Application level authentication & authorization controls.

6.11 Describe how the database is secured.
The database server is never exposed on the Internet. Port hardening is diligently undertaken. For database access only Port 1521 is open, and only for internal network access. RDP/SSH controlled access to the servers is enabled from internal networks for ongoing maintenance.

6.12 Are internal application middleware interfaces secured?
Internal application middleware interfaces are secured through secure web services and digital-signature-based integration mechanisms.
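To show the monitoring side of the firewall controls in 6.7 and 6.11 (and the two-layer firewall model in 6.13), here is an added example that is not MetricStream’s or the data center’s tooling. It runs three checks over constructed firewall log lines in a made-up key=value format: an allowed connection to the database port 1521 from outside the internal network, an RFC 1918 source address arriving on the Internet-facing interface (a spoofing indicator), and a burst of SYNs from one source within a short window (a denial-of-service indicator). The log format, the interface names "wan" and "lan", the address ranges and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed firewall record. The key=value line format below is
// constructed for this example; it is not any vendor's real log format.
type Event struct {
	TS                   time.Time
	Iface, Flags, Action string
	Src                  net.IP
	DPort                int
}

// Finding is one alert produced by Analyze.
type Finding struct{ Rule, Detail string }

// constructedLogs are sample lines written for this example: "wan" is the
// Internet-facing interface, "lan" the internal one.
const constructedLogs = `
2024-05-01T10:00:00Z iface=lan src=10.10.1.20 dport=1521 flags=S action=allow
2024-05-01T10:00:01Z iface=wan src=198.51.100.7 dport=443 flags=S action=allow
2024-05-01T10:00:01Z iface=wan src=198.51.100.7 dport=443 flags=SA action=allow
2024-05-01T10:00:02Z iface=wan src=198.51.100.7 dport=1521 flags=S action=allow
2024-05-01T10:00:03Z iface=wan src=10.10.1.20 dport=443 flags=S action=deny
2024-05-01T10:00:05Z iface=wan src=192.0.2.99 dport=443 flags=S action=allow
2024-05-01T10:00:05Z iface=wan src=192.0.2.99 dport=443 flags=S action=allow
2024-05-01T10:00:06Z iface=wan src=192.0.2.99 dport=443 flags=S action=allow
2024-05-01T10:00:06Z iface=wan src=192.0.2.99 dport=443 flags=S action=allow
2024-05-01T10:00:07Z iface=wan src=192.0.2.99 dport=443 flags=S action=allow
`

// internalNets are the RFC 1918 ranges treated here as the internal network.
var internalNets []*net.IPNet

func init() {
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, _ := net.ParseCIDR(c)
		internalNets = append(internalNets, n)
	}
}

func isInternal(ip net.IP) bool {
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// parseLine turns "<RFC3339 time> key=value ..." into an Event.
func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	e := Event{TS: ts}
	for _, kv := range fields[1:] {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			continue
		}
		switch p[0] {
		case "iface":
			e.Iface = p[1]
		case "src":
			e.Src = net.ParseIP(p[1])
		case "dport":
			e.DPort, _ = strconv.Atoi(p[1])
		case "flags":
			e.Flags = p[1]
		case "action":
			e.Action = p[1]
		}
	}
	return e, nil
}

// Analyze applies the three checks. Per-line findings come out in log order,
// followed by SYN-burst findings sorted by source, so the result is deterministic.
func Analyze(lines []string, synThreshold int, window time.Duration) []Finding {
	var findings []Finding
	synTimes := map[string][]time.Time{}
	for _, line := range lines {
		e, err := parseLine(line)
		if err != nil {
			continue // a real pipeline would count parse failures separately
		}
		// 6.11: tcp/1521 must only be reachable from the internal network.
		if e.DPort == 1521 && e.Action == "allow" && (e.Iface == "wan" || !isInternal(e.Src)) {
			findings = append(findings, Finding{"db-port-exposure", fmt.Sprintf("%s allowed to tcp/1521 via %s", e.Src, e.Iface)})
		}
		// An RFC 1918 source cannot legitimately arrive on the Internet-facing interface.
		if e.Iface == "wan" && isInternal(e.Src) {
			findings = append(findings, Finding{"spoofed-source", fmt.Sprintf("internal address %s seen on %s", e.Src, e.Iface)})
		}
		// Collect pure SYNs (not SYN-ACK) per source for the burst check.
		if e.Src != nil && strings.Contains(e.Flags, "S") && !strings.Contains(e.Flags, "A") {
			synTimes[e.Src.String()] = append(synTimes[e.Src.String()], e.TS)
		}
	}
	srcs := make([]string, 0, len(synTimes))
	for s := range synTimes {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs)
	for _, src := range srcs {
		ts := synTimes[src]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0 // sliding window over the sorted SYN timestamps
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 >= synThreshold {
				findings = append(findings, Finding{"syn-burst", fmt.Sprintf("%s sent %d SYNs within %s", src, end-start+1, window)})
				break
			}
		}
	}
	return findings
}

// SampleFindings runs Analyze over the constructed log: 5 SYNs in 10 seconds trips the burst rule.
func SampleFindings() []Finding {
	return Analyze(strings.Split(strings.TrimSpace(constructedLogs), "\n"), 5, 10*time.Second)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-17s %s\n", f.Rule, f.Detail)
	}
}
```

On the constructed sample this yields three findings: the allowed tcp/1521 connection from 198.51.100.7 over the Internet-facing interface, the internal address 10.10.1.20 seen on that interface, and the five-SYN burst from 192.0.2.99. The point for the SLA discussion in 6.7 and 6.18 is that the firewall logs the page says are retained are only useful if something like these checks actually runs over them and raises a ticket.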
6.13 Are network access controls implemented to restrict access from the internet to the application and components to certain ports?
MetricStream uses two layers of firewalls:
• Firewall devices deployed on the network perimeter
• Software firewalls that run on each server that hosts components of the solution.

6.14 Does MetricStream have non-Internet facing integrations (e.g. site-to-site VPN)?
For non-internet facing integrations, SSO/SAML is the preferred choice. VPN is optional at added cost.

6.15 Does remote access to the MetricStream network require 2-factor authentication?
No, there is no direct remote access to the production network. MetricStream does not maintain any access to the customer production network by default. Explicit permission is sought from the customer for such access, which is requested only in an important and critical situation. The MetricStream business network is enabled for remote access by authorized employees through a secure VPN with 2-factor authentication.

6.16 Is out-of-band management of servers performed?
MetricStream performs out-of-band management by deploying remote access cards.

6.17 How is Network security maintained?
Network security is maintained by:
• Secure administrative access using VPN access with RSA tokens
• Layer 2 (switch) security using VLAN tagging and MAC address lockdowns
• Only required ports opened
• Protocol fix-ups that restrict only certain commands inside an application/protocol
• Updating software code on network devices to the latest stable version
• Dedicated or shared firewalls with documented firewall policies (customer selected option)

6.18 How is Network Security monitoring performed?
Network security monitoring is performed using a combination of firewalls and periodic vulnerability assessments, which are discussed further below. Logging is enabled on the network firewalls to capture current activity (for example, spoofing, denial of service attacks).
These activity logs are retained for subsequent review in case further evaluation is required (for example, for forensic purposes).
Network vulnerability assessments are also performed on selected customer systems to identify potential vulnerabilities resulting from viruses and/or malicious acts. These assessments help identify weaknesses within the network configuration, systems that have not been updated with the latest service packs and security patches, or systems that still require specific hardening techniques. To accomplish this, broad-range non-intrusive assessments are performed for a range of addresses for a selected number of hosts on the network. Results of the assessments described above are reviewed by the Datacenter’s Networking and Engineering department and posted internally. If necessary, a ticket is created and assigned to the customer or Datacenter system owners for investigation and is then tracked through to resolution.
In connection with the network monitoring processes, Datacenters also implement a formal anti-virus management process to monitor and remediate both Windows-based and email-based virus vulnerabilities. The Windows anti-virus software is configured to monitor virus activity and detect/prevent virus signatures contained in data or files being transmitted; the Exchange/SMTP (email) anti-virus software is configured to monitor mail-related traffic and detect/prevent the transmission of data or files via email that contain certain virus signatures. The anti-virus agent on each Windows server routinely receives pattern updates from the anti-virus management server, which is configured to download virus definitions from the vendor’s site daily to ensure virus definitions are current.

7.0 Physical Security & Infrastructure*

7.1 Company and Private Areas must be located entirely within [Data Centre] Public Space. Access to these areas must only be from building areas that the general public does not have access to.
How do you comply with this requirement?
The Bay Area Internet Solutions (BAIS) facility is located on a private area demarcated and secured by perimeter security fences on all sides. All access points into the facility are manned 24x7 along with constant CCTV monitoring both inside and outside the building. All access points are secured and monitored using a combination of manual security, hand geometry based access control and PIN code based access control.

7.2 Company and Private Areas must have an owner clearly identified. How do you comply with this requirement?
The Bay Area Internet Solutions (BAIS) facility is located on an area with a clearly identified ownership pattern. The ownership structure of the area can be provided on specific request to BAIS.

7.3 Company and Private Areas must be locked, even when attended. How do you comply with this requirement?
All areas within the facility are locked and manned on a 24x7 basis. The locking system is a combination lock system consisting of hand geometry based access control and PIN code based access control.

7.4 Company and Private Areas must be locked, even when attended.
All areas within the facility are locked and manned on a 24x7 basis. The locking system is a combination lock system consisting of hand geometry based access control and PIN code based access control.

* This section has been considered with reference to Bay Area Internet Solutions (BAIS) and MetricStream Infrastructure. Upon request, the same information can be provided for other MetricStream partner data centers.

7.5 Access to Company and Private Areas must be restricted to only those individuals authorized by the area owner.
Note 1: Persons with authorised access must have a current business requirement for access and be authorized by the area owner. The area owner is expected to make the determination of what constitutes a business requirement and be able to establish that such a determination was made.
Note 2: Persons allowed temporary access by an authorized person are considered to have one-time authorized access.
How do you comply with this requirement?
The following security guidelines are in place at BAIS to comply with the above requirements for customers and vendors:
• Customers must submit CCI forms before being listed in NetSuite, the customer relationship management system.
• Only customer contacts listed in NetSuite with Co-Lo access can be registered in the Security System.
• Once registered in the security system, customers must always PIN and Bio Scan in before entering the data center. Customers from the same company must all PIN & Bio in separately.
• Customers are asked to PIN & Bio in to prove they are who they say they are and that they are still authorized or ‘active’ contacts for their company.
• All retail side co-lo customers are assigned a ‘Base’ level of access. Customer access levels are not to be changed without operations management approval.
• Customers are not authorized to enter the warehouse, service aisles or other restricted areas of the facility without an escort.
• Customers whose badges are in a ‘frozen’ state are not allowed to enter the data center. Frozen badges are not to be unfrozen without management approval.
• All vendors must submit Certificates of Liability Insurance before they are listed in NetSuite as authorized. Any vendor wanting access to the facility must be listed by name in NetSuite.
• Approved vendors are given temporary badges to gain access to the areas of the facility that they are approved to enter. Vendors must be signed in and turn over their driver’s license to obtain a temporary access badge.
• Vendors are assigned specific access levels based on the nature of their work. Vendors should not be given badges with access levels higher than authorized (in NetSuite) without management approval.

7.6 You are required to have a process for quarterly revalidation of the Private room access list.
This list must be verified and signed [hard-copy or electronically] by the area owner. On an annual basis, the area owner is to follow a locally defined process for reviewing continued business need for access by the individuals on the access list. How do you comply with this requirement?
Yes, the access list is validated with the owner on a quarterly basis as a standard process.

7.7 You must have a process for periodic review of the access list of controlled areas and “timely” removal of employees from the access list when necessary due to termination of employment or loss of business need. How do you comply with this requirement?
Yes, the access list is validated with the owner on a quarterly basis. Apart from that, the client can also send a request for addition or removal of an employee from the list as required. Based on a designated workflow process, such termination or addition requests can be considered.

7.8 Access to Company and Private Areas must only be allowed from Data Centre Public space. How do you comply with this requirement?
Yes, unauthorized access is restricted using a perimeter security fence as well as concrete walls and an air plenum corridor which surrounds the data center facility. Within the premises, the following security measures prevent unauthorized access:
• 24x7 Manned Facility
• 24x7 Check in required
• CCTV Camera Monitoring inside and outside the Building
• Secure, Monitored Doors to all Entrances
• Hand Geometry Biometrics and PIN Code Access

7.9 Exterior windows are not permitted in ground floor Private areas constructed after July 1, 1992 unless polycarbonate glazing or other shatter resistant glass is used. How do you comply with this requirement?
Yes, all windows, wherever provided, comply with the requirement.

7.10 Private areas must include either slab-to-slab barriers or intrusion detection. How do you comply with this requirement?
Intrusion detection is provided by the following measures:
• 24x7 Manned Facility
• 24x7 Check in required
• CCTV Camera Monitoring inside and outside the Building
• Secure, Monitored Doors to all Entrances
• Hand Geometry Biometrics and PIN Code Access

7.11 Access to Private areas must be controlled by an electronically controlled access system (CAS), unless specifically exempted by the area owner’s Director or equivalent level executive. How do you comply with this requirement?
Bay Area Internet Solutions (BAIS) has an electronically controlled access system based on a combination of the following:
• Hand Geometry Biometrics and PIN Code Access
• 4 point door locking mechanism
• Combination locking system

7.12 Emergency exits for Private areas must have working, audible and monitored alarms. For both safety and security reasons, the alarms must operate on emergency power and alarm events must initiate investigative actions. Do you conduct periodic verification of these requirements and can you show documented proof?
In the BAIS facility, all alarms are pre-wired to 3 independent power sources to support up to 12 KW. Periodic verification and testing of all equipment involved is carried out, and documented proof of the same can be shared with the client.

7.13 Private area owners must keep an accurate, current log of non-routine access that reflects the visitor’s name, time of entry, escort or authoriser, and the fact of exit. Do you maintain such a log at the entrance of all your Private rooms?
Yes, entry of all personnel (routine and non-routine) is logged along with details and documentation of the rooms accessed and timings.

7.14 Systems which are essential to supporting the Customer business process must be in a Private area. How do you comply with this requirement?
Yes, by default, all datacenter systems supporting the clients are in private and secured areas only.

7.15 All Customer systems must be in a Private area. How do you comply with this requirement?
Yes.
By default, all datacenter systems supporting the clients are in private and secured areas only.

7.16 All other systems covered by this Standard must be in a Company area, or in an office room that is locked when unattended. NOTE: Systems and components owned by third parties [e.g. network providers] must be located in a Private area. How do you comply with this requirement?
Yes, the BAIS datacenter is self-contained, with all network management components as well as other business critical systems housed within the perimeter fence.

7.17 Network management systems must be in a Company area, or in an office room which is locked when unattended. NOTE: Systems and components owned by ATT must be located in a Private area. How do you comply with this requirement?
All network management components as well as other business critical systems are housed within the perimeter fence.

7.18 Network Communication Control Units, Bridges, Gateways, Repeaters, Routers, Wiring hubs and Wiring closets must be in a Company area. NOTE: Systems and components owned by ATT must be located in a Private area. How do you comply with this requirement?
All network communication control units and related equipment and wiring hubs are housed within the perimeter fence of the BAIS premises.

7.19 Modems must have the same physical access protection requirement as the system or infrastructure components to which they are connected. How do you comply with this requirement?
Modem units are also housed under the access control regime wherein only authorized personnel are allowed to access the system. The access is controlled using a combination of number lock and biometric identification.

7.20 Please describe how separacy and diversity of High Voltage power is achieved from sub-station to HV switch room then via transformers to Project Hosts equipment via PDU.
The following are some of the key facets of the Tier IV electrical system underpinning the BAIS infrastructure:
N+1 Electrical System:
  o Utility Feeders
  o Uninterruptible Power Supplies (UPS)
  o Backup Power Generators
  o Automatic Transfer Switches (ATS)
Designed and Engineered for:
  o 3 x 9 Megawatt Feeders
    – 12 KVA Feeders
    – 8 Cummins 2 Megawatt generators, 4000 gallons each
  o 14 x 800 KVA UPSs
    – EPS-8000 UPS systems from MGE, highest efficiency rating
    – Up to 300 watts/sqft with an average of 150 watts/sqft
  o 300 KVA PDUs with STS (static switches) for failover
Exceptional Power Quality:
  o Separation of IT and Mechanical Load
  o Distributed, Redundant Power Distribution through the ATS & STS systems
  o Branch Circuit Monitoring
Complete Electrical System Monitoring
1.3 Power Usage Efficiency (PUE)

7.21 Please describe local arrangements for Continuous Power Supply [e.g. diesel generators]; include redundancy, fuel storage and resupply arrangements, testing and maintenance.
Bay Area Internet Solutions (BAIS) has a Tier IV electrical system which consists of the following:
a. Utility Feeders
b. Uninterruptible Power Supplies (UPS)
c. Backup Power Generators
d. Automatic Transfer Switches (ATS)
e. 3 x 9 Megawatt Feeders
  o 12 KVA Feeders
  o 8 Cummins 2 Megawatt generators, 4000 gallons each
f. 14 x 800 KVA UPSs
  o EPS-8000 UPS systems from MGE, highest efficiency rating

7.22 Please describe local arrangements for fire detection and suppression within the Data Centre; please include a description of testing and maintenance coverage.
The following are the arrangements for fire detection and suppression at the datacenter:
• Pre-action, double-interlocked, dry-pipe fire suppression system
• VESDA (Very Early Smoke Detection System) above and below the floor
• Detection and suppression systems in the datacenter, electrical, and mechanical areas
• Economizer automatic shutoff if smoke is detected outside of the building
The maintenance and testing schedules are maintained and published by BAIS.
The results and test coverage scenarios can be made available to the client on special request.

7.23 Please describe the local manned security presence, if any; number of guards, hours, coverage, patrol arrangements; dedicated or contracted? If contracted, name of the provider.
The NOC also functions as a SOC and is manned 24 x 7 x 365 by BAIS employees. There are scores of surveillance cameras (the exact number is confidential) deployed throughout the property to monitor all ingress/egress points, the data center, the electrical/mechanical locations, the warehouse, the perimeter of the facility, and more. Multiple camera views are displayed on the consoles where the stationary guard is located. There are roving patrols and predefined security inspections performed up to 4 times per 8-hour shift. The security person stationed in the NOC is responsible for monitoring the surveillance cameras, verifying access authorization for visitors and vendors, and taking any corrective action on security breaches. The NOC is equipped with radio and cell phone communication and has a predefined escalation protocol with BAIS management. It must be noted that physical security is audited as part of the standard third-party audit every year.

7.24 Please describe Data Centre external and internal CCTV coverage and monitoring processes; e.g. are images monitored locally or remotely? How long are they stored for? How is the quality of the images assured?
There is video surveillance of the data center ingress/egress. All access to and exit from the data center is enabled by a combination of a unique PIN and biometric authorization. Each aisle and entry point of each POD is monitored via camera. The camera views are monitored on site by BAIS security personnel. There are two camera resolutions employed: (1) low resolution, 352 x 240; (2) high resolution, 704 x 480. Camera images are stored locally on video servers and can be reviewed on demand.
These videos are stored for at least six months. Each camera is checked daily for video quality and accurate time/date stamps, per staff procedures.
7.25 Please describe how separacy and diversity of communications circuits are achieved from WAN Points of Presence to the Data Centre and from the agreed delivery interface / "demark" to MetricStream equipment.
Bay Area Internet Solutions (BAIS) provides a Metro GigE (Gigabit Ethernet) Internet access service that connects to the Internet in a fully meshed, vendor-neutral manner. The delivered circuit consists of two VLAN ports on two different switches operated as a cluster. BAIS maintains direct connections to four Tier-1 Internet backbone providers: Level 3, AboveNet, TW Telecom and Cogent. Behind that handoff, MetricStream operates high-availability (HA) firewall pairs. All network and server systems run on dual power supplies with appropriate redundancy.
7.26 Cabinets and the equipment they contain must not identify Customer. How do you comply with this requirement?
Yes, this is standard practice at BAIS.
7.27 Customer cabinets must be locked and the physical key[s] properly managed [e.g. retained securely and their use logged]. How do you comply with this requirement?
Yes, the cabinets are secured with combination locks.
7.28 All under-floor Customer cables must be protected by secure trunking. How do you comply with this requirement?
Yes, this is standard practice at BAIS.
7.29 Router modems must be disconnected. How do you comply with this requirement?
Yes, this is standard practice at BAIS.
7.30 Provide Datacenter specifications.
The datacenter specifications are listed below:
Space
• High-density solutions from 1.8 kW/m²
• 24x7x365 building operation
• 750 mm raised floor
• Secure managed delivery bay with goods lift
• Floor loading of 10 kN per square meter
Datacenter
• 24x7 Remote Hands support on site
• Total of 2,000 square feet of data space and 1,000 square feet of office space
Power
• Mains power supplied via 2 x 132 kV incomers, 84 MVA
• N+N or N+1 power solutions can be tailor-made to meet customer requirements
• Minimum N+N Uninterruptible Power Supply (UPS) with battery backup
• Backup generators
• Refueling contracts to ensure timely resupply
Environment/Cooling
• Primary cooling infrastructure, centrally managed and linked to the BMS
• Room air conditioning units
• Regulated humidity
• Minimum N+1 standby on all cooling systems (free cooling and DX options)
Monitoring and Fire Detection/Control System
• Three-stage fire detection in all plant areas, with Novec gas suppression
• VESDA (Very Early Smoke Detection Apparatus)
• Fire detection in all rooms, below raised floors and in ceiling voids
• Double-interlocked pre-action Novec gas suppression in technical areas
• Fire detection and suppression systems interconnected to the central BMS
Security
• 24x7 on-site security
• Door access controls at site and building entrances
• Proximity cards to authorize access levels, including mantrap access
• External and internal CCTV
• Intruder detection alarms
• 4 meter secure perimeter fence with trembler wire
• SEAP 3 rated vehicle lock at the site entrance
• X-ray scanners
Building Management System
• Power monitoring and building-monitored systems providing alarms
• Power surge management
• Dedicated in-house 24x7 facilities management team
• Planned preventative maintenance programs
Network
• Diverse cable routing into the facility
• Diverse cable routing through the raised floor to each suite
• Strict cable management policy
• Access to multiple telecommunication providers, including Telstra, AboveNet, BT, COLT, Easynet, Virgin Media, Vtesse, Verizon and Exponential-e
• 2 dedicated secure Meet-Me rooms
8.0 Operational Security
8.1 Detail your change control policy and procedure. This should also include the process used to re-assess risks as a result of changes and clarify whether the outputs are available to end customers.
MetricStream's Cloud Services are managed by a dedicated MetricStream CloudOps team, which handles all changes and the risk mitigation associated with day-to-day cloud operations. All changes are governed by the MetricStream Hosted Application Standard Operating Procedure. Per that policy, changes are periodically reviewed by the VP, Technology Operations and the CTO, according to the significance of the change.
8.2 Detail your remote access policy.
By default, there is no remote access to the production network. Where access is required, it is provided only over a secure VPN channel.
8.3 Detail your risk assessment policies.
A management-approved risk assessment program is in place for securing tenant information and assets. This is a standard part of the SSAE 16 audit conducted annually at our partner hosting centers. MetricStream partners only with SSAE 16 Type II audited Tier IV data centers for hosting services. The latest SSAE 16 audit report can be shared with the client on specific request.
8.4 Do you maintain documented operating procedures for information systems?
Yes, operating procedures for information systems are documented.
8.5 Detail your monitoring and logging procedures.
MetricStream works closely with its data center partners to provide 24x7x365 support and monitoring. Automated monitoring tools poll the system periodically (usually every 5 minutes) and test the web server, the J2EE server, the Oracle database and various parts of the application layer.
HTTP requests are sent to various parts of the application and the responses are checked. If one of these checks fails, an automated alert is sent by email and/or pager to the data center help desk and/or the MetricStream help desk. In addition, website availability is monitored as follows:
• The hosting provider pings for hardware availability.
• MetricStream uses the third-party service AlertBot to monitor application availability.
The AlertBot report provides uptime, response time and the cause of any failure. MetricStream can also set up a manual process to email a periodic report to the customer. Monitoring and logging procedures are documented in the MetricStream Hosted Applications Standard Operating Procedure.
The MetricStream application's system administration module monitors failed logins; once the configured threshold is reached, the user account can be temporarily disabled according to the business rules enabled, and an alert is sent to the system administrator. Malicious activity such as DoS and DDoS attacks is detected by tools such as an intrusion detection system (IDS), which warns of and isolates such attacks; the monitoring tools and the data center team also raise the alarm, so MetricStream is notified immediately. Appropriate action is then taken based on the nature of the issue, and the data center team continues to monitor for such incidents proactively.
In case of an incident, standard procedure is for MetricStream to notify the customer's authorized contact of the incident or breach. Incidents are handled according to standard operating procedures that detail the corrective actions, the key personnel to be involved and informed, and the risk mitigations to be put in place. In most cases MetricStream will immediately isolate the affected VLAN, server or set of servers. MetricStream will first contain the breach and then notify both the data center and the customer.
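The failed-login threshold described above is stated as a feature, not a mechanism. The following is an added example of the detection logic, written for this page and not MetricStream's code: it replays constructed authentication log lines, counts failures per user inside a sliding window, disables the account for a fixed period once the threshold is hit, emits an administrator alert, and records any attempt (including a correct password) made while the account is disabled. The log line format, the field names, the threshold of five failures in ten minutes, the fifteen-minute lockout and the sample log are all assumptions made for the example.

```python
"""Failed-login threshold detection with temporary lockout and admin alert.

Added example; not MetricStream's code. The log line format, field names,
threshold, window and lockout duration are assumptions, as is the sample log.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines (format assumed for this example, not a real product log).
SAMPLE_LOG = """\
2014-03-01T09:00:01Z LOGIN_FAILED user=alice src=10.0.0.5
2014-03-01T09:00:04Z LOGIN_FAILED user=alice src=10.0.0.5
2014-03-01T09:00:09Z LOGIN_FAILED user=alice src=10.0.0.5
2014-03-01T09:00:11Z LOGIN_FAILED user=alice src=10.0.0.5
2014-03-01T09:00:15Z LOGIN_FAILED user=alice src=10.0.0.5
2014-03-01T09:00:20Z LOGIN_OK     user=alice src=10.0.0.5
2014-03-01T09:01:00Z LOGIN_FAILED user=bob src=10.0.0.7
2014-03-01T09:20:00Z LOGIN_FAILED user=bob src=10.0.0.7
2014-03-01T09:21:00Z LOGIN_FAILED user=bob src=10.0.0.7
2014-03-01T09:22:00Z LOGIN_FAILED user=bob src=10.0.0.7
2014-03-01T09:23:00Z LOGIN_FAILED user=bob src=10.0.0.7
2014-03-01T09:23:30Z LOGIN_OK     user=bob src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_FAILED|LOGIN_OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Policy:
    threshold: int = 5                          # failures that trigger a lockout
    window: timedelta = timedelta(minutes=10)   # sliding window the failures must fall in
    lockout: timedelta = timedelta(minutes=15)  # how long the account stays disabled


def parse_line(line):
    """Split one log line into (timestamp, event, user, source address)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["user"], m["src"]


def detect(log_text, policy=Policy()):
    """Replay auth events; return lockouts, admin alerts and attempts refused while locked."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    locked_until = {}             # user -> datetime at which the lockout expires
    alerts, refused = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, src = parse_line(raw)
        q = recent[user]
        while q and ts - q[0] > policy.window:   # expire failures that fell out of the window
            q.popleft()
        lock_end = locked_until.get(user)
        if lock_end is not None and ts < lock_end:
            # Disabled account: refuse every attempt, even one with the right password.
            refused.append((ts, user, event, src))
            continue
        if event == "LOGIN_FAILED":
            q.append(ts)
            if len(q) >= policy.threshold:
                until = ts + policy.lockout
                locked_until[user] = until
                alerts.append(
                    f"{ts.isoformat()}Z LOCKOUT user={user} src={src} "
                    f"failures={len(q)} window={policy.window} until={until.isoformat()}Z"
                )
                q.clear()
        else:                      # a successful login resets the failure count
            q.clear()
    return {"alerts": alerts, "locked_until": locked_until, "refused": refused}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for line in result["alerts"]:
        print(line)
    for ts, user, event, src in result["refused"]:
        print(f"{ts.isoformat()}Z REFUSED user={user} event={event} src={src} (account locked)")
```

Two points the sample data brings out: the window matters (bob's five failures are spread over more than ten minutes, so the first one expires and no lockout fires), and the lockout has to sit in the authentication path, not just in a report, because alice's later correct login must be refused while her account is disabled. Keying the lockout on username alone lets an attacker who knows a login name lock that user out at will; a production rule would also key on source address or use progressive delays.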
Notifications normally go to the customer's point of contact (POC) and others on their team. The Production Engineering and CloudOps teams work together until the incident is resolved and the respective notifications have been sent and acknowledged by the customer team(s).
8.6 Is there a staged environment to reduce risk, e.g. development, test and operational environments, and are they separated?
Yes, staged environments are maintained and, by default, all environments are separated.
8.7 Define the host and network controls employed to protect the systems hosting the applications and information for the end customer.
MetricStream implements measures to protect customer data against viruses, worms, Trojan horses and other harmful code designed to disrupt the orderly operation of, or impair the integrity of, Hosted Data. Endpoint protection is used to ensure that the security of the MetricStream system, the client data and other transmissions through the MetricStream system is not compromised.
8.8 Specify the controls used to protect against malicious code.
MetricStream has well-defined processes in place for detection, prevention and recovery controls against malicious code. MetricStream represents and warrants that it will use commercially reasonable efforts to protect the MetricStream System and the Managed Services against viruses, worms, Trojan horses and other harmful elements designed to disrupt the orderly operation of, or impair the integrity of, Hosted Data, and that it will take commercially reasonable precautions to ensure that the security of the MetricStream System, the Hosted Data and other transmissions through the MetricStream System is not compromised.
8.9 Detail policies and procedures for backup. This should include procedures for the management of removable media and methods for securely destroying media no longer required.
MetricStream has well-defined backup policies and procedures, documented as part of the MetricStream Hosting Application Standard Operating Procedure. By default, the configuration and data of every hosted application are backed up periodically as per the SLA with the customer.
8.10 Detail procedures and controls for management of firewalls. Is the least privilege principle followed?
MetricStream's dedicated CloudOps team manages firewalls according to industry standards and best practices, and the least privilege principle is applied to access.
9.0 Security/ Audit Logs
9.1 Please detail what information is recorded within audit logs.
• For what period is this data retained?
• Is it possible to segment data within audit logs so they can be made available to the end customer and/ or law enforcement without compromising other customers and still be admissible in court?
• What controls are employed to protect logs from unauthorized access or tampering?
• Are logs encrypted? What method is used to check and protect the integrity of audit logs?
Audit logs are maintained as accurately time-stamped audit trails recording what, who, when and why for task creation, editing, modification and deletion. Data is never deleted; it is retained and archived later. Data within the audit logs can be segmented, as reports can be generated to display the audit history in the appropriate views. By default, tamper-proof logs are maintained to protect them from unauthorized access. In addition, logs are encrypted and stored on a centralized server with access limited to authorized users such as client system administrators, and no edit privilege is available for audit log modification.
9.2 How are audit logs reviewed? What recorded events result in action being taken?
Audit logs are reviewed by the CloudOps team; in case of any security incident, a full root-cause analysis and remediation is performed and shared with the customer at the earliest opportunity.
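9.1 asks what method checks the integrity of the audit logs, and the answer says only that the logs are tamper-proof and encrypted. Encryption by itself hides a record but does not prove it was not altered, so an integrity mechanism is a separate requirement. The following is an added example, not MetricStream's implementation, of the construction normally used for that: an append-only log of who/what/when/why records in which each entry carries an HMAC over its own fields and the previous entry's MAC, plus a verifier that reports the first entry whose chain is broken. The record fields follow the FAQ's description; the key handling, JSON encoding, chaining scheme and the three-entry sample log are assumptions made for the example.

```python
"""Tamper-evident audit trail using an HMAC hash chain.

Added example; not MetricStream's implementation. The who/what/when/why
fields follow the FAQ; the key handling, JSON encoding and chaining scheme
are assumptions made for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # the "previous MAC" of the first entry


def canonical(record):
    """Deterministic serialisation so a record always hashes to the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_mac(key, record):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; each entry's MAC covers its fields and the previous MAC."""

    def __init__(self, key):
        self._key = key          # held by the log service, never by the admins being audited
        self.entries = []

    def append(self, who, what, target, why, when):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "when": when, "who": who,
                  "what": what, "target": target, "why": why, "prev": prev}
        mac = entry_mac(self._key, record)
        self.entries.append({**record, "mac": mac})
        return mac               # current head; store it somewhere the log writer cannot reach


def verify(entries, key, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, seq of the first bad entry).

    Catches edited fields, deleted or reordered entries and a wrong key. A log
    cut off at the tail still verifies unless the caller supplies the head MAC
    it recorded out of band (expected_head).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: v for k, v in e.items() if k != "mac"}
        if record.get("seq") != i or record.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(entry_mac(key, record), e["mac"]):
            return False, i
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


def tamper_demo(key=b"constructed-demo-key"):
    """Build a three-entry log (constructed data) and show what verify() catches."""
    log = AuditLog(key)
    log.append("alice", "create", "record/42", "new vendor onboarded", "2014-03-01T09:00:00Z")
    log.append("bob", "edit", "record/42", "corrected address", "2014-03-01T09:05:00Z")
    head = log.append("alice", "delete", "record/43", "duplicate entry", "2014-03-01T09:10:00Z")

    edited = [dict(e) for e in log.entries]
    edited[1]["why"] = "no reason given"           # silent change to one field
    dropped = [log.entries[0], log.entries[2]]      # middle entry removed
    cut = log.entries[:2]                           # tail truncated

    return {
        "intact": verify(log.entries, key, head),
        "edited": verify(edited, key, head),
        "dropped": verify(dropped, key, head),
        "cut_no_anchor": verify(cut, key),
        "cut_with_anchor": verify(cut, key, head),
        "wrong_key": verify(log.entries, b"other-key", head),
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:16} {outcome}")
```

The demo makes the practitioner's caveats concrete. Whoever holds the HMAC key can rewrite the whole chain, so the key must live with the log service and not with the client system administrators who are denied edit rights in 9.1; if the customer needs to verify independently, a digital signature or a key the vendor does not hold is required. And a chain alone does not detect truncation at the tail (the cut_no_anchor case passes), which is why the latest head MAC should be periodically exported to the customer or another party that the log writer cannot modify.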
9.3 What time source is used to synchronize systems and provide accurate audit log time stamping?
Time stamps rely on the system clock, which can be configured to synchronize via Network Time Protocol (NTP).
Contact Us: MetricStream, Inc., 2600 E. Bayshore Road, Palo Alto, CA 94303, USA. | Phone: 650-620-2955 | Email: info@metricstream.com © 2014 MetricStream Inc., All Rights Reserved.