Cloud FAQ
Architecture & Environment | Service Level Agreement | High Availability & Scalability | Backup & Disaster Recovery | Data Security | Network Security
1.8 Has the data center ever had any major power failures and how did the emergency systems perform?
MetricStream's data center partners have never reported any major power failures. All emergency systems are periodically tested.

1.9 Describe the network controls in place to maximize system uptime.
MetricStream's partner data centers maintain multi-homed internet access to reduce single points of failure. They have rich fiber connections to all major carriers, with scalable bandwidth capacity from OC3 to OC192.

1.10 What is the average or expected uptime for the system in %?
MetricStream can support 99.5% system availability.

1.11 Who (employees or contractors of the site) has physical and/or login access to the servers and applications that hold customer data?
MetricStream does not employ contractors. While MetricStream employees manage the Cloud environment, application data cannot be altered, deleted, or retrieved by anyone other than users with appropriate privileges.

1.12 What industry standards has MetricStream adopted for securing application(s) and infrastructure (e.g. OWASP, NIST, ISO, etc.)?
MetricStream applies its software security assurance process as part of its Software Development Life Cycle (SDLC) to design and develop applications. The SDLC helps to ensure that communication and collaboration services are highly secure, even at the foundation level. MetricStream has adopted the OWASP Standard for Web applications.

1.13 Please describe MetricStream's vulnerability assessment process.
AppSec Consulting, Inc., an independent information security firm, is periodically engaged to conduct extensive penetration testing of the application based on PCI standards.

The penetration tests are conducted with the following primary objectives:
- Identify and assess the controls in place to protect against both external and internal threats
- Identify Web application and server configuration vulnerabilities that put sensitive information at risk and impact PCI compliance
- Test the application from the standpoint of unauthorized users attempting to gain access as well as authorized users trying to escalate access
- Provide a detailed risk analysis and remediation advice for each vulnerability identified
- Retest any vulnerability after MetricStream has performed remediation

In addition, in-house penetration testing is also conducted for every major release of the Platform using the Burp Suite (an integrated platform for performing security testing of web applications). During MetricStream's scans, we cover the following key areas:
- Cross Site Scripting
- Excessive privileges for database account
- SQL Injection
- Unsafe attachments may be uploaded
- Session cookie management
- Complete Stack Trace error provided to user
- Reliance on client side input validation
1.14 How does MetricStream update security against emerging cyber security threats?
At MetricStream, security is considered an important aspect throughout the SDLC. The following measures are currently part of the development lifecycle:
- Regular design/architecture review meetings to identify vulnerabilities around user permissions, logins, data privacy and unauthorized accesses
- Multi-level code reviews: peer code review, lead code review and a review by the technical architect (if required)
- Detailed documentation/tech notes are maintained on any findings
- On every major release we ensure that we carry out a security upgrade of all the 3rd party systems and the OS
- For every major release of the platform, penetration tests are performed using the Burp tool and any vulnerability found is addressed in the subsequent release:
  - SQL Injection
  - Cross-Site Scripting (XSS)
  - Path Traversal
  - HTTP Response Splitting
  - Password returned in later response
  - Open redirection
  - Cleartext submission of password
  - Cookie without HttpOnly flag set
  - TRACE method is enabled
  - Directory listing
  - Email addresses disclosed
  - Private IP addresses disclosed
  - Credit card numbers disclosed
  - HTML does not specify charset
  - Content type incorrectly stated
  - Request impersonalization
1.15 Does MetricStream track and report on attempts (both successful and unsuccessful) to access hosted systems?
The MetricStream application tracks the number of attempts at accessing a user account. If desired, a configurable option allows for disabling an account after X number of unsuccessful login attempts.

1.16 What access controls are in place to prevent improper use (such as deleting data, altering data)?
System Administrators can configure Access Controls as follows:
- Feature Access Controls: Features such as digital dashboards, reports, and input forms have access controls and rights that are allocated based on the user.
- Application Access Controls: The application modules (for example, Audits, Document Control, CAPA, Non-Conformance Management) have access controls and rights that are allocated based on the user.
- Data Access Controls: These include Row Level Security and Column Level Security.

Additionally, the MetricStream solution maintains a complete track record of changes, version history, and a detailed audit trail of all activities and changes. The MetricStream solution records all data modifications within the system, including user and system data:
- Any data field change results in an auditable record of who, when, the old value and the new value.
- Data is never deleted from the database, so a full and complete audit trail/history is always available.
- Since this feature is a part of the MetricStream Platform, the system ensures integrity, in that all data changes at the application level are recorded and available for audit purposes.
- Reports can then be generated to display this audit history data in the appropriate views.
- The system provides accurate time-stamped audit trails with what, who, when and why information for task creation, editing, modification, and deletion.

1.17 Can MetricStream restrict user access (data and services) to certain IP addresses?
MetricStream can implement a rule in the firewall to only allow traffic from a pre-defined set of IP address subnets (thereby limiting access to only those users from the customer's internal networks), although this would prevent legitimate users from accessing the services from the internet.
1.18 How is the authentication process controlled and protected?
The MetricStream platform provides multi-layered authentication capabilities such as electronic signatures, passwords, system access through defined IP network ranges, automatic logging off after a period of inactivity, and disabling of user accounts after repeated failed login attempts. All MetricStream applications have configurable rules for passwords, password complexity and expiry, as well as authentication and signoffs at major transactional steps of business process workflows.

Passwords are never stored and/or transmitted in clear text. The minimal security is to store or transmit passwords in a one-way hashed format. The platform also supports stronger encryption algorithms like AES/DES. Bit strength is configurable based on requirement.

When integrated with an LDAP server, the MetricStream platform authenticates user identity against the LDAP server, and does not keep a copy of user passwords in its repository. All user profile information is maintained only on the LDAP server. That way, users do not need to remember multiple passwords and e-signatures. They can also import authorization information from the LDAP server, if required.

The platform also supports integration with Single Sign-On (SSO) infrastructure. Thus, users can use a single password to log in to MetricStream applications as well as other corporate accounts.

1.19 What audit trails and logs are created?
MetricStream's platform records all data modifications within the system, including user and system data. Any data field change results in an auditable record of user, timestamp, the old value and the new value. Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this feature is a part of the MetricStream platform, the system ensures integrity, in that all data changes at the application level are recorded and available for audit purposes. Reports can then be generated to display this audit history data in the appropriate views.

1.20 Can a customer start with the SaaS solution and migrate to on-premise at a later date?
The MetricStream Cloud is the industry's most robust offering. The solution enables companies to get their operations up and running quickly, without requiring extensive internal IT resources. With MetricStream, the transition from on-demand to in-house deployment and vice versa is uniquely seamless, virtually eliminating risk in the solution acquisition process. The entire migration can be completed over a weekend when planned with appropriate systems & software over the two end points.
2.8 Does MetricStream have documented change management procedures in place?
MetricStream's Quality process includes a change management procedure that minimizes the impact to a customer system while it ensures that a customer is aware of any changes being made to the system. As part of the change management procedure, MetricStream can optionally offer and implement a staging system that emulates the production system. This allows MetricStream's support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment. As part of the SLA contract, scheduled maintenance windows are also defined. MetricStream works with its customers to define the maintenance window to match the individual customer's system downtime window for the other systems they use.

2.9 How often are MetricStream customers scheduled down for routine maintenance? For how long?
Typically, maintenance of the system such as patches/upgrades and backups is performed in less than a couple of hours.

2.10 How often are customers down for unscheduled maintenance? For what period of time?
MetricStream strives to minimize downtime as much as possible. Patches can often be applied in a hot-fix mode supported by our architecture. If the system has been down outside the scheduled maintenance window, the system is usually restored within 5 minutes on average after the call is reported to MetricStream's help desk. Our standard SLA provides for credit if the downtime exceeds 4 hours in a month. Note: MetricStream has never encountered a downtime of this duration.

2.11 How does the customer retain access to its data and systems should MetricStream cease to operate?
To provide assurance to customers that they will still be able to use their system and access their data should MetricStream cease to operate, contracts can be created between all parties involved specifically stating that the customer owns the data. If desired, backups of the data and system files can also be provided to the customer on a periodic basis. In addition, the source code for our software can be provided in an escrow account at the customer's cost so that our customers would have access to the complete system and software should MetricStream cease to operate.

2.12 What are the procedures for creating user accounts?
The MetricStream Solution includes an administrative interface that will provide the customer, and any other party it may designate, the capability to add and delete user accounts and associated passwords, as well as define roles, permissions and access rules for each such user account. Such roles, permissions, and access rules may be assigned to individual user accounts or to a customer-defined group of user accounts. The customer can issue and administer Authorized User access and passwords, including additions, deletions and changes in access levels of Authorized Users.
2.13 How are upgrades, patches, releases handled? What is the frequency?
Typically, a release is targeted for every six months, with a major release targeted every 18 months. Service Patches may be released on an as-needed basis depending on the severity of any reported issues.

- Major release (X.0): Significant new functionality, data model changes, app impact. Potential upgrade impact. One major release every year.
- Stabilization Minor Release (X.1): Few significant new features based on X.0 customers' needs. Minor upgrade impact. Six months after major release.
- Intermediate Minor Release (X.5): Some new features for analyst visibility, customer needs & differentiators. Minor upgrade impact. Six months after 1 minor release.

Upgrades are provided at no additional cost beyond the annual support charge, although professional services may be required to implement the upgrade in the customer environment. Changes in a new release are made at the Platform level, and configuration changes made by the customer to their application are usually preserved across releases and/or migration scripts are provided. While the upgrade time may vary based on the particular release and the particular solution implementation, MetricStream typically estimates 1-2 weeks to perform the major upgrades, with the majority of the time spent testing the application to ensure that nothing broke during the upgrade process.

All releases and patches come with comprehensive documentation describing the change(s), its impact, the steps to apply it, and detailed test cases for the issues addressed in the release or patch.

The MetricStream Platform consists of several JAR files as well as platform metadata. The MetricStream application consists of resource files (templates, properties files, etc.) and application metadata. Upgrading the MetricStream Platform does not affect the application resource files and application metadata, thus preserving all customizations. Upgrades of the application are performed by using the IUP (Install Upgrade Patch) tool that migrates resource files as well as application metadata.

The steps involved in upgrading and promoting the application into production include:
- Installation and/or upgrade of the new MetricStream Platform in the test instance
- Installation and/or upgrade of the application module in the test instance
- Installation of any patches specifically required
- Perform User Acceptance Testing and Validation (if required) of the application module on the test instance
- Transition from the test/staging instance to the production instance using the IUP

2.14 How does the customer participate in the upgrade/enhancement process?
As part of any upgrade/enhancement process, the customer usually participates at a minimum by performing the User Acceptance Testing (UAT). This is usually conducted on a separate staging system that emulates the production system and allows our support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment. Upgrades and enhancements are applied to the production environment only after the UAT has been completed and approved by the customer. When an upgrade/enhancement is targeted, the customer is involved in the installation planning, what will be accomplished, the potential impact to any areas of the software, and what will be required from the customer.
3.3 Describe how website availability is monitored.
Website availability is monitored as follows:
- Hosting provider pings for hardware availability
- MetricStream uses third party Alertbot to monitor application availability

The report from Alertbot provides the uptime, response time, and cause of any failure. MetricStream can also set up a manual process to email a periodic report to the Customer.

3.4 Describe any contingency plans should the primary host become unavailable.
All data on the MetricStream Cloud is backed up daily and weekly. All backups are encrypted on a per-customer basis. Additionally, MetricStream also maintains a DR site.

If primary servers become unavailable due to a hardware fault, MetricStream has SLAs in place to ensure components are replaced within 4 hours, and the application can then be restored. The hard drives are RAID5 or better, and such drive failures do not cause application outage. When a complete new server needs to be recreated (application or database), the downtime can be up to two business days. In such cases the RPO is < 24 hours.

If the data center is struck by natural disaster, then MetricStream will restore the application from its DR backup. MetricStream's DR SLA is as follows:
- Recovery Time Objective (RTO): < 1 day
- Recovery Point Objective (RPO): < 6 hours

The MetricStream Cloud can support mission-critical applications with RTO and RPO of 0 hours, if required.
4.7 Does MetricStream have separate backup & disaster recovery locations? How frequently are the recovery procedures tested?
MetricStream maintains multiple co-location providers to provide backup hosting and disaster recovery. By default, MetricStream tests the disaster recovery plan once a quarter to ensure that the backup policies and data are being properly backed up.

4.8 Are backup tapes stored offsite in a secure facility?
Offsite tape backup is offered optionally. If this option is chosen, the tapes would likely be stored by Iron Mountain, a leading provider of tape storage facilities.

4.9 Are backup tapes encrypted?
Backup tapes can be provided and encrypted at additional cost.

4.10 Is the fail-over active/passive or active/active?
This depends on the type of cloud architecture implemented. For the Enterprise OnDemand Offering, fail-over is Active/Passive.

4.11 How is the fail-over implemented?
MetricStream implements a manual fail-over to the DR site.
6.11 Describe how the database is secured.
The database server is never exposed on the Internet. Port hardening is diligently undertaken. For database access, only Port 1521 is open for internal network access. RDP/SSH controlled access is enabled to the servers from internal networks for ongoing maintenance.

6.12 Are internal application middleware interfaces secured?
Internal application middleware interfaces are secured through secure web services and digital signature based integration mechanisms.

6.13 Are network access controls implemented to restrict access from the internet to the application and components to certain ports?
MetricStream uses two layers of firewalls:
- Firewall devices deployed on the network perimeter
- Software firewalls that run on each server that hosts components of the solution

6.14 Does MetricStream have non-Internet facing integrations (e.g. site-to-site VPN)?
For non-internet facing integrations, SSO/SAML is the preferred choice. VPN is optional with added cost.

6.15 Does remote access to the MetricStream network require 2 factor authentication?
No. There is no direct remote access to the production network.

6.16 Is out-of-band management of servers performed?
MetricStream performs out-of-band management by deploying remote access cards.
Contact Us: MetricStream, Inc., 2600 E. Bayshore Road, Palo Alto, CA 94303, USA. | Phone: 650-620-2900 | Email: info@metricstream.com