Cloud FAQ


MetricStream Cloud Frequently Asked Questions

Architecture & Environment
Service Level Agreement
High Availability & Scalability
Backup & Disaster Recovery
Data Security
Network Security

1.0 Architecture & Environment


1.1 Does MetricStream operate its own hosting center?
MetricStream partners with multiple SSAE 16 Type II Audited Tier IV data centers.

1.2 Does MetricStream offer shared or dedicated server environments?
MetricStream does not multi-tenant. To eliminate the potential for co-mingling of data, each customer is provided dedicated servers, helping ensure we meet the compliance & regulatory requirements of industries like Banking, Finance, Insurance, Life sciences, Healthcare, Energy, Utilities, etc.

1.3 What is the minimum and maximum duration for contracting Cloud services?
Typically, we require a three (3) year contract commitment for our hosted services and term licenses, and we are open to discussing maximum terms of five and seven years.

1.4 Describe MetricStream's compliance with various laws, codes and regulations relating to security, privacy and data protection.
The MetricStream Cloud solution and services include robust capabilities for security, access controls, identity management, audit trails, electronic signatures, encryption, authorization and authentication. These cloud capabilities ensure compliance with various international, national and regional regulations on record keeping, privacy, and protection of the quality and integrity of data (such as HIPAA, PCI and 21 CFR Part 11). MetricStream partners with SSAE 16 Type II Audited Tier IV data centers with state-of-the-art infrastructure and services for serving our clients in North and South America, Europe, Asia and Africa. Beyond being widely adopted by small and medium enterprises, even some of the world's largest companies are using the MetricStream Cloud after rigorously testing the security and reliability of our infrastructure.

1.5 What is MetricStream's HIPAA compliance statement?
MetricStream understands that some of its customers that are considered covered entities under HIPAA may transmit or store Protected Health Information (PHI) in connection with the Hosting Services provided by MetricStream. However, MetricStream does not use or access PHI in order to provide the Services. Furthermore, MetricStream is not conducting a function or activity regulated by the Administrative Simplification Rules on behalf of such covered entities. Instead, MetricStream is merely storing PHI data and records using techniques and processes that meet or exceed the requirements of such covered entities. Given the foregoing, MetricStream does not believe that the HIPAA regulations apply in its provision of the Services.

1.6 Describe the physical controls in place for delivering a secured environment, network, and data center.
MetricStream's partner facilities are secured by four layers of physical security: Entry to the data centers is limited to authorized personnel (carrying identification badges) requiring PIN for access. Biometric hand scanners govern access to the offices and data center. The computer data center takes a separate electronic key fob to enter, and servers can be configured in an optional locking rack cabinet. Customer personnel have access to their servers 24x7, but must be escorted at all times unless a colocation suite with separate security precautions is established. All visits are logged. Video surveillance of all ingress and egress, as well as rack activity, is conducted 24x7. All logs are reviewed periodically.

1.7 Describe the power redundancy setup to support the cloud infrastructure.
Data center environmental security includes redundant cooling, power, and fire suppression systems. The data centers are covered by a redundant UPS system and power distribution grid that includes UPS batteries and a gas-powered generator farm that has a 3 day supply of gas and can be refueled during operations. The facilities will never lose power. Air handling systems for the facilities are augmented by N+2 air-conditioning systems to keep over 1000 servers on the floor cool. The data centers are regularly cleaned and maintained to ensure a safe and dust-free environment.

2013 MetricStream Inc., All Rights Reserved.


1.8 Has the data center ever had any major power failures and how did the emergency systems perform?
MetricStream's data center partners have never reported any major power failures. All emergency systems are periodically tested.

1.9 Describe the network controls in place to maximize system uptime.
MetricStream's partner data centers maintain multi-homed internet access to reduce single points of failure. They have rich fiber connections to all major carriers, with scalable bandwidth capacity from OC3 to OC192.

1.10 What is the average or expected up time for the system in %?
MetricStream can support 99.5% system availability.

1.11 Who (employees or contractors of the site) has physical and/or login access to the servers and applications that hold customer data?
MetricStream does not employ contractors. While MetricStream employees manage the Cloud environment, Application data cannot be altered, deleted, or retrieved by anyone other than users with appropriate privileges.

1.12 What industry standards has MetricStream adopted for securing application(s) and infrastructure (e.g. OWASP, NIST, ISO, etc.)?
MetricStream applies its software security assurance process as part of its Software Development Life Cycle, to design and develop applications. The SDLC helps to ensure that communication and collaboration services are highly secure, even at the foundation level. MetricStream has adopted the OWASP Standard for Web applications.

1.13 Please describe MetricStream's vulnerability assessment process.
AppSec Consulting, Inc., an independent information security firm, is periodically engaged to conduct extensive penetration testing of the application based on PCI standards. The penetration tests are conducted with the following primary objectives:
- Identify and assess the controls in place to protect against both external and internal threats
- Identify Web application and server configuration vulnerabilities that put sensitive information at risk and impact PCI compliance
- Test the application from the standpoint of unauthorized users attempting to gain access as well as authorized users trying to escalate access
- Provide a detailed risk analysis and remediation advice for each vulnerability identified
- Retest any vulnerability after MetricStream has performed remediation

In addition, in-house penetration testing is also conducted for every major release of the Platform using the Burp Suite (an integrated platform for performing security testing of web applications). During MetricStream's scans, we cover the following key areas:
- Cross Site Scripting
- Excessive privileges for database account
- SQL Injection
- Unsafe attachments may be uploaded
- Session cookie management
- Complete Stack Trace error provided to user
- Reliance on client side input validation


1.14 How does MetricStream update security against emerging cyber security threats?
At MetricStream, security is considered an important aspect throughout the SDLC. The following measures are currently part of the development lifecycle:
- Regular design/architecture review meetings to identify vulnerabilities around user permissions, logins, data privacy and unauthorized accesses
- Multi-level code reviews: peer code review, lead code review and a review by the technical architect (if required)
- Detailed documentation/tech notes are maintained on any findings
- On every major release we ensure that we carry out a security upgrade of all the 3rd party systems and the OS.

For every major release of the platform, penetration tests are performed using the Burp tool and any vulnerability found is addressed in the subsequent release:
- SQL Injection
- Cross-Site Scripting (XSS)
- Path Traversal
- HTTP Response Splitting
- Password returned in later response
- Open redirection
- Cleartext submission of password
- Cookie without HttpsOnly flag set
- TRACE method is enabled
- Directory listing
- Email addresses disclosed
- Private IP addresses disclosed
- Credit card numbers disclosed
- HTML does not specify charset
- Content type incorrectly stated
- Request impersonalization
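Several entries in the scan lists in 1.13 and 1.14 can be checked passively from a single HTTP response. The following is an added example, not MetricStream or Burp code: a Python checker run over two constructed responses, with all function names and sample data being assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample responses for the demonstration (not captured traffic).
LEAKY = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure\r\n"
    "\r\n"
    "<html><body>Error contacting 10.0.4.17, mail admin@example.com\n"
    "java.lang.NullPointerException\n"
    "\tat com.example.app.Login.doPost(Login.java:42)\n"
    "Card on file: 4111 1111 1111 1111</body></html>"
)
CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Order 1234567890123456 shipped via 8.8.8.8</body></html>"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13 to 19 digits
JAVA_FRAME_RE = re.compile(r"^\s*at [\w.$]+\([\w$]+\.java:\d+\)", re.M)
META_CHARSET_RE = re.compile(r"<meta[^>]+charset", re.I)


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_private_ip(text):
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:      # e.g. 999.1.1.1 is not an address
            continue
        if any(ip in net for net in RFC1918):
            return True
    return False


def has_card_number(text):
    return any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text))


def audit_response(raw):
    """Return the findings, in a fixed order, that one raw response triggers."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    _status, _, header_block = head.partition("\n")
    headers = message_from_string(header_block)
    findings = []

    # HttpOnly keeps client-side script from reading the session cookie.
    for cookie in headers.get_all("Set-Cookie", []):
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("Cookie without HttpOnly flag set")
            break

    if (headers.get_content_type() == "text/html"
            and headers.get_content_charset() is None
            and not META_CHARSET_RE.search(body)):
        findings.append("HTML does not specify charset")
    if has_private_ip(text):
        findings.append("Private IP addresses disclosed")
    if EMAIL_RE.search(text):
        findings.append("Email addresses disclosed")
    if has_card_number(body):
        findings.append("Credit card numbers disclosed")
    if JAVA_FRAME_RE.search(body):
        findings.append("Complete stack trace error provided to user")
    return findings


if __name__ == "__main__":
    for name, sample in (("LEAKY", LEAKY), ("CLEAN", CLEAN)):
        print(name, audit_response(sample))
```

The clean sample contains a 16-digit order number and a public IP address on purpose: the Luhn and RFC 1918 checks keep both from being reported.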

1.15 Does MetricStream track and report on attempts (both successful and unsuccessful) to access hosted systems?
The MetricStream application tracks the number of attempts at accessing a user account. If desired, a configurable option allows for disabling an account after X number of unsuccessful login attempts.

1.16 What access controls are in place to prevent improper use (such as deleting data, altering data)?
System Administrators can configure Access Controls as follows:
- Feature Access Controls: Features such as digital dashboards, reports, and input forms have access controls and rights that are allocated based on the user.
- Application Access Controls: The application modules (for example, Audits, Document Control, CAPA, Non-Conformance Management) have access controls and rights that are allocated based on the user.
- Data Access Controls: These include Row Level Security and Column Level Security.

Additionally, the MetricStream solution maintains a complete track record of changes, version history, and a detailed audit trail of all activities and changes. The MetricStream solution records all data modifications within the system, including user and system data: Any data field change results in an auditable record of who, when, the old value and the new value. Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this feature is a part of the MetricStream Platform, the system ensures integrity, in that all data changes at the application level are recorded and available for audit purposes. Reports can then be generated to display this audit history data in the appropriate views. The system provides accurate time-stamped audit trails with what, who, when and why information for task creation, editing, modification, deletion.

1.17 Can MetricStream restrict user access (data and services) to certain IP addresses?
MetricStream can implement a rule in the firewall to only allow traffic from a pre-defined set of IP address subnets (thereby limiting access to only those users from the customer's internal networks), although this would prevent legitimate users from accessing the services from the internet.


1.18 How is the authentication process controlled and protected?
The MetricStream platform provides multi-layered authentication capabilities such as electronic signatures, passwords, system access through defined IP network ranges, automatic logging off after a period of inactivity, and disabling of user accounts after repeated failed login attempts. All MetricStream applications have configurable rules for passwords, password complexity and expiry, as well as authentication and signoffs at major transactional steps of business process workflows. Passwords are never stored and/or transmitted in clear text. The minimal security is to store or transmit passwords in a one-way hashed format. The platform also supports stronger encryption algorithms like AES/DES. Bit strength is configurable based on requirement. When integrated with an LDAP server, the MetricStream platform authenticates user identity against the LDAP server, and does not keep a copy of user passwords in its repository. All user profile information is maintained only on the LDAP server. That way, users do not need to remember multiple passwords and e-signatures. They can also import authorization information from the LDAP server, if required. The platform also supports integration with Single Sign-On (SSO) infrastructure. Thus, users can use a single password to log in to MetricStream applications as well as other corporate accounts.

1.19 What audit trails and logs are created?
MetricStream's platform records all data modifications within the system, including user and system data. Any data field change results in an auditable record of user, timestamp, the old value and the new value. Data is never deleted from the database, so a full and complete audit trail/history is always available. Since this feature is a part of the MetricStream platform, the system ensures integrity, in that all data changes at the application level are recorded and available for audit purposes. Reports can then be generated to display this audit history data in the appropriate views.

1.20 Can a customer start with the SaaS solution and migrate to on-premise at a later date?
The MetricStream Cloud is the industry's most robust offering. The solution enables companies to get their operations up and running quickly, without requiring extensive internal IT resources. With MetricStream, the transition from on-demand to in-house deployment and vice versa is uniquely seamless, virtually eliminating risk in the solution acquisition process. The entire migration can be completed over a weekend when planned with appropriate systems & software over the two end points.
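The field-level audit trail described in 1.16 and 1.19 (who, when, why, old value and new value, with nothing ever deleted) can be sketched as follows. This is an added example, not MetricStream code: it uses SQLite in place of Oracle, and the table, column and function names are hypothetical.

```python
import sqlite3

SCHEMA = """
CREATE TABLE records (
    id      INTEGER PRIMARY KEY,
    title   TEXT NOT NULL,
    status  TEXT NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0      -- soft delete: rows are never removed
);
CREATE TABLE audit_trail (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    changed_by TEXT NOT NULL,               -- who
    reason     TEXT NOT NULL,               -- why
    row_id     INTEGER NOT NULL,
    field      TEXT NOT NULL,               -- what
    old_value  TEXT,
    new_value  TEXT
);
-- The database itself refuses to rewrite history or drop data.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit_trail is append-only'); END;
CREATE TRIGGER records_no_delete BEFORE DELETE ON records
BEGIN SELECT RAISE(ABORT, 'records are soft-deleted only'); END;
"""
EDITABLE = ("title", "status", "deleted")   # allowlist for dynamic column names


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def change(conn, user, reason, row_id, **fields):
    """Apply field changes and write one audit row per field that changed."""
    unknown = set(fields) - set(EDITABLE)
    if unknown:
        raise ValueError(f"not an editable field: {sorted(unknown)}")
    with conn:  # one transaction: the change and its audit rows commit together
        row = conn.execute(
            "SELECT title, status, deleted FROM records WHERE id = ?", (row_id,)
        ).fetchone()
        if row is None:
            raise KeyError(row_id)
        current = dict(zip(EDITABLE, row))
        written = 0
        for field, new in fields.items():
            old = current[field]
            if old == new:
                continue                    # no change, no audit noise
            conn.execute(f"UPDATE records SET {field} = ? WHERE id = ?", (new, row_id))
            conn.execute(
                "INSERT INTO audit_trail "
                "(changed_by, reason, row_id, field, old_value, new_value) "
                "VALUES (?, ?, ?, ?, ?, ?)",
                (user, reason, row_id, field, str(old), str(new)),
            )
            written += 1
    return written


def soft_delete(conn, user, reason, row_id):
    return change(conn, user, reason, row_id, deleted=1)


def history(conn, row_id):
    return conn.execute(
        "SELECT changed_by, field, old_value, new_value "
        "FROM audit_trail WHERE row_id = ? ORDER BY seq", (row_id,)
    ).fetchall()


def tamper_blocked(conn, sql):
    """True when the database rejects the statement."""
    try:
        with conn:
            conn.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False


def demo():
    conn = open_db()
    with conn:  # constructed sample record
        conn.execute("INSERT INTO records (id, title, status) "
                     "VALUES (1, 'Supplier audit', 'open')")
    change(conn, "alice", "review complete", 1, status="closed")
    change(conn, "bob", "fix title", 1, title="Supplier audit 2013", status="closed")
    soft_delete(conn, "carol", "duplicate entry", 1)
    return conn


if __name__ == "__main__":
    db = demo()
    for entry in history(db, 1):
        print(entry)
    print("history rewrite blocked:", tamper_blocked(db, "DELETE FROM audit_trail"))
```

Putting the append-only rule in triggers means a direct database session hits the same restriction as the application; the acting user's identity is still supplied by the application layer in this sketch.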


2.0 Service Level Agreement


2.1 Does MetricStream monitor the entire solution 24x7x365?
MetricStream works closely with its data center partners to provide 24x7x365 support and monitoring services. Typically, automated monitoring tools poll the system on a periodic basis (usually every 5 minutes) and test such connections as the web server, the J2EE server, the Oracle database, and various parts of the application layer as well. HTTP requests are sent to various parts of the application and the response is monitored. If one of these connections fails, an automated alert message is sent over email and/or pager to the data center's help desk and/or the MetricStream help desk.

2.2 Describe the service level agreement around response time and problem resolution time.
MetricStream provides a Service Level Agreement (SLA) around uptime and problem resolution time, and can include response time of the system (although there will be some dependencies on the customer's network that have to be factored into the contract).

2.3 Does MetricStream provide complete and regular reports on the interaction with the customer, including types of calls, status of issues, and resolution times?
MetricStream offers a web-based customer support portal that is powered by the MetricStream GRC Platform, where customers can log issues, view the status of their open issues, and the current resolution status of those issues. All issues, whether reported via phone, email or the customer support portal, are logged to the same TAR (Technical Action Request) system and are viewable online via customer-specific reports and dashboards. We can also provide these reports manually via preset customer meetings, as well as have these reports automatically emailed to selected users if desired.

2.4 What is the average response and resolution time for problems encountered with the infrastructure; network, operating systems, or data center?
The MetricStream Cloud SLA includes a response time of less than two (2) hours for critical and severe errors. For critical errors, MetricStream will use commercially reasonable efforts, on a twenty-four (24) hour, seven (7) days per week basis, to provide a workaround or error correction for such critical error. For other types of issues, we generally resolve within four (4) hours.

2.5 Describe how technical issues are resolved.
We propose three levels of support. Level 1 is typically provided by the customer. MetricStream's technical staff on its help desk area provides Level 2 support. If the help desk is unable to resolve an issue quickly, it is escalated to Level 3 (the development staff and/or the original professional services staff that worked on the solution), based on the type of issue. If further escalation is required, our CTO is the next path of escalation. If a data center issue is determined to be the cause of the problem, they will contact the data center's help desk, which is 24x7 as well and has a similar escalation process.

2.6 Describe MetricStream's escalation procedure. Are there tiered response layers? What happens at each stage?
MetricStream has a defined escalation procedure. In addition to escalating based on the type of issue, the help desk will escalate issues based on whether a problem remains unresolved for a specific duration. This duration is different based on the severity of the issues, which are classified as critical, severe, moderate and minor. For additional information on our support policies and procedures, please contact us for our support policies and procedures manual.

2.7 Does the MetricStream SLA include provisions for a disaster recovery plan?
MetricStream has included provisions in our SLA for a disaster recovery plan and timeframe. The specifics around the disaster recovery plan are created as part of the SLA contract and are dependent on customer requirements such as standard backups and recovery, hot backup systems, redundant systems, etc.


2.8 Does MetricStream have documented change management procedures in place?
MetricStream's Quality process includes a change management procedure that minimizes the impact to a customer system while it ensures that a customer is aware of any changes being made to the system. As part of the change management procedure, MetricStream can optionally offer and implement a staging system that emulates the production system. This allows MetricStream's support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment. As part of the SLA contract, scheduled maintenance windows are also defined. MetricStream works with its customers to define the maintenance window to match the individual customer's system downtime window for the other systems they use.

2.9 How often are MetricStream customers scheduled down for routine maintenance? For how long?
Typically, maintenance of the system such as patches/upgrades and backups is performed in less than a couple of hours.

2.10 How often are customers down for unscheduled maintenance? For what period of time?
MetricStream strives to minimize downtime as much as possible. Patches can often be applied in a hot-fix mode supported by our architecture. If the system has been down outside the scheduled maintenance window, the system is usually restored within 5 minutes on average after the call is reported to MetricStream's help desk. Our standard SLA provides for credit if the downtime exceeds 4 hours in a month. Note: MetricStream has never encountered a downtime of this duration.

2.11 How does the customer retain access to its data and systems should MetricStream cease to operate?
To provide assurance to customers that they will still be able to use their system and access their data should MetricStream cease to operate, contracts can be created between all parties involved specifically stating that the customer owns the data. If desired, backups of the data and system files can also be provided to the customer on a periodic basis. In addition, the source code for our software can be provided in an escrow account at the customer's cost so that our customers would have access to the complete system and software should MetricStream cease to operate.

2.12 What are the procedures for creating user accounts?
The MetricStream Solution includes an administrative interface that will provide the customer, and any other party it may designate, the capability to add and delete user accounts and associated passwords, as well as define roles, permissions and access rules for each such user account. Such roles, permissions, and access rules may be assigned to individual user accounts or to a customer-defined group of user accounts. The customer can issue and administer Authorized User access and passwords, including additions, deletions and changes in access levels of Authorized Users.


2.13 How are upgrades, patches, releases handled? What is the frequency?
Typically, a release is targeted for every six months, with a major release targeted every 18 months. Service Patches may be released on an as-needed basis depending on the severity of any reported issues.
- Major Release (X.0): Significant new functionality, data model changes, app impact. Potential upgrade impact. One major release every year.
- Stabilization Minor Release (X.1): Few significant new features based on X.0 customers' needs. Minor upgrade impact. Six months after major release.
- Intermediate Minor Release (X.5): Some new features for analyst visibility, customer needs & differentiators. Minor upgrade impact. Six months after 1 minor release.

Upgrades are provided at no additional cost beyond the annual support charge, although professional services may be required to implement the upgrade in the customer environment. Changes in a new release are made at the Platform level, and configuration changes made by the customer to their application are usually preserved across releases and/or migration scripts are provided. While the upgrade time may vary based on the particular release and the particular solution implementation, MetricStream typically estimates 1-2 weeks to perform the major upgrades, with the majority of the time spent testing the application to ensure that nothing broke during the upgrade process. All releases and patches come with comprehensive documentation describing the change(s), its impact, the steps to apply it, and detailed test cases for the issues addressed in the release or patch.

The MetricStream Platform consists of several JAR files as well as platform metadata. The MetricStream application consists of resource files (templates, properties files etc.) and application metadata. Upgrading the MetricStream Platform does not affect the application resource files and application metadata, thus preserving all customizations. Upgrades of the application are performed by using the IUP (Install Upgrade Patch) tool that migrates resource files as well as application metadata. The steps involved in upgrading and promoting the application into production include:
- Installation and/or upgrade of the new MetricStream Platform in the test instance
- Installation and/or upgrade of the application module in the test instance
- Installation of any patches specifically required
- Perform User Acceptance Testing and Validation (if required) of the application module on the test instance
- Transition from the test/staging instance to the production instance using the IUP

2.14 How does the customer participate in the upgrade/enhancement process?
As part of any upgrade/enhancement process, the customer usually participates at a minimum by performing the User Acceptance Testing (UAT). This is usually conducted on a separate staging system that emulates the production system and allows our support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment. Upgrades and enhancements are applied to the production environment only after the UAT has been completed and approved by the customer. When an upgrade/enhancement is targeted, the customer is involved in the installation planning, what will be accomplished, the potential impact to any areas of the software, and what will be required from the customer.


3.0 High Availability & Scalability


3.1 Does MetricStream provide high-availability systems?
MetricStream's solution is a web-based, J2EE n-tier application, using a database, application and web server architecture. Our solutions can run on any hardware and operating systems. High-availability deployment architecture is supported by MetricStream and can be used to provide fail-over capabilities.
- At the presentation and application server layers, MetricStream can be configured in a redundant manner with a hot standby that automatically wakes up and starts accepting requests if the primary servers go down
- At the database layer, MetricStream recommends that it be configured using approaches outlined by Oracle for high availability

3.2 Does the application support load balancing?
Load balancing mechanisms (static and dynamic, hardware and software) are supported by MetricStream. The solution provides both horizontal scalability and vertical scalability to meet growth in number of concurrent users and queries as well as to support growth in volume of data, record and document processing. The exact configuration and setup is jointly determined by the customer's IT department and MetricStream Solution Architects. The MetricStream solution can be configured to run in a clustered load-balanced configuration for scalability and high-availability. Multiple application instances can be run on a single server to provide both application isolation and redundancy. Multiple web servers can also be configured with a load balancer. A typical load-balanced architecture is illustrated in the figure:

[Figure: Load Balanced / High Availability Architecture]


3.3 Describe how website availability is monitored.
Website availability is monitored as follows:
- Hosting provider pings for hardware availability
- MetricStream uses third party Alertbot to monitor application availability
- The report from Alertbot provides the uptime, response time, and cause of any failure.
- MetricStream can also set up a manual process to email a periodic report to the Customer

3.4 Describe any contingency plans should the primary host become unavailable.
All data on the MetricStream Cloud is backed up daily and weekly. All backups are encrypted on a per customer basis. Additionally, MetricStream also maintains a DR site. If primary servers become unavailable due to a hardware fault, MetricStream has SLAs in place to ensure components are replaced within 4 hours and then the application can be subsequently restored. The hard drives are RAID5 or better and such drive failures do not cause application outage. When a complete new server needs to be recreated (application or database), the downtime can be up to two business days. In such cases the RPO is < 24 hours. If the data center is struck by natural disaster, then MetricStream will restore the application from its DR backup. MetricStream's DR SLA is as follows:
- Recovery Time Objective (RTO): < 1 day
- Recovery Point Objective (RPO): < 6 hours

The MetricStream Cloud can support mission-critical applications with RTO and RPO of 0 hours, if required.


4.0 Backup & Disaster Recovery


4.1 Are all the data and documents stored at the hosting facility or through a third party storage area network?
Under our default hosting SLA, the data and documents are stored at the hosting facility on the primary database and application servers, as well as the backup file servers (duplicate copies). In addition, tapes may be periodically made of the backup file servers and stored offsite.

4.2 Is MetricStream capable of archiving historical data that is no longer necessary for day-to-day operations?
MetricStream Cloud has comprehensive data archive and restore capabilities. The MetricStream Cloud supports usage of database functions for archiving and retention of all records and data. It supports auto-archiving and manual archiving options. Using a Rules Engine, users can set up rules / conditions to specify when, whose, which, what type of artifacts / data (full system, partial system, specified system data or file areas) should be archived. IT administrators can specify what type of compressed file formats should be used and the storage location as well. Archiving and purging can be scheduled at desired frequency and time intervals. In addition, customers can archive data such as attachments, but will leave a subset of the data on the system permanently so that they can be used for analysis purposes. Typically, MetricStream's customers store between 5-7 years' worth of data on the server at a minimum before archiving the data and they have not reported any performance degradation so far. Reports can also be set up to analyze the archived data in a separate repository if that is desired.

4.3 What are MetricStream's data retention and destruction policies?
MetricStream ensures full weekly and daily incremental backups of the database and file systems are backed up to a dedicated backup file server. Additional backup options include backing up to a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers. Backup data can also be stored to tape on a frequency as often as every day and stored at an offsite storage center such as Iron Mountain. All of these options are additional services that can be offered by MetricStream. On discontinuing the hosting contract with MetricStream, no data is retained on our infrastructure. We can shred to meet specs ranging from simple one pass to DoD 5220.22-M to the Gutmann algorithm with 35 passes.

4.4 Does MetricStream have a Disaster Recovery plan and facility?
Our Disaster Recovery plan depends on the customer's choice of hosting architecture. Broadly, DR sites range from storage on the AWS Cloud for the basic offering, to a dedicated offsite data center for the premium and enterprise offerings.

4.5 Describe MetricStream's backup and recovery procedures.
This can vary based on specific customer requirements and selected options. By default, full weekly and daily incremental backups of the database and file systems are backed up to a dedicated backup file server. Periodically, a copy of this backup file server is recorded to tape and stored at an off-site location. If a MetricStream System crashes, the hardware will typically be replaced within two hours. After this, the operating system, databases and applications are reloaded, and the database restored to recover the system. Replacement of the hardware and restoration of the data is expected to consume six hours. If desired, Oracle translation logs can also be enabled as an optional service that would allow up-to-minute recovery of the system in cases of system failures. Additional backup options include backing up to a duplicate backup file server at a second backup data center, hot backup servers for the database and application servers, redundant failover servers for instant recovery, and redundant systems at different data centers. Backup data can also be stored to tape. The frequency of storage to an offsite storage center such as Iron Mountain can be as often as every day. All of these options are additional services offered by MetricStream.

4.6 Can MetricStream roll back the entire database (or specific data) to a prior save point?
MetricStream schedules daily backups. The restore can be whole or partial.


4.7 Does MetricStream have separate backup & disaster recovery locations? How frequently are the recovery procedures tested?
MetricStream maintains multiple co-location providers to provide backup hosting and disaster recovery. By default, MetricStream tests the disaster recovery plan once a quarter to ensure that the backup policies and data are being properly backed up.

4.8 Are backup tapes stored offsite in a secure facility?
Offsite Tape backup is offered optionally. If this option is chosen, the tapes would likely be stored by Iron Mountain, a leading provider of tape storage facilities.

4.9 Are backup tapes encrypted?
Backup tapes can be provided and encrypted at additional cost.

4.10 Is the fail-over active/passive or active/active?
This depends on the type of cloud architecture implemented. For the Enterprise OnDemand Offering, fail-over is Active/Passive.

4.11 How is the fail-over implemented?
MetricStream implements a manual fail-over to the DR site.


5.0 Data Security



5.1 If mobile devices are supported, describe the access restrictions. The MetricStream Solution is 100% web-enabled and can be accessed from any internet-enabled web browser. The system can therefore be accessed from a mobile device's browser. No mobile access restrictions apply.

5.2 What types and levels of data encryption are supported? If encryption is used, what type and what key length? The MetricStream platform protects data through advanced encryption functionalities based on encryption algorithms such as AES with 256-bit keys and transport layer protocols including SSL and HTTPS. It also enables companies to build their own specific encryption and decryption plug-ins using industry-standard algorithms such as RSA and PKCS. Data encryption is enabled for both data at rest (database/files) and data in transit:

Data-at-rest encryption: A key feature in the security foundation within the Platform is the provision to encrypt file attachments uploaded to the MetricStream application. Once this functionality has been enabled, the MetricStream Platform provides transparent attachment file encryption while uploading. Subject to role-based authorization controls, when a user downloads the attachment, the file contents will be decrypted as well. File attachment encryption is a critical piece of Data-At-Rest security requirements, especially important for Internet-facing applications. A complete solution for Data-At-Rest security also entails Oracle database encryption leveraging Oracle TDE options available with Oracle Enterprise Edition. SSL in combination with file/database encryption ensures that data in motion (network) and at rest (filesystem/database) is encrypted, thereby safeguarding any sensitive information that flows through the MetricStream application and addressing one of the most important security vulnerabilities with any Internet-facing application.

Data-in-transit encryption: For data in motion, the platform leverages SSL or HTTPS technology for encryption. Therefore, any sensitive information flowing through a MetricStream application is safeguarded, even if the application is Web-based. The MetricStream application proxy server can be specially configured to address regional data security requirements in a distributed setup. It enables file attachments to be flagged as confidential or Client Identifying Data (CID), and stored only in the regional proxy server, not in the distributed or central server. That means that users outside the region will not be able to access the attachments.

5.3 Describe how MetricStream provides Data-encryption-at-rest. In the MetricStream solution, application data is stored in two places. Each has a separate mechanism for Data-encryption-at-rest:

- File attachments uploaded through the application are stored as raw files on the server. These are encrypted using 3DES or a better algorithm when storing on the server.
- Oracle database is enabled with a feature called Transparent Data Encryption (TDE). Using this, all database columns that need encryption are appropriately enabled during the implementation phase. This requires Oracle Enterprise Edition.

5.4 Is authentication information encrypted (e.g. passwords)? For data in motion, the platform leverages SSL or HTTPS technology for encryption.

5.5 Describe the teams and roles that have access (physical/logical) to systems holding customer data. MetricStream will have no access either to server-side components or to the client data of the production environment. However, access to development and testing environments is usually maintained or provided as needed for any support requirements. It is not possible for Customer application data to be altered, deleted or retrieved by anyone other than authorized users.

5.6 How is data segregation managed? Specifically address segregating third parties from seeing internal Customer data and other third parties' data. Each customer's data is on their own server(s). Physical, application, and network security schemes prevent customers from accessing data other than their own. MetricStream employs a number of documented controls to ensure the security and segregation of customer data. These controls provide defense in depth and include data-at-rest encryption, method filtering at the application tier, and data access enforcement at the database tier. This ensures segregating third parties from seeing internal Customer data and other third parties' data.


6.0 Network Security


6.1 What interfaces does customer data have to the outside world (IP addresses, ports, and protocols. For example, HTTPS, XML, upload or download to financial systems)? The MetricStream platform's data integration services consist of powerful and flexible adapters called Infolets that execute periodic (scheduled or on-demand) queries and functions on external systems to extract relevant data. Infolets enable the platform to seamlessly connect to external applications and communicate through appropriate technologies such as SQL, APIs, executable programs, text files, Web Services and XML. MetricStream supports integration with external systems in a configurable fashion, with no source code changes made to the MetricStream GRC Platform. All relevant data can be pushed or pulled in real time or on a scheduled basis between the MetricStream repository and an external system. Customers can also use Secure FTP for batch uploads.

6.2 Which network access methods are employed? MetricStream provides access to its servers over HTTP or HTTPS (SSL 128-bit protocol), based on customer requirements. Access from the application to the database server may be on a separate network, and access to the file backup servers is usually on a separate network.

6.3 What program(s) need to be installed on a user's computer in order to use the MetricStream Application? None. MetricStream's Solution is 100% web-based and can be accessed from any internet-enabled web browser.

6.4 Can the end customer monitor bandwidth usage to the data center? If a customer opts for a dedicated server / database as part of the installation, then bandwidth usage charts can be provided to the customer through a secure login.

6.5 Are firewalls shared across several customers or does each customer have its own firewall? Each customer is provided with a dedicated software firewall.

6.6 Describe the intrusion detection systems in place. MetricStream maintains Intrusion Detection (IDS) at the firewall and software-based Intrusion Detection on the server. Intrusion detection alerts are typically sent over email. A dedicated IDS is optional.

6.7 Describe the mitigation strategies for Distributed Denial of Service (DDoS) attacks. A firewall is configured to protect against intrusions and security attacks. If necessary, the upstream router from the data center can also be configured to protect against DDoS attacks.

6.8 Describe endpoint protection used. MetricStream implements measures to protect customer data against viruses, worms, trojan horses, and other harmful elements designed to disrupt the orderly operation of, or impair the integrity of, Hosted Data. Our endpoint protection ensures that the security of the MetricStream system, the client data, and other transmissions through the MetricStream system is not compromised for any reason.

6.9 Are all components of the architecture secured? Based on customer specifications, all our architectural components can be secured by one of the following technology options: Basic, LDAP connect, or SAML connect.

6.10 Are all components hardened and locked down? The installation/configuration steps will ensure that the system is hardened and locked down. This is done across the deployment stack: Operating System level (file permissions, ports), Java Virtual Machine level (security policies) and Application level authentication & authorization controls.


6.11 Describe how the database is secured. The database server is never exposed on the Internet. Port hardening is diligently undertaken. For database access, only Port 1521 is open for internal network access. RDP/SSH controlled access is enabled to the servers from internal networks for ongoing maintenance.

6.12 Are internal application middleware interfaces secured? Internal application middleware interfaces are secured through secure web services and digital signature based integration mechanisms.

6.13 Are network access controls implemented to restrict access from the internet to the application and components to certain ports? MetricStream uses two layers of firewalls:

- Firewall devices deployed on the network perimeter
- Software firewalls that run on each server that hosts components of the solution

6.14 Does MetricStream have non-Internet facing integrations (e.g. site-to-site VPN)? For non-internet facing integrations, SSO/SAML is the preferred choice. VPN is optional with added cost.

6.15 Does remote access to the MetricStream network require 2 factor authentication? No. There is no direct remote access to the production network.

6.16 Is out-of-band management of servers performed? MetricStream performs out-of-band management by deploying remote access cards.

Contact Us: MetricStream, Inc., 2600 E. Bayshore Road, Palo Alto, CA 94303, USA. | Phone: 650-620-2900 | Email: info@metricstream.com

2013 MetricStream Inc., All Rights Reserved.
