Quality in SAS Solutions OnDemand


WHITE PAPER

Quality in SAS Solutions OnDemand

Providing Quality Analytic Cloud Solutions by Integrating High-Value Analytics, Optimized Infrastructure and the Right Expert at the Right Time

Contents

- Overview
- Quality Management System
- Management Controls
- Communication
- Training
- Continuity of Business Controls
- Information Security Controls
- Data Privacy Controls
- Logical Security Controls
- Personnel Security Controls
- Physical Security Controls
- Supplier Management Controls
- Solution Delivery Controls
- Solutions Delivery Methodology (SDM)
- Software Configuration Management (SCM)
- Data Quality
- Quality Management Methodology (QMM)
- Software Quality Assurance (QA)
- Document Controls
- Change Controls
- Hosting Operations Controls
- Remote Managed Software and Services (RMSS) Installation
- On-Call Support
- Monitoring
- Service-Level Availability
- Patch Management
- Maintenance
- Backup and Restore Procedures
- Media Secure Storage for SAS Data Centers
- Media Handling by IaaS Providers
- Customer Care Controls
- Incident and Problem Management Controls
- Incident Management
- Problem Management
- Awards, Certifications and Quality Notes
- Continual Service Improvement
- SOC 2/SOC 3 Type II Processes and Controls
- TRUSTe Privacy Certification/US-EU and Swiss-US Privacy Shield Certifications
- References

The information contained in this document is considered confidential and covered under the terms of any SAS agreements as executed by customer and SAS Institute Inc.

Overview

SAS Solutions OnDemand provides SAS Cloud Analytics delivered as software as a service (SaaS), results as a service (RaaS), remote managed software and services (RMSS), enterprise hosting, and other cloud analytics support and services for customers worldwide who want to deploy SAS solutions rapidly. The OnDemand team is an international, customer-focused division that integrates quality processes and controls into all areas of its organization. For more than 15 years, SAS Solutions OnDemand has established a successful track record of providing organizations with state-of-the-art outsourced applications, as well as the subject-matter experts to manage them. Although policies, processes and procedures are always evolving, the SAS Solutions OnDemand commitment to quality is constant.

The SAS Cloud Analytics offerings are:

- Based on the industry's leading business analytics.
- Rooted in industry best practices across a wide breadth of domains.
- Backed by a 99 percent uptime warranty for nearly around-the-clock availability for hosted solutions.
- Tailored to a customer's specific requirements.

Quality Management System

A quality management system encompasses the organizational structure, policies, processes, standards, procedures and resources needed to implement quality management. The SAS Solutions OnDemand quality management system (QMS) provides a framework for managing the activities that enable us to create solutions and provide services that consistently satisfy and exceed customer requirements. The QMS promotes a philosophy of continual improvement driven by quality objectives and customer feedback.

The quality of SAS Solutions OnDemand products is maintained through systems of standardization and process control that are described in QMS documents. Activities affecting quality are documented in policies, processes, standards and procedures. Detailed instructions contain appropriate criteria to determine whether tasks are successfully completed.

The QMS framework describes SAS Solutions OnDemand quality control checkpoints across the range of its business, including:

- Management controls.
- Continuity of business controls.
- Information security controls.
- Supplier management controls.
- Solution delivery controls.
- Document controls.
- Change controls.
- Hosting operations controls.
- Customer care controls.
- Incident and problem management controls.

[Figure 1: QMS categories. Diagram labels: Service Strategy, Service Design, Service Transition, Service Operations and Continual Service Improvement, with the control categories listed above placed among them.]

Figure 1 illustrates how these quality control checkpoints operate within SAS Solutions OnDemand.

QMS documents are monitored to assess their effectiveness and to identify opportunities for continual improvement. Monitoring includes assessments such as:

- Internal review of QMS methodologies, policies, standards and processes, often as a result of audit findings.
- Comparison of the QMS against industry best practices or regulatory requirements or both.
- Analysis of quality management metrics.

The results of these assessments are documented and discussed with the QMS board and other senior managers. Decisions are made to update the QMS based on findings and recommendations.

Management Controls

Management communicates quality goals and objectives, reviews and revises the QMS, and provides the resources that are necessary to create and maintain the quality of SAS Solutions OnDemand. Members of SAS Solutions OnDemand senior management serve on the QMS board, along with representatives from SAS IT, SAS Global Information Security (GIS) and SAS Legal groups. QMS board members are responsible for discussing new QMS documents and approving changes, including retirement, to existing QMS documents. SAS Solutions OnDemand management is ultimately responsible for ensuring that the QMS is followed.

Communication

Management is responsible for communicating all additions and changes to the QMS. Effective communication is an essential component of the SAS Solutions OnDemand comprehensive support model. To ensure that quality standards are met, processes and controls are in place that guide how information is shared and distributed, both internally and externally.

SAS Solutions OnDemand assigns a project owner to each customer project to manage communications. The project owner for SAS Solutions OnDemand may be identified as a project manager or technical account manager (TAM), depending on the status of the project. In addition, written communication is facilitated through documentation. All documentation deliverables undergo a comprehensive review process to ensure that they are complete, understandable and appropriate for the audience. (See the Document Controls section on Page 15 for more details.)

Regularly scheduled meetings serve as the primary driver for communicating project activities, status and risks throughout the solutions delivery methodology. SAS Solutions OnDemand project teams also use online tools for issue tracking and document management to easily:

- Collaborate.
- Report issues.
- Manage change.
- Share knowledge.
- Deliver and maintain documentation.

Training

SAS Solutions OnDemand requires that personnel have the necessary training, knowledge and skills to perform their jobs. To meet this requirement, management determines the training courses that personnel who work with SAS Solutions OnDemand must complete. Education and training activities expand the skills and knowledge of individuals so they can effectively and efficiently perform their roles. In addition to corporate educational opportunities, internal training focuses on the SAS Solutions OnDemand policies, processes, standards and procedures.

Regulatory, privacy and security training provide SAS Solutions OnDemand staff with an understanding of the laws, regulations, guidelines and industry requirements that apply to SAS Solutions OnDemand activities. Personnel are required to take all training as new hires. Each year, personnel update their training and attest that they are following policies and procedures.

All internal and external records of training, education and experience are documented and maintained within the corporate learning management system. Training is developed and managed to be specific to SAS Solutions OnDemand activities. The SAS Solutions OnDemand Quality and Compliance teams audit these records annually to ensure conformity with processes. Audit reports are provided to managers who use this information to assist employees in determining their training needs in order to be successful team contributors.

Continuity of Business Controls

SAS maintains a Continuity of Business (COB) program aimed at protecting key SAS assets and continuing critical business functions upon the occurrence of a disruptive incident. The SAS COB Program Office provides a layer of program governance, formalizing roles and responsibilities and standardizing specific activities that include annual plan maintenance and testing, staff training and management reviews. For additional information about the SAS COB program, refer to sas.com/content/dam/sas/en_us/doc/other1/continuity-of-business.pdf.

SAS Solutions OnDemand, which is considered a critical function under the SAS COB program, has a business resumption plan that provides a framework for managing the overall process for SAS Solutions OnDemand to return to normal, day-to-day operations. The focal point of the SAS Solutions OnDemand Business Resumption (BR) plan is providing customer communications support to restore the services upon which customers depend.

Key SAS Solutions OnDemand COB activities that are completed annually include:

- Business impact analysis (review and update).
- BR plan maintenance (review and update).
- Staff training.
- Multiple testing activities, including global call tree and scenario testing.
- Executive management review.

SAS Solutions OnDemand customers have the option to purchase enhanced Disaster Recovery Planning Services (DRPS) to define specific recovery requirements.

For RMSS implementations, the COB program and policies are the responsibility of the customer. SAS Solutions OnDemand can cater to the customer's design to supplement the availability of the software once the prerequisite infrastructure is established.

Information Security Controls

Data Privacy Controls

SAS Solutions OnDemand treats hosted customer content in accordance with the SAS Code of Ethics, SAS Solutions OnDemand Business Customer Privacy Policy, the SAS Solutions OnDemand Data Classification and Handling Policy (DCHP), the SAS Use and Disclosure of Confidential and Proprietary Information Policy and any relevant agreements between hosted customers and SAS Solutions OnDemand. Hosted content is treated as confidential and is made available only to authorized SAS personnel who require access to this information in the performance of their duties.

Hosted content and associated computer or information assets must be protected and are not to be used, disclosed or accessed by SAS or its third-party suppliers or subcontractor personnel other than as required to perform the hosting services in accordance with the following:

- Customer agreements.
- As otherwise authorized by SAS customers.
- As required to comply with legally mandated reporting, disclosure or other legal process requirements.

Confidential information that resides within the SAS Solutions OnDemand hosting instance (dedicated to one customer) is kept logically separate from hosting instances of other customers unless otherwise defined in applicable agreements or hosted solution requirements. The SAS Solutions OnDemand hosted environment controls access to confidential information by user ID and password and only grants access to authorized individuals.

For RMSS engagements, customers may also request that SAS and its personnel adhere to the customer's own data privacy controls and policies, and/or undergo customer-sponsored training. The SAS Solutions OnDemand project manager or TAM is responsible for managing compliance with any such requests.

Logical Security Controls

SAS system administrators take the following measures to protect the SAS Solutions OnDemand hosting environment from all known threats such as malware, viruses and unauthorized access:

- SAS manages firewalls and software-defined firewall functionality according to industry standards to prevent unauthorized access, disclosure, loss, misuse or theft of company information. Firewalls within the SAS data centers are located at the ingress and egress points in the customer environment. These devices are installed in redundant pairs and have implicit deny-all rules at the end of rule sets. Customer-hosted solutions are segmented and use firewall rules to control access to and from other environments. Access is controlled using access control lists (ACLs) to prevent unauthorized hosts from connecting to these devices.
- For infrastructure as a service (IaaS) providers, such as Amazon Web Services (AWS), firewall functionality is employed using industry standards to ensure secure, private networks within the public cloud. In AWS, a combination of security groups, subnets, VPCs and network ACLs is employed to provide equal, or better, security than physical firewalls.
- SAS IT hosting uses additional network security devices such as an intrusion detection/prevention system (IDS/IPS) to complement the firewalls and provide additional security. The IPS provides the ability to monitor, detect and block malicious traffic based on signatures, security intelligence feeds, anomalies or geographic location.
- Within IaaS networks, additional security tools may be deployed as well, depending on the environment. These additional security tools provide further visibility into the environments and allow SAS to monitor, detect and block malicious traffic based on signatures, security intelligence feeds, anomalies or geographic location.
- SAS Solutions OnDemand offers multiple methods for reliable, secure electronic file transfer, including FTP over SSL (FTP/S), Secure File Transfer Protocol (SFTP) and Hypertext Transfer Protocol Secure (HTTPS). These methods ensure that files are encrypted in transit as they are moved from their source location to the destination customer environment, and they have the benefit of simple auditability.
- Systems are hardened to ensure that no unnecessary services are exposed, and default device settings are changed to establish baseline configurations.
- All systems with a Microsoft operating system are configured with anti-virus software.
- Patches are maintained and applied by supported tools designed to facilitate patch management and tracking, where applicable.

To prevent unauthorized access to the SAS Solutions OnDemand hosting environment, all access is approved in advance, logged and recorded. Access levels are reviewed periodically (quarterly for elevated privileges). Access must be made through secure connections to ensure that no passwords are sent unencrypted over unsecure networks.

To protect customer data from unauthorized download or loss, SAS Solutions OnDemand deploys data loss prevention (DLP) software in its US and certain other international offices on SAS end-client machines with access to hosting environments. The DLP software monitors data traffic and sends alerts when a potential violation of the Data Classification and Handling Policy is detected.

SAS Solutions OnDemand uses two-factor authentication for appropriate SAS staff and SAS subcontractor access to systems hosted at the primary SAS data center and IaaS environment if required by regulation or customer contract. Two-factor authentication may also be required for SAS staff and subcontractors to access hosted customer websites and other services in the same network, with the exception of access to internet-facing services. Two-factor authentication is not required for customer access to solutions.

On an annual basis, SAS engages a qualified, independent third party to perform a penetration test of its network. A letter of attestation regarding the results of the penetration test can be provided upon a customer's request.

SAS GIS performs or coordinates third-party firms for required penetration testing. SAS GIS also evaluates individual application security vulnerabilities for risk, including likelihood and impact of exploitation, when providing guidance on vulnerability remediation after a penetration test is completed. The frequency of risk assessment, penetration testing or both, for any given application is driven by regulatory, contractual and policy requirements.

In addition, SAS performs automated vulnerability scans of all internet-exposed assets on the SAS global perimeter every two weeks. Confirmed critical vulnerabilities detected during automated scans generate a record in the incident management system. Incident records are automatically assigned to SAS GIS, which then works with the appropriate teams to remediate the issue.

For all RMSS implementations, the customer implements all logical security controls and provides SAS with access to the environment based on these controls. No customer data or other content is stored at the SAS data center.

Personnel Security Controls

Logical access to a SAS Solutions OnDemand hosting instance and SAS Solutions OnDemand gateway servers for RMSS implementations is available to users after successful completion of a multistep approval process. Only then can a user access the hosting instance with the use of unique credentials. Each user is assigned a unique user ID and password that must be changed regularly. All initial passwords that are supplied by SAS require that the password be changed through a secure web interface at first use. All passwords must be at least eight characters long and meet three of four complexity rules. In addition, a history of 24 passwords is kept to prevent reuse of those passwords.

Security policies and standards are documented in SAS Solutions OnDemand & IT Hosting Policies and Processes, which is updated annually. SAS requires that personnel with access to the SAS Solutions OnDemand hosting environment and access to gateways supporting remote customer environments receive training on the policies and processes that apply to the hosting environment. Personnel are required to take this training as new hires, and annually thereafter, and are also required to attest that they understand and will follow these policies and processes.

Access, performance and relationship management for SAS Solutions OnDemand third-party suppliers are controlled by a formal SAS Solutions OnDemand Supplier Qualification and Management program. Refer to Supplier Management Controls on Page 8 for details.

For RMSS implementations, SAS Solutions OnDemand immediately communicates SAS personnel departure to the customer so that timely revocation of access can occur, as appropriate.

Physical Security Controls

SAS data centers are secured using industry-approved and accepted physical safeguards. All data centers are housed in nondescript facilities. Physical access is controlled at the perimeter and at building ingress points by security staff using badge access, video surveillance, intrusion detection systems and/or other electronic means that are appropriate to the data center location. All visitors are required to present identification and are signed in and escorted by authorized staff.

Access to the SAS campus and the buildings that house the primary SAS data center at SAS world headquarters in Cary, NC, is controlled by SAS security personnel, badge readers and access control policies. Additional security authorization procedures limit physical access to the SAS data center and the SAS Solutions OnDemand hosting rooms.

Access to the SAS data center and SAS Solutions OnDemand hosting rooms is restricted to authorized employees and subcontractors that support maintenance agreements for hardware, software, escorted cleaning crews and business partners that support specific business operations. Data center management is responsible for authorizing physical access to the IT data centers following management approval. Records are maintained of who has a badge, and all spare badges are inventoried and secured. The SAS data center management group is responsible for authorizing and reviewing physical access on a monthly basis.

Badge readers are located at each entry point to hosting rooms, and badges must be worn and visible at all times within the SAS data center. The SAS Solutions OnDemand environment requires additional badge readers and personal identification number (PIN) codes.

For RMSS implementations, physical security controls are typically the sole responsibility of the customer.

See the Hosting Operations Controls section on Page 17 for information on global data centers that are located outside SAS world headquarters.

Supplier Management Controls

SAS Solutions OnDemand maintains a Supplier Qualification and Management program that includes initial evaluation, approval, disapproval, continual improvement and management of the supplier base. All products and services purchased for SAS Solutions OnDemand are obtained from suppliers that maintain an acceptable risk rating. A supplier's risk rating is a function of:

- On-time delivery.
- Acceptable quality of components and material at delivery.
- Responsiveness to corrective and preventive action requests.
- Supplier risk assessment.
- Supplier assessment questionnaire.
- On-site audit (as needed).

Suppliers are assessed on a regular, ongoing basis, at minimum every two years, based on risk, performance and ongoing need. Suppliers who fail to maintain acceptable risk ratings are consulted on the system elements necessary to maintain the status of Approved Supplier. Suppliers that consistently fail to maintain an acceptable quality rating are disapproved as suppliers to SAS Solutions OnDemand.

Solution Delivery Controls

The software delivery life cycle for an enterprise-hosted solution, SaaS solution, RaaS solution or RMSS implementation is divided into distinct phases: definition, design, build, test, implementation and closeout/maintain. SAS Solutions OnDemand staff use the solution delivery controls described in this section to ensure quality within all deployed hosted solutions.

Solutions Delivery Methodology (SDM)

The SAS Solutions OnDemand Solution Delivery Methodology (SDM) provides guidance for planning and managing SAS projects throughout the project life cycle. The SDM methodology enables all participants to contribute their skills to the solutions provided to customers. Rigorous, scalable processes help ensure effective planning and execution across all customer projects. Lessons learned continually update and improve this methodology.

The SDM provides guidance for developing custom enterprise-hosted, SaaS solutions and RaaS solutions by forming a common foundation to build new solutions and to support its drive toward repeatable engagements.

SAS Solutions OnDemand follows a patented, value-driven approach for analytic delivery (US Patent # US 8,887,128 B2). Collection, management and organization of data assets of an organization are key to successful decision-support system implementations. This approach is usually coupled with business analytics and includes, but is not limited to, analysis, querying, reporting and presentation needs. This method also includes tailored security controls that meet the needs of SAS Solutions OnDemand's regulated customers.

[Figure 2: Analytic Delivery Approach (US Patent #: US 8,887,128 B2). Panel titles: Project Initialization; Requirements and Discovery; Iterative Design; Production Design and Build; Ongoing Support. Legend: SAS Team, SAS Administration and IT System Administrators, SAS Tech Developers, SAS Analysts, SAS ETL Resources, SAS Technical Lead, Customer.]

The SDM incorporates processes for developing analytical models to understand and explain relationships that exist within large amounts of data. These models provide organizations with knowledge to help solve a wide range of business problems, such as reducing customer churn ratio, increasing direct marketing response rates, providing risk assessment accuracy, detecting fraud/waste/abuse, scoring credit card transactions and performing market basket analysis, among others.

Software Configuration Management (SCM)

The Software Configuration Management (SCM) process for SAS Solutions OnDemand projects involves establishing a baseline, as well as tracking and controlling changes made to the software that is implemented for SAS Solutions OnDemand customers. SCM incorporates a set of activities that are designed to control changes by:

- Identifying configuration types, configuration items and baselines.
- Identifying the items that have planned changes or are likely to change.
- Establishing relationships among configuration types and items.
- Defining mechanisms for managing different versions of these items.
- Auditing and reporting on the changes made to configuration items.

This process applies to all software items delivered as a part of enterprise-hosted solutions, SaaS solutions, RaaS solutions or RMSS solutions (according to the contract), including each item used to build, maintain and report upon components.

SAS Solutions OnDemand source code is maintained in a source management system during the development, quality assurance (QA) and production phases of a project. For RMSS implementations, SAS Solutions OnDemand works with customers to select a mutually agreed-upon source control platform and promotion policy.

Release management activities are conducted by a release manager as appropriate to:

- Control release of fixes, changes and features to testing or production environments.
- Communicate details of the release.

The quality lead for the project periodically conducts an audit to verify that the production versions of all items are consistent with approved requests for change through an audit process. Audits may involve a review of all items or a sampling of items in a particular repository. As appropriate, the quality lead may perform periodic spot checks to verify that only authorized changes were made in the last 24-hour period.

Data Quality

If requested and within the scope of the project, automated data quality processes are built into hosted solutions. These provide a foundation for profiling data sources, identifying data issues and designing processes and programs that address those data issues.

The monitor component of the data quality package provides the ability to extend data quality processes beyond traditional project-based application, and ensures the accuracy and reliability of information sources over time. Monitoring may include simple data profiling trend analysis, or it may include specific, complex business rule analysis. By implementing rules that define acceptable data quality values, monitoring can be used to automatically identify records that violate quality standards and alert users of the violations.

Monitoring allows the team to take action well before the data anomaly affects business decisions, processes or projects, and thus improves data quality over time.

Project Management Methodology (PMM)

The SAS Solutions OnDemand Project Management Methodology uses the following five basic processes to support effective project management:

- Initiating. These processes authorize the project or phase.
- Planning. These processes define and refine objectives, and select the best alternative course of action to attain the project objectives.
- Executing. These processes coordinate people and other resources to carry out the plan.
- Controlling. These processes ensure that the project objectives are met by monitoring and measuring progress regularly to identify variances from plan so that corrective action can be taken when necessary.
- Transitioning. These processes are needed for projects that require ongoing operational support or are being closed out:
  - Projects requiring managed services during the operational phase (postimplementation) are transitioned to the SAS Solutions OnDemand Managed Services team and/or SAS Technical Support. Managed services include the day-to-day management of the SAS solution to ensure stable and efficient business continuity.
  - Projects that have reached the end of a significant phase or have completed implementation go through a formalized acceptance process of the project or phase to conclude in an orderly manner.

Quality Management Methodology (QMM)

Quality management activities are part of every stage of software development. They include preparation of test plans and test cases, adherence to standards through reviews or inspections, procedures for error reporting and tracking, and proper management of documentation. These activities provide many benefits including, but not limited to:

- Program management guidelines and processes govern project implementations so that they are disciplined, well managed and consistent.
- Formal quality control reviews throughout the development process assist in problem prevention.
- Testing activities during every stage of development aid in problem detection.
- Development of standards and a solutions delivery methodology contribute to quality and consistency.
- Documented procedures ensure compliance with standards.

Software Quality Assurance (QA)

All hosted solutions that include custom software components undergo a rigorous quality assurance process throughout the solutions delivery methodology as illustrated in Figure 3. The quality assurance process follows the Quality Management Methodology as discussed in SAS Solutions OnDemand's Quality Management Methodology (QMM) documentation. QMM activities include the following steps:

- Develop a quality plan that defines the quality tasks to be performed.
- Develop a test plan that provides additional detail about testing activities, which include:
  - Describing the type of testing that is chosen.
  - Specifying the testing environment and test data.
  - Defining the features to be tested.
  - Providing traceability to customer requirements.
  - Identifying business or technical risks or both.
  - Describing defect tracking.
- Execute multiple software testing activities, including:
  - Installation testing. Installation testing is performed by SAS administrators as part of their standard process to verify that out-of-the-box SAS software is installed properly.
  - Deployment testing. Deployment testing is performed by SAS QA prior to releasing a new customer environment. The testing is conducted in the same environment that is to be released to the customer. This testing takes place before the creation of any additional software created by SAS for customized data load or analysis or both.
  - Unit testing. This is the first testing event that occurs during project development. This testing begins after a single program module has been developed and continues while the program is under modification.
  - Integration testing (as appropriate). This testing focuses on the relationship between pairs of components and groups of components within the system that is under test.
  - Data load testing. Maintaining the integrity and accuracy of a data warehouse requires specific processes whose primary purpose is to verify at key points in the extract, transform and load process that data is complete and in balance. Separate test scripts and cases are needed to ensure these processes function correctly. These tests are typically part of integration and system test plans, but might be documented as a separate test plan, if needed.
  - Performance (load) testing. Some projects might require separate test plans for the performance features of their system, if the performance requirements are lengthy or complex. This type of testing could involve recording certain measures of performance under various conditions of data volume, concurrent users or transaction types. Special software or system resources may be required to test performance adequately. SAS or the customer conducts any needed performance testing to verify performance requirements are met.
  - Peer reviews. Reviews are completed by a peer or colleague developer following completion of program coding. SAS uses peer reviews to verify the correctness and completeness of SAS software before any actual testing takes place.
  - Security testing. In situations where security measures are required, special tests of only the security components may be performed to verify that requirements have been met. Security testing focuses on the preservation of information, where:

    - Confidentiality ensures accessibility only to those authorized to have access.
    - Integrity safeguards the accuracy and completeness of information and processing methods.
    - Availability ensures access for authorized users to information and associated assets when required.
    Note: Information on SAS security assurance is available at: company-information/security.html.
  - System verification. System testing represents the final set of tests performed before SAS delivers a system, to assure that the application opens with all basic functionality intact before being released to the customer. A system test ensures that all components are tested together.
  - User acceptance testing (UAT). This testing verifies that the system meets all stated business requirements and design specifications, as defined by the customer and agreed to by SAS. The customer defines, manages and conducts all UAT activities, including the documentation of UAT plans and results, unless otherwise specified in the contract. UAT is performed in a customer location (environment) that is agreed upon by SAS and the customer. During UAT, the customer records identified problems. The customer works with SAS to determine issue priorities and timing for resolution.

Figure 3: Quality control inspection points.

Testing activities shown in the figure, with their documents and who performs them, when and why:

- Quality Plan. Who: QA/PM/Tech Lead. When: Solution Def. Phase. Why: Identify Testing Objectives and Inspection Points.
- Code Unit Test (Test Case Specification (Unit Testing)). Who: Developer. When: Program Completion. Why: Validate Program Logic.
- Code Review (Code Walkthrough). Who: Developer/Peer Developer. When: After Coding/Unit Test. Why: Determine Code Defects/Optimize Code/Tune.
- Integration Test (Integration Test Plan, Test Case Specification). Who: QA/PM/Tech Lead/Developer. When: Completion of Modules/Subsystem. Why: Verify Integration of Program Modules.
- System Test (System Test Plan, Test Case Specification). Who: QA/PM/Tech Lead/Developer. When: Completion of All Modules/Subsystem. Why: Ensure System Is Stable and Ready for Customer Use.
- User Acceptance Test (User Acceptance Test Plan, Test Case Specification). Who: Project Manager/Tech Lead. When: Development of All Modules/Subsystems Completed. Why: Validate Requirements and Ensure System Satisfies Critical Success Factors.

Remaining labels in the figure: phases (Requirements Phase, Design Phase, Build Phase, Testing Phase); Quality Control Inspection Points (Systems Requirement Review, Data Quality, Design Review, Code Walkthrough, Software Testing Review); QA (Data Quality, System Design, Data Model, Unit Testing, Code Review, Integration Testing, System Testing, Change Controls, UAT).

SAS provides support to customers during UAT by performing the following tasks:

- Providing the customer with the SAS Solutions OnDemand Quality Assurance documentation (quality and test plans, test scripts, logs, output, workbooks and more).
- Providing the customer with SAS Quality Assurance templates for test plans, workbooks and more.
- Training the customer on using the SAS Solutions OnDemand tracking system to monitor issues and create UAT reports.
- Investigating problems that are identified during UAT and fixing them, as appropriate.
- Testing fixes for problems that are identified during UAT.

When SAS resolves the problems identified by the customer during the testing period, and the customer has verified the fixes are satisfactory, then UAT is concluded.

- Conduct quality control inspections to validate that project deliverables and review cycles have been completed. These inspections are described below:
  - Code walkthroughs and reviews monitor compliance with development methodologies and standards.
  - A system requirements review involves an evaluation of the system requirements specification provided by the customer.
  - A system design review involves an evaluation of a series of design documents that collectively define the complete solution for meeting customer requirements.
  - A test results review is conducted at the conclusion of each type of testing. This review evaluates the results to ensure that all testing was completed as planned.
- Implement automated monitoring and scheduled QA checks after a project moves to production to ensure the following:
  - Service-level agreement (SLA) obligations are met.
  - The system is functioning as expected.
  - Data loads are completed as expected.

Problem reporting during testing ensures all testing-related issues and defects are managed in a consistent and effective manner. This includes the recording, tracking and disposition of system issues and defects. SAS Solutions OnDemand maintains a change management process that provides the following capabilities:

- Records defect information.
- Establishes severity and priority.
- Assigns responsibility for resolution.
- Records expected completion date for resolution.
- Tracks ongoing status.
- Provides notification on defect status.
- Documents the resolution.

Defects are recorded as soon as practicable after discovery. Technical leads assign defects to application developers for resolution. Quality assurance and development resources meet on a regular basis to review and assign priority and severity for each new defect, review the status of each unresolved defect and determine additional testing needed after a defect is corrected. Quality assurance resources also work with developers to help identify the root causes.

A final disposition of reported defects is made before the system under test is certified for release to production. SAS and the customer project and program management teams review test results and defect disposition and provide final approval for release to production.

QA metric reports are available that provide graphical representation of defects and test cases over time, as well as summary listings that provide one row per defect with a textual summary of the defect.

The QMM lists several strategies for writing test cases with the highest probability of detecting the most errors, including, but not limited to:

- Black-box testing and white-box testing.
- Performance testing.
- Security testing.
- Data load testing.

Document Controls

In order to ensure consistency and efficiency in documentation, SAS Solutions OnDemand has established, defined and controlled:

- Methodologies.
- Policies.
- Standards.
- Processes.
- Procedures.
- Guidelines.
- Plans.
- Templates.

Document controls exist to ensure consistency in document templates, documentation structure and content, naming conventions and version control. All documents follow an iterative document development cycle, which includes:

1. Document setup and initial development.
2. Document internal review.
3. Document delivery.
4. Document revision.
5. Document finalization and acceptance.
6. Document archive and removal.

Change Controls

The change management process identifies, measures and controls the addition, modification or removal of hardware, software, processes and other IT services. Controlling the life cycle of all changes minimizes the risk of disruption to IT services. The objectives of change management include:

- Responding to customers' changing business requirements while maximizing value and reducing incidents, disruption and rework.
- Responding to the business and IT requests for change that align the services with the business needs.
- Ensuring that changes are recorded and evaluated, and that authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner.
- Ensuring that all changes to configuration items (CIs) are recorded in a configuration management database (CMDB) as applicable.

RMSS engagements typically require the use of the customer's change management system.

Customers or SAS can request changes based on required functionality or maintenance of the hosted environment for the following categories, as applicable:

- Application.
- Database.
- Operating system.
- Hardware.
- Infrastructure.
- Software-defined infrastructure.

The change requestor initiates the change management process in the appropriate system. The change requestor's responsibilities include the following, when appropriate:

- Identify the business, service or technical need for change.
- Propose the change solution in business or technical terms, when appropriate.
- Propose a date by which the change will be implemented.
- Identify the affected, known parties that need to be notified.
- Submit change request tickets for approvals.

Changes are typically classified according to risk and impact, as described below:

- Standard changes are low-risk, occur on a frequent basis, are adequately documented and are typically pre-approved (e.g., a password reset or reboot of servers during the scheduled monthly maintenance activities). New requests for designating a standard change are submitted through the appropriate ticketing system.

- An emergency change is usually executed during an incident to:
  - Ensure SLA requirements are met.
  - Resolve issues negatively affecting the use of the system not resulting in SLA violations.
  - Ensure appropriate security of the hosted solution.
  Emergency changes are completed during non-peak hours, if possible. Advance approval is not required for emergency changes. Instead, approvals are captured retroactively, as appropriate, within a prompt timeframe.
- A normal change has defined risk that requires documentation and advance approval.

When appropriate, SAS Solutions OnDemand project owners perform the following change management activities:

- Inform customers of changes that might affect hosting instances and their associated risks.
- Evaluate change requests on a per-customer contract basis with project and customer personnel.
- Ensure that changes are tracked and documented with required information.

After the change is reviewed for completeness and approved, the change implementer executes the change based on the information in the change request. SAS IT or SAS Solutions OnDemand personnel test/verify that the change is successful, as appropriate, and ensure it is properly documented in the CMDB, change management or ticketing system(s). RMSS engagements typically require the use of the customer's change management processes and system.

Hosting Operations Controls

In addition to the primary SAS data center located at SAS world headquarters in Cary, NC, SAS uses other data centers that are strategically located around the world to support SAS Solutions OnDemand customers. Those data centers are operated in partnership with established third parties. These providers are qualified through SAS Supplier Management Program and maintain relevant certifications (e.g., ISO or SOC 2/3), as appropriate. Global data centers maintain certifications, policies and standards that vary by location.

To ensure the integrity of the hosted solutions, hosting controls are in place for software installation, on-call support, monitoring, service-level availability, patch management, maintenance, media secure storage, and data backup and restore procedures. SAS security and compliance resources review and assess hosting controls to ensure effectiveness. From the customer contracting process through the implementation and maintenance of the hosted or RMSS solution, these groups provide guidance regarding the policies, standards and practices implemented by SAS Solutions OnDemand. In addition to the day-to-day operations, these resources facilitate continual improvement through programs such as supplier audits, risk assessment documentation reviews and hosting customer audits.

Remote Managed Software and Services (RMSS)

For RMSS implementations, customers provide all necessary infrastructure to operate and maintain the system in the customer's data center, including, but not limited to:

- Servers.
- Operating system.
- Storage.
- Required third-party software, including databases, tape drives, off-site storage, power, uninterruptible power systems (UPS) protection, physical and firewall security, environmental considerations (AC) and fire suppression.

In addition, customers are responsible for:

- Providing all support and ongoing maintenance of hardware and associated operating system software.
- Allowing the installation and ongoing operation of SAS application monitoring software on the customer's hardware.
- Providing regularly scheduled backups.
- Enabling network connectivity and configuration between the customer and SAS.

Installation

For each hosted application instance or RMSS implementation, standardized installation procedures are performed according to a documented plan to install and verify that the SAS Solutions OnDemand system is:

- Delivered for the intended purpose.
- Fully operational.

After the installation and verification procedures are completed, the system is declared ready for production. Following formal approval, the new customer instance is promoted to production. Monitoring begins to:

- Ensure compliance with the SLA.
- Provide alerts to SAS Solutions OnDemand on-call staff.

At this point, formal event, incident, problem and change management processes are followed. These processes align with industry best practices for production systems.

On-Call Support

All new hosting instances require a support model, which defines appropriate support teams and on-call rotation groups according to the customer, contractual requirements and the RMSS connectivity method. These teams monitor and provide support after SAS Hosting Operations places the new instance into production status. The designated on-call group is then responsible for the primary support of the environment. SAS production monitoring ensures that automated notifications are sent to the appropriate staff member during an event.

Monitoring

SAS teams, as appropriate, maintain systems that detect anomalies or malicious, unauthorized activities within network device and server systems using active and passive network monitoring devices. These devices assist with detecting potential network-based logical intrusions. SAS uses applications that run on the servers to monitor server health. The monitored components can include metrics of server and solution availability, such as:

- Server uptime in days.
- Disk usage per file system.
- Database operational/listener status.
- Recent list of user IDs that last logged onto server.
- List of user IDs that are currently logged onto the server.
- Network interface status.
- List of processes currently running.
- Total disk usage.
- Completion of successful backups.
- CPU specifications.
- Memory utilization.

Monitoring alerts are sent to SAS CMDB to be forwarded to the appropriate on-call group for triage and resolution. SAS Solutions OnDemand also performs enhanced monitoring, as appropriate, to confirm the effective operation of hosted applications. Checks, which must be nonintrusive, involve navigation and key functionality according to role for each applicable environment.

Service-Level Availability

SAS Solutions OnDemand measures monthly service-level availability as the amount of time (excluding scheduled maintenance) that hosting services are available as defined in the applicable customer agreement. SAS Solutions OnDemand contracts typically provide 99 percent SLA, unless otherwise negotiated in the customer contract. SAS Solutions OnDemand uses standard templates that define the alerts and the rules related to the hosted infrastructure entities. SAS Solutions OnDemand works with individual service owners to configure SAS Solutions OnDemand hosting systems and forward all monitoring alerts to the SAS IT Service Management system.

Patch Management

SAS Solutions OnDemand patches servers as quickly as possible for critical vulnerabilities based on a risk assessment. The timing of the application of the patches depends on the security vulnerability, the assessed business and technical risk, and how quickly an outage can be scheduled, if required. The need to implement a patch is formally communicated to the customer by the SAS Solutions OnDemand project manager or TAM. Implementation of the patch is also tracked, including the specification of which customer-hosted servers and services are affected, as well as the scheduling of any required outages.

SAS GIS assesses the criticality of client and server operating system patches with the relevant IT and SAS Solutions OnDemand teams. The risk assessment results are delivered to all SAS system administrators. Patches are tested before they are released to production, as appropriate. Patches are maintained and applied by supported tools designed to facilitate patch management and tracking, where applicable. SAS application hot fixes or patches, including those implemented as part of an RMSS engagement, are applied based on customer need and impact, and according to SAS R&D release schedules.

Note: For RMSS implementations, SAS only patches the SAS application. The customer is responsible for the operating system and third-party components.

Patches for critical security issues identified by SAS GIS, SAS R&D or SAS Solutions OnDemand management may be implemented during nonstandard maintenance windows, depending on the severity of the issue. Patch schedules may differ for infrastructure and other systems hosted at global data center locations.

Maintenance

SAS Solutions OnDemand schedules periodic outages to make nonemergency changes, such as maintenance on operating environments of servers, networks and web connectivity devices. System maintenance enables SAS Solutions OnDemand to:

- Maintain a robust environment in accordance with manufacturer specifications and organizational requirements.
- Meet contractual SLA requirements.
- Perform maintenance with minimal impact to customers.
- Provide adequate notification to customers.

For system maintenance activities in which the system is unavailable to the customer (e.g., during applicable third-weekend maintenance activities), SAS Solutions OnDemand project owners typically provide customers with advance notices (e.g., three days) prior to the system maintenance, unless the customer requires earlier scheduling to comply with contract requirements. Examples of system maintenance activities that may require advance notification include the following:

- Installation of client software.
- Installation of server patches.
- Replacement of hot-swappable components.
- Storage expansions or allocations.
- Required server reboots.
- Hardware changes.
- Maintenance of data center environmental equipment per preventive maintenance schedules.
- Change/addition of IP address values.

Note: Maintenance schedules may differ for infrastructure and other systems hosted at global data center locations.


More information

External Supplier Control Obligations. Information Security

External Supplier Control Obligations. Information Security External Supplier Control Obligations Information Security Version 8.0 March 2018 Control Area / Title Control Description Why this is important 1. Roles and Responsibilities The Supplier must define and

More information

County of Sutter. Management Letter. June 30, 2012

County of Sutter. Management Letter. June 30, 2012 County of Sutter Management Letter June 30, 2012 County of Sutter Index Page Management Letter 3 Management Report Schedule of Current Year s 4 Schedule of Prior Auditor Comments 9 Prior Year Information

More information

Operational Level Agreement: SQL Server Database Incidents and Requests

Operational Level Agreement: SQL Server Database Incidents and Requests Operational Level Agreement: SQL Server Database Incidents and Requests Version 0.4 02/19/2015 Contents Document Approvals Operational Level Agreement Overview Description of Services Services Included

More information

An Overview of the AWS Cloud Adoption Framework

An Overview of the AWS Cloud Adoption Framework An Overview of the AWS Cloud Adoption Framework Version 2 February 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes

More information

RELIABLEIT. How to Choose a Managed Services Provider. Finding Peace of Mind

RELIABLEIT. How to Choose a Managed Services Provider. Finding Peace of Mind IP PATHWAYS RELIABLEIT managed services TM How to Choose a Managed Services Provider Finding Peace of Mind If you re outsourcing your IT services, you need to find a Managed Services Provider you can trust.

More information

2018 WTW General Industry Information Technology Compensation Survey Report - U.S.

2018 WTW General Industry Information Technology Compensation Survey Report - U.S. FUN AID IT Development Designs, develops, modifies, adapts and implements short- and long-term solutions to information technology (IT) needs through new and existing applications, systems architecture,

More information

WORK PLAN AND IV&V METHODOLOGY Information Technology - Independent Verification and Validation RFP No IVV-B

WORK PLAN AND IV&V METHODOLOGY Information Technology - Independent Verification and Validation RFP No IVV-B 1. Work Plan & IV&V Methodology 1.1 Compass Solutions IV&V Approach The Compass Solutions Independent Verification and Validation approach is based on the Enterprise Performance Life Cycle (EPLC) framework

More information

Outsourcing for Success. Moving from In-house to an FIS Outsourced Solution

Outsourcing for Success. Moving from In-house to an FIS Outsourced Solution Outsourcing for Success Moving from In-house to an FIS Outsourced Solution An Evolving Decision Financial Considerations Reduction in Risk Back to the Business of Banking 2 Outsourcing Trends Outsourcing

More information

IBM Case Manager on Cloud

IBM Case Manager on Cloud Service Description IBM Case Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients of the Cloud

More information

IBM IoT Continuous Engineering on Cloud and IBM Collaborative Lifecycle Management on Cloud

IBM IoT Continuous Engineering on Cloud and IBM Collaborative Lifecycle Management on Cloud Service Description IBM IoT Continuous Engineering on Cloud and IBM Collaborative Lifecycle Management on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means

More information

SAP Hybris Commerce, cloud edition and SAP Hybris Commerce, Edge cloud edition Supplemental Terms and Conditions

SAP Hybris Commerce, cloud edition and SAP Hybris Commerce, Edge cloud edition Supplemental Terms and Conditions SAP Hybris Commerce, cloud edition and SAP Hybris Commerce, Edge cloud edition Supplemental Terms and Conditions These supplemental terms and conditions (the Supplement ) are part of an agreement for certain

More information

Ensuring Organizational & Enterprise Resiliency with Third Parties

Ensuring Organizational & Enterprise Resiliency with Third Parties Ensuring Organizational & Enterprise Resiliency with Third Parties Geno Pandolfi Tuesday, May 17, 2016 Room 7&8 (1:30-2:15 PM) Session Review Objectives Approaches to Third Party Risk Management Core Concepts

More information

IBM Emptoris Supplier Lifecycle Management on Cloud

IBM Emptoris Supplier Lifecycle Management on Cloud Service Description IBM Emptoris Supplier Lifecycle Management on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and

More information

REPORT 2014/115 INTERNAL AUDIT DIVISION. Audit of information and communications technology management at the United Nations Office at Geneva

REPORT 2014/115 INTERNAL AUDIT DIVISION. Audit of information and communications technology management at the United Nations Office at Geneva INTERNAL AUDIT DIVISION REPORT 2014/115 Audit of information and communications technology management at the United Nations Office at Geneva Overall results relating to the effective and efficient management

More information

IBM Business Process Manager on Cloud

IBM Business Process Manager on Cloud Service Description IBM Business Process Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients of

More information

Questionnaire. Identity Management Maturity Scan for SWITCHaai. Thomas Lenggenhager, SWITCH Thomas Siegenthaler & Daniela Roesti, CSI Consulting AG

Questionnaire. Identity Management Maturity Scan for SWITCHaai. Thomas Lenggenhager, SWITCH Thomas Siegenthaler & Daniela Roesti, CSI Consulting AG Questionnaire Identity Management Maturity Scan for SWITCHaai Thomas Lenggenhager, SWITCH Thomas Siegenthaler & Daniela Roesti, CSI Consulting AG Version: V2.1 Created: 19. Aug. 2011 Last change: 13. Nov.

More information

Uptime Maintenance and Support Services - Appendix. Dimension Data Australia Pty Limited. Uptime Support Services Agreement

Uptime Maintenance and Support Services - Appendix. Dimension Data Australia Pty Limited. Uptime Support Services Agreement Uptime Support Services Agreement Uptime Maintenance and Support Services - Appendix Dimension Data Australia Pty Limited 27 May 2013 Version 1-01 Appendix A. 1. Definitions and Interpretations 1.1 For

More information

Atlant s atwatch CAPA TM. Corrective and Preventive Action System (CAPA) Product & Services Bundle for

Atlant s atwatch CAPA TM. Corrective and Preventive Action System (CAPA) Product & Services Bundle for Corrective and Preventive Action System (CAPA) Product & Services Bundle for Atlant s atwatch CAPA TM Atlant Systems, Inc. (781)325-8157 team@atlantsystems.com Effectively Manage CAPAs Globally According

More information

Security overview. 2. Physical security

Security overview. 2. Physical security 1. Collaborate on your projects in a secure environment Thousands of businesses, including Fortune 500 corporations, trust Wrike for managing their projects through collaboration in the cloud. Security

More information

LIC OF INDIA P&GS DEPARTMENT CENTRAL OFFICE MUMBAI

LIC OF INDIA P&GS DEPARTMENT CENTRAL OFFICE MUMBAI 8. Service Level Agreement (SLA) P&GS Application Support Services This Schedule describes the service levels that have been established for the Services offered by the Bidder to LIC. The Bidder shall

More information

Exhibit E LeanSight SLA. LeanSight SERVICE LEVEL AGREEMENT (SLA)

Exhibit E LeanSight SLA. LeanSight SERVICE LEVEL AGREEMENT (SLA) Exhibit E LeanSight SLA 1. OVERVIEW LeanSight SERVICE LEVEL AGREEMENT (SLA) 1.1 Preface. This Service Level Agreement ( SLA ) lists all of the service levels that are provided by LeanSight BV ( LeanSight

More information

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3)

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3) PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3) 3.1 IV&V Methodology and Work Plan 3.1.1 NTT DATA IV&V Framework We believe that successful IV&V is more than just verification that the processes

More information

IBM Operational Decision Manager on Cloud

IBM Operational Decision Manager on Cloud Service Description IBM Operational Decision Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the contracting party and its authorized users and

More information

Drakewell Support Service Level Agreement

Drakewell Support Service Level Agreement Drakewell Support Service Level Agreement Overview This Service Level Agreement ( SLA ) details customer service and support to be performed on a tenant s ( Client ) Drakewell instance or as-needed technical

More information

Program Lifecycle Methodology Version 1.7

Program Lifecycle Methodology Version 1.7 Version 1.7 March 30, 2011 REVISION HISTORY VERSION NO. DATE DESCRIPTION AUTHOR 1.0 Initial Draft Hkelley 1.2 10/22/08 Updated with feedback Hkelley 1.3 1/7/2009 Copy edited Kevans 1.4 4/22/2010 Updated

More information

IT Plan Instructions for FY18-FY19

IT Plan Instructions for FY18-FY19 IT Plan Instructions for FY18-FY19 Introduction and General Instructions The information technology plan for FY18-FY19 is web-enabled. You can navigate to the various sections of your agency s plan by

More information

REQUEST FOR PROPOSALS: INFORMATION TECHNOLOGY SUPPORT SERVICES

REQUEST FOR PROPOSALS: INFORMATION TECHNOLOGY SUPPORT SERVICES REQUEST FOR PROPOSALS: INFORMATION TECHNOLOGY SUPPORT SERVICES Responses Due October 30, 2017 at 4:00 PM RFP 2017: INFORMATION TECHNOLOGY SERVICES PAGE 1 TABLE OF CONTENTS I. INTRODUCTION II. SUBMISSION

More information

MAXIMIZE PERFORMANCE AND REDUCE RISK

MAXIMIZE PERFORMANCE AND REDUCE RISK PREMIER SERVICES MAXIMIZE PERFORMANCE AND REDUCE RISK FOR ASTRO 25 AND DIMETRA SYSTEMS LATIN AMERICA REGION COMPLEXITIES IN MISSION CRITICAL SYSTEMS CONTINUE TO INCREASE Mission critical communications

More information

Supplier Security Directives

Supplier Security Directives Page 1 (8) Supplier Directives 1 Description This document (the Directives ) describes the security requirements applicable to Suppliers (as defined below) and other identified business partners to Telia

More information

Key Benefits of Novell ZENworks 10 Configuration Management. Enterprise Edition

Key Benefits of Novell ZENworks 10 Configuration Management. Enterprise Edition Key Benefits of Novell ZENworks 10 Configuration Management Enterprise Edition ZENworks 10 Configuration Management Enterprise Edition Manage your endpoint devices: ZENworks Configuration Management supercedes

More information

CENTURYLINK DRAFT SUPPLY CHAIN RISK MANAGEMENT (SCRM) PLAN

CENTURYLINK DRAFT SUPPLY CHAIN RISK MANAGEMENT (SCRM) PLAN Enterprise Infrastructure Solutions Volume 2 Management Volume Draft SCRM Plan CENTURYLINK DRAFT SUPPLY CHAIN RISK MANAGEMENT (SCRM) PLAN DRAFT CDRL 77 November 4, 2016 Qwest Government Services, Inc.

More information

A technical discussion of performance and availability December IBM Tivoli Monitoring solutions for performance and availability

A technical discussion of performance and availability December IBM Tivoli Monitoring solutions for performance and availability December 2002 IBM Tivoli Monitoring solutions for performance and availability 2 Contents 2 Performance and availability monitoring 3 Tivoli Monitoring software 4 Resource models 6 Built-in intelligence

More information

HP Agile Manager. Key Benefits. At a glance. Project Management. Key Software Capabilities. Administration. Enterprise SaaS.

HP Agile Manager. Key Benefits. At a glance. Project Management. Key Software Capabilities. Administration. Enterprise SaaS. Datasheet HP Agile Manager At a glance HP Agile Manager ( AGM ) is an on-demand Software-as-a-Service (SaaS) solution for Agile Project Management. HP Agile Manager software acts as the communication hub

More information

IBM Rational RequisitePro

IBM Rational RequisitePro Success starts with requirements management IBM Rational RequisitePro Highlights Offers advanced Microsoft Provides Web access for Word integration distributed teams Built on a robust Offers flexible reporting

More information

IBM Emptoris Supplier Lifecycle Management on Cloud

IBM Emptoris Supplier Lifecycle Management on Cloud Service Description IBM Emptoris Supplier Lifecycle Management on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the contracting party and its authorized

More information

Fulfilling CDM Phase II with Identity Governance and Provisioning

Fulfilling CDM Phase II with Identity Governance and Provisioning SOLUTION BRIEF Fulfilling CDM Phase II with Identity Governance and Provisioning SailPoint has been selected as a trusted vendor by the Continuous Diagnostics and Mitigation (CDM) and Continuous Monitoring

More information

Collaboration with Business Associates on Compliance

Collaboration with Business Associates on Compliance Collaboration with Business Associates on Compliance HCCA Compliance Institute April 19, 2016 Balancing risk management, compliance responsibility and business growth Responsibility of entities as they

More information

This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems.

This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems. This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems. 1 On completion of this topic, you will be able to: Explain the

More information

An Agile and Scalable Mobile Workplace

An Agile and Scalable Mobile Workplace Innovapptive Technology Thought Leadership - Executive Report An Agile and Scalable Mobile Workplace Innovapptive SAP Mobile Hosting Solutions Brief Innovapptive s SAP Mobile Hosting Solutions for SAP

More information

Proposed Service Level Agreement For Medium SaaS Projects

Proposed Service Level Agreement For Medium SaaS Projects Proposed Service Level Agreement For Medium SaaS Projects THIS ON-LINE SERVICES AGREEMENT (this Agreement ) shall commence on June 15, 2012, or upon execution of this Agreement, whichever date is later,

More information

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2 Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2 Abstract This document may be provided to Immigration and Customs Enforcement (ICE) in connection with a Form

More information

IBM Business Process Manager on Cloud

IBM Business Process Manager on Cloud Service Description IBM Business Process Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients of

More information

IBM Emptoris Contract Management on Cloud

IBM Emptoris Contract Management on Cloud Service Description IBM Emptoris Contract Management on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients

More information

The Systems Management. Solution designed specifically. for ebusiness. SystemWalker

The Systems Management. Solution designed specifically. for ebusiness. SystemWalker The Systems Management Solution designed specifically for ebusiness SystemWalker Table of Contents EXECUTIVE SUMMARY...1 ebusiness RAISES THE BAR ON NETWORK MANAGEMENT...2 Growing Network Complexity...2

More information

VULNERABILITY MANAGEMENT BUYER S GUIDE

VULNERABILITY MANAGEMENT BUYER S GUIDE VULNERABILITY MANAGEMENT BUYER S GUIDE VULNERABILITY MANAGEMENT BUYER S GUIDE 01 Introduction 2 02 Key Components 3 03 Other Considerations 10 About Rapid7 11 01 INTRODUCTION Exploiting weaknesses in browsers,

More information

Contents About This Guide... 5 Upgrade Overview... 5 Examining Your Upgrade Criteria... 7 Upgrade Best Practices... 8

Contents About This Guide... 5 Upgrade Overview... 5 Examining Your Upgrade Criteria... 7 Upgrade Best Practices... 8 P6 EPPM Upgrade Best Practices Guide 16 R2 September 2016 Contents About This Guide... 5 Upgrade Overview... 5 Upgrade Process... 5 Assessing the Technical Environment... 6 Preparing for the Upgrade...

More information

Fixed scope offering. Oracle Fusion Financials Cloud Service. 22 February 2016 A DIVISION OF DIMENSION DATA

Fixed scope offering. Oracle Fusion Financials Cloud Service. 22 February 2016 A DIVISION OF DIMENSION DATA Fixed scope offering Oracle Fusion Financials Cloud Service 22 February 2016 A DIVISION OF DIMENSION DATA 2015 1 Oracle Fusion Financials Cloud Service Business objectives The solution Scope Methodology

More information

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services Louisiana State University Finance and Administration Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting Services

More information

IBM Content Manager OnDemand on Cloud

IBM Content Manager OnDemand on Cloud IBM Terms of Use SaaS Specific Offering Terms IBM Content Manager OnDemand on Cloud The Terms of Use ( ToU ) is composed of this IBM Terms of Use - SaaS Specific Offering Terms ( SaaS Specific Offering

More information

IBM Case Manager on Cloud

IBM Case Manager on Cloud IBM Terms of Use SaaS Specific Offering Terms IBM Case Manager on Cloud The Terms of Use ( ToU ) is composed of this IBM Terms of Use - SaaS Specific Offering Terms ( SaaS Specific Offering Terms ) and

More information

Know Your Customer Limited INFRASTRUCTURE & SECURITY OVERVIEW (IS) V1

Know Your Customer Limited INFRASTRUCTURE & SECURITY OVERVIEW (IS) V1 Know Your Customer Limited INFRASTRUCTURE & SECURITY OVERVIEW (IS) V1 Overview of KYC basic infrastructure, security and implementation, policies and practices. Know Your Customer Limited Tel +353 1-2440669

More information

APPENDIX O CONTRACTOR ROLES, RESPONSIBILITIES AND MINIMUM QUALIFICATIONS

APPENDIX O CONTRACTOR ROLES, RESPONSIBILITIES AND MINIMUM QUALIFICATIONS APPENDIX O CONTRACTOR ROLES, RESPONSIBILITIES AND MINIMUM QUALIFICATIONS Shared denotes whether a Contractor Resource may be responsible for that in addition to another identified. Contractor Required

More information

AWS Life Sciences Competency Consulting Partner Validation Checklist

AWS Life Sciences Competency Consulting Partner Validation Checklist AWS Life Sciences Competency February 2018 Version 2.2 Table of Contents Introduction... 3 Competency Application and Audit Process... 3 Program Policies... 3 AWS Life Sciences Competency Program Prerequisites...

More information

Implementing Microsoft Azure Infrastructure Solutions

Implementing Microsoft Azure Infrastructure Solutions Implementing Microsoft Azure Infrastructure Solutions Course # Exam: Prerequisites Technology: Delivery Method: Length: 20533 70-533 20532 Microsoft Products Instructor-led (classroom) 5 Days Overview

More information

How Can Your Business Benefit from Cloud and Monitoring? Tan Siew Wu, Group Head of Presales, iwv 30 March 2017

How Can Your Business Benefit from Cloud and Monitoring? Tan Siew Wu, Group Head of Presales, iwv 30 March 2017 How Can Your Business Benefit from Cloud and Monitoring? Tan Siew Wu, Group Head of Presales, iwv 30 March 2017 Agenda 1 2 3 4 Introduction The Power Of Cloud Computing Monitoring-as-a-Service (MaaS) Q

More information

You can plan and execute tests across multiple concurrent projects and people by sharing and scheduling software/hardware resources.

You can plan and execute tests across multiple concurrent projects and people by sharing and scheduling software/hardware resources. Data Sheet Application Development, Test & Delivery Performance Center Micro Focus Performance Center software is an enterprise-class performance engineering software, designed to facilitate standardization,

More information

Validation and Automated Validation

Validation and Automated Validation TOP INDUSTRY QUESTIONS Validation and Automated Validation 1 Table of Contents 03 04 07 10 13 16 19 INTRODUCTION SECTION 1 - Validation Standards How is validation defined under Title 21 CFR Part 11? What

More information

IBM Cloud Application Performance Management

IBM Cloud Application Performance Management Service Description IBM Cloud Application Performance Management This Service Description describes the Cloud Service IBM provides to Client. Client means the contracting party and its authorized users

More information