I. PROJECT BACKGROUND... 3 A. Background... 3 B. Objective of This Project... 3 C. Scope... 3 D. Approach... 3 II. EXECUTIVE SUMMARY...

Transcription

1 ZOCCAM Infrmatin Systems General Cntrls and Security Review April 1, 2016

2 I. PROJECT BACKGROUND... 3 A. Backgrund... 3 B. Objective f This Prject... 3 C. Scpe... 3 D. Apprach... 3 II. EXECUTIVE SUMMARY... 4 III. ZOCCAM BACKGROUND... 5 A. Prduct Platfrm Descriptin... 5 B. Operatins Platfrm Descriptin... 6 IV. CONTROL DESCRIPTIONS... 8 V. RESULTS... 10

3 I. PROJECT BACKGROUND A. BACKGROUND Security f technlgy assets is an imprtant pririty within the financial industry. As threats t data and systems have evlved, s have the requirements fr safeguarding client and rganizatin infrmatin. The prcesses and peple that supprt the security f technlgy are the key cmpnents in prtecting these valuable business assets. Likewise, it is imprtant t measure the security f technlgy assets t understand the ability t defend against threats. B. OBJECTIVE OF THIS PROJECT The primary bjective was t perfrm the infrmatin systems (IS) general cntrls and security review f ZOOCAM s internally managed and third-party managed applicatins. The management f ZOCCAM is respnsible fr establishing and maintaining internal cntrls. The bjective f this review is t prvide management an assessment n the design f their internal cntrls. In establishing cntrls related t IS, estimates and judgments by management are required t assess the expected benefits and related csts f cntrls. CONFIDENTIAL PRELIMINARY DRAFT Subject t Change Because f inherent limitatins in any cntrls, errrs r fraud may ccur and nt be detected. Als, prjectin f any evaluatin f the cntrls t future perids is subject t the risk that the cntrls may becme inadequate because f changes in the cntrl envirnment, r that the degree f cmpliance with the cntrls may deterirate. Duplicatin Prhibited C. SCOPE The IS general cntrls and security review included reviewing requested dcumentatin and interviewing ZOOCAM persnnel t assess IS general cntrls and security related t the ZOOCAM envirnment. The applicatins cnsidered in the scpe f the review included the fllwing: Managed by ZOCCAM Active Directry ZOCCAM Applicatin Third-Party Managed Jack Henry PrfitStars Micrsft Azure D. APPROACH T accmplish the bjective f this engagement, ZOCCAM cntrls were assessed t determine design apprpriateness and 3 rd party SOC reprts were reviewed t determine if thse reprts were qualified in nature, r cntained any significant cntrl deficiencies which culd impact ZOCCAM s custmers r clients.

4 II. EXECUTIVE SUMMARY Our IS general cntrls and security review was designed t answer the fllwing questins fr ZOCCAM: What is the assessment f ZOCCAM IS general cntrls? Based n a review f the results f ur activities, I believe verall, yur Infrmatin Security Prgram and IS general cntrls are satisfactry as f the date f the review. A satisfactry designatin indicates that while there may be cntrl imprvements identified, ZOOCAM appears t have taken apprpriate actin t ensure IS general cntrls are designed apprpriately. The prjectin f any evaluatin f these cntrls t future perids is subject t the risk that the cntrls may becme inadequate because f changes in the cntrl envirnment r that the degree f cmpliance with the cntrls may deterirate. N review f cntrls r security can ever prvide ttal assurance r 100 percent prtectin against pssible cntrl failures r security intrusins n yur systems. The ptential effectiveness f specific cntrls and security measures is subject t inherent limitatins and, accrdingly, errrs r fraud may ccur and nt be detected. Furthermre, infrmatin netwrks, applicatins and cntrl envirnments are extremely dynamic in nature and ur examinatin f yur cntrl and security methds and prcedures are cnducted and dcumented as f the fllwing specific perid in time: Assessment Service Start Date End Date IS General Cntrls and Security Review 03/28/ /01/2016 As a result, the prjectin f any cnclusins, based n ur examinatin, t future perids is subject t the risk that (1) changes are made t the systems r cntrls; (2) changes are made in prcessing requirements; (3) changes are required because f the passage f time; r (4) new security explits are discvered that may alter the validity f such cnclusins. Therefre, I take n respnsibility fr any lack f specific cntrls, cntrl failures, breach f security, r ther errrs r fraud related t any part f yur business envirnment. Any subsequent cntrl r security issues that may arise within thse areas examined r any cntrl r security issues that are present at the time f this examinatin, but that are utside the scpe f the examinatin, are slely the respnsibility f ZOCCAM.

5 III. ZOCCAM BACKGROUND A. PRODUCT PLATFORM DESCRIPTION Zccam s payment services platfrm cnsist f fur majr cmpnents laid ut in a three-tier architecture: (1) the mbile applicatin, (2) the web applicatin, (3) the web services, and (4) the database. 1. Mbile Applicatin (tier 1) The mbile applicatin runs n the end-users mbile device. We first identify the end user thrugh realtr license number f invitatin cde frm anther user and a device identificatin cde sent t the mbile number they prvide. The user creates a PIN fr subsequent lgin t the applicatin. User registratins are manually reviewed and accunts are disabled when the user requests terminatin f service. As its primary functin, the mbile applicatin captures real estate cntract metadata and images f the check t be depsited as part f the real estate transactin and passes this infrmatin securely t the ZOCCAM web services, but never stres this infrmatin n the mbile device. CONFIDENTIAL PRELIMINARY DRAFT As payment fr the transactin, the user prvides a credit card number and expiratin date which the app passes t ZOCCAM web services fr authenticatin and prcessing. Subject t Change Duplicatin Prhibited N persnal identifying infrmatin, payment infrmatin, r financial transactin infrmatin is ever stred n the device. 2. Web Applicatin (tier 1) Fr sme functins, users access the ZOCCAM applicatin website. All access t the website is secured with 2048 bit high-encryptin SSL. N user name/passwrd is required fr access t static prduct infrmatin. One-time-use cdes are issued thrugh ntificatins fr reference t transactin infrmatin and access t the site functins is nly allwed with these cde. The applicatin website is the user-facing tier f the applicatin besides the mbile applicatin. It is hsted n Micrsft Azure Platfrm-as-a-Service (PaaS) where Micrsft maintains the physical security f the servers, the currency and digital security f the platfrm, and Internet prtcl security (IPSec) f the applicatin, platfrm, and servers. N applicatin r user infrmatin is stred in the web applicatin. All infrmatin is maintained and prcessed by the secnd tier, the secure Web Services. 3. Web Services (tier 2) The mbile and web applicatins leverage the secnd tier, Web Services, t manage all business lgic prcessing and persistent data access. This cmpnent prvides an intermediary t access infrmatin and prvide any cre platfrm prcessing. The web services are als hsted n Micrsft Azure PaaS where Micrsft maintains full currency f the underlying hardware and sftware, physical and IP security, and

6 transparent ge-physical redundancy and recvery in the case f underlying hardware failure r even data center disaster. Access t the web services is secured using 2048 bit high-encryptin SSL cnnectins and prgrammatically authenticated with a tken issued upn user authenticatin in the mbile app with either mbile phne identificatin (SMS cde) r user ID & PIN cmbinatin. The web services (nt directly accessible by end users) cmprise the nly sftware cmpnent with direct access t the platfrm database. This tier als mediates secure cnnectins t ther service prvider including Jack Henry PrfitStars EPS (check prcessing), JetPay payment services (credit card prcessing), Ggle web services (ge calculatins and maps), Mandrill fr , and Twili fr SMS. Access t each f these ther services is secured with SSL and authenticated with private access keys that prevent misuse f ZOCCAM services accunts. The private access keys are stred securely in the Azure services prtal where they are prgrammatically accessed. Keys are rtated every six mnths r accrding t the service prvider plicies, whichever is mre frequent, by the ZOCCAM administratr. 4. Database (tier 3) The ZOCCAM database is the final lgical cmpnent and the third tier in the three-tier architecture. The database huses ZOCCAM user and applicatin infrmatin and run in a Micrsft SQL Azure deplyment with full autmatic backup and ge-replicatin fr disaster resiliency. The SQL Azure platfrm is fully maintained by Micrsft just as their ther PaaS prducts are. Access t the database is limited t applicatin and administrative accunts via ID/passwrd that are nt shared with anyne utside f key ZOCCAM persnnel. Direct database access is nly used fr special data inspectin r manipulatin fr custmer supprt purpses. All access t the database is lgged autmatically with the SQL Azure Audit Lgs feature. Audit event data is stred in a separate Azure Strage Table and retained fr 365 days. SQL Azure als emplys a white-list security mdel where even authrized users cannt access the database frm unknwn IP addresses. B. OPERATIONS PLATFORM DESCRIPTION 1. Business Platfrm The ZOCCAM business emplys a number f sftware-as-a-service (SaaS) prducts t perate efficiently. Each is managed by the ZOCCAM principals and maintained as needed t grant/revke end-user permissins t ther ZOCCAM representatives. The fllwing is a nn-exhaustive list. GDaddy.cm fr dmain hsting and SSL certificate issuance Micrsft Office 365 fr business prductivity sftware, hsting, dcument management, etc. Weebly fr website hsting ZenDesk fr custmer supprt functins PhneBth fr VOIP telephny & answering service

7 MailChimp fr marketing Micrsft Azure fr hsting the prduct/platfrm and cllecting analytics 2. Prduct Develpment Platfrm a. Sftware Develpment Lifecycle (SDLC) The ZOCCAM prduct develpment team fllws an agile Scrum methd fr planning and tracking wrk. In Scrum, wrk t be accmplished is first listed in a priritized backlg, then decmpsed int tasks that are tracked thrugh stages f wrk and cmpletin. The ZOCCAM prduct team grms the backlg and plans wrk fr each iteratin n a weekly basis. b. Tls and External Sevices The ZOCCAM technlgy team uses sme key tls and services t deliver its prduct. Each f these services is administered by ZOCCAM principals with end-user access granted t/revked frm ther ZOCCAM persnnel as required by business prcesses. Nte that publishing functins are accessed exclusively by ZOCCAM principals. CONFIDENTIAL PRELIMINARY DRAFT Micrsft Visual Studi Team Services (VSTS) fr wrk item management, surce cntrl, and team cmmunicatin. VSTS prvides web access with limited permissins where the ZOCCAM prduct manager updates the prduct backlg during planning, develpers and the prduct manager tgether create tasks t track wrk, and develpers check cde int surce cntrl where each cmmit is assciated with a task fr review and auditing purpses. Subject t Change Duplicatin Prhibited Micrsft Develper Netwrk (MSDN) fr access t develpment tls and knwledge base Apple Develper Cnsle fr creatin and distributin f publishing certificates Apple itunes Cnnect fr publishing ios applicatin binaries Ggle Play Develper Cnsle fr publishing Andrid applicatin binaries Micrsft Azure fr publishing web applicatin and service binaries Prduct publishing prcedures (withut passwrds) are dcumented in Micrsft OneNte files stred in the ZOCCAM Office 365 SharePint dcument management prtal. All service accunt administratin user IDs and passwrds are stred securely in Lastpass passwrd management tl in a managed flder nly accessible by ZOCCAM principals.

8 IV. CONTROL DESCRIPTIONS ZOCCAM Cntrls: Backup and recvery cntrls: Cntrl Objective BK1: Data has been backed-up and is recverable. Cntrl Descriptin BR-1: All prduct, peratinal, and develpment infrmatin stred in SaaS systems with frequent cyclical backup prcedures. Operatinal cntrls: Cntrl Objective OP1: Physical access t cmputer hardware is limited t apprpriate individuals. Cntrl Descriptin PS-1: Persnal cmputers are kept in lcked ffices. Develper laptps emply full-hard drive encryptin. Cntrl Objective OP2: Database access is mnitred. SDLC: Cntrl Descriptin PS-2: All access t the database is lgged autmatically. Audit event data is stred and retained fr 365 days. Cntrl Objective SD1: Changes are authrized. Cntrl Descriptin CM-1: Change requests are initiated and apprved by apprpriate members f management. Cntrl Objective SD2: Changes are tested. Cntrl Descriptin CM-2: All changes made t prductin prgrams, cnfiguratins and data are tested. Cntrl Objective SD3: Changes are apprved. Cntrl Descriptin CM-3: All changes made t prductin prgrams, cnfiguratins and data are apprved by apprpriate members f management befre being prmted t prductin. Access cntrls: Cntrl Objective AC1: Segregatin f duties/access t prductin prgrams. Cntrl Descriptin AM-1: Access t applicatin cnfiguratin parameters and data restricted t authrized persnnel. Cntrl Objective AC1: Segregatin f duties/access t prductin prgrams. Cntrl Descriptin AM-2: Access t databases is limited apprpriate members f IT.

9 Cntrl Objective AC3: Access t privileged IT functins is limited t apprpriate individuals. Cntrl Descriptin AM-3: Access rights f terminated emplyees are disabled n a timely basis. Cntrl Objective AC4: Access t privileged IT functins is limited t apprpriate individuals. Cntrl Descriptin AM-4: The number f peple with administratr privileges is limited apprpriately. Cntrl Objective AC5: User access is authrized and apprpriately established Cntrl Descriptin AM-5: Access rights f users and IT persnnel are dcumented and apprved by apprpriate members f management. Cntrl Objective AC6: Lgical access prcess is mnitred. CONFIDENTIAL Cntrl Descriptin AM-6: User and IT persnnel access rights are peridically reviewed and apprved by management. PRELIMINARY DRAFT Subject t Change Cntrl Objective AC7: User access is mnitred. Cntrl Descriptin AM-7: User registratins are manually reviewed and accunts are disabled when the user requests terminatin f service Duplicatin Prhibited 3 rd Party SOC Reprts: Jack Henry and Assciates, Inc. Reprt n JHA s Descriptin f its Systems related t Enterprise Payment Slutins Systems and the Suitability f the Design and Operatins Effectiveness f Cntrls fr the perid frm Octber 1, 2014 r September 30, Micrsft Azure Independent Service Auditr s Reprt fr the perid frm January 15, 2015 t July 31, Reprting We kept yu infrmed f ur prgress thrughut the engagement thrugh peridic frmal and infrmal status reprts and meetings as apprpriate. Upn cmpletin f the review, we prepared this written reprt f ur findings and recmmendatins.

10 V. RESULTS ZOCCAM Cntrls: IT general cntrls listed abve were fund t be designed apprpriately as f April 1, rd Party SOC Reprt Review: Jack Henry The SOC reprt fr the perid tested was reviewed and fund t be unqualified in nature and cntained n exceptins nted fr any f the cntrl bjectives tested by the independent auditr. Micrsft Azure - The SOC reprt fr the perid tested was reviewed and fund t be unqualified in nature. The independent auditr nted that fr the perid tested, reasnable assurance was prvided that The system was prtected against unauthrized access, use r mdificatin, The system was available fr peratin and use as cmmitted r agreed, Infrmatin within the system, designated as cnfidential, was prtected as cmmitted r agreed, and The system prcessing was cmplete, valid, accurate, timely, and authrized

11 April 1, 2016 Ashley Ck, CEO ZOCCAM 5950 Berkshire Lane, Suite 1460 Dallas, Texas Dear Ms. Ck: This reprt cntains the results related t the infrmatin technlgy (IS) general cntrls and security review perfrmed fr ZOCCAM. N assessment f cntrls r security can ever prvide ttal assurance r 100 percent prtectin against pssible cntrl failures r security intrusins n yur systems. The ptential effectiveness f specific cntrls and security measures is subject t inherent limitatins and, accrdingly, errrs r fraud may ccur and nt be detected. Furthermre, infrmatin netwrks, applicatins and cntrl envirnments are extremely dynamic in nature and ur examinatin f yur cntrl and security methds and prcedures are cnducted and dcumented as f the fllwing specific perid in time: CONFIDENTIAL PRELIMINARY DRAFT Subject t Change Assessment Service Start Date End Date IS General Cntrls and Security Review 03/28/ /01/2016 Duplicatin Prhibited As a result, the prjectin f any cnclusins, based n ur examinatin, t future perids is subject t the risk that (1) changes are made t the systems r cntrls; (2) changes are made in prcessing requirements; (3) changes are required because f the passage f time; r (4) new security explits are discvered that may alter the validity f such cnclusins. Therefre, I take n respnsibility fr any lack f specific cntrls, cntrl failures, breach f security, r ther errrs r fraud related t any part f yur business envirnment. Any subsequent cntrl r security issues that may arise within thse areas examined r any cntrl r security issues that are present at the time f this examinatin, but that are utside the scpe f the examinatin, are slely the respnsibility f ZOCCAM. This reprt is intended slely fr use by the management f ZOCCAM. I appreciate the curtesies and cperatin extended t me during this prject and the pprtunity t be f service t ZOCCAM. Please cntact Matthew Sargent at if yu have any questins regarding this reprt. Sincerely, Matthew Sargent, CFE, CISSP, CISA, CRISC

12