US Internet Corp.
Colocation Services

Independent Service Auditor’s Report on Controls Placed in Operation and Tests of Operating Effectiveness
For the Period of April 30, 2010, to May 31, 2011

Attestation and Compliance Services

Proprietary & Confidential
Reproduction or distribution in whole or in part without prior written consent is strictly prohibited.

TABLE OF CONTENTS

SECTION 1 INDEPENDENT SERVICE AUDITOR’S REPORT ............ 1
SECTION 2 DESCRIPTION OF CONTROLS PLACED IN OPERATION ............ 3
    OVERVIEW OF OPERATIONS ............ 4
        Company Background ............ 4
        Description of Services Provided ............ 4
    CONTROL ENVIRONMENT ............ 6
        Integrity and Ethical Values ............ 6
        Commitment to Competence ............ 6
        Management’s Philosophy and Operating Style ............ 7
        Organizational Structure and Assignment of Authority and Responsibility ............ 7
        Human Resource Policies and Practices ............ 7
    RISK ASSESSMENT ............ 8
    CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES ............ 8
    MONITORING ............ 8
    INFORMATION AND COMMUNICATION SYSTEMS ............ 9
        Information Systems ............ 9
        Communication Systems ............ 9
    COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS ............ 9
SECTION 3 TESTING MATRICES ............ 11
    PHYSICAL SECURITY ............ 12
    ENVIRONMENTAL SECURITY ............ 16
    MONITORING ............ 20

US Internet Corp. Proprietary and Confidential i

SECTION 1
INDEPENDENT SERVICE AUDITOR’S REPORT

To US Internet Corp.:

We have examined the accompanying description of controls related to the colocation services of US Internet Corp. (“US Internet” or the “service organization”) performed at the Minnetonka, Minnesota, facility.
Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of US Internet’s controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of US Internet’s controls; and (3) such controls had been placed in operation as of May 31, 2011. The control objectives were specified by the management of US Internet. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned colocation services presents fairly, in all material respects, the relevant aspects of US Internet’s controls that had been placed in operation as of May 31, 2011. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of US Internet’s controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section 3 (the “Testing Matrices”), to obtain evidence about their effectiveness in meeting the control objectives, described in the Testing Matrices, during the period from April 30, 2010, to May 31, 2011. The specific controls and the nature, timing, extent, and results of the tests are listed in the Testing Matrices. This information has been provided to user organizations of US Internet and to their auditors to be taken into consideration, along with information about the internal control at user organizations, when making assessments of control risk for user organizations.

In our opinion, the controls that were tested, as described in the Testing Matrices, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in the Testing Matrices were achieved during the period from April 30, 2010, to May 31, 2011.

The relative effectiveness and significance of specific controls at US Internet and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at US Internet is as of May 31, 2011, and information about tests of the operating effectiveness of specific controls covers the period from April 30, 2010, to May 31, 2011. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at US Internet is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.
This report is intended solely for use by the management of US Internet, its user organizations, and the independent auditors of its user organizations.

May 31, 2011

SECTION 2
DESCRIPTION OF CONTROLS PLACED IN OPERATION

OVERVIEW OF OPERATIONS

Company Background

Founded in 1995, US Internet Corp. (US Internet) is an international provider of Internet, hosting, and application services for government, institutions, businesses, and consumers worldwide. US Internet was founded with the principle of utilizing the newest advancements in technology to provide cutting-edge services to businesses both big and small. This philosophy is paramount in providing growing businesses with the edge necessary to compete in the ever-expanding global economy. US Internet has since grown to be one of the largest privately held Internet service providers in the country.

With product lines ranging from dial-up and e-mail to international consulting and corporate Internet protocol (IP) networking services, US Internet encompasses a talent pool of technical support technicians, network engineers, application developers, and product specialists. With local technical support available 24 hours per day, seven days per week, backed by a seasoned technology group that understands the needs and issues of today's business, US Internet is focused on providing the highest level of service possible.

In 1996, US Internet was the first company in the world to broadcast live commercial radio over the Internet. In 2008, the wholly-owned subsidiary, USI Wireless, successfully deployed the largest Wi-Fi wireless network in the world, covering an area of 60 square miles. Also in 2008, utilizing traditional digital subscriber line (DSL) technology in conjunction with cutting-edge microwave wireless broadband, US Internet reinvented delivery of DSL services to residents of high-rise buildings and was able to offer the first consumer-available 100 megabit connectivity in the Minneapolis area. Throughout the years, US Internet has released a number of self-developed applications and services that have resulted in the formation of off-shoot companies, many of which have gone on to claim large market shares within their environment.

Description of Services Provided

Colocation / Disaster Recovery

US Internet provides a networking environment for customers’ equipment. The services are designed for businesses of all sizes in US Internet’s state-of-the-art data center. Customers can choose from shared colocation, dedicated colocation, or managed colocation. Services include, but are not limited to, the following:

- Standard 19” secure rack-mount enclosures
- Dedicated connection to the Internet backbone
- Four 1-gigabit connections from different telecommunications companies
- Dual electrical feeds
- Multiple backup generators
- Multiple uninterruptible power supply (UPS) systems
- Inert gas fire suppression system (FM-200)
- 24 hours per day, seven days per week monitoring and technical support
- Biometric encoded access
- Video surveillance
- Multiple air conditioning and humidity controls
- 24 hours per day, seven days per week secure monitored access to equipment

Application Hosting

US Internet has developed an enterprise-level hosting platform that provides a comprehensive end-to-end application management solution designed specifically for the Microsoft product range and Windows-based software.
Their application hosting solution provides small to mid-sized businesses with a fully managed service that integrates hosting capabilities with full management of the application and a single point of contact to administer the solution. Services include, but are not limited to, the following:

- US Internet’s data center with multi-redundant Internet access points
- Enterprise-level data storage capabilities
- Guaranteed service level agreement including 99.9% uptime on data center core services, such as electrical power, Internet access, and bandwidth scalability
- Ultimate technology platform (Windows 2000, SQL 2000, .Net architecture)
- 24 hours per day, seven days per week system monitoring
- Advanced anti-virus and anti-intrusion protection
- Daily backups and off-site storage
- Access to 16-, 32-, or 64-bit Windows-based applications from a variety of desktops
- Anywhere access from any Internet-enabled device

Web Hosting

US Internet provides dedicated hosting or shared hosting services for customers’ Internet, Intranet, and Extranet needs. Customers’ web presence is managed in a secure environment 24 hours per day, seven days per week, in US Internet’s state-of-the-art data center.

Secure Server

US Internet delivers critical infrastructure services with increased Internet security to help customers prove their sites are authentic and that transactions or data captured are secured by secure sockets layer (SSL) encryption. Services include, but are not limited to, the following:

- Secured web page(s) under customers’ security certificates
- Secure specific web page(s) using US Internet’s certificate
- Secure server setup by customers in US Internet’s data center

Web Stats Reporting

US Internet delivers tracking information to help customers better understand their website traffic. Customers can view unique visitors, hits, visitors’ sessions, and previous site visited. In addition, customers can track campaigns and measure conversion with easy custom reporting. Services include, but are not limited to, the following:

- Available as a hosted service or installable software
- Full suite of live, rich, and interactive reports
- Trace visitor paths
- Powerful custom reporting to track marketing campaigns, website conversions, uniform resource locator (URL) parameters, and visitor scenarios
- Rich and interactive visualization
- Complete out-of-the-box software

File Transfer Protocol (FTP) Site

US Internet provides solutions for customers’ FTP hosting needs. Rather than e-mailing large files via the Internet or sending a CD-ROM via a courier, customers can leverage US Internet’s enterprise-level hosting infrastructure to avoid attachment size limitations, system resource drain, and security and data corruption issues.

CONTROL ENVIRONMENT

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of US Internet’s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the products of US Internet’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. US Internet’s management team strives to maintain a professional culture that empowers talented, hard-working team members to deliver leading-edge technology and high-quality services to its customers. Specific control activities that the service organization has implemented in this area are described below.

- Organizational policy statements and codes of conduct are documented and communicate entity values and behavioral standards to personnel.
- Employees are required to sign an acknowledgment form indicating that they have been given access to the employee handbook and understand their responsibility for adhering to the policies and procedures contained within the handbook.
- Employees are required to sign a confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.
- Background checks are performed for employment candidates as a component of the hiring process.

Commitment to Competence

US Internet’s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees’ roles and responsibilities. US Internet’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate required skills and knowledge levels into written position requirements. US Internet focuses on hiring experienced employees for the various positions required for the business. Specific control activities that the service organization has implemented in this area are described below.

- Management has considered the competence levels for particular jobs and translated the required skills and knowledge levels into written position requirements.
- A training program is in place to help maintain the skill level of personnel.

Management’s Philosophy and Operating Style

US Internet’s management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management’s approach to taking and monitoring business risks and management’s attitudes toward information processing, accounting functions, and personnel. US Internet’s management team is hands-on and involved in the day-to-day operations of the business. Management team members are expected not only to lead but to make hands-on contributions and to know the details within their part of the business. Specific control activities that the service organization has implemented in this area are described below.

- Management is briefed on regulatory and industry changes affecting services provided on a periodic basis and as required.
- Management meetings are held on a periodic basis to discuss operational issues.

Organizational Structure and Assignment of Authority and Responsibility

US Internet’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and monitored. US Internet’s management believes that establishing a relevant organizational structure includes considering key areas of authority and responsibility and lines of reporting. US Internet has developed an organizational structure suited to its needs. This organizational structure is based, in part, on its size and the nature of its activities. Specific control activities that the service organization has implemented in this area are described below.

- Organizational charts are in place to communicate key areas of authority, responsibility, and lines of reporting to personnel. These charts are communicated to employees and updated as needed.
- Management has considered the reporting structure and accountability for certain business functions and segregated responsibilities by functional area.

Human Resource Policies and Practices

US Internet’s human resources policies and procedures relate to employee hiring, orientation, training, evaluation, promotion, compensation, and disciplinary activities. Upon hiring, each manager defines a professional development plan for each team member to document their job description and to set personal development goals that align with the company’s overall goals. The management team then provides professionals ongoing feedback to help ensure they are delivering on their objectives, with formal reviews occurring at least annually to review performance, recognize achievement, and identify areas that need further improvement. Specific control activities that the service organization has implemented in this area are described below.

- Established screening procedures are performed for employment candidates as a component of the hiring process.
- Performance evaluations are performed for personnel on an annual basis and the results are documented and maintained in the employee’s personnel file.
- Established termination procedures are performed for terminated employees as a component of the termination process.

RISK ASSESSMENT

US Internet has placed into operation a risk assessment process to identify and manage risks that could affect the organization's ability to provide reliable colocation services for user organizations. This process requires management to identify significant risks in their areas of responsibility and to implement appropriate measures to address those risks. Risks can arise or change due to circumstances such as the following:

- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded operations
- New accounting pronouncements

CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

US Internet’s control objectives and related control activities are included in Section 3 (the “Testing Matrices”) of this report to eliminate the redundancy that would result from listing the items in this section and repeating them in the Testing Matrices. Although the control objectives and related control activities are included in the Testing Matrices, they are, nevertheless, an integral part of US Internet’s description of controls.
The description of the service auditor’s tests of operating effectiveness and the results of those tests are also presented in the Testing Matrices, adjacent to the service organization’s description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.

MONITORING

Management monitors controls to consider whether they are operating as intended and whether the controls are modified appropriately for changes in conditions. US Internet’s management performs monitoring activities to continuously assess the quality of internal control over time. Necessary corrective actions are taken as required to correct deviations from company policy and procedures. Employee activities and adherence to company policies and procedures are also monitored. This process is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Management’s close involvement in US Internet’s operations helps to identify significant variances from expectations regarding internal controls. Upper management immediately evaluates the specific facts and circumstances related to any suspected control breakdowns.

INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

US Internet’s high-speed network consists of connections to the Internet using four 1-gigabit per second connections carried by the following carriers: XO, Layer3, Time Warner Telecom, and Cogent. In addition, US Internet offers firewall and layer 4 switching technology for maximum availability and uptime. All core services are complete and n+1 redundant, providing maximum fault tolerance. US Internet data center facilities are powered by two separate power grids and equipped with multiple redundant full-time inline UPS systems. In addition, three diesel generators are located on-site in the event of a sustained electrical outage. The organization monitors daily operations utilizing both the WhatsUp Gold and Cacti monitoring systems.

US Internet does not record, process, summarize, or report the financial transactions of its user organizations. Additionally, US Internet does not maintain accountability for any client assets, liabilities, or equity.

Communication Systems

Management is involved with day-to-day operations and is able to provide employees with an understanding of their individual roles and responsibilities pertaining to internal controls. This includes the extent to which personnel understand how their activities relate to the work of others and the means of reporting exceptions to an appropriate higher level within the organization. Management believes that open communication channels help ensure that exceptions are reported and resolved. For that reason, formal communication tools such as organizational charts and employee handbooks are in place. Communication activities are made electronically, verbally, and through the actions of management.

COMPLEMENTARY CONTROLS AT USER ORGANIZATIONS

US Internet’s colocation services are designed with the assumption that certain controls will be implemented by user organizations. Such controls are called complementary user organization controls. It is not feasible for all of the control objectives related to US Internet’s services to be solely achieved by US Internet’s control activities. Accordingly, user organizations, in conjunction with the colocation services, should establish their own internal controls or procedures to complement those of US Internet. The following complementary user organization controls should be implemented by user organizations to provide additional assurance that the control objectives described within this report are met.
As these items represent only a part of the control considerations that might be pertinent at the user organizations’ locations, user organizations’ auditors should exercise judgment in selecting and reviewing these complementary user organization controls.

Complementary User Organization Controls:

1. User organizations are responsible for understanding and complying with their contractual obligations to US Internet.
2. User organizations are responsible for completing scoping questionnaires accurately and completely.
3. User organizations are responsible for maintaining their own system(s) of record.
4. User organizations are responsible for notifying US Internet of required changes to their solutions.
5. User organizations are responsible for notifying US Internet of changes to their escalation procedures.
6. User organizations are responsible for informing US Internet of any regulatory issues that may affect the services provided by US Internet.
7. User organizations are responsible for notifying US Internet of changes made to technical or administrative contact information.
8. User organizations are responsible for notifying US Internet of any additions, changes, or deletions to facility access lists.
9. User organizations are responsible for notifying US Internet of terminated employees.
10. User organizations are responsible for notifying US Internet of on-site visits of non-listed personnel prior to their arrival to the facilities.
11. User organizations are responsible for developing policies and procedures to protect their systems from unauthorized or unintentional use, modification, addition, or deletion.
12. User organizations are responsible for determining whether US Internet’s security infrastructure is appropriate for its needs and for notifying US Internet of any requested modifications.
13. User organizations are responsible for defining any encryption methodology utilized in relation to US Internet’s systems and services.
14. User organizations are responsible for immediately notifying US Internet of any actual or suspected information security breaches.
15. User organizations are responsible for responding to known or suspected incidents reported by US Internet personnel.
16. User organizations are responsible for adhering to the US Internet physical security and safety procedures.
17. User organizations are responsible for developing backup policies and procedures for their data as required based on contracted services.
18. User organizations are responsible for developing their own disaster recovery and business continuity plans that address the inability to access or utilize US Internet’s services.

SECTION 3
TESTING MATRICES

MATRIX 1 PHYSICAL SECURITY

Control Objective Specified by the Service Organization: Control activities provide reasonable assurance that business premises and information systems are protected from unauthorized access, damage and interference.

Column headings: Control Point; Control Activity Specified by the Service Organization; Test Applied by the Service Auditor; Test Results.

1.1
    Control activity: Documented physical security policies and procedures are in place to guide personnel in physical security administration practices.
    Test applied: Inspected the physical security policy and procedural documentation to determine that documented physical security policies and procedures were in place to guide personnel in physical security administration practices.
    Test results: No relevant exceptions noted.

1.2
    Control activity: The main entrance to the facility is monitored and controlled by a receptionist.
    Test applied: Observed the receptionist at the main entrance to the facility to determine that the main entrance to the facility was monitored and controlled by a receptionist.
    Test results: No relevant exceptions noted.
1.3
    Control activity: Visitors are required to sign a visitor log upon entering the facility.
    Test applied: Inspected the facility visitor log for a nonstatistical sample of dates during the review period to determine that a visitor log was available for each date sampled.
    Test results: No relevant exceptions noted.

1.4
    Control activity: A badge access system is utilized to control access to the facility.
    Test applied: Observed the facility entrances to determine that a badge access system was utilized to control access to the facility.
    Test results: No relevant exceptions noted.

1.5
    Control activity: Visitors are required to register at the security desk and present a valid form of identification prior to gaining access to the data center.
    Test applied: Observed the visitor access process to determine that visitors were required to register at the security desk and present identification prior to gaining access to the data center.
    Test results: No relevant exceptions noted.

1.6
    Control activity: Visitors are required to sign an additional visitor log upon entering the data center.
    Test applied: Inspected the data center visitor log for a nonstatistical sample of dates during the review period to determine that a visitor log was available for each date sampled.
    Test results: No relevant exceptions noted.

1.7
    Control activity: Visitors are required to wear a color-coded visitor badge while in the facility and the data center.
    Test applied: Observed the visitor access process to determine that visitors were required to wear a color-coded visitor badge while in the facility and the data center.
    Test results: No relevant exceptions noted.

1.8
    Control activity: A two-factor authentication system that requires both a badge access card and a biometric credential for entry is utilized to control access to the data center.
    Test applied: Observed the data center entrances to determine that a two-factor authentication system that required both a badge access card and a biometric credential for entry was utilized to control access to the data center.
    Test results: No relevant exceptions noted.

1.9
    Control activity: Predefined security groups are utilized to assign role-based access within the facility and the data center.
    Test applied: Inspected the two-factor authentication system user and group listing to determine that predefined security groups were utilized to assign role-based access within the facility and the data center.
    Test results: No relevant exceptions noted.

1.10
    Control activity: The two-factor authentication system logs both successful and unsuccessful access attempts. Access attempts are traceable to specific employee accounts.
    Test applied: Inquired of the setup technician and the director of special projects regarding logging and monitoring to determine that logs generated by the two-factor authentication system were monitored during the review period.
    Test results: No relevant exceptions noted.
    Test applied: Inspected example logs generated by the two-factor authentication system during the review period to determine that the two-factor authentication system logged both successful and unsuccessful access attempts and access attempts were traceable to specific employee accounts.
    Test results: No relevant exceptions noted.
Control Point Control Activity Specified by the Service Organization Test Applied by the Service Auditor Test Results 1.11 Two-factor authentication system users are authenticated via a user account and password prior to performing access administration. Inspected the two-factor authentication system login prompt to determine that users were authenticated via an authorized user account and password prior to performing access administration. No relevant exceptions noted. 1.12 Administrative access privileges to the two-factor authentication system are restricted to user accounts accessible by persons holding the following positions: Inspected the two-factor authentication system administrator listing to determine that administrative access privileges to the two-factor authentication system were restricted to user accounts accessible by persons holding the following positions: No relevant exceptions noted. Director of information technology Setup technicians (2) Director of information technology Setup technicians (2) 1.13 Systems administration personnel revoke physical access privileges as a component of the employee termination process. Inspected the termination checklist and two-factor authentication system user listing for a nonstatistical sample of employees terminated during the review period to determine that systems administration personnel revoked physical access privileges for each terminated employee sampled. No relevant exceptions noted. 1.14 A video surveillance system is in place to monitor activity to and throughout the data center. Observed the video surveillance system to determine that a video surveillance system was in place to monitor activity to and throughout the data center. No relevant exceptions noted. 1.15 The video surveillance system maintains video footage for a minimum of 30 days. 
Test Applied: Inspected the archived video surveillance images recorded during the review period to determine that the video surveillance system maintained video footage for a minimum of 30 days.
Test Results: No relevant exceptions noted.

1.16
Control Activity: Customer hardware is stored in locked cabinets and cages.
Test Applied: Observed the data center to determine that customer hardware was stored in locked cabinets and cages.
Test Results: No relevant exceptions noted.

1.17
Control Activity: Customer cabinets and cages are free of signage that would identify the equipment as belonging to a particular customer.
Test Applied: Observed the data center to determine that customer cabinets and cages were free of signage that would identify the equipment as belonging to a particular customer.
Test Results: No relevant exceptions noted.

1.18
Control Activity: The data center walls extend from the real floor to the real ceiling.
Test Applied: Observed the data center to determine that the data center walls extended from the real floor to the real ceiling.
Test Results: No relevant exceptions noted.

1.19
Control Activity: The data center does not contain exterior windows.
Test Applied: Observed the data center to determine that the data center did not contain exterior windows.
Test Results: No relevant exceptions noted.

MATRIX 2 ENVIRONMENTAL SECURITY

Control Objective Specified by the Service Organization: Control activities provide reasonable assurance that critical information technology infrastructure is protected from certain environmental threats.
2.1
Control Activity: Documented environmental security procedures are in place to guide personnel in the maintenance of environmental control systems.
Test Applied: Inspected the environmental security procedural documentation to determine that documented environmental security procedures were in place to guide personnel in the maintenance of environmental control systems.
Test Results: No relevant exceptions noted.

2.2
Control Activity: The data center is equipped with fire detection and suppression devices that include the following:
- Fire and smoke detectors
- Audible and visual alarms
- Hand-held fire extinguishers
- FM-200 suppression system
Test Applied: Observed the data center to determine that the data center was equipped with the following fire detection and suppression devices:
- Fire and smoke detectors
- Audible and visual alarms
- Hand-held fire extinguishers
- FM-200 suppression system
Test Results: No relevant exceptions noted.

2.3
Control Activity: A third-party vendor inspects the fire detection and suppression equipment on an annual basis to help ensure proper functioning.
Test Applied: Observed the fire detection and suppression equipment inspection tags to determine that a third-party vendor inspected the fire detection and suppression equipment during the review period.
Test Results: No relevant exceptions noted.

2.4
Control Activity: Dedicated heating, ventilation, and air conditioning (HVAC) units are in place to help regulate temperature and humidity levels within the data center.
Test Applied: Inquired of the director of special projects regarding the HVAC units to determine that dedicated HVAC units were in place to help regulate temperature and humidity levels within the data center.
Test Results: No relevant exceptions noted.
Test Applied: Observed the HVAC units to determine that HVAC units were in place.
Test Results: No relevant exceptions noted.
2.5
Control Activity: A third-party vendor inspects the HVAC units on a quarterly basis to help ensure proper functioning.
Test Applied: Inspected the HVAC inspection report for a nonstatistical sample of quarters during the review period to determine that a third-party vendor inspected the HVAC units for each quarter sampled.
Test Results: No relevant exceptions noted.

2.6
Control Activity: Operations personnel inspect the HVAC units on a daily basis to help ensure proper functioning.
Test Applied: Inspected the operations checklist for a nonstatistical sample of dates during the review period to determine that operations personnel inspected the HVAC units for each date sampled.
Test Results: No relevant exceptions noted.

2.7
Control Activity: Redundant UPS systems are in place to provide temporary electricity in the event of a power outage and mitigate the risk of power surges impacting infrastructure in the data center.
Test Applied: Inquired of the director of special projects regarding the UPS systems to determine that redundant UPS systems were in place to provide temporary electricity in the event of a power outage and mitigate the risk of power surges impacting infrastructure in the data center.
Test Results: No relevant exceptions noted.
Test Applied: Observed the UPS systems to determine that UPS systems were in place.
Test Results: No relevant exceptions noted.

2.8
Control Activity: A third-party vendor inspects the UPS systems on a quarterly basis to help ensure proper functioning.
Test Applied: Inspected the UPS inspection report for a nonstatistical sample of quarters during the review period to determine that a third-party vendor inspected the UPS systems for each quarter sampled.
Test Results: No relevant exceptions noted.
2.9
Control Activity: Operations personnel inspect the UPS systems on a daily basis to help ensure proper functioning.
Test Applied: Inspected the operations checklist for a nonstatistical sample of dates during the review period to determine that operations personnel inspected the UPS systems for each date sampled.
Test Results: No relevant exceptions noted.

2.10
Control Activity: Generators are in place to provide power to the data center in the event of a power outage.
Test Applied: Inquired of the director of special projects regarding the generators to determine that generators were in place to provide power to the data center in the event of a power outage.
Test Results: No relevant exceptions noted.
Test Applied: Observed the generators to determine that generators were in place.
Test Results: No relevant exceptions noted.

2.11
Control Activity: A third-party vendor inspects the generators on a quarterly basis to help ensure proper functioning.
Test Applied: Inspected the generator inspection report for a nonstatistical sample of quarters during the review period to determine that a third-party vendor inspected the generators for each quarter sampled.
Test Results: No relevant exceptions noted.

2.12
Control Activity: Operations personnel inspect the generators on a daily basis to help ensure proper functioning.
Test Applied: Inspected the generator checklist for a nonstatistical sample of dates during the review period to determine that operations personnel inspected the generators for each date sampled.
Test Results: No relevant exceptions noted.

2.13
Control Activity: The data center is equipped with raised flooring to facilitate cooling and protect equipment from localized flooding.
Test Applied: Observed the data center to determine that the data center was equipped with raised flooring.
Test Results: No relevant exceptions noted.

2.14
Control Activity: Water detection sensors are located throughout the data center beneath the raised floor.
Test Applied: Observed a nonstatistical sample of water detection sensors to determine that water detection sensors were located throughout the data center beneath the raised floor.
Test Results: No relevant exceptions noted.

2.15
Control Activity: An environmental monitoring system is utilized to monitor environmental conditions within the data center that include, but are not limited to, the following:
- Temperature
- Humidity
Test Applied: Inspected the environmental monitoring system console to determine that an environmental monitoring system was utilized to monitor the following environmental conditions within the data center:
- Temperature
- Humidity
Test Results: No relevant exceptions noted.

2.16
Control Activity: The environmental monitoring system is configured to alert network operations center (NOC) personnel via onscreen alert notifications when predefined thresholds are exceeded for monitored devices.
Test Applied: Inspected the environmental monitoring system configurations and an example onscreen alert notification generated during the review period to determine that the environmental monitoring system was configured to alert NOC personnel via onscreen alert notifications when predefined thresholds were exceeded for monitored devices.
Test Results: No relevant exceptions noted.
MATRIX 3 MONITORING

Control Objective Specified by the Service Organization: Control activities provide reasonable assurance that customer colocation services are monitored for performance deviations.

3.1
Control Activity: Documented incident response and support procedures are in place to guide personnel in processes that include, but are not limited to, the following:
- Severity level definitions
- Escalation procedures
- Response time requirements for service alerts
Test Applied: Inspected the incident response and support procedural documentation to determine that documented incident response and support procedures were in place to guide personnel in the following processes:
- Severity level definitions
- Escalation procedures
- Response time requirements for service alerts
Test Results: No relevant exceptions noted.

3.2
Control Activity: Enterprise monitoring applications are utilized to monitor the network, associated devices, and services for performance metrics that include, but are not limited to, the following:
- Availability of the network, host services, and ports
- Bandwidth utilization and performance
- Central processing unit (CPU) and hard disk utilization
Test Applied: Inspected the enterprise monitoring application consoles to determine that enterprise monitoring applications were utilized to monitor the network, associated devices, and services for the following performance metrics:
- Availability of the network, host services, and ports
- Bandwidth utilization and performance
- CPU and hard disk utilization
Test Results: No relevant exceptions noted.

3.3
Control Activity: The enterprise monitoring applications are configured to notify NOC personnel via onscreen alert notifications when predefined thresholds are exceeded on monitored devices.
Test Applied: Inspected the enterprise monitoring application configurations and example onscreen alert notifications generated during the review period to determine that the enterprise monitoring applications were configured to notify NOC personnel via onscreen alert notifications when predefined thresholds were exceeded on monitored devices.
Test Results: No relevant exceptions noted.

3.4
Control Activity: An automated issue management system is utilized to document, prioritize, escalate, and resolve problems affecting customer services.
Test Applied: Inspected the issue management console and an example incident ticket generated during the review period to determine that an automated issue management system was utilized to document, prioritize, escalate, and resolve problems affecting customer services.
Test Results: No relevant exceptions noted.

3.5
Control Activity: Operations personnel utilize predefined severity levels to categorize and escalate outages.
Test Applied: Inspected the incident response and support procedural documentation to determine that operations personnel utilized predefined severity levels to categorize and escalate outages.
Test Results: No relevant exceptions noted.

3.6
Control Activity: NOC personnel are scheduled 24 hours per day for the monitoring and resolution of problems affecting customer services.
Test Applied: Inspected the staffing schedule to determine that NOC personnel were scheduled 24 hours per day for the monitoring and resolution of problems affecting customer services.
Test Results: No relevant exceptions noted.

3.7
Control Activity: Spare hardware parts are maintained to provide redundancy in the event of hardware issues.
Test Applied: Observed the spare hardware parts to determine that spare hardware parts were maintained to provide redundancy in the event of hardware issues.
Test Results: No relevant exceptions noted.