System and Organization Controls 2

Report (SOC 2) Type 1

Description of InShared’s Software as a Service (SaaS) Solution and on

the suitability of the design and implementation of its controls to
meet the applicable Trust Services Criteria
and Cloud Controls Matrix Criteria.

Prepared in accordance with International Standard on Assurance

Engagements 3000 (ISAE 3000)1
31 May 2020

1 This report, including the description of test of controls and results thereof, is intended solely for the information and use of user entities of InShared’s SaaS

solution and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including infor-

mation about controls implemented by user entities themselves. This report is not intended to be and should not be used by anyone other than these speci-

fied parties.
 Table of contents
Section 1 - Management of InShared’s assertion regarding its CynoSure
Platform
1 Management Assertion 7

Section 2 - Independent Service Auditor’s Report for the applicable Trust

Service Criteria and CCM Criteria
2 Independent Service Auditor’s Report 9

Section 3 - InShared’s description of the CynoSure platform and SaaS solution

services as at 31 May, 2020
3 Description of Cynosure Platform 14
3.1 Business Description 14
3.2 Applicability of Report 14
3.3 CynoSure Report Scope Boundary 15
3.3.1 Front-end 15
3.3.2 Portals 15
3.3.3 Back-end 15
3.3.4 Integration 16
3.4 InShared Teams 16
3.5 Locations of InShared 17
3.5.1 Locations Datacentres 17
3.5.2 Locations Software Development, Operations and NOC 17
3.5.3 Locations SOC 18
3.6 Communications 18
3.6.1 Policies 18
3.6.2 Service Level Agreements 18
3.6.3 Customer Communication 18

4 InShared enterprise architecture 19

4.1 TOGAF (Infrastructure and Software) 19
4.1.1 Internal Infrastructure Services 19
4.1.2 Virtual Infrastructure 22
4.1.3 Application services 24
4.1.4 Presentation services 25
4.2 JERICHO (People) 25
4.2.1 Integrity and Ethical Values 25

2
4.2.2 Risk Management Program 26
4.2.3 Information Security Program 28
4.2.4 Operational Access 30
4.2.5 Directory and Organizational Identity Services Access Management 32
4.2.6 Vulnerability Management 32
4.2.7 Continuity and resiliency 34
4.2.8 Baseline Configuration 35
4.2.9 Monitoring 35
4.3 ITIL (procedures) 36
4.3.1 Change Management 36
4.3.2 Software Development 38
4.3.3 Incident Management 40
4.3.4 Logical Access 41
4.3.5 Asset Management 42
4.4 SABSA (Data) 43
4.4.1 Data 43
4.4.2 Data ownership 43
4.4.3 Data Classification and Confidentiality Policy 43
4.4.4 Cryptographic controls 43
4.4.5 Backup 43
4.4.6 Data Redundancy and Replication 44
4.4.7 Data Segregation 44
4.4.8 Platform Communication 44
4.4.9 CynoSure Platform Communication 44
5 Complementary User Entity Control (CUEC) 45
6 Complementary Subservice Organization Controls (CSOCs) 46

Section 4 - Applicable Trust Services Criteria and CCM Criteria, Related Controls
and Results of PwC's Tests of Design Effectiveness and Implementation
7 Part A: Trust Service Criteria, The controls established and specified by InShared and Test results
provided by PwC 52
7.1.1 Control Environment 52
7.1.2 Communication and Information 56
7.1.3 Risk assessment 59
7.1.4 Monitoring activities 65
7.1.5 Control activities 67
7.1.6 Logical & Physical Access Controls 74
7.1.7 System Operations 90
7.1.8 Change Management 99

3
7.1.9 Risk Mitigation 101
7.1.10 Additional Criteria for Availability 103
7.1.11 Additional Criteria for Confidentiality 106

8 Part B: Cloud control matrix Criteria, The controls established and specified by InShared and Test
results provided by Pwc 109
8.1.1 Application & Interface Security (AIS) 109
8.1.2 Audit Assurance and Compliance (AAC) 113
8.1.3 Business Continuity Management and Operational Resilience (BCR) 115
8.1.4 Change Control and Configuration Management (CCC) 123
8.1.5 Datacentre Security (DCS) 127
8.1.6 Data Security and Information Lifecycle Management (DSI) 131
8.1.7 Encryption and Key Management (EKM) 136
8.1.8 Governance and Risk Management (GRM) 139
8.1.9 Human Resources (HRS) 147
8.1.10 Identity and Access Management (IAM) 153
8.1.11 Infrastructure and Virtualization Security (IVS) 170
8.1.12 Interoperability and Portability (IPY) 183
8.1.13 Security Incident Management, E-Discovery & Cloud Forensics (SEF) 186
8.1.14 Supply Chain Management, Transparency and Accountability (STA) 189
8.1.15 Threat and Vulnerability Management (TVM) 198

9 Part C: description of the tests performed by PwC to determine whether InShared’s controls were
effectively designed and sufficiently implemented and the results of testing 201
9.1.1 Entity Level (ELC) 201
9.1.2 Information Security Program (IS) 202
9.1.3 Logical Customer Access (LA) 205
9.1.4 Operator Access (OA) 206
9.1.5 Data Security (DS) 210
9.1.6 Change Management (CM) 213
9.1.7 Software Development (SDL) 215
9.1.8 Vulnerability Management (VM) 216
9.1.9 Incident Management (IM) 218
9.1.10 Physical and Environmental Security (PE) 219
9.1.11 Business Continuity and Resilience (BC) 220
9.1.12 Processing integrity (PI) 222
9.1.13 SOC2 223
9.1.14 CCM 226

4
Appendices
Appendix 1: CSA Enterprise Architecture 228
Appendix 2: Enterprise architecture vs description criteria 229

5
 Section 1

Management of
InShared’s assertion
regarding its CynoSure
Platform

6
1 MANAGEMENT ASSERTION

May 31, 2020

We have prepared the description titled, “Section 3 - InShared’s description of the CynoSure platform and
SaaS solution services”, (the “Description”), based on the criteria for a description of a service organiza-
tion’s system defined in DC Section 200, Description Criteria for a Description of a Service Organization’s
System in a SOC 2 Report (the “Description Criteria”). The description is intended to provide users with in-
formation about the CynoSure platform infrastructure, particularly system controls intended to meet the
criteria for the Security criteria (applicable 2017 Trust Services Criteria) set forth in TSP Section 100, and the
applicable criteria set forth in the CSA Cloud Controls Matrix (CCM) Version 3.0.1 control specifications
(CCM Criteria).

InShared uses subservice organizations to provide services for security operations and datacenter services.
The description indicates that complementary subservice organization controls that are effectively de-
signed and sufficiently implemented are necessary, along with controls at InShared, to achieve InShared’s
service commitments and system requirements based on the applicable Trust Services Criteria and CCM
Criteria. The description presents InShared’s controls, the applicable Trust Services Criteria and CCM Crite-
ria, and the types of complementary subservice organization controls assumed in the design of InShared’s
controls. The description does not disclose the actual controls at the subservice organization. The descrip-
tion indicates that complementary user entity controls that are effectively designed and sufficiently imple-
mented are necessary, along with controls at InShared, to achieve InShared’s service commitments and sys-
tem requirements based on the applicable Trust Services Criteria and CCM Criteria. The description pre-
sents InShared’s controls, the applicable Trust Services Criteria and CCM Criteria, and the complementary
user entity controls assumed in the design of InShared’s controls.

We confirm, to the best of our knowledge and belief, that

a. the description fairly presents the CynoSure platform infrastructure as at May 31, 2020, based on
the following description criteria:
i. The description contains the following information:
 The types of services provided.
 The components of the system used to provide the services, which are the follow-
ing:
a) Infrastructure. The physical and hardware components of a system (facili-
ties, equipment, and networks)
b) Software. The programs and operating software of a system (systems, ap-
plications, and utilities)
c) People. The personnel involved in the operation and use of a system (de-
velopers, operators, users, and managers)
d) Procedures. The automated and manual procedures involved in the opera-
tion of a system

7
 e) Data. The information used and supported by a system (transaction
streams, files, databases, and tables).
 The boundaries or aspects of the system covered by the description.
 How the system captures and addresses significant events and conditions.
 The process used to prepare and deliver reports and other information to user enti-
ties or other parties.
 Services performed by subservice organizations, including whether the carve-out
method or the inclusive method has been used in relation to them.
 For subservice organizations presented using the carve-out method, the nature of
the services provided by the subservice organization; each of the applicable trust
services criteria that are intended to be met by controls at the subservice organiza-
tion, alone or in combination with controls at the service organization, and the
types of controls expected to be implemented at carved-out subservice organiza-
tions to meet those criteria.
 Controls that we assumed, in the design of the system, would be implemented by
clients, and which, if necessary, to achieve control objectives stated in the accom-
panying description, are identified in the description along with the specific control
objectives that cannot be achieved by InShared alone.
 Any applicable trust services criteria that are not addressed by a control at the ser-
vice organization and the reasons therefore.
 Other aspects of InShared’s control environment, risk assessment process, infor-
mation and communication systems, and monitoring of controls that are relevant
to the services provided and the applicable trust services criteria.
ii. The description does not omit or distort information relevant to the InShared’s system
while acknowledging that the description is prepared to meet the common needs of a
broad range of users and may not, therefore, include every aspect of the system that each
individual user may consider important to his or her own particular needs.

b. the controls stated in the description were suitably designed as at May 31, 2020, to meet the appli-
cable trust services criteria and the CCM criteria, including that:
i. the risks that threatened achievement of the control objectives stated in the description
were identified; and
ii. the identified controls would, if operated as described, provide reasonable assurance that
those risks did not prevent the stated control objectives from being achieved.

Marcel Viester Peter Toonen

Managing Director IT Director
InShared Holding B.V. InShared Holding B.V.

8
2 INDEPENDENT SERVICE AUDITOR’S REPORT

Section
2

Independent Service Auditor’s

Report for the Applicable
Trust Service Criteria and
CCM Criteria
Assurance report of the independent auditor

To: the management of InShared Holding B.V.

Type 1 Independent assurance report on Security, Availability

and Confidentiality Trust Services Criteria and Cloud Controls
Matrix Criteria for InShared’s CynoSure platform and SaaS solu-
tion services
Our opinion
In our opinion, in all material aspects, based on the description criteria identified in the management of In-
Shared’s Assertion and the applicable Trust Services Criteria and Cloud Controls Matrix Criteria,
a. the description fairly presents the system that was designed and implemented as at May 31, 2020;

b. the controls stated in the description were suitable designed to provide reasonable assurance that the
applicable Trust Services Criteria and Cloud Controls Matrix Criteria would be met if the controls
operated effectively as at May 31, 2020; and

c. the controls stated in the description were implemented as at May 31, 2020.

What we have examined

We have examined the description in the section titled, “Section 3 - InShared’s description of the CynoSure
platform and SaaS solution services as at 31 May, 2020”, (the “Description”), based on the criteria for a de-
scription of a service organization’s system defined in DC Section 200, Description Criteria for a Description
of a Service Organization’s System in a SOC 2 Report (the “Description Criteria”) and the suitability of the
design and implementation of controls described therein as at 31 May, 2020 (the “Controls”) to meet the cri-
teria for the Security, Availability and Confidentiality criteria (applicable 2017 Trust Services Criteria) set
forth in TSP Section 100, and the applicable criteria set forth in the CSA Cloud Controls Matrix (CCM) Ver-
sion 3.0.1 control specifications (CCM Criteria) (the “Control Objectives”).

InShared uses subservice organizations to provide services for security operations and datacenter services.
The description indicates that complementary subservice organization controls that are effectively designed
and sufficiently implemented are necessary, along with controls at InShared, to achieve InShared’s service
commitments and system requirements based on the applicable Trust Services Criteria and CCM Criteria.
The description presents InShared’s controls, the applicable Trust Services Criteria and CCM Criteria, and
the types of complementary subservice organization controls assumed in the design of InShared’s controls.
The description does not disclose the actual controls at the subservice organization. Our examination did not
include the services provided by the subservice organization, and we have not evaluated the effectiveness of
the design or implementation of such complementary subservice organization controls.

The basis for our opinion

We conducted our examination in accordance with Dutch law, including the Dutch Standard 3000A Assur-
ance engagements, other than audits or reviews of historical financial information (attestation-engage-
ments). This engagement is aimed to provide reasonable assurance. Our responsibilities under this standard
are further described in the section ‘Our responsibilities for the examination’ of our report.
We believe that the assurance information we have obtained is sufficient and appropriate to provide a basis
for our opinion.

Independence and quality control

We are independent of InShared B.V. in accordance with the ‘Verordening inzake de onafhankelijkheid van
accountants bij assurance opdrachten’ (ViO, Code of Ethics for Professional Accountants, a regulation with
respect to independence) and other relevant independence requirements in the Netherlands. Furthermore,
we have complied with the ‘Verordening gedrags- en beroepsregels accountants’ (VGBA, Code of Ethics for
Professional Accountants, a regulation with respect to rules of professional conduct).

We apply the ‘Nadere voorschriften kwaliteitssystemen’ (NVKS, Regulations for quality systems) and accord-
ingly maintain a comprehensive system of quality control including documented policies and procedures re-
garding compliance with ethical requirements, professional standards and other applicable legal and regula-
tory requirements.

Inherent limitations
Because of the inherent limitations of any internal control structure it is possible that, even if the controls are
suitably designed and implemented as designed, once the controls are in operation the control objectives
may not be achieved so that fraud, error, or non-compliance with laws and regulations may occur and not be
detected.

An assurance engagement on the implementation of controls at a specified date does not provide assurance
on whether the controls operated effectively as designed or will operate effectively in the future. Any projec-
tion of the outcome of the evaluation of the suitability of the design of controls to future periods is subject to
the risk that the controls may become unsuitable because of changes in conditions.

Restriction on use and distribution

Our report is addressed to and intended for the exclusive use by the management of InShared, to report to
(prospective) customers of the CynoSure platform and SaaS solution services and may not be used for any
other purpose. This report is not to be relied on by any third parties (other parties) as such parties are not
aware of the purpose of the services and they could interpret the results incorrectly. The assurance report (or
any part of it) may not be made available in any form to third parties without our prior written consent. We
do not accept or assume and deny any liability, duty of care or responsibility to any parties other than the ad-
dressee of this assurance report.

Responsibilities
Responsibilities of management
Management of InShared B.V. has provided its accompanying assertion titled “Section 1 – Management of
InShared’s Assertion Regarding its CynoSure platform and SaaS solution services” regarding the fairness of
the presentation of the description based on the description criteria and suitability of the design and imple-
mentation of the controls described therein to meet the applicable Trust Services Criteria and the Cloud Con-
trols Matrix Criteria. Management of InShared is responsible for:

a. preparing the description and the assertion;

b. the completeness, accuracy, and method of presentation of both the description and assertion;

c. providing the services covered by the description;

 d. specifying the controls that meet the applicable Trust Services Criteria and the Cloud Controls Matrix
Criteria and stating them in the description; and

e. designing, implementing, and documenting the controls to meet the Trust Services Criteria and the
Cloud Controls Matrix Criteria.

Our responsibilities
Our responsibility is to plan and perform our examination in a manner that allows us to obtain sufficient and
appropriate evidence to provide a basis for our opinion. Our opinion aims to provide reasonable assurance
about whether, in all material respects, the Description is fairly presented based on the Description Criteria
and the controls where suitably designed and implemented to meet the applicable Trust Services Criteria and
Cloud Controls Matrix Criteria, as at 31 May 2020. Reasonable assurance is a high but not absolute level of
assurance, which makes it possible that we may not detect all material misstatements. Misstatements may
arise due to fraud or error.

We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our
opinion.

Procedures performed
An assurance engagement includes, amongst others, examining appropriate. We have exercised professional
judgement and have maintained professional scepticism throughout the examination in accordance with the
Dutch Standard 3000A, ethical requirements and independence requirements. The specific controls tested,
and the nature, timing, and results of those tests are presented in the section titled, “Section 4 - Applicable
Trust Services Criteria and CCM Criteria, Related Controls and Results of PwC's Tests of Design Effectiveness
and Implementation” of this type 1 report.

Amsterdam, 10 July 2020

PricewaterhouseCoopers Accountants N.V.

Original has been signed by M.R. Pauw RE

 Section 3

InShared’s description
of the CynoSure plat-
form and SaaS solution
services as at 31 May,
2020
3 DESCRIPTION OF CYNOSURE PLATFORM

3.1 Business Description

InShared designed and built an insurance platform from the ground. CynoSure, the in-house built platform,
allows various modules to be installed and switched on and off as desired. InShared offers this SaaS solu-
tion to allow tenants to adjust the platform based on brand, customers, and market situation, increasing
customer satisfaction and lowering costs significantly.

3.2 Applicability of Report

Service commitments to tenants are documented and communicated in Service Level Agreements (SLAs)
and other customer agreements such as the contract, as well as in the description of the service offering
provided online. As a minimum InShared should comply with the applicable control specifications from the
Cloud Security Alliance Cloud Controls Matrix CCM 3.0.1. InShared has established operational require-
ments that support the achievement of service commitments, relevant laws and regulations, and other sys-
tem requirements. Such requirements are defined in InShared’s system policies and procedures as de-
scribed within section “InShared enterprise architecture”.

This service organization control report has been prepared to provide information on
InShared’s internal controls of the CynoSure platform and SaaS solution services, that is considered rele-
vant to customers pursuing the Security Trust Service Criteria and Cloud Security Alliance Cloud Controls
Matrix Criteria. InShared has considered the principal service commitments, which is as a minimum to com-
ply with the applicable control specifications from the Cloud Security Alliance Cloud Controls Matrix CCM
3.0.1, to determine applicability of the 2017 Trust Service Criteria. Based on the guidance from AICPA, the
following are the applicability considerations:

Trust Services Criteria Description

Security Addresses risks related to potential abuse, theft, misuse and improper access
to system components

Availability Addresses risks related to system accessibility for processing, monitoring and
maintenance

Confidentiality Addresses risks related to unauthorized access or disclosure of specific infor-

mation designated as “confidential” within contractual arrangements

As such, the detail herein is limited to operational controls supporting the platform as defined in the scope
boundary described in the next section.

14
3.3 CynoSure Report Scope Boundary
The CynoSure platform elements that are in scope for this report are divided in the front-end (3.3.1) portals
(3.3.2), the back-end (3.3.3) and the integration (3.3.4).

3.3.1 Front-end

CynoSure offers a framework for creating websites and web portals. For white label solutions this means a
highly customizable responsive front-end framework.

3.3.2 Portals

The four portals offer functionality to support insurance processes.

 CynoClaim, the claims handling portal provides functionality for reporting and handling of claims
on insurance policies. The CynoClaim portal supports all aspects of the claims process from online
notification to claims handling and settlement. Claims processing is fully automated. Straight-
through processing is employed throughout the whole CynoSure platform, there is an automated
change for no-claims bonuses and the adjustment and payment of claims. The online policy map
provides customers with all possible assistance and information they need to streamline the pro-
cess. A call centre has access to all data if needed.
 CynoAssist, the customer service portal, provides functionality for answering customer questions.
CynoAssist is the integrated single customer and product view for client contracts.
 CynoCTRL, the application management portal, provides functionality for maintaining variables in
the platform. The CynoCTRL portal is a way to manage portals and change all possible variables,
such as products, rating models, and underwriting rules. Controlled by functional and data access
profiling, which is all built on flexible webservices.
 CynoLytics, the analytics portal, is the real-time analysis and reporting of website usage, customer
search behaviour, and sales funnel conversion. CynoSure presents an integrated and constant view
of all customer interactions and all aspects of the platform through the web.

3.3.3 Back-end

The CynoSure platform provides a back-end solution where functionality is accessed via webservices. The
platform can be integrated with third-party software. The platform offers a range of portals, through which
the platform functionality is available (via webservices). More specifically, the platform offers its functional-
ity through four components:

 The CynoSure component is the heart of the platform and offers functionalities for customer ad-
ministration, quotations, underwriting, insurance, invoicing.
 The CynoClaim component offers functionality for the reporting and adjusting of claims.
 The CynoDocs component offers functionality for sending, receiving, archiving, retrieving and pre-
senting documents.
 The Cynolytics component offers functionality for collecting, storing, retrieving, reporting and, ana-
lysing the available data of the platform.

15
3.3.4 Integration

The facilities offered to the tenant to interface with the CynoSure platform services are as follows:

 Data exchange API: the platform can be integrated with databases needed to support the insurance
processes.
 Webservice catalogue: for the development of the tenant website, the tenant will need to inte-
grate with the platform. For this purpose, InShared makes available a set of webservices for devel-
opers through a catalogue, which can be accessed by browser and the right login credentials in
combination with an SSL certificate. In the catalogue the documentation about these webservices
are available in order to have a smooth development supported.

3.4 InShared Teams

InShared is comprised and supported by the following teams who are responsible for the delivery and man-
agement of the CynoSure platform:
InShared CIO

Inforamtion
security office

Operations

Team Team Team Team Team

Team Finance Team Data Team Claims
Templates Documents Frontend Insurance Infrastructure

Workplace
management

NOC

SOC

16
3.5 Locations of InShared

The locations where data, that is covered in this report, is processed are divided in three focus area’s; the
datacentres (3.5.1), software development, operations and NOC services (3.5.2) and SOC services (3.5.3)

Datacenters

Software development, operations and NOC

SOC

3.5.1 Locations Datacentres

The CynoSure production platform is in globally distributed datacentres. These datacentres deliver the core
physical infrastructure that includes physical security, power supply and internet access.
These datacentres are managed, monitored, and operated by Equinix and Digital Realty delivering online
services with 24x7 continuity. The datacentres in scope for the purposes of this report are:
 Equinix AM5 Schepenbergweg 42, 1105 AT Amsterdam, The Netherlands
 Equinix TR2 45 Parliament St, Toronto, ON M5A 2Y5, Canada
 Digital Realty H.J.E. Wenckebachweg 127, 1096 AM Amsterdam, The Netherlands

3.5.2 Locations Software Development, Operations and NOC

All hardware asset management, security, data protection, and networking services are managed, moni-
tored, and operated by InShared delivering online services with 24x7 continuity. The infrastructure moni-
toring is supported by SPS B.V.:

 The office of InShared is located at Leusderend 56, 3832 RC Leusden, The Netherlands.
 The office of SPS B.V. is located at Buitenomweg 17, 2811 BM Reeuwijk, The Netherlands

17
3.5.3 Locations SOC

In addition to datacentre, network, and personnel security practices, the CynoSure insurance platform also
incorporates security practices at the application and platform layers to enhance security for application
development and service administration. The security of the platform is monitored using a Security Intru-
sion and Event Management (SIEM) system and monitoring service. This service is executed by Tesorion:

 The office of Tesorion is located at Fokkerstraat 4, 3833 LD Leusden, The Netherlands

3.6 Communications

3.6.1 Policies

InShared maintains communication with employees using corporate intranet sites, email, training and (cor-
porate) meetings. The communications include, but are not limited to, InShared policies and procedures,
corporate events, new initiatives, and awareness on security.

3.6.2 Service Level Agreements

InShared details commitments made regarding delivery or performance of services. These details are in-
cluded in the Service Level Agreements (SLAs) available for each client as an appendix of their contract.

3.6.3 Customer Communication

Communication with customers is primarily achieved through the following options:

 Service Desk
 Service Level Reports
 Email
 Telephone

The InShared Security Office (ISO) monitors, responds to, and resolves security incidents and vulnerabilities
in the CynoSure platform. The ISO is on constant alert for security threats, monitoring security newsgroups,
and responding to reported vulnerabilities. Customers and other third parties are encouraged to report sus-
pected vulnerabilities by emailing [email protected].

18
4 INSHARED ENTERPRISE ARCHITECTURE
InShared uses the best practice enterprise architecture method of the Cloud Security Alliance, the CSA En-
terprise Architecture. The CSA Enterprise Architecture (see appendix 1) is divided in 4 areas: TOGAF (see
4.1), JERICHO (see 4.2), ITIL (see 4.3) and SABSA (see 4.5).

Each area describes the Enterprise Architecture with a different perspective. In the CSA Enterprise Architec-
ture, the focus per area is the cloud service delivery. The Trust Services Criteria regarding the components
of the CynoSure platform include the following aspects: infrastructure, software, people, procedures and
data divided upon the areas.

4.1 TOGAF (Infrastructure and Software)

TOGAF is based on four interrelated areas of specialization called architecture domains: business architec-
ture, data architecture, application architecture and technical / technology architecture. The TOGAF archi-
tecture is described in this paragraph and displayed in the appendix.

4.1.1 Internal Infrastructure Services

The internal infrastructure consists of facility services, availability services, servers, storage and network.

19
4.1.1.1 Facility security at the InShared headquarters

The headquarters of InShared is in Leusden. Access to the office of the team servicing the CynoSure plat-
form is limited to IT personnel only. Cleaning staff is only granted access during office hours on Wednesday.
All visitors must log their access in the visitor logbook. Headquarters has a dedicated connection with data-
centre Equinix in Amsterdam. This connection is redundant using a fallback internet VPN connectivity.

4.1.1.2 Facility security at the datacentres

InShared uses three datacentres to facilitate the infrastructure for the CynoSure platform. The infrastruc-
ture is owned and managed by InShared. Two datacentres are in Amsterdam (Equinix and Digital Realty)
and one datacentre is in Toronto. A risk assessment has been executed for the distance between both data-
centres in Amsterdam. The net risk is within the risk appetite of the CynoSure platform.

The datacentres have implemented operational procedures to restrict physical access to only authorized
employees, contractors, and visitors. Temporary or permanent access requests are tracked using a ticketing
system. Badges are either issued or activated for personnel requiring access after verification of identity.
The Datacentre Management Team is responsible for reviewing datacentre access on a regular basis and
for conducting a quarterly audit to verify individual access requirements.

The Infrastructure Team of InShared can request physical access to the datacentres. Prior to the visit a
ticket must be generated by the team. Main access to the datacentre facilities are typically restricted to a
single point of entry that is managed by security personnel. At the reception all visitors must identify them-
selves (official ID) and bring along the ticket (QR code) and share a bio print (hand or finger). Access is only
granted for visitors to the areas which are included in the ticket. Rooms within the datacentres that contain
critical systems (servers, generators, electrical panels, network equipment, etc.) are restricted through vari-
ous security mechanisms, such as electronic card access control, keyed lock on each individual door, man
traps, and / or biometric devices.

Employees of the datacentres have no access to the machines of InShared as the cabinet of InShared is
locked. Only the Infrastructure Team can unlock the cabinet. In case of an emergency where the Infrastruc-
ture Team can not physically visit the location in time, especially in Toronto, Equinix provides a smart hands
service. This service can enter the cabinet using a strict procedure to execute physical action such as plug-
ging a network cable or to accompany a supplier during equipment maintenance. This service is audited via
the SOC2 certification.

Datacentre surveillance systems monitor critical datacentre areas like datacentre main entry / exit, data-
centre co-locations entry / exit, cages, locked cabinets, aisle ways, shipping and receiving areas, critical en-
vironments, perimeter doors, and parking areas. Surveillance recordings are retained for 90 days or as the
local law dictates.

The datacentre facilities have power backup and environmental protection systems. The Datacentre Man-
agement Team or the contracted vendor performs regular maintenance and testing of these systems.

20
4.1.1.3 Facility certification

All datacentres are certified for several security standards including ISO27001 and SOC2. These certifica-
tions are reviewed annually by InShared to verify that the controls which are transferred are effective.

The datacentres provision the facility including 24x7 security personnel, power supply, physical security and
heating, ventilation, and air conditioning (HVAC). Datacentre physical security management reviews and
approves the incident response procedures on a yearly basis. The incident security response procedures
detail the appropriate steps to be taken in the event of a security incident and the methods to report secu-
rity weaknesses. Within the facility all provisioning are redundant (N+1). The internet connectivity is facili-
tated by the datacentre as the datacentre uses several providers and provides high availability.

4.1.1.4 Datacentre availability services

All datacentres are mutually connected. In Amsterdam dark fibre is used via two physical separated routes.
Between Amsterdam and Toronto, the cloud exchange connection is provided by Equinix.

In each datacentre InShared has one cabinet where the equipment is installed. All devices (servers,
switches, storage, backup-devices, connections) are registered in the InShared Net box application.

All components in the cabinet are redundant by design, including the internet power supply. If one compo-
nent is failing, the availability is not influenced. If the complete cabinet is not available, the disaster recov-
ery plan is activated using the zert0 recovery technique at the secondary datacentre:
Label Primary location Secondary location Offsite Backup location

Onlia Equinix Toronto Equinix Amsterdam Azure Canada

Zurich Equinix Amsterdam Digital Realty Amsterdam Digital Realty Amsterdam

4.1.1.5 Servers, storage and network

The internal infrastructure of the InShared platform consists of the following elements:
 InShared uses virtual Windows and Linux servers to provide the CynoSure platform. All are running
on Cisco blade servers in a chassis. The virtualisation is managed using VMware.
 All data is stored using Pure Storage solid state array. The storage facilitates encryption and redun-
dancy.
 InShared uses Cisco switches for networking and storage access. FortiGate firewalls separate the
network between segments, between the network and the internet and, additionally, provides Net-
work Time Protocol (NTP).
 Certificates and load balancing are managed using Big IP provided by F5.

Patch management uses a planner to execute all periodic patches upon all components. Security patches
and updates are monitored by the Infrastructure Team using the security news groups and supplier news-
letters. Windows servers are updated upon the monthly update cycle (WSUS). Linux is updated using Ansi-
ble and Spacewalk.

21
4.1.2 Virtual Infrastructure

The virtual infrastructure consists of virtual machines built in different zones granting a private access path
per client of the CynoSure platform.

22
4.1.2.1 Steppingstones

InShared uses steppingstones to protect its most valuable systems and data. The most valuable data is
stored in the core environment (zone 4). To gain access to the core environment you must pass from zone 0
to zone 4. Each zone has a higher level of security and is divided using authorisation, firewalling and seg-
mentation. Prior to access zone 4, access must be granted to all other zones step by step.

4.1.2.2 Logical access path CynoSure platform client

The CynoSure platform is hosted upon virtual servers (Windows and Linux), virtual storage (LUN) and virtual
network segments. Each client of the CynoSure platform is provided a separated dataset (storage) and a
private connection using VPN and certificates. The logical access path from zone 0 to zone 4 is built per cli-
ent in a private path as follows:

ClientVPN

or Frontend
Loadbalancing PHP
Database
and filtering Framework
Frontend webservice
(Cloud
Exchange)

23
4.1.2.3 Logical access path CynoSure platform

The logical access path of InShared (database and infrastructure) administrators is limited using different
perimeters:
 IP blocking, whitelisting and certificates, only certain IPs can access the machines in zone 4.
 Wi-Fi blocking, the machines in zone 4 are not accessible by Wi-Fi or mobile devices.

4.1.3 Application services

During the development of and changes to the CynoSure platform, security baselines and standards are
used to provide security by design. The Security Incident and Event Monitoring (SIEM) system serviced by
an external Security Operations Centre (SOC), monitors the security of the CynoSure platform during opera-
tions. The physical security of the datacentres is implemented by the datacentres Equinix, Digital Realty and
the Azure backup proven by their certification (SOC2, ISO27001). Data exchange between the clients of In-
Shared and the CynoSure platform is managed using webservices. These webservices are built using the
OWASP security standards and input /output validation controls.

The development process starts with the requests and incidents in Jira. Code is managed, inspected, tested
and released using Bitbucket and Bamboo. After release the application servers are tested by the external
vulnerability tester who tests the CynoSure platform four times per year (two internal and two external
tests).

24
4.1.4 Presentation services

The presentation of the CynoSure platform for insured customers is via the frontends. The end user can ac-
cess the portals. The key users also have access and contact to the service desk and the Jira portal for re-
quests and incidents. An FTP service can be used to exchange information between the client and InShared,
for example for external leads.

4.2 JERICHO (People)

The most important concept of Jericho is de-parameterization: information cannot be protected by safely
shielding it using firewalls and demilitarized zones (DMZ), but information must be protected at the level of
the data elements themselves. Security and Risk Management are key in this architecture.

4.2.1 Integrity and Ethical Values

Corporate governance at InShared starts with an independent managing board that establishes, maintains,
and monitors standards and policies for ethics, business practices, and compliance that span across the
company. Corporate governance at InShared serves several purposes:

1. To establish and preserve management accountability by appropriately distributing rights and re-
sponsibilities among management team members, managers, and shareholders;
2. To provide a structure through which management and the Board set and attain objectives and
monitor performance;
3. To strengthen and safeguard a culture of business integrity and responsible business practices;

25
 4. To encourage efficient use of resources and to require accountability for stewardship of these re-
sources.

Further information about InShared’s general corporate governance is described in the Risk Management
Policy and Integrity Policy.

4.2.1.1 InShared Integrity Policy

The InShared Integrity Policy reflects a commitment to ethical business practices and regulatory compli-
ance. These summarize the principles and policies that guide InShared’s business activities and provide in-
formation about InShared’s Systematic Integrity Risk Assessment (SIRA). Integrity training is integrated
within the InShared Academy.

4.2.1.2 Accountability

All InShared staff are accountable for understanding and adhering to the guidance contained in the In-
Shared Security Policy and any applicable supporting procedures. Individuals not employed by InShared,
but allowed to access, manage, or process information assets of the CynoSure environment and datacen-
tres, are also accountable for understanding and adhering to the guidance contained in the Security Policy
and standards.

4.2.1.3 Internal communication

Responsibilities around internal controls are communicated broadly through the quarterly RMO (Risk Man-
agement Overleg) meetings, the InShared Academy, InSharedOut (the intranet) and a yearly Shared Talk
regarding privacy and security.

4.2.1.4 Internal Audit Department

InShared is internally audited by Achmea. Achmea is the 100% shareholder (mother company) of InShared
Holding BV. Achmea has an Internal Audit (IA) function that reports directly to the Management of In-
Shared, the Supervisory Board (SB) of InShared and to the Achmea Holding BV. Responsibilities of IA include
performing audits and reporting issues and recommendations to Management and the SB of InShared.

4.2.2 Risk Management Program

Governance of risk and compliance follows the Risk and Compliance Policy of InShared. This policy includes
the risk appetite PDCA cycle of the Risk Management Program. Vendor management assures that the risk
management of InShared is also applied by the vendors. The awareness program assures that employees
are actively involved in managing risks.

The Risk Team, the second line of defence, monitors the risks and issues each week in the RO meeting (Risk
Overleg) and reports each quarter to the Management Team of InShared during the RMO. The Board of Di-
rectors receives the meeting minutes of the RMO as part of their supervisory role.

26
4.2.2.1 Practices for identification of risk

The Risk Team of InShared provides management and accountability of InShared’s short- and long-term
risks. This team collaborates with the following parties to perform risk assessments.
Party Formal meetings periodicity Risk assessment type

Risk Team including Com- Risk Overleg (RO) Weekly Dashboard with heatmap
pliance Officer

Management Team In- Risk Management Overleg Quarterly Risk map

Shared (RMO)

Internal Audit Achmea & Risk & Compliance Overleg Quarterly Internal Audits
Risk Achmea (RCO)

Management Team of In- Business Impact Analyse Yearly Business Impact Analysis
Shared assessment

4.2.2.2 Periodical risk assessment

On a weekly basis risks are discussed in the RO, facilitated and participated by the Risk Team. Quarterly,
identified risks are assessed in the RMO facilitated by the Risk Team and participated by the Management
Team of InShared.

The second line of defence performs a yearly risk assessment (business impact analysis) with the key man-
agers of InShared. The assessment is reviewed by Senior Management.

4.2.2.3 Fraud risks

The Management Team of InShared is responsible for detection and mitigation of internal fraud risks. Inter-
nal fraud is mitigated by implementing effective segregation of duties during software development and
deployment.

4.2.2.4 Risk responsibility

The responsibility for risks is distributed throughout the organization based on the individual group’s ser-
vices. The Risk Team, including the Information Security Office and Compliance Office, represents enter-
prise risk management. By quarterly and year-end reviews, the CFO reviews the disclosures and issues that
may have arisen.

27
4.2.3 Information Security Program

InShared has established an Information Security Program that provides documented management direc-
tion and support for implementing information security within the CynoSure platform. The design and im-
plementation of applicable controls are defined in the InShared IT controls framework.

The objective of the Information Security Program is to maintain the Confidentiality, Integrity, and Availa-
bility (CIA) of information while complying with applicable legislative, regulatory, and contractual require-
ments.

The Information Security Program consists of the following components:

1) Policy, Standards and Procedures

2) Risk Assessment
3) Training and Awareness
4) Security Implementation
5) Review and Compliance
6) Management Reporting

The Information Security Program is based on the International Organization of Standards (ISO) Codes of
Practice for information security management ISO / IEC27001:2013 standard. Its accompanying policies and
processes provide a framework to assess risks to the CynoSure environment, develop mitigating strategies
and implement security controls. In addition, procedures are developed to provide implementation details
for carrying out specific operational tasks in the following areas:

Core processes Steering cycles Supporting processes

oChange Management oManage the Business oPurchase Products & Services

oRelease Management oRisk & Compliance oEnter Employees
oIncident Management Management oExit Employees
oRequest Management oData Governance oMaintain Qualified Employees
oMonitor Business oBusiness Continuity oCustomer - Supplier Exit
oDisasters & Recovery Management Procedure
Management oSecurity Management oEncryption Key Policy
oSecurity Incident Response oService Level Management oAuthorization Management
Management oSupplier Contracts oWorkplace Management
Management

28
4.2.3.1 InShared Security Policy

The InShared Security Policy outlines the high-level objectives related to information security, defines risk
management requirements and information security roles and responsibilities. The Security Policy contains
rules and requirements that are met by the CynoSure platform and InShared staff in the delivery and opera-
tions of the platform. The Security Policy is derived from the ISO / IEC 27001:2013 standard and is aug-
mented to address relevant regulatory and industry requirements for the platform.

The policy is reviewed and updated, as necessary, at least annually, or more frequently, in case of a signifi-
cant security event, or upon significant changes to the service or business model, legal requirements, or-
ganization or platform.

Each management-endorsed version of the InShared Security Policy and all subsequent updates are distrib-
uted to all relevant stakeholders using the RMO and the InShared intranet.

4.2.3.2 Roles and responsibilities

Information security roles and responsibilities have been defined. The Security Office, part of the Risk
Team, facilitates implementation of security controls and provides security guidance to the IT teams. The
Risk Team also coordinates with representatives from compliance, legal affairs and Human Resources (per-
sonnel security) on additional information regarding security related activities impacting the services.

4.2.3.3 Personnel

InShared performs employee background screening. InShared also employs a formal performance review
process to ensure employees adequately meet the responsibilities of their position. Hiring managers may,
at their discretion, initiate corrective actions, up to and including immediate termination, if any aspect of
an employee's performance and conduct is not satisfactory.

InShared works with Achmea to perform the required background check on each new employee before
they are granted access to the InShared assets containing customer data.

Corporate policies are communicated to employees and relevant external parties during the onboarding
process and as part of the annual security training and awareness education program. Non-disclosure
Agreements (NDAs) are signed by employees and relevant external parties upon engagement with In-
Shared. Disciplinary actions are defined for persons who violate the InShared Security Policy or commit a
security breach. Employees are also required to comply with relevant laws, regulations and provisions re-
garding information security. This remains valid if the area of responsibility changes or the employment re-
lationship is terminated. Security Policy and non-disclosure requirements are reviewed periodically to vali-
date appropriate protection of information.

29
4.2.3.4 Training and awareness

Information security training and awareness is provided to employees, contractors and third parties on an
ongoing basis to educate them on applicable policies, standards and information security practices. Aware-
ness training on security, availability and confidentiality of information is provided to employees at the time
of joining as part of induction. In addition, all staff participate in a mandatory security, compliance, and pri-
vacy training periodically.

Employees receive information security training and awareness through different programs such as new
employee orientation, computer-based training, and periodic communication (e.g., shared talk). These in-
clude training and awareness pertaining to the platform, in the security, availability, confidentiality, and
integrity domains. In addition, job-specific training is provided to personnel, where appropriate.

4.2.3.5 Compliance requirements

InShared maintains reasonable and appropriate technical and organizational measures, internal controls,
and information security routines intended to help protect customer data against accidental loss, destruc-
tion, or alteration; unauthorized disclosure or access; or unlawful destruction.

InShared compliance requirements are monitored and reviewed regularly by the Compliance Officer, as ap-
plicable. Members of the Risk Team update relevant IT teams in order to remain in-line with compliance
requirements.

The Security Policy requires a periodic review of the performance of policies and procedures governing in-
formation security. The Risk Team coordinates audits which evaluate systems and control owners for com-
pliance with security policies, standards, and other requirements. Audit activities are planned and agreed
upon in advance by stakeholders.

4.2.3.6 Security risks external parties

Security risks related to external parties (such as customers, contractors and vendors) are identified and
addressed within the CynoSure platform based on InShared’s corporate procurement process. Designated
responsibilities are defined to coordinate with relevant corporate groups (e.g., compliance, procurement)
in reviewing risks associated with external parties and establishing relevant agreements.

4.2.4 Operational Access

4.2.4.1 Production infrastructure access management

Infrastructure team members and deploy managers who manage the production infrastructure gain access
to the production infrastructure via identification management primarily managed using the Active Direc-
tory including security groups and is supported by two step verification using the VPN with corresponding
access rights. Authentication is managed by the Authorisation Procedure, including the role-based access,
periodic review and strict onboarding.

30
Non infrastructure team members and deploy managers have no access to the production infrastructure as
the authorisation is not granted and the steppingstones of the architecture guard the higher level of secu-
rity towards the critical machines in zone 4 segregated by strict firewalling and IP blocking, whitelisting and
certificates.

4.2.4.2 Identity and access management (InShared personnel)

The Security Policy establishes the access control requirements for requesting and provisioning user access
for accounts and services. The policy requires that access be denied by default, follow least privilege princi-
ple, and be granted only upon business need.

InShared uses a corporate Active Directory infrastructure for centralized authentication and authorization
to restrict access to the systems and services within the InShared environment. Each user account is unique
and is identifiable to an individual user.

Domain-account management requests are routed to the Infrastructure Manager to established account
provisioning and de-provisioning processes for approval. Typically, access is controlled through addition of
individual user accounts to established domain security groups within the Active Directory.

Manual periodic reviews of individual accounts and security group memberships on assets are performed
by authorized individuals, as appropriate, to evaluate whether access is still required. Remediation action is
taken, as necessary, based on the review.

Policies and standards have been established and implemented to enforce appropriate user account pass-
word expiration, length, complexity, and history. InShared personnel are required to follow the InShared
password policy.

4.2.4.3 Access to CynoSure components

Access to the CynoSure components is divided between administrators and portal users. Portal users are
added and removed by the client.

Administrators of the CynoSure components require user account in the central CynoControl for authenti-
cation via the Authorisation Procedure. Deploy managers can update the code of the CynoSure compo-
nents via Bamboo.

4.2.4.4 Packet filtering

InShared has implemented segmentation ascertain that the untrusted VMs cannot generate spoofed traffic,
cannot receive traffic not addressed to them, cannot direct traffic to protected infrastructure endpoints,
and cannot send or receive inappropriate broadcast traffic.

4.2.4.5 Virtual Local Area Network isolation

Virtual Local Area Networks (VLANs) are used as partition networks such that no communication is possible
between VLANs without passing through a router. The InShared network in any datacentre is logically seg-
regated into the InShared VLAN and VLAN that houses the customer VMs that deliver the CynoSure plat-
form.

31
4.2.4.6 Access to customer virtual machines by InShared personnel

Infrastructure team members and deploy managers who manage the virtual machines gain access to the
virtual machines via identification management primarily managed using the Active Directory including se-
curity groups (Windows) and SSH-keys (Linux) with corresponding access rights. Authentication is managed
by the Authorisation Procedure, including the role-based access, periodic review and strict onboarding.

4.2.5 Directory and Organizational Identity Services Access Management

4.2.5.1 Customer authentication credentials

Each customer with portal access or Jira access is assigned a unique identity. Appropriate password hashing
algorithms are in place to ensure that the authentication credential data stored is protected and is unique
to a customer.

4.2.5.2 Remote Desktop Connection

Production servers are configured to authenticate via AD. Directory and Organizational Identity Services’
production servers require domain password to gain access to the Directory Services production servers
using the Remote Desktop Connection application and from remote additional two-factor authentication
using a token (VPN). Remote Desktop Connection has encryption settings enforced. These settings are con-
trolled using the domain group policy within the production servers. The settings enforce Remote Desktop
Connections made to the production server to be encrypted.

4.2.6 Vulnerability Management

Vulnerabilities are tested four times per year by an external penetration tester, twice internal and twice
external. The results of the tests are reported to the RO (Risk Overleg) and RMO (Risk Management Over-
leg). Security incidents and events are monitored by the SIEM and reported by the external SOC using the
dashboard, monthly reporting and in case of an incident the direct incident response procedure as agreed
upon in the SLA with the SOC service provider.

4.2.6.1 Logging and monitoring

The Infrastructure Team has implemented monitoring of the infrastructure within the InShared environ-
ment to provide automated logging and alerting capabilities. The monitoring system detects potential un-
authorized activity and security events such as the creation of unauthorized local users and local groups.
The monitoring agents are responsible for monitoring a defined set of user and administrator events, ag-
gregating log events and sending the aggregated abnormal log information to a centralized log repository at
the Security Operations Centre (SOC) either at regular intervals or in real-time.

The SOC and Security Office determine the specific events that need to be captured. As such, InShared net-
work components are configured to use Universal Time Coordinated (UTC) and the clocks are synchronized
with the NTP server.

32
For network devices the SOC Team monitors, logs, and reports on critical / suspicious activities. Predefined
events are reported, tracked, and followed up on and security data is available. The logs are retained cen-
trally, analysis and access to the logs follows the same procedures defined under the Operator Access sec-
tion above.

The SOC Team has implemented a system to provide real-time alerting through automatic generation of
emails and alarms based on the log information captured by the monitoring infrastructure. The team is re-
sponsible for configuring the events to be alerted. The event and warning logs are routinely examined for
anomalous behaviour by the SOC Team and when necessary, appropriate actions are taken in accordance
with the incident handling procedures described in the Incident Management Section. The Infrastructure
and Security Team manage response to malicious events, including escalation to and engaging specialized
support groups.

4.2.6.2 System monitoring tools

1) The security office of InShared uses for monitoring an external Security Incident and Event Monitoring
system (SIEM) providing logging and alerting capabilities upon detection of breaches or attempts to
breach CynoSure platform trust boundaries. Critical security event logs generated are configured to
alert through SIEM. The SOC monitors key security parameters to identify potential malicious activity
on InShared nodes.
2) Windows Defender guards against malware and helps improve security of the InShared endpoints for
laptops and desktops.
3) TrendMicro Apex One guards against malware and helps improve security of the Windows servers.
4) ClamAV is implemented to monitor for malicious software in the Linux based server environment. If
malware is detected, the endpoint protection agent automatically acts to remove the detected threat.

In addition, the InShared Infrastructure Team uses third-party external monitoring services to monitor ser-
vice health and performance.

33
4.2.6.3 Vulnerability scanning

The Infrastructure Team carries out frequent internal and external scans to identify vulnerabilities and as-
sess the effectiveness of the patch management process. Services are scanned for known vulnerabilities;
new services are added to the next timed quarterly scan, based on their date of inclusion. These scans are
used to ensure compliance with baseline configuration templates, validate that relevant patches are in-
stalled and identify vulnerabilities. The scanning reports are reviewed by appropriate personnel and reme-
diation efforts are conducted in a timely manner.

4.2.6.4 Patching

The Infrastructure Team is notified by vendors and security news sites upon identification of technical vul-
nerabilities applicable to the InShared components. The applicable security patches are applied immedi-
ately or during a scheduled release to the CynoSure platform based on the severity of the vulnerability.

Processes are in place to evaluate patches and their applicability to the CynoSure platform. Once patches
have been reviewed and their criticality level determined, the applicable teams together with the Release
Manager determine the release cadence for implementing patches without service disruption.

All changes are reviewed and tested, at a minimum, for their quality, performance, impact on other sys-
tems, recovery objectives and security features before they are moved into production using a defined re-
lease process.

Patches are released through the periodic OS release cycle in accordance with change and release manage-
ment procedures. Emergency out-of-band security patches (e.g., Software Security Incident Response Pro-
cess patches) are expedited for more immediate release.

4.2.7 Continuity and resiliency

InShared has established a Disaster & Recovery Steering Cycle that defines the lines of communication,
roles, and responsibilities during a disaster. As soon as anyone is informed of the emergency (>1-hour out-
age of the CynoSure environment, not to be resolved within 4 hours) the Business Continuity Manager
(BCM) in conjunction with the Chief Review Officer (CRO) if available activate and implement the IT Conti-
nuity Plan. The Disaster & Recovery Management process is reviewed annually and updated as necessary.
The IT Continuity Plan defines the Continuity Architecture and detailed procedures for recovery and recon-
stitution of systems to a known state per defined Recovery Time Objectives (RTOs) and Recovery Point Ob-
jectives (RPOs). The RTO and RPO are in line with risk assessments (BIARAMA). The distance of datacentres
within 50 KM are analysed in a separate risk assessment.

Continuity of the office is defined in the Business Continuity Plan.

4.2.7.1 Capacity Management

The Network Operations Centre (NOC) is supported by a third-party to continually monitor the network to
ensure availability and to address capacity issues in a timely manner. Actions identified by the NOC are as-
signed for appropriate resolution.

34
4.2.7.2 Third-party Management

Third parties undergo a review process by the Procurement Team (part of the Risk Team). Purchase orders
to engage a third-party require a Legal Department review. In addition, a signed NDA is also required. Ven-
dors which are classified critical or important need to be approved by the Management Team, Legal De-
partment and Supervisory Board.

4.2.8 Baseline Configuration

4.2.8.1 Baseline security configuration for services

Technical standards and baselines have been established and communicated for OS deployments. Auto-
mated mechanisms and periodic scanning have been deployed to detect and troubleshoot exceptions and /
or deviations from the baseline in the production environment. The Infrastructure Team reviews and up-
dates configuration settings and baseline configurations at least annually.

4.2.8.2 Network Configuration

The Infrastructure Team has implemented procedural and technical standards for the deployment of net-
work devices. These standards include baseline configurations for network devices and approved protocols
and ports. The Infrastructure Team regularly monitors network devices for compliance with technical
standards and potential malicious activities.

4.2.9 Monitoring

4.2.9.1 Security and compliance monitoring

InShared maintains reasonable and appropriate technical and organizational measures, internal controls,
and information security routines intended to help protect customer/tenant data against accidental loss,
destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.

4.2.9.2 Business conduct hotline

Employees are instructed that it is their duty to promptly report any concerns of suspected or known viola-
tions of the Security Policy, Privacy Policy or Integrity Policy. The procedures to be followed for such a re-
port are outlined in InSharedOut, the intranet of InShared.

There is an incident hotline available for employees to report issues. The hotline is accessible 24x7 through
email, phone and intranet.

4.2.9.3 Internal Audit

Achmea Internal Audit Department provides support to management across the company by inde-
pendently and objectively assessing whether the objectives of management are adequately performed, and
by facilitating process improvements, and the adoption of business practices, policies, and controls.

35
4.3 ITIL (procedures)

All automated and manual (ITIL) procedures implemented by InShared related to the CynoSure platform
are listed in the process landscape as listed below. The core processes describe the processes directly re-
lated to the service delivery of the CynoSure Platform. The supporting processes are indirectly related to
the service delivery, the steering cycles monitor and steer the core and supporting processes. Each process
is described in a policy.

Beside these policies, several technical policies are in use at InShared to serve the CynoSure Platform.
These are all listed in the TOGAF architecture and part of the control system.

4.3.1 Change Management

The Change Management Process has been established to plan, schedule, approve, apply, distribute, and
track changes to the production environment through designated responsibilities with the objective of min-
imizing risk and customer impact. It further controls the integrity and reliability of the environment while
maintaining the pace of change required for business purposes.

4.3.1.1 Separation of environments

InShared has implemented segregated environments for development, test, acceptance test and produc-
tion. Furthermore, segregation of duties is implemented to prevent unauthorized changes to production.

Deployment of software to production must meet testing criteria at each development stage and be ap-
proved prior to release to acceptance and production by the Release Manager.
36
4.3.1.2 Segregation of duties

Segregation of duties is established on critical functions within the InShared environment, to minimize the
risk of unauthorized changes to production systems. Responsibilities for requesting, approving and imple-
menting changes to the production environment are segregated among designated roles.

4.3.1.3 Software and configuration changes

Software and configuration changes within the production environments, including major releases, minor
releases and hot fixes, are managed through a formal Change and Release Management Procedure, and
tracked using a centralized ticketing system. Changes are requested, approved, tracked and implemented
throughout the release lifecycle, which includes planning, release management and deployment and post-
deployment support phases. Change requests are documented, assessed for their risks and evaluated / ap-
proved for acceptance by the designated teams. Software releases to acceptance and production environ-
ments are discussed, planned, and approved through the weekly coordinated meetings with appropriate
representatives from InShared and the customers.

Changes that are made to the source code are controlled through an internal source code repository.

Quality assurance testing is performed by the teams prior to the software release to acceptance environ-
ments. The software release is tested and approved prior to release to production environments by the
customer. Once deployed, changes are monitored for success and post-deployment support is given.

4.3.1.4 Hardware changes

Hardware changes are managed through formal Change and Release Management Procedures and a cen-
tralized ticketing system. The infrastructure changes are approved by a designated role. If applicable, com-
munication of down-time is communicated to the customers.

4.3.1.5 Network changes

Network changes are managed through formal Change and Release Management Procedures and a central-
ized ticketing system. Network changes include configuration changes, emergency changes, Access Control
Lists (ACLs) changes, patches, and new deployments. The infrastructure changes are approved by a desig-
nated role. If applicable, communication of down-time is communicated to the customers.

37
4.3.2 Software Development

4.3.2.1 Secure development

Secure development is fundamental for building the InShared applications. The following requirements are
in place:

 There is documented agreement on access levels to the source code and deployment;
 Submission of change request is only possible by authorized users;
 Impact analyses for identification of code, information, database entities involved in or impacted by
change;
 Formal approval prior to commencement of work;
 Authorized user acceptance prior to implementation;
 Version control with pull requests for all code changes;
 Audit trail of all change requests;
 Timing of changes to prevent or minimize business impact.

4.3.2.2 Framework

Security is also part of the underlying generic framework developed by InShared. All webservices built are
published by this generic framework. Validation, Authentication, Authorization, Soap Standards are built in
the core of this framework.

4.3.2.3 Development environment

A secure development environment is provided per developer. InShared develops a code on a dedicated
virtual machine deployed per developer. These virtual machines are deployed in the datacentre in Amster-
dam to meet all security requirements. The virtual machine is the only environment where an instance of
the code can exist for development purposes. The code cannot be deployed on laptops or desktop work-
stations.

With this setup InShared controls:

 Segregation between every development environment;

 Access to development environment;
 Monitoring of change to the environment and code stored therein;
 Storage of backups;
 Movement of data to and from the environment.

38
4.3.2.4 Testing

 Security functionality is tested throughout the development process;

 Test environments are used which ensures realistic approximation of the production environment
without introducing vulnerabilities into the production environment;
 Code analysis tools are used;
 Unit testing, automated testing and regression testing is used.

4.3.2.5 Source code control

At InShared all code is stored on-premise in Bitbucket Server. Bitbucket is a code management solution
based on GIT that makes it possible for teams to collaborate on code. InShared uses a GitFlow based re-
lease cycle on code. In short InShared has a protected master branch with the current state of the produc-
tion code. Developers branch feature branches from master, make changes in feature branch and merge
the feature back to release branches. Release branches are merged back to production by users with spe-
cial permissions. Every step is supported by pull requests/code reviews, role-based deployment, Jira ticket-
ing and test procedures.

39
4.3.2.6 Deployment

InShared uses Bamboo Server as a build and deployment solution. With Bamboo it is possible to configure
advanced build and deployment plans. A feature of Bamboo is running test suites in its build plan. InShared
uses Bamboo to run Unit tests on code on every new commit from the developers. This makes it possible to
automatically reject code by a failing Unit test. It is role based so there are special roles for deployment to
production and to staging and test environments.

4.3.3 Incident Management

In order to respond to incidents effectively, InShared has implemented an Incident Management Process.
Therefor a centralized ticket and tracking tool for incidents and service requests is available.

4.3.3.1 Security incident - internal monitoring and communication

Security incidents, both raised internally or through the customer, are flagged and reviewed by the Security
Manager. If applicable, this role communicates the necessary information to the concerned parties.

4.3.3.2 Incident handling

InShared has a telephone number for all Level 1 and 2 incidents. Customers can call this number in case
there is such an incident. Both internal employees and customers must report an incident through the
available tool (Service Desk). The first line support will try to establish the cause and, based on the cause,
contact the concerned team(s) to find a solution. If the first line support is not able to establish the cause of
the incident, the second line support is asked for help.

The concerned team(s) hotfix the cause if possible and, if needed, make a change for the long-term solution
(see Change Management).

4.3.3.3 Incident post-mortem

Post-mortem activities are conducted for customer impacting security incidents or incidents with high se-
verity ratings during the Security Incident Test Procedure. The post-mortems are reviewed by the Security
Officer. Where necessary, the CynoSure platform or Security Program may be updated to incorporate im-
provements identified as a result of incidents.

40
4.3.4 Logical Access

4.3.4.1 Customer Data and Systems Access Management (customers)

Customer Data and Systems Access Management is done through the Authorization Process. At the start of
the service contract key users are appointed within the customer organization who have rights to give addi-
tional rights to other members of the organization. Through a separate Authorization Service Desk portal
authorization can be added, deleted or changed. Only the appointed key users have access to this portal.

Access Management is applicable for CynoAssist, CynoClaim, CynoLytics and Service Desk. The key user can
add people to, change or delete people within the different roles presented within the different applica-
tions as mentioned above. The roles determine what this person can and cannot do.

4.3.4.2 Identity and Access Management

For internal employees the IT Manager is eligible for adding people to, change or delete people to the dif-
ferent roles within the IT Department. This is done through a separate Authorization Service Desk for inter-
nal employees. Every six months a check is done to see if the authorizations are in line with the actual and
correct situation.

4.3.4.3 Password management – portal users

The first time, a password is generated by CynoControl which is used in the Authorization Process. This
password is a randomized sequence of at least 8 characters consisting of numbers, letters and characters
(@-?+!#&=). This password is sent to the user by mail.

Users of the CynoClaim and CynoAssist portals have the possibility to reset their passwords themselves
without calling an administrator or helpdesk for support. When they do, a mail is sent to the user with a
new generated password.

4.3.4.4 Password management – Jira users

The first time, a mail is sent to the user with a personal link to the Service Desk to set the password. This
link is valid for 24 hours.

Passwords are required to be at least 10 characters long and use at least 3-character types including at
least 1 special character. Passwords are rejected that are even slightly similar to the previous password or
the user's public information.

Users of the Service Desk portal have the possibility to reset their passwords themselves without calling an
administrator or helpdesk for support. When they do, a mail is sent to the user with a new link where they
can set a new password.

41
4.3.5 Asset Management

A Data Classification Policy has been established and communicated that defines the classification of data
and systems and the security requirements for each classification level. The following classification levels
are defined:

0 1 2 3

Availability Basic Low Middle High

Integrity Unknown Assumed Correct Verified Correct Proven correct

Confidentiality Public Low Middle High

Privacy Not personal Low Middle High

In accordance with the Data Classification Policy customer data is classified as Availability Level 2, Integrity
Level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform facilitates a classifica-
tion mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

42
4.4 SABSA (Data)

SABSA is a model and a methodology for developing risk-driven enterprise information security architec-
tures and for delivering security infrastructure solutions that support critical business initiatives. The pri-
mary characteristic of the SABSA model is that everything must be derived from an analysis of the business
requirements for security, especially those in which security has an enabling function through which new
business opportunities can be developed and exploited.

4.4.1 Data

Tenants upload data for storage or processing within the services or applications that are hosted on the Cy-
noSure insurance platform. In addition, certain types of data are provided by the tenants or generated on
the tenant’s customer’s behalf to enable the usage of the insurance platform. InShared only uses tenant
data in order to support the provisioning of the services subscribed to by the customers in accordance with
the Service Level Agreements (SLAs).

4.4.2 Data ownership

InShared does not claim data ownership over the customer information entered the insurance platform.

4.4.3 Data Classification and Confidentiality Policy

All critical data is stored in the databases in Zone 4 of the steppingstone infrastructure. This contains all
data related to the insurances, claims, client communication and related services including the terms &
conditions, the calculations and the decision tree for straight through processing. All data to and from the
clients of InShared are managed using webservices upon SOAP and using WSDL. The data in the databases
is owned by the client, the basic classification and related security is included in the Data Classification Pro-
cedure.

4.4.4 Cryptographic controls

Cryptographic controls and approved algorithms are used for information protection within the CynoSure
platform and implemented based on the Encryption Policy. Cryptographic keys are managed throughout
their lifecycle (e.g., ownership, generation, storage, distribution, periodic rotation and revocation) in ac-
cordance with established key management procedures.

4.4.5 Backup

Processes have been implemented for the backup of critical CynoSure components and data. Backups are
managed by the Infrastructure Team and scheduled on a regular frequency. The Infrastructure Team moni-
tors backup processes for failures and resolves them to meet required backup frequency and retention. The
team also conducts integrity checks. Further, production data is encrypted on backup media.

Access to backup data follows the same procedures defined under the Operator Access section above.

43
4.4.6 Data Redundancy and Replication

InShared provides data redundancy to minimize disruptions to the availability of customer data. Data re-
dundancy is achieved through Redundant Array of Independent Disks (RAID) high availability structure us-
ing symmetric active/active array architecture technology upon the storage devices.

Critical components that support delivery of the CynoSure platform have been designed to maintain high
availability through redundancy and automatic failover to another instance with minimal disruption.

Agents on each VM monitor the health of the VM. If the agent fails to respond, the hypervisor reboots the
VM. In case of hardware failure, the hypervisor moves the role instance to a new hardware node and repro-
grams the network configuration for the service role instances to restore the service to full availability.

Every computer node is monitored by the chassis controller. In case of hardware failure, the chassis con-
troller moves the role instance to a new hardware node and reprograms the network configuration identi-
cal to the previous configuration.

InShared maintains a replica of VM local at the Canada site and an offsite storage blob for archiving. This
storage blob is in Canada. The two datacentres in Amsterdam replicate to each other. Data of the VM is al-
ways on two different locations.

4.4.7 Data Segregation

Each client of the CynoSure platform has a separate environment, with webservices specific for their own
environment, providing each tenant a segregated and partitioned environment.

4.4.8 Platform Communication

Data integrity is a key component of the CynoSure Platform. The customer facing portals and APIs only al-
low access to the CynoSure platform over a secure channel based on the service.

4.4.9 CynoSure Platform Communication

Internal communication between key CynoSure components where customer data is transmitted and in-
volved is secured using SSL certificates. There is a combination of public and client-certificate used for au-
thenticating. For external connections there is always an extra layer of security. This can be an VPN or an
extra self-signed certificate for authenticating the connection.

44
5 COMPLEMENTARY USER ENTITY CONTROL (CUEC)

Management of InShared assumes that, in the design of its system, that certain controls would be imple-
mented by user entities, and those controls are necessary, in combination with controls at InShared, to pro-
vide reasonable assurance that InShared’s service commitments and system requirements would be
achieved. The following complementary user entity controls (CUECs) are considered necessary to be imple-
mented by customers of the CynoSure platform and SaaS solution services, to achieve the regarding Trust
Service Criteria or Cloud Controls Matrix Criteria:

 CCM Criteria SEF-01: User entities should have implemented appropriate controls to ensure that
points of contact for applicable regulation authorities, national and local law enforcement, and other
legal jurisdictional authorities are maintained and regularly updated to ensure direct compliance li-
aisons and to be prepared for a forensic investigation requiring rapid engagement with law enforce-
ment.
 CCM Criteria SEF-04: User entities should have implemented appropriate controls to ensure that all
evidence, and its specification, which is required during forensic investigations after an information
security incident to support potential legal action is communicated to InShared.
 CCM Criteria LA-01: User entities should have implemented appropriate controls to ensure that only
authorized user access (change) requests are communicated to InShared.

45
6 COMPLEMENTARY SUBSERVICE ORGANIZATION CONTROLS (CSOCS)

InShared uses Tesorion, Equinix and Digital Realty as a subservice organization to provide services for Secu-
rity Operations Center services and datacenter services (see also 3.6).

The following Trust Service Criteria and Cloud Controls Matrix Criteria are intended to be achieved by the
controls at the subservice organization(s), in conjunction with the controls and testing results summarized
in “Section 4 - Applicable Trust Services Criteria and CCM Criteria, Related Controls and Results of PwC's
Tests of Design Effectiveness and Implementation”:

Trust Services Criteria Tesorion Equinix AMS Equinix TOR Digital

SOC Datacentre Datacentre Realty
Datacentre
CC1.1 COSO Principle 1: The entity demonstrates X X X X
a commitment to integrity and ethical values.
CC2.1 COSO Principle 13: The entity obtains or X X X X
generates and uses relevant, quality information
to support the functioning of internal control.
CC2.3 COSO Principle 15: The entity communi- X X X X
cates with external parties regarding matters af-
fecting the functioning of internal control.
CC3.2 COSO Principle 7: The entity identifies risks X X X X
to the achievement of its objectives across the
entity and analyses risks as a basis for determin-
ing how the risks should be managed.
CC3.3 COSO Principle 8: The entity considers the X X X X
potential for fraud in assessing risks to the
achievement of objectives.
CC4.1 COSO Principle 16: The entity selects, de- X X X X
velops, and performs ongoing and/or separate
evaluations to ascertain whether the compo-
nents of internal control are present and func-
tioning.
CC4.2 COSO Principle 17: The entity evaluates X X X X
and communicates internal control deficiencies
in a timely manner to those parties responsible
for taking corrective action, including senior
management and the board of directors, as ap-
propriate.
CC6.4 The entity restricts physical access to facili- X X X X
ties and protected information assets (for exam-
ple, data centre facilities, back-up media storage,
and other sensitive locations) to authorized per-
sonnel to meet the entity’s objectives.
CC6.5 The entity discontinues logical and physical X X X X
protections over physical assets only after the
ability to read or recover data and software from
those assets has been diminished and is no
longer required to meet the entity’s objectives.
CC7.2 The entity monitors system components X X X X
and the operation of those components for

46
Trust Services Criteria Tesorion Equinix AMS Equinix TOR Digital
SOC Datacentre Datacentre Realty
Datacentre
anomalies that are indicative of malicious acts,
natural disasters, and errors affecting the entity's
ability to meet its objectives; anomalies are ana-
lysed to determine whether they represent secu-
rity events.
CC7.3 The entity evaluates security events to de- X X X X
termine whether they could or have resulted in a
failure of the entity to meet its objectives (secu-
rity incidents) and, if so, takes actions to prevent
or address such failures.
CC7.4 The entity responds to identified security X X X X
incidents by executing a defined incident re-
sponse program to understand, contain, remedi-
ate, and communicate security incidents, as ap-
propriate.
CC7.5 The entity identifies, develops, and imple- X X X X
ments activities to recover from identified secu-
rity incidents.
CC9.1 The entity identifies, selects, and develops X X X X
risk mitigation activities for risks arising from po-
tential business disruptions.
CC9.2 The entity assesses and manages risks as- X X X X
sociated with vendors and business partners.
A1.1 The entity maintains, monitors, and evalu- X X X X
ates current processing capacity and use of sys-
tem components (infrastructure, data, and soft-
ware) to manage capacity demand and to enable
the implementation of additional capacity to help
meet its objectives.
A1.2 The entity authorizes, designs, develops or X X X X
acquires, implements, operates, approves, main-
tains, and monitors environmental protections,
software, data backup processes, and recovery
infrastructure to meet its objectives.
A1.3 The entity tests recovery plan procedures X X X X
supporting system recovery to meet its objec-
tives.

47
CCM Criteria Tesorion Equinix AMS Equinix TOR Digital
SOC Datacentre Datacentre Realty
Datacentre
BCR-01 Business Continuity Planning X X X

BCR-02 Business Continuity Testing X X X

BCR-03 Power / Telecommunications X X X

BCR-05 Environmental Risks X X X

BCR-06 Equipment Location X X X

BCR-07 Equipment Maintenance X X X

BCR-08 Equipment Power Failures X X X

CCC-04 Unauthorized Software Installations X X X

DCS-02 Controlled Access Points X X X

DCS-06 Policy X X X

DCS-07 Secure Area Authorization X X X

DCS-08 Unauthorized Persons Entry X X X

DCS-09 User Access X X X

GRM-04 Management Program X X X X

IAM-01 Audit Tools Access X

IAM-02 User Access Policy X

IAM-09 User Access Authorization X

IVS-01 Audit Logging and Intrusion Detection X

IVS-13 Network Architecture X

SEF-02 Incident Management X

STA-05 Third-party Agreements X X X X

STA-06 Supply Chain Governance Review X X X X

STA-07 Supply Chain Metrics X X X X

STA-08 Third-party Assessments X X X X

48
 CCM Criteria Tesorion Equinix AMS Equinix TOR Digital
SOC Datacentre Datacentre Realty
Datacentre
STA-09 Third-party Audits X X X X

TVM-01 Antivirus / Malicious Software X

InShared has an established monitoring program over controls which have been outsourced to subservice
organizations. Assessment of these activities has been performed in relation to control “IS-8 The assurance
report(s) and relevant certification(s) of the datacenters and SOC are reviewed in line with the reporting
frequency, to determine that the scope of the control objectives and controls are sufficient for the services
outsourced to the regarding datacenters and to verify if any noted deviations can impact InShared's control
objectives.”.

49
 Section 4

Applicable Trust Services Criteria

and CCM Criteria, Related
Controls and Results of PwC's
Tests of Design Effectiveness
and Implementation
INTRODUCTION SECTION 4
Section 4 presents the following information provided by InShared:
 The controls established and specified by InShared to achieve the applicable Trust Service Criteria for Security, Availability and Confidentiality and
the applicable CCM criteria.

Also included in this section is the following information provided by PwC:

 A description of the tests performed by PwC to determine whether InShared’s controls were effectively designed and sufficiently implemented to
achieve the applicable Trust Service Criteria for Security, Availability and Confidentiality and the applicable CCM criteria.
 The results of PwC’s tests of design effectiveness and implementation.

The information is provided in three parts:

 Part A: Contains the applicable Trust Service Criteria, the controls established and specified by InShared to achieve the applicable Trust Service Crite-
ria for Security, Availability and Confidentiality and the results of PwC’s tests of design effectiveness and implementation to achieve the applicable
Trust Service Criteria for Security, Availability and Confidentiality
 Part B: Contains the applicable CCM criteria, the controls established and specified by InShared to achieve the applicable CCM criteria and the re-
sults of PwC’s tests of design effectiveness and implementation to achieve the applicable CCM criteria.
 Part C: Contains a description of the tests performed by PwC to determine whether InShared’s controls were effectively designed and sufficiently
implemented to achieve the applicable Trust Service Criteria for Security, Availability and Confidentiality and the applicable CCM criteria.

51
7 PART A: TRUST SERVICE CRITERIA, THE CONTROLS ESTABLISHED AND SPECIFIED BY INSHARED AND TEST
RESULTS PROVIDED BY PWC
7.1.1 Control Environment
Trust service criteria
CC1.1 COSO Principle 1
The entity demonstrates a
commitment to integrity and
ethical values.
Controls specified by InShared Results of PwC’s
Testing
ELC-1 The InShared values are defined and an Integrity Policy has been established and communi- No exceptions noted
cated. The InShared values and Integrity Policy are accessible to employees via the Internal Plat-
form and are updated by management, as necessary.
IS-2 An information security education and awareness program has been established that includes
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.
IS-4 Disciplinary actions are defined for employees and contingent staff that violate InShared's se-
curity policies and procedures.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
OA-4 All employment candidates and contractors are subject to pre-employment screening (PES).
Candidates and contractors are registered in Jira. Subsequently a PES ticket is generated automati-
cally within Jira to start PES process. Hardware and software (credentials) are only provided to
employees and contractors after PES clearance.
52
Trust service criteria
CC1.2 COSO Principle 2
The board of directors
demonstrates independence
from management and exer-
cises oversight of the develop-
ment and performance of in-
ternal control.
CC1.3 COSO Principle 3
Management establishes,
with board oversight, struc-
tures, reporting lines, and ap-
propriate authorities and re-
sponsibilities in the pursuit of
objectives.
Controls specified by InShared Results of PwC’s
Testing
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management No exceptions noted
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management No exceptions noted
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
53
Trust service criteria
CC1.4 COSO Principle 4
The entity demonstrates a
commitment to attract, de-
velop, and retain competent
individuals in alignment with
objectives.
Controls specified by InShared Results of PwC’s
Testing
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
ELC-1 The InShared values are defined and an Integrity Policy has been established and communi- No exceptions noted
cated. The InShared values and Integrity Policy are accessible to employees via the Internal Plat-
form and are updated by management, as necessary.
IS-2 An information security education and awareness program has been established that includes
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.
IS-4 Disciplinary actions are defined for employees and contingent staff that violate InShared's se-
curity policies and procedures.
OA-4 All employment candidates and contractors are subject to pre-employment screening (PES).
Candidates and contractors are registered in Jira. Subsequently a PES ticket is generated
54
Trust service criteria
CC1.5 COSO Principle 5: The
entity holds individuals ac-
countable for their internal
control responsibilities in the
pursuit of objectives.
Controls specified by InShared Results of PwC’s
Testing
automatically within Jira to start PES process. Hardware and software (credentials) are only pro-
vided to employees and contractors after PES clearance.
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.
IS-4 Disciplinary actions are defined for employees and contingent staff that violate InShared's se-
curity policies and procedures.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
55
7.1.2 Communication and Information
Trust service criteria
CC2.1 COSO Principle 13
The entity obtains or gener-
ates and uses relevant, quality
information to support the
functioning of internal con-
trol.
Controls specified by InShared Results of PwC’s
Testing
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management No exceptions noted
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
56
Trust service criteria
CC2.2 COSO Principle 14
The entity internally com-
municates information, in-
cluding objectives and re-
sponsibilities for internal con-
trol, necessary to support the
functioning of internal con-
trol.
CC2.3 COSO Principle 15
The entity communicates with
external parties regarding
matters affecting the func-
tioning of internal control.
Controls specified by InShared Results of PwC’s
Testing
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-2 An information security education and awareness program has been established that includes
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has No exceptions noted
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
57
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.

PI-1 The performance indicators as defined within the customer SLAs are measured, reviewed, an-
alysed and reported to the customer in the SLR on a monthly basis.

SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.

SOC2-3 Information system documentation to be able to configure, install and operate the Cyno-
Sure services and effectively use the platform's security features is available and shared with the
client via (live) training and mail.

SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.

SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.

58
7.1.3 Risk assessment
Trust service criteria
CC3.1 COSO Principle 6
The entity specifies objectives
with sufficient clarity to ena-
ble the identification and as-
sessment of risks relating to
objectives.
Controls specified by InShared Results of PwC’s
Testing
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-7 An Enterprise Architecture has been established and communicated that describes the cur-
rent and target architectures for the business, information, data, application and technology do-
mains governing the security principles as outlined in the Information Security Policy. The Enter-
prise Architecture drives process, services and technology changes necessary to execute strategies
for the CynoSure platform. The Enterprise Architecture is reviewed annually and updated as nec-
essary.
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.
59
Trust service criteria
CC3.2 COSO Principle 7
The entity identifies risks to
the achievement of its objec-
tives across the entity and
analyses risks as a basis for
determining how the risks
should be managed.
Controls specified by InShared Results of PwC’s
Testing
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually No exceptions noted
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IM-2 The availability, capacity and performance of the network and resources are monitored by
third-party monitoring software. Alerts are reported by the third-party vendor and followed up
through the formal incident management procedures, as necessary.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The
60
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

following classification levels are defined:

- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.

VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.

VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

VM-5 Semi-annually vulnerability assessments and semi-annually penetration testing activities are
performed by a third-party vendor on InShared's network and web applications (frontend,
backend, webservices, external web connections, CynoSure applications and the supporting infra-
structure). Identified vulnerabilities are analysed and followed-up in a timely manner, depending
on the severity of the vulnerability, in accordance with the Incident Management Policy, Change
Management Policy and Release Management Policy.

61
Trust service criteria
CC3.3 COSO Principle 8
The entity considers the po-
tential for fraud in assessing
risks to the achievement of
objectives.
Controls specified by InShared Results of PwC’s
Testing
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually No exceptions noted
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IM-2 The availability, capacity and performance of the network and resources are monitored by
third-party monitoring software. Alerts are reported by the third-party vendor and followed up
through the formal incident management procedures, as necessary.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The
62
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

following classification levels are defined:

- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.

VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.

VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

VM-5 Semi-annually vulnerability assessments and semi-annually penetration testing activities are
performed by a third-party vendor on InShared's network and web applications (frontend,
backend, webservices, external web connections, CynoSure applications and the supporting infra-
structure). Identified vulnerabilities are analysed and followed-up in a timely manner, depending
on the severity of the vulnerability, in accordance with the Incident Management Policy, Change
Management Policy and Release Management Policy.

63
Trust service criteria
CC3.4 COSO Principle 9
The entity identifies and as-
sesses changes that could sig-
nificantly impact the system
of internal control.
Controls specified by InShared Results of PwC’s
Testing
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually No exceptions noted
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
CM-2 Change requests are evaluated to determine the potential effect of the change on system
availability, confidentiality and integrity of CynoSure services and approved in line with the de-
fined roles and responsibilities with respect to the (pre-)authorization, as described within the
Change Management Policy. Changes classified as major require the approval of the Platform Ar-
chitecture Board.
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IS-7 An Enterprise Architecture has been established and communicated that describes the cur-
rent and target architectures for the business, information, data, application and technology do-
mains governing the security principles as outlined in the Information Security Policy. The Enter-
prise Architecture drives process, services and technology changes necessary to execute strategies
for the CynoSure platform. The Enterprise Architecture is reviewed annually and updated as nec-
essary.
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.
64
7.1.4 Monitoring activities
Trust service criteria
CC4.1 COSO Principle 16
The entity selects, develops,
and performs ongoing and/or
separate evaluations to ascer-
tain whether the components
of internal control are present
and functioning.
CC4.2 COSO Principle 17
The entity evaluates and com-
municates internal control de-
ficiencies in a timely manner
to those parties responsible
for taking corrective action,
including senior management
and the board of directors, as
appropriate.
Controls specified by InShared Results of PwC’s
Testing
IM-4 Identified security incidents are post-mortem investigated and the security incident response No exceptions noted
procedures are tested annually to identify areas for improvement.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
IM-4 Identified security incidents are post-mortem investigated and the security incident response No exceptions noted
procedures are tested annually to identify areas for improvement.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
65
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.

IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.

66
7.1.5 Control activities
Trust service criteria
CC5.1 COSO Principle 10
The entity selects and devel-
ops control activities that con-
tribute to the mitigation of
risks to the achievement of
objectives to acceptable lev-
els.
Controls specified by InShared Results of PwC’s
Testing
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
CM-1 A Change Management Policy and a Release Management Policy has been established and
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
DS-5 A Retention Period Policy has been established and communicated to ensure that customer
data is retained and removed per the defined retention periods. The Retention Period Policy is re-
viewed annually and updated as necessary.
DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
nually and updated as necessary.
67
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.

IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.

IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.

LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.

SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

68
Trust service criteria
CC5.2 COSO Principle 11
The entity also selects and de-
velops general control activi-
ties over technology to sup-
port the achievement of ob-
jectives.
Controls specified by InShared Results of PwC’s
Testing
The Data Classification Policy is reviewed annually and updated as necessary.
VM-8 A Patch Management Policy has been established and communicated that defines the
scope, the roles and responsibilities and procedures with respect to patch management for the
CynoSure Platform. The Patch Management Policy is reviewed annually and updated as necessary.
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
CM-1 A Change Management Policy and a Release Management Policy has been established and
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
DS-5 A Retention Period Policy has been established and communicated to ensure that customer
data is retained and removed per the defined retention periods. The Retention Period Policy is re-
viewed annually and updated as necessary.
DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used
69
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

outside InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed
annually and updated as necessary.

IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.

IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.

IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.

LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.

SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,

70
Trust service criteria
CC5.3 COSO Principle 12
The entity deploys control ac-
tivities through policies that
establish what is expected
and in procedures that put
policies into action.
Controls specified by InShared Results of PwC’s
Testing
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
VM-8 A Patch Management Policy has been established and communicated that defines the
scope, the roles and responsibilities and procedures with respect to patch management for the
CynoSure Platform. The Patch Management Policy is reviewed annually and updated as necessary.
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
CM-1 A Change Management Policy and a Release Management Policy has been established and
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
DS-5 A Retention Period Policy has been established and communicated to ensure that customer
data is retained and removed per the defined retention periods. The Retention Period Policy is re-
viewed annually and updated as necessary.
71
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
nually and updated as necessary.

IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.

IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.

IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.

LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.

SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

72
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

VM-8 A Patch Management Policy has been established and communicated that defines the
scope, the roles and responsibilities and procedures with respect to patch management for the
CynoSure Platform. The Patch Management Policy is reviewed annually and updated as necessary.

73
7.1.6 Logical & Physical Access Controls
Trust service criteria
CC6.1
The entity implements logical
access security software, in-
frastructure, and architec-
tures over protected infor-
mation assets to protect them
from security events to meet
the entity's objectives.
Controls specified by InShared Results of PwC’s
Testing
DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.
LA-3 Customer credentials used to access CynoSure services meet the applicable password policy
requirements as defined in the Authorization Management Policy.
74
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.

OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.

OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.

OA-4 All employment candidates and contractors are subject to pre-employment screening (PES).
Candidates and contractors are registered in Jira. Subsequently a PES ticket is generated automati-
cally within Jira to start PES process. Hardware and software (credentials) are only provided to
employees and contractors after PES clearance.

OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.

OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and

75
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.

OA-7 Corporate user account credentials meet the applicable password policy requirements, as
defined within Authorization Management Policy.

OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.

OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.

OA-11 Remote Desktop Connection for administrator access to the production environment are
encrypted.

OA-12 The management VLAN is separating management traffic from customer traffic.

OA-14 The access point radio equipment on the firewall scans for other available access points.
Unauthorized access points connected to the InShared wired network are detected, the firewall
will send an alert to the infra team who will respond with placing the access point on a black list.
The detected rogue SSID will be suppressed using roque access point functionality on the Wi-Fi
controller that sends de-authentication messages to the rogue access point.

PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.

PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.

PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP

76
Trust service criteria
CC6.2
Prior to issuing system cre-
dentials and granting system
access, the entity registers
and authorizes new internal
and external users whose ac-
cess is administered by the
entity. For those users whose
access is administered by the
entity, user system creden-
tials are removed when user
access is no longer author-
ized.
Controls specified by InShared Results of PwC’s
Testing
whitelisting per client and are listed centrally and communicated with the client upon request.
The routing of each webservice / API is registered centrally.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
LA-1 An Authorization Management Policy has been established and communicated that defines No exceptions noted
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.
LA-3 Customer credentials used to access CynoSure services meet the applicable password policy
requirements as defined in the Authorization Management Policy.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
77
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.

OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.

OA-4 All employment candidates and contractors are subject to pre-employment screening (PES).
Candidates and contractors are registered in Jira. Subsequently a PES ticket is generated automati-
cally within Jira to start PES process. Hardware and software (credentials) are only provided to
employees and contractors after PES clearance.

OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.

OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.

OA-7 Corporate user account credentials meet the applicable password policy requirements, as
defined within Authorization Management Policy.

OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate

78
Trust service criteria
CC6.3
The entity authorizes, modi-
fies, or removes access to
data, software, functions, and
other protected information
assets based on roles, respon-
sibilities, or the system design
and changes, giving consider-
ation to the concepts of least
privilege and segregation of
duties, to meet the entity’s
objectives.
Controls specified by InShared Results of PwC’s
Testing
account from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.
LA-1 An Authorization Management Policy has been established and communicated that defines No exceptions noted
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.
LA-3 Customer credentials used to access CynoSure services meet the applicable password policy
requirements as defined in the Authorization Management Policy.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
79
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

OA-4 All employment candidates and contractors are subject to pre-employment screening (PES).
Candidates and contractors are registered in Jira. Subsequently a PES ticket is generated automati-
cally within Jira to start PES process. Hardware and software (credentials) are only provided to
employees and contractors after PES clearance.

OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.

OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.

OA-7 Corporate user account credentials meet the applicable password policy requirements, as
defined within Authorization Management Policy.

OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.

SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.

80
Trust service criteria
CC6.4
The entity restricts physical
access to facilities and pro-
tected information assets (for
example, data centre facili-
ties, back-up media storage,
and other sensitive locations)
to authorized personnel to
meet the entity’s objectives.
CC6.5
The entity discontinues logical
and physical protections over
physical assets only after the
ability to read or recover data
and software from those as-
sets has been diminished and
is no longer required to meet
the entity’s objectives.
Controls specified by InShared Results of PwC’s
Testing
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-1 Authorization to give physical access to the datacentre is given by the information manager
of InShared to the regarding datacentre. Security verification and check-in are required for per-
sonnel for temporary access to the interior datacentre facility including tour groups or visitors.
DS-5 A Retention Period Policy has been established and communicated to ensure that customer No exceptions noted
data is retained and removed per the defined retention periods. The Retention Period Policy is re-
viewed annually and updated as necessary.
DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
nually and updated as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-1 Authorization to give physical access to the datacentre is given by the information manager
of InShared to the regarding datacentre. Security verification and check-in are required for per-
sonnel for temporary access to the interior datacentre facility including tour groups or visitors.
PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
81
Trust service criteria
CC6.6
The entity implements logical
access security measures to
protect against threats from
sources outside its system
boundaries.
Controls specified by InShared Results of PwC’s
Testing
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
CCM-1 The system clocks of the firewalls are synchronized with reliable external sources via the No exceptions noted
Network Time Protocol (NTP). The domain controllers and hypervisors are configured to synchro-
nize with the nearest firewall.
CM-4 The Information Security Policy instructs the use of the baselines during the installation of
(new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
volved is secured using encryption. Encryption is based on the implemented Encryption Key
82
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

Management Policy. InShared uses industry standards and best practices for encryption.

Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.

Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.

LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.

LA-3 Customer credentials used to access CynoSure services meet the applicable password policy
requirements as defined in the Authorization Management Policy.

OA-8 Access to network devices for remote access in the scope boundary requires two factor au-
thentication.

83
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.

OA-11 Remote Desktop Connection for administrator access to the production environment are
encrypted.

OA-12 The management VLAN is separating management traffic from customer traffic.

OA-14 The access point radio equipment on the firewall scans for other available access points.
Unauthorized access points connected to the InShared wired network are detected, the firewall
will send an alert to the infra team who will respond with placing the access point on a black list.
The detected rogue SSID will be suppressed using roque access point functionality on the Wi-Fi
controller that sends de-authentication messages to the rogue access point.

PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.

PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.

PI-2 Data input and output routines are implemented in the webservices using Simple Object Ac-
cess Protocol (SOAP/envelopes), Web Service Definition Language (WSDL) techniques and API in-
tegrity checks. Errors are logged and followed up when necessary. Non permissible requests are
not processed by the applications and programming interfaces (APIs).

PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.

SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High

84
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct

- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

SOC2-7 Reliable logs are available for the CynoSure platform, which allows forensic procedures
when necessary, upon request of the customer and when the customer has specified the content
and format of data that InShared has to provide. These logs are implemented and changed as nec-
essary following the formal change management procedures of InShared.

VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.

VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.

VM-3 Security event logs are centrally collected by the third-party Security Information and Event
Management (SIEM) software log collector. The log collector is appropriately segmented from any
production related node and sends the log data to the SIEM system. The log collector is managed
by the third-party vendor.

VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

VM-5 Semi-annually vulnerability assessments and semi-annually penetration testing activities are
performed by a third-party vendor on InShared's network and web applications (frontend,
backend, webservices, external web connections, CynoSure applications and the supporting

85
Trust service criteria
CC6.7
The entity restricts the trans-
mission, movement, and re-
moval of information to au-
thorized internal and external
users and processes, and pro-
tects it during transmission,
movement, or removal to
meet the entity’s objectives.
Controls specified by InShared Results of PwC’s
Testing
infrastructure). Identified vulnerabilities are analysed and followed-up in a timely manner, de-
pending on the severity of the vulnerability, in accordance with the Incident Management Policy,
Change Management Policy and Release Management Policy.
VM-8 A Patch Management Policy has been established and communicated that defines the
scope, the roles and responsibilities and procedures with respect to patch management for the
CynoSure Platform. The Patch Management Policy is reviewed annually and updated as necessary.
DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
nually and updated as necessary.
86
Trust service criteria
CC6.8
The entity implements con-
trols to prevent or detect and
act upon the introduction of
unauthorized or malicious
software to meet the entity’s
objectives.
Controls specified by InShared Results of PwC’s
Testing
OA-11 Remote Desktop Connection for administrator access to the production environment are
encrypted.
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.
CCM-1 The system clocks of the firewalls are synchronized with reliable external sources via the No exceptions noted
Network Time Protocol (NTP). The domain controllers and hypervisors are configured to synchro-
nize with the nearest firewall.
CM-1 A Change Management Policy and a Release Management Policy has been established and
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
CM-4 The Information Security Policy instructs the use of the baselines during the installation of
(new) IT equipment. The security baseline configuration settings of firewalls, WIFI access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
OA-13 Authorized software is made available through Software Centre. Installation of unauthor-
ized software on organizationally-owned or managed user end-point devices is restricted as users
have no (local) administrator rights. Compliance with authorized software is monitored quarterly.
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.
87
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.

PI-2 Data input and output routines are implemented in the webservices using Simple Object Ac-
cess Protocol (SOAP/envelopes), Web Service Definition Language (WSDL) techniques and API in-
tegrity checks. Errors are logged and followed up when necessary. Non permissible requests are
not processed by the applications and programming interfaces (APIs).

SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

SOC2-7 Reliable logs are available for the CynoSure platform, which allows forensic procedures
when necessary, upon request of the customer and when the customer has specified the content
and format of data that InShared has to provide. These logs are implemented and changed as nec-
essary following the formal change management procedures of InShared.

VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.

VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.

88
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

VM-3 Security event logs are centrally collected by the third-party Security Information and Event
Management (SIEM) software log collector. The log collector is appropriately segmented from any
production related node and sends the log data to the SIEM system. The log collector is managed
by the third-party vendor.

VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

VM-5 Semi-annually vulnerability assessments and semi-annually penetration testing activities are
performed by a third-party vendor on InShared's network and web applications (frontend,
backend, webservices, external web connections, CynoSure applications and the supporting infra-
structure). Identified vulnerabilities are analysed and followed-up in a timely manner, depending
on the severity of the vulnerability, in accordance with the Incident Management Policy, Change
Management Policy and Release Management Policy.

VM-6 All end-points managed and/or owned by InShared are protected for the execution of mal-
ware using windows Anti-Virus. Windows servers are protected using TrendMicro Apex One.

VM-7 As part of the Information Security Policy, mobile code is not allowed at InShared. Mobile
code, including Java, is not allowed in the installation (SCCM). Users are therefore not able to in-
stall programs which are not part of the InShared software store. Upon request, an IT employee
can request exception for Java needed for cooperation with suppliers who work with Java.

89
7.1.7 System Operations
Trust service criteria
CC7.1
To meet its objectives, the en-
tity uses detection and moni-
toring procedures to identify
(1) changes to configurations
that result in the introduction
of new vulnerabilities, and (2)
susceptibilities to newly dis-
covered vulnerabilities.
Controls specified by InShared Results of PwC’s
Testing
CCM-1 The system clocks of the firewalls are synchronized with reliable external sources via the No exceptions noted
Network Time Protocol (NTP). The domain controllers and hypervisors are configured to synchro-
nize with the nearest firewall.
CM-4 The Information Security Policy instructs the use of the baselines during the installation of
(new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.
PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.
PI-2 Data input and output routines are implemented in the webservices using Simple Object Ac-
cess Protocol (SOAP/envelopes), Web Service Definition Language (WSDL) techniques and API in-
tegrity checks. Errors are logged and followed up when necessary. Non permissible requests are
not processed by the applications and programming interfaces (APIs).
90
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

SOC2-7 Reliable logs are available for the CynoSure platform, which allows forensic procedures
when necessary, upon request of the customer and when the customer has specified the content
and format of data that InShared has to provide. These logs are implemented and changed as nec-
essary following the formal change management procedures of InShared.

SOC2-8 Third-party access transactions or activities are monitored for appropriateness. This log-
ging and monitoring function enables early prevention and/or detection and subsequent timely
reporting of unusual and/or abnormal activities by authorized third parties which needs to be ad-
dressed.

VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.

VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.

VM-3 Security event logs are centrally collected by the third-party Security Information and Event
Management (SIEM) software log collector. The log collector is appropriately segmented from any

91
Trust service criteria
CC7.2
The entity monitors system
components and the opera-
tion of those components for
anomalies that are indicative
of malicious acts, natural dis-
asters, and errors affecting
the entity's ability to meet its
objectives; anomalies are ana-
lysed to determine whether
they represent security
events.
Controls specified by InShared Results of PwC’s
Testing
production related node and sends the log data to the SIEM system. The log collector is managed
by the third-party vendor.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
VM-5 Semi-annually vulnerability assessments and semi-annually penetration testing activities are
performed by a third-party vendor on InShared's network and web applications (frontend,
backend, webservices, external web connections, CynoSure applications and the supporting infra-
structure). Identified vulnerabilities are analysed and followed-up in a timely manner, depending
on the severity of the vulnerability, in accordance with the Incident Management Policy, Change
Management Policy and Release Management Policy.
VM-8 A Patch Management Policy has been established and communicated that defines the
scope, the roles and responsibilities and procedures with respect to patch management for the
CynoSure Platform. The Patch Management Policy is reviewed annually and updated as necessary.
CCM-1 The system clocks of the firewalls are synchronized with reliable external sources via the No exceptions noted
Network Time Protocol (NTP). The domain controllers and hypervisors are configured to synchro-
nize with the nearest firewall.
DS-4 Data and job error notifications are automatically sent to the service desk. In addition, the
error logs are daily reviewed by the service desk. The data and job error notifications are regis-
tered and followed up by the service desk using the IT ticketing system.
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
92
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.

PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.

PI-2 Data input and output routines are implemented in the webservices using Simple Object Ac-
cess Protocol (SOAP/envelopes), Web Service Definition Language (WSDL) techniques and API in-
tegrity checks. Errors are logged and followed up when necessary. Non permissible requests are
not processed by the applications and programming interfaces (APIs).

SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.

In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

SOC2-7 Reliable logs are available for the CynoSure platform, which allows forensic procedures
when necessary, upon request of the customer and when the customer has specified the content
and format of data that InShared has to provide. These logs are implemented and changed as nec-
essary following the formal change management procedures of InShared.

SOC2-8 Third-party access transactions or activities are monitored for appropriateness. This log-
ging and monitoring function enables early prevention and/or detection and subsequent timely
reporting of unusual and/or abnormal activities by authorized third parties which needs to be ad-
dressed.

93
Trust service criteria
CC7.3
The entity evaluates security
events to determine whether
they could or have resulted in
a failure of the entity to meet
its objectives (security inci-
dents) and, if so, takes actions
to prevent or address such
failures.
Controls specified by InShared Results of PwC’s
Testing
VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.
VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.
VM-3 Security event logs are centrally collected by the third-party Security Information and Event
Management (SIEM) software log collector. The log collector is appropriately segmented from any
production related node and sends the log data to the SIEM system. The log collector is managed
by the third-party vendor.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has No exceptions noted
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
IM-3 Identified security incidents are analysed and followed-up in a timely manner, in accordance
with the Incident Management Policy and Security Incident Response Management Policy. De-
pending on the severity of the security incident containment, eradication and recovery proce-
dures will be executed.
IM-4 Identified security incidents are post-mortem investigated and the security incident response
procedures are tested annually to identify areas for improvement.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
94
Trust service criteria
CC7.4
The entity responds to identi-
fied security incidents by exe-
cuting a defined incident re-
sponse program to under-
stand, contain, remediate,
and communicate security in-
cidents, as appropriate.
Controls specified by InShared Results of PwC’s
Testing
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.
SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management No exceptions noted
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
IM-3 Identified security incidents are analysed and followed-up in a timely manner, in accordance
with the Incident Management Policy and Security Incident Response Management Policy. De-
pending on the severity of the security incident containment, eradication and recovery proce-
dures will be executed.
IM-4 Identified security incidents are post-mortem investigated and the security incident response
procedures are tested annually to identify areas for improvement.
IS-4 Disciplinary actions are defined for employees and contingent staff that violate InShared's se-
curity policies and procedures.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
95
Trust service criteria
CC7.5
The entity identifies, devel-
ops, and implements activities
to recover from identified se-
curity incidents.
Controls specified by InShared Results of PwC’s
Testing
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.
SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.
96
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

DS-2 Customer data within the CynoSure platform is automatically replicated with Zert0 cross hy-
pervisor replication, to minimize isolated faults. Customers of the CynoSure platform are able to
determine the geographical regions for data processing and storage, including data backups,
within the customer contract.

DS-3 Backup restoration procedures are defined and backup data integrity checks are performed
through standard restoration activities.

ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.

IS-4 Disciplinary actions are defined for employees and contingent staff that violate InShared's se-
curity policies and procedures.

IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.

IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.

IM-3 Identified security incidents are analysed and followed-up in a timely manner, in accordance
with the Incident Management Policy and Security Incident Response Management Policy. De-
pending on the severity of the security incident containment, eradication and recovery proce-
dures will be executed.

IM-4 Identified security incidents are post-mortem investigated and the security incident response
procedures are tested annually to identify areas for improvement.

97
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.

SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.

SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.

VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

98
7.1.8 Change Management
Trust service criteria
CC8.1
The entity authorizes, designs,
develops or acquires, config-
ures, documents, tests, ap-
proves, and implements
changes to infrastructure,
data, software, and proce-
dures to meet its objectives.
Controls specified by InShared Results of PwC’s
Testing
CCM-2 InShared provides its customers with a list of standard set of API's upon request. All API's No exceptions noted
are generated using the standards for TLS and web services.
CM-1 A Change Management Policy and a Release Management Policy has been established and
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
CM-2 Change requests are evaluated to determine the potential effect of the change on system
availability, confidentiality and integrity of CynoSure services and approved in line with the de-
fined roles and responsibilities with respect to the (pre-)authorization, as described within the
Change Management Policy. Changes classified as major require the approval of the Platform Ar-
chitecture Board.
CM-3 Changes to the CynoSure platform, including emergency changes, are (pre-)authorized, de-
signed, developed, configured, documented, tested, approved and deployed in line with the es-
tablished Change Management and Release Management policies and procedures. Changes classi-
fied as major require the approval of the Platform Architecture Board.
CM-5 New features and major changes are developed and tested in separate environments prior
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
99
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

- Bitbucket code checks

- Automated webservice creation
- SOAPUI WSI compliance report

SDL-1 A centralized repository is used for managing source code changes to the CynoSure plat-
form. The source code is locked down through version control software and changes has to fol-
low-through the change management repositories.

SDL-2 The utility programs at InShared, Bamboo for code deployment, Ansible for Linux deploy-
ment and V-centre for VMware management, are restricted by authorizations following the Au-
thorization Management Policy.

SOC2-3 Information system documentation to be able to configure, install and operate the Cyno-
Sure services and effectively use the platform's security features is available and shared with the
client via (live) training and mail.

SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.

100
7.1.9 Risk Mitigation
Trust service criteria
CC9.1
The entity identifies, selects,
and develops risk mitigation
activities for risks arising from
potential business disrup-
tions.
Controls specified by InShared Results of PwC’s
Testing
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
DS-2 Customer data within the CynoSure platform is automatically replicated with Zert0 cross hy-
pervisor replication, to minimize isolated faults. Customers of the CynoSure platform are able to
determine the geographical regions for data processing and storage, including data backups,
within the customer contract.
DS-3 Backup restoration procedures are defined and backup data integrity checks are performed
through standard restoration activities.
101
Trust service criteria
CC9.2
The entity assesses and man-
ages risks associated with
vendors and business part-
ners.
Controls specified by InShared Results of PwC’s
Testing
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management No exceptions noted
Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
SOC2-8 Third-party access transactions or activities are monitored for appropriateness. This log-
ging and monitoring function enables early prevention and/or detection and subsequent timely
reporting of unusual and/or abnormal activities by authorized third parties which needs to be ad-
dressed.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
102
7.1.10 Additional Criteria for Availability
Trust service criteria
A1.1
The entity maintains, moni-
tors, and evaluates current
processing capacity and use of
system components (infra-
structure, data, and software)
to manage capacity demand
and to enable the implemen-
tation of additional capacity
to help meet its objectives.
A1.2
The entity authorizes, designs,
develops or acquires, imple-
ments, operates, approves,
maintains, and monitors envi-
ronmental protections, soft-
ware, data backup processes,
and recovery infrastructure to
meet its objectives.
Controls specified by InShared Results of PwC’s
Testing
IM-2 The availability, capacity and performance of the network and resources are monitored by No exceptions noted
third-party monitoring software. Alerts are reported by the third-party vendor and followed up
through the formal incident management procedures, as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.
103
Trust service criteria
A1.3
The entity tests recovery plan
procedures supporting system
recovery to meet its objec-
tives.
Controls specified by InShared Results of PwC’s
Testing
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
DS-2 Customer data within the CynoSure platform is automatically replicated with Zert0 cross hy-
pervisor replication, to minimize isolated faults. Customers of the CynoSure platform are able to
determine the geographical regions for data processing and storage, including data backups,
within the customer contract.
DS-3 Backup restoration procedures are defined and backup data integrity checks are performed
through standard restoration activities.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
104
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.

BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.

BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.

DS-2 Customer data within the CynoSure platform is automatically replicated with Zert0 cross hy-
pervisor replication, to minimize isolated faults. Customers of the CynoSure platform are able to
determine the geographical regions for data processing and storage, including data backups,
within the customer contract.

DS-3 Backup restoration procedures are defined and backup data integrity checks are performed
through standard restoration activities.

IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.

PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.

SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.

105
7.1.11 Additional Criteria for Confidentiality
Trust service criteria
C1.1
The entity identifies and
maintains confidential infor-
mation to meet the entity’s
objectives related to confi-
dentiality.
Controls specified by InShared Results of PwC’s
Testing
CM-5 New features and major changes are developed and tested in separate environments prior No exceptions noted
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
DS-5 A Retention Period Policy has been established and communicated to ensure that customer
data is retained and removed per the defined retention periods. The Retention Period Policy is re-
viewed annually and updated as necessary.
DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
nually and updated as necessary.
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team.
The inventory of assets is reviewed at least annually.
PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
106
Trust service criteria
C1.2
The entity disposes of confi-
dential information to meet
the entity’s objectives related
to confidentiality.
Controls specified by InShared Results of PwC’s
Testing
The Data Classification Policy is reviewed annually and updated as necessary.
SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.
SOC2-6 Customer data is accessible within agreed upon services in data formats compatible with
the CynoSure services provided. Upon customer request data is provided to the customer in the
format as defined within the customer contract.
DS-5 A Retention Period Policy has been established and communicated to ensure that customer No exceptions noted
data is retained and removed per the defined retention periods. The Retention Period Policy is re-
viewed annually and updated as necessary.
DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
nually and updated as necessary.
PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
107
Trust service criteria Controls specified by InShared Results of PwC’s
Testing

The Data Classification Policy is reviewed annually and updated as necessary.

SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.

108
8 PART B: CLOUD CONTROL MATRIX CRITERIA, THE CONTROLS ESTABLISHED AND SPECIFIED BY INSHARED
AND TEST RESULTS PROVIDED BY PWC

The Cloud Control Matrix Criteria are listed below, except for the domain Mobile Security, Anti-Malware (MOS) as InShared does not support mobile devices.
Furthermore, the Cloud Control Matrix specifications below do not apply to InShared:
 Control specification DCS-03 as location aware technology does not fit the organisation size of InShared;
 Control specification l IPY-05 as virtualisation is not part of the service delivery of the CynoSure platform;
 Control specification l IVS-02 as change detection upon virtual machines for users is not part of the SaaS service;
 Control specification IVS-10 as InShared does not migrate virtual servers from physical servers; and
 Control specification SEF-01 as contact with local authorities are maintained by the users of the CynoSure platform.

8.1.1 Application & Interface Security (AIS)

CCM criteria Controls specified by InShared Results of PwC’s

Testing

AIS-01 Application Security
Applications and program-
ming interfaces (APIs) shall be
designed, developed, de-
ployed, and tested in accord-
ance with leading industry
standards (e.g., OWASP for
web applications) and adhere
to applicable legal, statutory,
or regulatory compliance obli-
gations.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed, No exceptions noted
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.

Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple

109
CCM criteria
AIS-02 Access Requirements
Prior to granting customers
access to data, assets, and in-
formation systems, identified
security, contractual, and reg-
ulatory requirements for cus-
tomer access shall be ad-
dressed.
AIS-03 Data Integrity
Data input and output integ-
rity routines (i.e., reconcilia-
tion and edit checks) shall be
implemented for application
interfaces and databases to
prevent manual or systematic
processing errors, corruption
of data, or misuse.
Controls specified by InShared Results of PwC’s
Testing
Authority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure No exceptions noted
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.
SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.
PI-2 Data input and output routines are implemented in the webservices using Simple Object Ac- No exceptions noted
cess Protocol (SOAP/envelopes), Web Service Definition Language (WSDL) techniques and API in-
tegrity checks. Errors are logged and followed up when necessary. Non permissible requests are
not processed by the applications and programming interfaces (APIs).
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.
110
CCM criteria Controls specified by InShared Results of PwC’s
Testing

AIS-04 Data Security / Integ- DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
rity volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Policies and procedures shall
be established and main-
Within the CynoSure platform encryption keys are applied in the following areas:
tained in support of data se-
- Webservices: public certificates are used for the webservices for external communication and
curity to include (confidential-
client certificates are generated and stored manually using an encryption key server (Simple Au-
ity, integrity, and availability)
thority) for internal communication of the webservices within the CynoSure Platform.
across multiple system inter-
- Datacentre communication: connections between datacentres are point to point using IPsec
faces, jurisdictions, and busi-
managed by the Fortinet FortiGate firewall devices.
ness functions to prevent im-
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
proper disclosure, alternation,
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
or destruction.
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.

Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.

IS-7 An Enterprise Architecture has been established and communicated that describes the cur-
rent and target architectures for the business, information, data, application and technology do-
mains governing the security principles as outlined in the Information Security Policy. The Enter-
prise Architecture drives process, services and technology changes necessary to execute strategies
for the CynoSure platform. The Enterprise Architecture is reviewed annually and updated as nec-
essary.

111
CCM criteria Controls specified by InShared Results of PwC’s
Testing

OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.

PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.

112
8.1.2 Audit Assurance and Compliance (AAC)
CCM criteria
AAC-01 Audit Planning
Audit plans shall be devel-
oped and maintained to ad-
dress business process disrup-
tions. Auditing plans shall fo-
cus on reviewing the effec-
tiveness of the implementa-
tion of security operations. All
audit activities must be
agreed upon prior to execut-
ing any audits.
AAC-02 Independent Audits
Independent reviews and as-
sessments shall be performed
at least annually to ensure
that the organization ad-
dresses nonconformities of
established policies, stand-
ards, procedures, and compli-
ance obligations.
Controls specified by InShared Results of PwC’s
Testing
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov- No exceptions noted
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of No exceptions noted
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
113
CCM criteria
AAC-03 Information System
Regulatory Mapping
Organizations shall create and
maintain a control framework
which captures standards,
regulatory, legal, and statu-
tory requirements relevant
for their business needs. The
control framework shall be re-
viewed at least annually to
ensure changes that could af-
fect the business processes
are reflected.
Controls specified by InShared Results of PwC’s
Testing
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov- No exceptions noted
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
114
8.1.3 Business Continuity Management and Operational Resilience (BCR)

CCM criteria Controls specified by InShared Results of PwC’s

Testing

BCR-01 Business Continuity BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
Planning fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
A consistent unified frame-
fined in the Business Continuity Plan.
work for business continuity
planning and plan develop- In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ment shall be established, ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
documented, and adopted to aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
ensure all business continuity and detailed procedures for recovery and reconstitution of systems to a known state per defined
plans are consistent in ad- Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
dressing priorities for testing,
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
maintenance, and infor-
viewed annually and updated as necessary.
mation security requirements.
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover
Requirements for business
tests which are monitored using the periodical checks schedule. Issues identified during testing
continuity plans include the
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
following:
necessary.
•Defined purpose and scope,
aligned with relevant depend- IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
encies in line with the reporting frequency, to determine that the scope of the control objectives and
• Accessible to and under- controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
stood by those who will use noted deviations can impact InShared's control objectives.
them
• Owned by a named per-
son(s) who is responsible for
their review, update, and ap-
proval
• Defined lines of communi-
cation, roles, and responsibili-
ties

115
CCM criteria Controls specified by InShared Results of PwC’s
Testing

• Detailed recovery proce-

dures, manual work-around,
and reference information
• Method for plan invocation
BCR-02 Business Continuity BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover No exceptions noted
Testing tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
Business continuity and secu-
necessary.
rity incident response plans
shall be subject to testing at IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
planned intervals or upon sig- in line with the reporting frequency, to determine that the scope of the control objectives and
nificant organizational or en- controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
vironmental changes. Incident noted deviations can impact InShared's control objectives.
response plans shall involve
impacted customers (tenant)
and other business relation-
ships that represent critical
intra-supply chain business
process dependencies.

BCR-03 Power / Telecommu-
nications
Data centre utilities services
and environmental conditions
(e.g., water, power, tempera-
ture and humidity controls,
telecommunications, and in-
ternet connectivity) shall be
secured, monitored, main-
tained, and tested for contin-
ual effectiveness at planned
intervals to ensure protection
from unauthorized
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover No exceptions noted
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.
DS-2 Customer data within the CynoSure platform is automatically replicated with Zert0 cross hy-
pervisor replication, to minimize isolated faults. Customers of the CynoSure platform are able to
determine the geographical regions for data processing and storage, including data backups,
within the customer contract.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and

116
CCM criteria Controls specified by InShared Results of PwC’s
Testing

interception or damage, and
designed with automated fail-
over or other redundancies in
the event of planned or un-
planned disruptions.
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.

BCR-04 Documentation SOC2-3 Information system documentation to be able to configure, install and operate the Cyno- No exceptions noted
Sure services and effectively use the platform's security features is available and shared with the
Information system documen- client via (live) training and mail.
tation (e.g., administrator and
user guides, and architecture
diagrams) shall be made avail-
able to authorized personnel
to ensure the following:
• Configuring, installing, and
operating the information sys-
tem
• Effectively using the sys-
tem’s security features
BCR-05 Environmental Risks BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover No exceptions noted
tests which are monitored using the periodical checks schedule. Issues identified during testing
Physical protection against
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
damage from natural causes
necessary.
and disasters, as well as delib-
erate attacks, including fire, IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
flood, atmospheric electrical in line with the reporting frequency, to determine that the scope of the control objectives and
discharge, solar induced geo- controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
magnetic storm, wind, earth- noted deviations can impact InShared's control objectives.
quake, tsunami, explosion,
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
nuclear accident, volcanic ac-
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
tivity, biological hazard, civil
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
unrest, mudslide, tectonic ac-
tivity, and other forms of

117
CCM criteria
natural or man-made disaster
shall be anticipated, designed,
and have countermeasures
applied.
BCR-06 Equipment Location
To reduce the risks from envi-
ronmental threats, hazards,
and opportunities for unau-
thorized access, equipment
shall be kept away from loca-
tions subject to high probabil-
ity environmental risks and
supplemented by redundant
equipment located at a rea-
sonable distance.
BCR-07 Equipment Mainte-
nance
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, for equipment
maintenance ensuring conti-
nuity and availability of oper-
ations and support personnel.
Controls specified by InShared Results of PwC’s
Testing
DS-2 Customer data within the CynoSure platform is automatically replicated with Zert0 cross hy- No exceptions noted
pervisor replication, to minimize isolated faults. Customers of the CynoSure platform are able to
determine the geographical regions for data processing and storage, including data backups,
within the customer contract.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover No exceptions noted
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.
DS-2 Customer data within the CynoSure platform is automatically replicated with Zert0 cross hy-
pervisor replication, to minimize isolated faults. Customers of the CynoSure platform are able to
determine the geographical regions for data processing and storage, including data backups,
within the customer contract.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
118
CCM criteria
BCR-08 Equipment Power
Failures
Protection measures shall be
put into place to react to nat-
ural and man-made threats
based upon a geographically-
specific business impact as-
sessment.
BCR-09 Impact Analysis
There shall be a defined and
documented method for de-
termining the impact of any
disruption to the organization
(cloud provider, cloud con-
sumer) that must incorporate
the following:
• Identify critical products
and services
• Identify all dependencies,
including processes, applica-
tions, business partners, and
third-party service providers
• Understand threats to criti-
cal products and services
• Determine impacts result-
ing from planned or
Controls specified by InShared Results of PwC’s
Testing
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover No exceptions noted
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
fined in the Business Continuity Plan.
In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
and detailed procedures for recovery and reconstitution of systems to a known state per defined
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
viewed annually and updated as necessary.
BC-2 Disaster and recovery failover plans are tested annually, using the automated Zert0 failover
tests which are monitored using the periodical checks schedule. Issues identified during testing
are analysed and resolved. The Disaster & Recovery Policy and plans are updated accordingly as
necessary.
119
CCM criteria Controls specified by InShared Results of PwC’s
Testing

unplanned disruptions and BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually
how these vary over time to identify, analyse and assess business continuity risks related to CynoSure services and to define
• Establish the maximum tol- and implement business continuity protection measures based on the risk appetite.
erable period for disruption
• Establish priorities for re-
covery
• Establish recovery time ob-
jectives for resumption of crit-
ical products and services
within their maximum tolera-
ble period of disruption
• Estimate the resources re-
quired for resumption
BCR-10 Policy BC-1 A Disaster & Recovery Management Policy has been established and communicated that de- No exceptions noted
fines the lines of communication, roles, and responsibilities. Disasters & Recovery Management is
Policies and procedures shall
triggered by an emergency or disruption to the CynoSure Services. Continuity of the office is de-
be established, and support- fined in the Business Continuity Plan.
ing business processes and
technical measures imple- In case of an emergency or disruption, the Business Continuity Manager and/or Chief Review Of-
mented, for appropriate IT ficer activates the IT Continuity Plan, which is an integral part of the Business Continuity and Dis-
governance and service man- aster & Recovery Management plans. The IT Continuity Plan defines the continuity architecture
agement to ensure appropri- and detailed procedures for recovery and reconstitution of systems to a known state per defined
ate planning, delivery and Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
support of the organization's
The Disaster & Recovery Management, Business Continuity Plan and IT Continuity plan are re-
IT capabilities supporting
viewed annually and updated as necessary.
business functions, workforce,
and/or customers based on CM-1 A Change Management Policy and a Release Management Policy has been established and
industry acceptable standards communicated that defines the procedures and roles and responsibilities with respect to the (pre-
(i.e., ITIL v4 and COBIT 5). Ad- )authorization, development, testing and implementation of changes. The change management
ditionally, policies and proce- process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
dures shall include defined (3) build & test changes. Completion of the change management process triggers the Release
roles and responsibilities

120
CCM criteria Controls specified by InShared Results of PwC’s
Testing

supported by regular work- Management process. The Change Management Policy and the Release Management Policy are
force training. reviewed annually and updated as necessary.

IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.

IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.

IS-2 An information security education and awareness program has been established that includes
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.

IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.

IS-7 An Enterprise Architecture has been established and communicated that describes the cur-
rent and target architectures for the business, information, data, application and technology do-
mains governing the security principles as outlined in the Information Security Policy. The Enter-
prise Architecture drives process, services and technology changes necessary to execute strategies
for the CynoSure platform. The Enterprise Architecture is reviewed annually and updated as nec-
essary.

BCR-11 Retention Policy DS-3 Backup restoration procedures are defined and backup data integrity checks are performed No exceptions noted
through standard restoration activities.
Policies and procedures shall
be established, and support-
ing business processes and

121
CCM criteria Controls specified by InShared Results of PwC’s
Testing

technical measures imple- DS-5 A Retention Period Policy has been established and communicated to ensure that customer
mented, for defining and ad- data is retained and removed per the defined retention periods. The Retention Period Policy is re-
hering to the retention period viewed annually and updated as necessary.
of any critical asset as per es-
PE-2 The Continuity Architecture of InShared is redundant. Within the production datacentre the
tablished policies and proce-
infrastructure is redundant, and active-passive between the production site and the BCDR site. A
dures, as well as applicable le-
separate risk assessment is conducted for BCDR sites within 50 km distance of production sites.
gal, statutory, or regulatory
compliance obligations.
Backup and recovery
measures shall be incorpo-
rated as part of business con-
tinuity planning and tested
accordingly for effectiveness.

122
8.1.4 Change Control and Configuration Management (CCC)
CCM criteria
CCC-01 New Development /
Acquisition
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, to ensure the devel-
opment and/or acquisition of
new data, physical or virtual
applications, infrastructure
network and systems compo-
nents, or any corporate, oper-
ations and/or data centre fa-
cilities have been pre-author-
ized by the organization's
business leadership or other
accountable business role or
function.
CCC-02 Outsourced Develop-
ment
External business partners
shall adhere to the same
Controls specified by InShared Results of PwC’s
Testing
CM-1 A Change Management Policy and a Release Management Policy has been established and No exceptions noted
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
CM-3 Changes to the CynoSure platform, including emergency changes, are (pre-)authorized, de-
signed, developed, configured, documented, tested, approved and deployed in line with the es-
tablished Change Management and Release Management policies and procedures. Changes classi-
fied as major require the approval of the Platform Architecture Board.
CM-5 New features and major changes are developed and tested in separate environments prior
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
CM-2 Change requests are evaluated to determine the potential effect of the change on system No exceptions noted
availability, confidentiality and integrity of CynoSure services and approved in line with the de-
fined roles and responsibilities with respect to the (pre-)authorization, as described within the
123
CCM criteria
policies and procedures for
change management, release,
and testing as internal devel-
opers within the organization
(e.g., ITIL service management
processes).
CCC-03 Management Quality
Testing
Organizations shall follow a
defined quality change con-
trol and testing process (e.g.,
ITIL Service Management)
with established baselines,
testing, and release standards
which focus on system availa-
bility, confidentiality, and in-
tegrity of systems and ser-
vices.
Controls specified by InShared Results of PwC’s
Testing
Change Management Policy. Changes classified as major require the approval of the Platform Ar-
chitecture Board.
CM-1 A Change Management Policy and a Release Management Policy has been established and No exceptions noted
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
CM-2 Change requests are evaluated to determine the potential effect of the change on system
availability, confidentiality and integrity of CynoSure services and approved in line with the de-
fined roles and responsibilities with respect to the (pre-)authorization, as described within the
Change Management Policy. Changes classified as major require the approval of the Platform Ar-
chitecture Board.
CM-3 Changes to the CynoSure platform, including emergency changes, are (pre-)authorized, de-
signed, developed, configured, documented, tested, approved and deployed in line with the es-
tablished Change Management and Release Management policies and procedures. Changes classi-
fied as major require the approval of the Platform Architecture Board.
CM-4 The Information Security Policy instructs the use of the baselines during the installation of
(new) IT equipment. The security baseline configuration settings of firewalls, WIFI access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
124
CCM criteria
CCC-04 Unauthorized Soft-
ware Installations
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, to restrict the instal-
lation of unauthorized soft-
ware on organizationally-
owned or managed user end-
point devices (e.g., issued
workstations, laptops, and
mobile devices) and IT infra-
structure network and sys-
tems components.
Controls specified by InShared Results of PwC’s
Testing
CM-5 New features and major changes are developed and tested in separate environments prior
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
(new) IT equipment. The security baseline configuration settings of firewalls, WIFI access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
OA-13 Authorized software is made available through Software Centre. Installation of unauthor-
ized software on organizationally-owned or managed user end-point devices is restricted as users
have no (local) administrator rights. Compliance with authorized software is monitored quarterly.
VM-7 As part of the Information Security Policy, mobile code is not allowed at InShared. Mobile
code, including Java, is not allowed in the installation (SCCM). Users are therefore not able to in-
stall programs which are not part of the InShared software store. Upon request, an IT employee
can request exception for Java needed for cooperation with suppliers who work with Java.
125
CCM criteria
CCC-05 Production Changes
Policies and procedures shall
be established for managing
the risks associated with ap-
plying changes to:
• Business-critical or cus-
tomer (tenant)-impacting
(physical and virtual) applica-
tions and system-system in-
terface (API) designs and con-
figurations.
• Infrastructure network and
systems components.
Technical measures shall be
implemented to provide as-
surance that all changes di-
rectly correspond to a regis-
tered change request, busi-
ness-critical or customer (ten-
ant), and/or authorization by,
the customer (tenant) as per
agreement (SLA) prior to de-
ployment.
Controls specified by InShared Results of PwC’s
Testing
CM-1 A Change Management Policy and a Release Management Policy has been established and No exceptions noted
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
CM-2 Change requests are evaluated to determine the potential effect of the change on system
availability, confidentiality and integrity of CynoSure services and approved in line with the de-
fined roles and responsibilities with respect to the (pre-)authorization, as described within the
Change Management Policy. Changes classified as major require the approval of the Platform Ar-
chitecture Board.
CM-3 Changes to the CynoSure platform, including emergency changes, are (pre-)authorized, de-
signed, developed, configured, documented, tested, approved and deployed in line with the es-
tablished Change Management and Release Management policies and procedures. Changes classi-
fied as major require the approval of the Platform Architecture Board.
CM-5 New features and major changes are developed and tested in separate environments prior
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
126
8.1.5 Datacentre Security (DCS)

CCM criteria Controls specified by InShared Results of PwC’s

Testing

DCS-01 Asset Management PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team. No exceptions noted
The inventory of assets is reviewed at least annually.
Assets must be classified in
terms of 1) business criticality, PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
2) service-level expectations, (Jira) by the infrastructure team.
and 3) operational continuity
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
requirements. A complete in-
sification of data and systems and the security requirements for each classification level. The fol-
ventory of 1) business-critical
lowing classification levels are defined:
assets located at all sites
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
and/or geographical locations
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
and 2) their usage over time
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
shall be maintained and up-
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
dated regularly, and assigned
ownership by defined roles
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
and responsibilities.
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.

The Data Classification Policy is reviewed annually and updated as necessary.

DCS-02 Controlled Access IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
Points in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
Physical security perimeters noted deviations can impact InShared's control objectives.
(e.g., fences, walls, barriers,
guards, gates, electronic sur-
veillance, physical authentica-
tion mechanisms, reception
desks, and security patrols)
shall be implemented to

127
CCM criteria Controls specified by InShared Results of PwC’s
Testing

safeguard sensitive data and

information systems.

DCS-03 Equipment Identifica- Control specification DCS-03 is not applicable to InShared as location aware technology does not Not applicable
tion fit the organisation size of InShared.

Automated equipment identi-

fication shall be used as a
method of connection au-
thentication. Location-aware
technologies may be used to
validate connection authenti-
cation integrity based on
known equipment location.

DCS-04 Offsite Authorization
Authorization must be ob-
tained prior to relocation or
transfer of hardware, soft-
ware, or data to an offsite
premises.
DS-5 A Retention Period Policy has been established and communicated to ensure that customer No exceptions noted
data is retained and removed per the defined retention periods. The Retention Period Policy is re-
viewed annually and updated as necessary.
PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.

DCS-05 Offsite Equipment DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the No exceptions noted
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
Policies and procedures shall
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
be established for the secure
nually and updated as necessary.
disposal of equipment (by as-
set type) used outside the or-
ganization's premise. This
shall include a wiping solution
or destruction process that
renders recovery of infor-
mation impossible. The eras-
ure shall consist of a full write

128
CCM criteria
of the drive to ensure that the
erased drive is released to in-
ventory for reuse and deploy-
ment or securely stored until
it can be destroyed.
DCS-06 Policy
Policies and procedures shall
be established, and support-
ing business processes imple-
mented, for maintaining a
safe and secure working envi-
ronment in offices, rooms, fa-
cilities, and secure areas stor-
ing sensitive information.
DCS-07 Secure Area Authori-
zation
Ingress and egress to secure
areas shall be constrained and
monitored by physical access
control mechanisms to ensure
that only authorized person-
nel are allowed access.
DCS-08 Unauthorized Persons
Entry
Ingress and egress points such
as service areas and other
Controls specified by InShared Results of PwC’s
Testing
IS-2 An information security education and awareness program has been established that includes No exceptions noted
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-1 Authorization to give physical access to the datacentre is given by the information manager
of InShared to the regarding datacentre. Security verification and check-in are required for per-
sonnel for temporary access to the interior datacentre facility including tour groups or visitors.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-1 Authorization to give physical access to the datacentre is given by the information manager
of InShared to the regarding datacentre. Security verification and check-in are required for per-
sonnel for temporary access to the interior datacentre facility including tour groups or visitors.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
129
CCM criteria Controls specified by InShared Results of PwC’s
Testing

points where unauthorized

personnel may enter the
premises shall be monitored,
controlled and, if possible,
isolated from data storage
and processing facilities to
prevent unauthorized data
corruption, compromise, and
loss.

DCS-09 User Access
Physical access to information
assets and functions by users
and support personnel shall
be restricted.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PE-1 Authorization to give physical access to the datacentre is given by the information manager
of InShared to the regarding datacentre. Security verification and check-in are required for per-
sonnel for temporary access to the interior datacentre facility including tour groups or visitors.

130
8.1.6 Data Security and Information Lifecycle Management (DSI)
CCM criteria
DSI-01 Classification
Data and objects containing
data shall be assigned a classi-
fication by the data owner
based on data type, value,
sensitivity, and criticality to
the organization.
DSI-02 Data Inventory / Flows
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, to inventory, docu-
ment, and maintain data
flows for data that is resident
(permanently or temporarily)
within the service's geograph-
ically distributed (physical and
virtual) applications and infra-
structure network and sys-
tems components and/or
shared with other third par-
ties to ascertain any regula-
tory, statutory, or supply
Controls specified by InShared Results of PwC’s
Testing
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas- No exceptions noted
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team. No exceptions noted
The inventory of assets is reviewed at least annually.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
131
CCM criteria
chain agreement (SLA) com-
pliance impact, and to ad-
dress any other business risks
associated with the data.
Upon request, provider shall
inform customer (tenant) of
compliance impact and risk,
especially if customer data is
used as part of the services.
DSI-03 E-commerce Transac-
tions
Data related to electronic
commerce (e-commerce) that
traverses public networks
shall be appropriately classi-
fied and protected from
fraudulent activity, unauthor-
ized disclosure, or modifica-
tion in such a manner to pre-
vent contract dispute and
compromise of data.
Controls specified by InShared Results of PwC’s
Testing
SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.
SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.
DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
132
CCM criteria
DSI-04 Handling / Labelling /
Security Policy
Policies and procedures shall
be established for labelling,
handling, and the security of
data and objects which con-
tain data. Mechanisms for la-
bel inheritance shall be imple-
mented for objects that act as
aggregate containers for data.
DSI-05 Nonproduction Data
Production data shall not be
replicated or used in non-pro-
duction environments. Any
use of customer data in non-
production environments
Controls specified by InShared Results of PwC’s
Testing
OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team. No exceptions noted
The inventory of assets is reviewed at least annually.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
CM-3 Changes to the CynoSure platform, including emergency changes, are (pre-)authorized, de- No exceptions noted
signed, developed, configured, documented, tested, approved and deployed in line with the es-
tablished Change Management and Release Management policies and procedures. Changes classi-
fied as major require the approval of the Platform Architecture Board.
133
CCM criteria
requires explicit, documented
approval from all customers
whose data is affected, and
must comply with all legal and
regulatory requirements for
scrubbing of sensitive data el-
ements.
DSI-06 Ownership / Steward-
ship
All data shall be designated
with stewardship, with as-
signed responsibilities de-
fined, documented, and com-
municated.
DSI-07 Secure Disposal
Policies and procedures shall
be established with support-
ing business processes and
technical measures imple-
mented for the secure dis-
posal and complete removal
of data from all storage
Controls specified by InShared Results of PwC’s
Testing
CM-5 New features and major changes are developed and tested in separate environments prior
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
PE-3 A complete inventory of assets in the datacentres is maintained by the infrastructure team. No exceptions noted
The inventory of assets is reviewed at least annually.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
CM-5 New features and major changes are developed and tested in separate environments prior No exceptions noted
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
DS-6 A Repurposing of Equipment Policy has been established and communicated that defines the
destruction guidelines and procedures for secure disposal or repurposing of equipment used out-
side InShared's premise or tenant domain. The Repurposing of Equipment Policy is reviewed an-
nually and updated as necessary.
134
CCM criteria Controls specified by InShared Results of PwC’s
Testing

media, ensuring data is not

recoverable by any computer
forensic means.

135
8.1.7 Encryption and Key Management (EKM)
CCM criteria
EKM-01 Entitlement
Keys must have identifiable
owners (binding keys to iden-
tities) and there shall be key
management policies.
EKM-02 Key Generation
Policies and procedures shall
be established for the man-
agement of cryptographic
keys in the service's cryp-
tosystem (e.g., lifecycle man-
agement from key generation
to revocation and replace-
ment, public key infrastruc-
ture, cryptographic protocol
Controls specified by InShared Results of PwC’s
Testing
DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
136
CCM criteria Controls specified by InShared Results of PwC’s
Testing

design and algorithms used, - Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
access controls in place for se- - Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cure key generation, and ex- cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
change and storage including - Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
segregation of keys used for
encrypted data or sessions). Cryptographic keys, certificates, and customer access keys used for communication between Cy-
Upon request, provider shall noSure services and other internal components or external parties are hosted by the load bal-
inform the customer (tenant) ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
of changes within the cryp- cates for webservices are communicated to the client and/or partners by the NOC.
tosystem, especially if the
customer (tenant) data is
used as part of the service,
and/or the customer (tenant)
has some shared responsibil-
ity over implementation of
the control.

EKM-03 Encryption DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
Policies and procedures shall
agement Policy. InShared uses industry standards and best practices for encryption.
be established, and support-
ing business processes and
Within the CynoSure platform encryption keys are applied in the following areas:
technical measures imple-
- Webservices: public certificates are used for the webservices for external communication and
mented, for the use of en-
client certificates are generated and stored manually using an encryption key server (Simple Au-
cryption protocols for protec-
thority) for internal communication of the webservices within the CynoSure Platform.
tion of sensitive data in stor-
- Datacentre communication: connections between datacentres are point to point using IPsec
age (e.g., file servers, data-
managed by the Fortinet FortiGate firewall devices.
bases, and end-user work-
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
stations) and data in transmis-
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
sion (e.g., system interfaces,
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
over public networks, and
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
electronic messaging) as per
applicable legal, statutory,
Cryptographic keys, certificates, and customer access keys used for communication between

137
CCM criteria Controls specified by InShared Results of PwC’s
Testing

and regulatory compliance CynoSure services and other internal components or external parties are hosted by the load bal-
obligations. ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

OA-11 Remote Desktop Connection for administrator access to the production environment are
encrypted.

EKM-04 Storage and Access DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
Platform and data appropri-
agement Policy. InShared uses industry standards and best practices for encryption.
ate encryption (e.g., AES-256)
in open/validated formats and
Within the CynoSure platform encryption keys are applied in the following areas:
standard algorithms shall be
- Webservices: public certificates are used for the webservices for external communication and
required. Keys shall not be
client certificates are generated and stored manually using an encryption key server (Simple Au-
stored in the cloud (i.e. at the
thority) for internal communication of the webservices within the CynoSure Platform.
cloud provider in question),
- Datacentre communication: connections between datacentres are point to point using IPsec
but maintained by the cloud
managed by the Fortinet FortiGate firewall devices.
consumer or trusted key man-
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
agement provider. Key man-
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
agement and key usage shall
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
be separated duties.
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.

Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

138
8.1.8 Governance and Risk Management (GRM)

CCM criteria Controls specified by InShared Results of PwC’s

Testing

GRM-01 Baseline Require- CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
ments (new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
Baseline security require-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
ments shall be established for
followed up and remediated, in accordance with the Change Management and Release Manage-
developed or acquired, organ-
ment policies and procedures.
izationally-owned or man-
aged, physical or virtual, ap-
plications and infrastructure
system, and network compo-
nents that comply with appli-
cable legal, statutory, and reg-
ulatory compliance obliga-
tions. Deviations from stand-
ard baseline configurations
must be authorized following
change management policies
and procedures prior to de-
ployment, provisioning, or
use. Compliance with security
baseline requirements must
be reassessed at least annu-
ally unless an alternate fre-
quency has been established
and authorized based on busi-
ness needs.

GRM-02 Risk Assessments
Risk assessments associated
with data governance
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually No exceptions noted
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.

139
CCM criteria
requirements shall be con-
ducted at planned intervals
and shall consider the follow-
ing:
• Awareness of where sensi-
tive data is stored and trans-
mitted across applications,
databases, servers, and net-
work infrastructure
• Compliance with defined re-
tention periods and end-of-
life disposal requirements
• Data classification and pro-
tection from unauthorized
use, access, loss, destruction,
and falsification
GRM-03 Management Over-
sight
Managers are responsible for
maintaining awareness of,
and complying with, security
policies, procedures, and
standards that are relevant to
their area of responsibility.
Controls specified by InShared Results of PwC’s
Testing
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
SOC2-1 A Data Classification Policy has been established and communicated that defines the clas-
sification of data and systems and the security requirements for each classification level. The fol-
lowing classification levels are defined:
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Verified Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3 High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3 High.
In accordance with the Data Classification Policy customer data is classified as Availability level 2,
Integrity level 2, Confidentiality Level 2 and Privacy Level 2. In addition, the CynoSure platform fa-
cilitates a classification mechanism which can be used by the client depending on customer needs.
The Data Classification Policy is reviewed annually and updated as necessary.
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-2 An information security education and awareness program has been established that includes
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.
140
CCM criteria Controls specified by InShared Results of PwC’s
Testing

GRM-04 Management Pro- ELC-2 Risk assessment results are reviewed and discussed quarterly during the Risk Management No exceptions noted
gram Meeting. Relevant risk assessment results are also reported to the Board of Directors on behalf of
senior management.
An Information Security Man-
agement Program (ISMP) shall IS-1 An Information Security Policy has been established and communicated that defines the In-
be developed, documented, formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
approved, and implemented mation Security Policy is reviewed annually and updated as necessary.
that includes administrative,
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
technical, and physical safe-
ernance of the risk management and compliance functions within the InShared group, the risk
guards to protect assets and
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
data from loss, misuse, unau-
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
thorized access, disclosure, al-
fence for the InShared group. The first line is operations, the second line is the Risk Management
teration, and destruction. The
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
security program shall in-
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
clude, but not be limited to,
ally and updated as necessary.
the following areas insofar as
they relate to the characteris- IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
tics of the business: the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
• Risk management
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
• Security policy
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
• Organization of information
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
security
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
• Asset management
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
• Human resources security
be able to define and implement remediation plans. The remediation plans are registered in the
• Physical and environmental
issue register and monitored by the Risk and Compliance Committee.
security
• Communications and oper- IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
ations management in line with the reporting frequency, to determine that the scope of the control objectives and
• Access control controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
• Information systems acqui- noted deviations can impact InShared's control objectives.
sition, development, and
maintenance

141
CCM criteria
GRM-05 Management Sup-
port / Involvement
Executive and line manage-
ment shall take formal action
to support information secu-
rity through clearly-docu-
mented direction and com-
mitment, and shall ensure the
action has been assigned.
GRM-06 Policy
Information security policies
and procedures shall be es-
tablished and made readily
Controls specified by InShared Results of PwC’s
Testing
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-2 An information security education and awareness program has been established that includes
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
142
CCM criteria
available for review by all im-
pacted personnel and exter-
nal business relationships. In-
formation security policies
must be authorized by the or-
ganization's business leader-
ship (or other accountable
business role or function) and
supported by a strategic busi-
ness plan and an information
security management pro-
gram inclusive of defined in-
formation security roles and
responsibilities for business
leadership.
GRM-07 Policy Enforcement
A formal disciplinary or sanc-
tion policy shall be estab-
lished for employees who
have violated security policies
and procedures. Employees
shall be made aware of what
action might be taken in the
Controls specified by InShared Results of PwC’s
Testing
IS-2 An information security education and awareness program has been established that includes
policy training and periodic security updates to InShared personnel. The results of the awareness
program are evaluated with management and follow-up actions are defined and implemented, as
necessary.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset No exceptions noted
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.
IS-4 Disciplinary actions are defined for employees and contingent staff that violate InShared's se-
curity policies and procedures.
143
CCM criteria Controls specified by InShared Results of PwC’s
Testing

event of a violation, and disci-

plinary measures must be
stated in the policies and pro-
cedures.

GRM-08 Business / Policy
Change Impacts
Risk assessment results shall
include updates to security
policies, procedures, stand-
ards, and controls to ensure
that they remain relevant and
effective.
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually No exceptions noted
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.

GRM-09 Policy Reviews IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
The organization's business mation Security Policy is reviewed annually and updated as necessary.
leadership (or other accounta-
ble business role or function)
shall review the information
security policy at planned in-
tervals or as a result of
changes to the organization
to ensure its continuing align-
ment with the security strat-
egy, effectiveness, accuracy,
relevance, and applicability to
legal, statutory, or regulatory
compliance obligations.

GRM-10 Assessments
Aligned with the enterprise-
wide framework, formal risk
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually No exceptions noted
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.

144
CCM criteria
assessments shall be per-
formed at least annually or at
planned intervals, (and in con-
junction with any changes to
information systems) to de-
termine the likelihood and im-
pact of all identified risks us-
ing qualitative and quantita-
tive methods. The likelihood
and impact associated with
inherent and residual risk
shall be determined inde-
pendently, considering all risk
categories (e.g., audit results,
threat and vulnerability analy-
sis, and regulatory compli-
ance).
GRM-11 Program
Risks shall be mitigated to an
acceptable level. Acceptance
levels based on risk criteria
shall be established and docu-
mented in accordance with
reasonable resolution time
frames and stakeholder ap-
proval.
Controls specified by InShared Results of PwC’s
Testing
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
BC-3 Business Impact Analyses, Risk Analyses and Risk Treatment Analyses are conducted annually No exceptions noted
to identify, analyse and assess business continuity risks related to CynoSure services and to define
and implement business continuity protection measures based on the risk appetite.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
145
CCM criteria Controls specified by InShared Results of PwC’s
Testing

operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.

IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.

146
8.1.9 Human Resources (HRS)
CCM criteria
HRS-01 Asset Returns
Upon termination of workforce
personnel and/or expiration of
external business relationships,
all organizationally-owned as-
sets shall be returned within an
established period.
HRS-02 Background Screening
Pursuant to local laws, regula-
tions, ethics, and contractual
constraints, all employment
candidates, contractors, and
third parties shall be subject to
background verification propor-
tional to the data classification
to be accessed, the business re-
quirements, and acceptable
risk.
Controls specified by InShared Results of PwC’s
Testing
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and as- No exceptions noted
set protection responsibilities, upon hire. Employees and contractors are provided an intranet
page which describes, in accordance with the Information Security Policy, the responsibilities
and expected behaviour regarding information security. Employees are required to acknowledge
agreements to return InShared assets upon termination.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee
checklist.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant phys-
ical and virtual application interfaces and infrastructure network and systems components, in
order to validate whether unique User ID's are implemented to provide individual accountability
and to ensure that generic or system level IDs are locked or otherwise protected. Any inappro-
priate or inactive IDs noted during the review process are disabled in a timely manner.
OA-4 All employment candidates and contractors are subject to pre-employment screening No exceptions noted
(PES). Candidates and contractors are registered in Jira. Subsequently a PES ticket is generated
automatically within Jira to start PES process. Hardware and software (credentials) are only pro-
vided to employees and contractors after PES clearance.
147
CCM criteria
HRS-03 Employment Agree-
ments
Employment agreements shall
incorporate provisions and/or
terms for adherence to estab-
lished information governance
and security policies and must
be signed by newly hired or on-
boarded workforce personnel
(e.g., full or part-time employee
or contingent staff) prior to
granting workforce personnel
user access to corporate facili-
ties, resources, and assets.
HRS-04 Employment Termina-
tion
Roles and responsibilities for
performing employment termi-
nation or change in employ-
ment procedures shall be as-
signed, documented, and com-
municated.
Controls specified by InShared Results of PwC’s
Testing
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and as- No exceptions noted
set protection responsibilities, upon hire. Employees and contractors are provided an intranet
page which describes, in accordance with the Information Security Policy, the responsibilities
and expected behaviour regarding information security. Employees are required to acknowledge
agreements to return InShared assets upon termination.
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The In-
formation Security Policy is reviewed annually and updated as necessary.
IS-2 An information security education and awareness program has been established that in-
cludes policy training and periodic security updates to InShared personnel. The results of the
awareness program are evaluated with management and follow-up actions are defined and im-
plemented, as necessary.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee
checklist.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant phys-
ical and virtual application interfaces and infrastructure network and systems components, in
order to validate whether unique User ID's are implemented to provide individual accountability
148
CCM criteria Controls specified by InShared Results of PwC’s
Testing

and to ensure that generic or system level IDs are locked or otherwise protected. Any inappro-
priate or inactive IDs noted during the review process are disabled in a timely manner.

HRS-05 Portable / Mobile De- IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
vices formation Security Management System (ISMS) of InShared for the CynoSure Platform. The In-
formation Security Policy is reviewed annually and updated as necessary.
Policies and procedures shall be
established, and supporting IS-2 An information security education and awareness program has been established that in-
business processes and tech- cludes policy training and periodic security updates to InShared personnel. The results of the
nical measures implemented, to awareness program are evaluated with management and follow-up actions are defined and im-
manage business risks associ- plemented, as necessary.
ated with permitting mobile de-
vice access to corporate re-
sources and may require the
implementation of higher as-
surance compensating controls
and acceptable-use policies and
procedures (e.g., mandated se-
curity training, stronger iden-
tity, entitlement and access
controls, and device monitor-
ing).

HRS-06 Non-disclosure Agree- IS-3 Employees and contractors sign agreements that include non-disclosure provisions and as- No exceptions noted
ments set protection responsibilities, upon hire. Employees and contractors are provided an intranet
page which describes, in accordance with the Information Security Policy, the responsibilities
Requirements for non-disclo-
and expected behaviour regarding information security. Employees are required to acknowledge
sure or confidentiality agree- agreements to return InShared assets upon termination.
ments reflecting the organiza-
tion's needs for the protection
of data and operational details
shall be identified,

149
CCM criteria Controls specified by InShared Results of PwC’s
Testing

documented, and reviewed at

planned intervals.

HRS-07 Roles / Responsibilities IS-3 Employees and contractors sign agreements that include non-disclosure provisions and as- No exceptions noted
set protection responsibilities, upon hire. Employees and contractors are provided an intranet
Roles and responsibilities of
page which describes, in accordance with the Information Security Policy, the responsibilities
contractors, employees, and
and expected behaviour regarding information security. Employees are required to acknowledge
third-party users shall be docu-
agreements to return InShared assets upon termination.
mented as they relate to infor-
mation assets and security.

HRS-08 Acceptable Use IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The In-
Policies and procedures shall be
formation Security Policy is reviewed annually and updated as necessary.
established, and supporting
business processes and tech- IS-2 An information security education and awareness program has been established that in-
nical measures implemented, cludes policy training and periodic security updates to InShared personnel. The results of the
for defining allowances and awareness program are evaluated with management and follow-up actions are defined and im-
conditions for permitting usage plemented, as necessary.
of organizationally-owned or
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and as-
managed user end-point de-
set protection responsibilities, upon hire. Employees and contractors are provided an intranet
vices (e.g., issued workstations,
page which describes, in accordance with the Information Security Policy, the responsibilities
laptops, and mobile devices)
and expected behaviour regarding information security. Employees are required to acknowledge
and IT infrastructure network
agreements to return InShared assets upon termination.
and systems components. Addi-
tionally, defining allowances
and conditions to permit usage
of personal mobile devices and
associated applications with ac-
cess to corporate resources
(i.e., BYOD) shall be considered
and incorporated as appropri-
ate

150
CCM criteria Controls specified by InShared Results of PwC’s
Testing
HRS-09 Training / Awareness IS-2 An information security education and awareness program has been established that in- No exceptions noted
cludes policy training and periodic security updates to InShared personnel. The results of the
A security awareness training
awareness program are evaluated with management and follow-up actions are defined and im-
program shall be established plemented, as necessary.
for all contractors, third-party
users, and employees of the or-
ganization and mandated when
appropriate. All individuals with
access to organizational data
shall receive appropriate
awareness training and regular
updates in organizational pro-
cedures, processes, and policies
relating to their professional
function relative to the organi-
zation.

HRS-10 User Responsibility
All personnel shall be made
aware of their roles and respon-
sibilities for:
• Maintaining awareness and
compliance with established
policies and procedures and ap-
plicable legal, statutory, or reg-
ulatory compliance obligations.
• Maintaining a safe and se-
cure working environment.
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The In-
formation Security Policy is reviewed annually and updated as necessary.
IS-2 An information security education and awareness program has been established that in-
cludes policy training and periodic security updates to InShared personnel. The results of the
awareness program are evaluated with management and follow-up actions are defined and im-
plemented, as necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and as-
set protection responsibilities, upon hire. Employees and contractors are provided an intranet
page which describes, in accordance with the Information Security Policy, the responsibilities
and expected behaviour regarding information security. Employees are required to acknowledge
agreements to return InShared assets upon termination.

151
CCM criteria
HRS-11 Workspace
Policies and procedures shall be
established to require that un-
attended workspaces do not
have openly visible (e.g., on a
desktop) sensitive documents
and user computing sessions
had been disabled after an es-
tablished period of inactivity.
Controls specified by InShared Results of PwC’s
Testing
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The In-
formation Security Policy is reviewed annually and updated as necessary.
IS-2 An information security education and awareness program has been established that in-
cludes policy training and periodic security updates to InShared personnel. The results of the
awareness program are evaluated with management and follow-up actions are defined and im-
plemented, as necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and as-
set protection responsibilities, upon hire. Employees and contractors are provided an intranet
page which describes, in accordance with the Information Security Policy, the responsibilities
and expected behaviour regarding information security. Employees are required to acknowledge
agreements to return InShared assets upon termination.
152
8.1.10 Identity and Access Management (IAM)

CCM criteria Controls specified by InShared Results of PwC’s

Testing

IAM-01 Audit Tools Access
Access to, and use of, audit
tools that interact with the or-
ganization's information sys-
tems shall be appropriately
segmented and restricted to
prevent compromise and mis-
use of log data.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.
VM-3 Security event logs are centrally collected by the third-party Security Information and Event
Management (SIEM) software log collector. The log collector is appropriately segmented from any
production related node and sends the log data to the SIEM system. The log collector is managed
by the third-party vendor.

IAM-02 User Access Policy DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
User access policies and pro-
agement Policy. InShared uses industry standards and best practices for encryption.
cedures shall be established,
and supporting business pro-
Within the CynoSure platform encryption keys are applied in the following areas:
cesses and technical
- Webservices: public certificates are used for the webservices for external communication and
measures implemented, for
client certificates are generated and stored manually using an encryption key server (Simple Au-
ensuring appropriate identity,
thority) for internal communication of the webservices within the CynoSure Platform.
entitlement, and access man-
- Datacentre communication: connections between datacentres are point to point using IPsec
agement for all internal cor-
managed by the Fortinet FortiGate firewall devices.
porate and customer (tenant)
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
users with access to data and
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
organizationally-owned or
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
managed (physical and vir-
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
tual) application interfaces
and infrastructure network
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
and systems components.
noSure services and other internal components or external parties are hosted by the load
These policies, procedures,
processes, and measures

153
CCM criteria
must incorporate the follow-
ing:
(1) Procedures, supporting
roles, and responsibilities for
provisioning and de-provision-
ing user account entitlements
following the rule of least
privilege based on job func-
tion (e.g., internal employee
and contingent staff person-
nel changes, customer-con-
trolled access, suppliers' busi-
ness relationships, or other
third-party business relation-
ships).
(2) Business case considera-
tions for higher levels of as-
surance and multi-factor au-
thentication secrets (e.g.,
management interfaces, key
generation, remote access,
segregation of duties, emer-
gency access, large-scale pro-
visioning or geographically-
distributed deployments, and
personnel redundancy for
critical systems).
(3) Access segmentation to
sessions and data in multi-
tenant architectures by any
third-party (e.g., provider
Controls specified by InShared Results of PwC’s
Testing
balancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client cer-
tificates for webservices are communicated to the client and/or partners by the NOC.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
154
CCM criteria
and/or other customer (ten-
ant)).
(4) Identity trust verification
and service-to-service applica-
tion (API) and information
processing interoperability
(e.g., SSO and federation).
(5) Account credential lifecy-
cle management from instan-
tiation through revocation.
(6) Account credential and/or
identity store minimization or
re-use when feasible.
(7) Authentication, authoriza-
tion, and accounting (AAA)
rules for access to data and
sessions (e.g., encryption and
strong/multi-factor, expirea-
ble, non-shared authentica-
tion secrets).
(8) Permissions and support-
ing capabilities for customer
(tenant) controls over authen-
tication, authorization, and
accounting (AAA) rules for ac-
cess to data and sessions.
Controls specified by InShared Results of PwC’s
Testing
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
OA-8 Access to network devices for remote access in the scope boundary requires two factor au-
thentication.
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP
155
CCM criteria
(9) Adherence to applicable
legal, statutory, or regulatory
compliance requirements.
IAM-03 Diagnostic / Configu-
ration Ports Access
User access to diagnostic and
configuration ports shall be
restricted to authorized indi-
viduals and applications.
Controls specified by InShared Results of PwC’s
Testing
whitelisting per client and are listed centrally and communicated with the client upon request.
The routing of each webservice / API is registered centrally.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega- No exceptions noted
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
156
CCM criteria
IAM-04 Policies and Proce-
dures
Policies and procedures shall
be established to store and
manage identity information
about every person who ac-
cesses IT infrastructure and to
determine their level of ac-
cess. Policies shall also be de-
veloped to control access to
network resources based on
user identity.
Controls specified by InShared Results of PwC’s
Testing
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the
157
CCM criteria
IAM-05 Segregation of Duties
User access policies and pro-
cedures shall be established,
and supporting business pro-
cesses and technical
measures implemented, for
restricting user access as per
defined segregation of duties
to address business risks asso-
ciated with a user-role conflict
of interest.
Controls specified by InShared Results of PwC’s
Testing
access rules (SOLL-situation). Any inappropriate access noted during the review process is revoked
in a timely manner. This control involves SOLL and IST matrices being compared by responsible
management.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega- No exceptions noted
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
158
CCM criteria Controls specified by InShared Results of PwC’s
Testing

order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.

OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.

OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.

PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.

IAM-06 Source Code Access CM-1 A Change Management Policy and a Release Management Policy has been established and No exceptions noted
Restriction communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
Access to the organization's
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
own developed applications,
(3) build & test changes. Completion of the change management process triggers the Release
program, or object source
Management process. The Change Management Policy and the Release Management Policy are
code, or any other form of in- reviewed annually and updated as necessary.
tellectual property (IP), and
use of proprietary software
shall be appropriately

159
CCM criteria
restricted following the rule
of least privilege based on job
function as per established
user access policies and pro-
cedures.
Controls specified by InShared Results of PwC’s
Testing
LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
160
CCM criteria
IAM-07 Third-party Access
The identification, assess-
ment, and prioritization of
risks posed by business pro-
cesses requiring third-party
access to the organization's
information systems and data
shall be followed by coordi-
nated application of resources
to minimize, monitor, and
measure likelihood and im-
pact of unauthorized or inap-
propriate access. Compensat-
ing controls derived from the
risk analysis shall be imple-
mented prior to provisioning
access.
Controls specified by InShared Results of PwC’s
Testing
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
SDL-1 A centralized repository is used for managing source code changes to the CynoSure plat-
form. The source code is locked down through version control software and changes has to fol-
low-through the change management repositories.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega- No exceptions noted
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
161
CCM criteria Controls specified by InShared Results of PwC’s
Testing

SOC2-8 Third-party access transactions or activities are monitored for appropriateness. This log-
ging and monitoring function enables early prevention and/or detection and subsequent timely
reporting of unusual and/or abnormal activities by authorized third parties which needs to be ad-
dressed.

IAM-08 User Access Re- DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
striction / Authorization volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Policies and procedures are
established for permissible
Within the CynoSure platform encryption keys are applied in the following areas:
storage and access of identi-
- Webservices: public certificates are used for the webservices for external communication and
ties used for authentication to
client certificates are generated and stored manually using an encryption key server (Simple Au-
ensure identities are only ac-
thority) for internal communication of the webservices within the CynoSure Platform.
cessible based on rules of
- Datacentre communication: connections between datacentres are point to point using IPsec
least privilege and replication
managed by the Fortinet FortiGate firewall devices.
limitation only to users explic-
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
itly defined as business neces-
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
sary.
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.

Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.

OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to

162
CCM criteria Controls specified by InShared Results of PwC’s
Testing

defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.

OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.

OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.

OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.

OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.

OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.

163
CCM criteria
IAM-09 User Access Authori-
zation
Provisioning user access (e.g.,
employees, contractors, cus-
tomers (tenants), business
partners and/or supplier rela-
tionships) to data and organi-
zationally-owned or managed
(physical and virtual) applica-
tions, infrastructure systems,
and network components
shall be authorized by the or-
ganization's management
prior to access being granted
and appropriately restricted
as per established policies and
procedures. Upon request,
provider shall inform cus-
tomer (tenant) of this user ac-
cess, especially if customer
(tenant) data is used as part
of the service and/or cus-
tomer (tenant) has some
shared responsibility over im-
plementation of control.
Controls specified by InShared Results of PwC’s
Testing
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
LA-1 An Authorization Management Policy has been established and communicated that defines
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
164
CCM criteria
IAM-10 User Access Reviews
User access shall be author-
ized and revalidated for enti-
tlement appropriateness, at
planned intervals, by the or-
ganization's business leader-
ship or other accountable
business role or function sup-
ported by evidence to demon-
strate the organization is ad-
hering to the rule of least
privilege based on job func-
tion. For identified access vio-
lations, remediation must fol-
low established user access
policies and procedures.
Controls specified by InShared Results of PwC’s
Testing
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
LA-1 An Authorization Management Policy has been established and communicated that defines No exceptions noted
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
165
CCM criteria
IAM-11 User Access Revoca-
tion
Timely de-provisioning (revo-
cation or modification) of user
access to data and organiza-
tionally-owned or managed
(physical and virtual) applica-
tions, infrastructure systems,
and network components,
shall be implemented as per
established policies and pro-
cedures and based on user's
change in status (e.g., termi-
nation of employment or
other business relationship,
Controls specified by InShared Results of PwC’s
Testing
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
LA-1 An Authorization Management Policy has been established and communicated that defines No exceptions noted
the Authorization Management of InShared for the CynoSure Platform. The Authorization Man-
agement Policy is reviewed annually and updated as necessary.
LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to
166
CCM criteria
job change, or transfer). Upon
request, provider shall inform
customer (tenant) of these
changes, especially if cus-
tomer (tenant) data is used as
part the service and/or cus-
tomer (tenant) has some
shared responsibility over im-
plementation of control.
IAM-12 User ID Credentials
Internal corporate or cus-
tomer (tenant) user account
credentials shall be restricted
as per the following, ensuring
appropriate identity,
Controls specified by InShared Results of PwC’s
Testing
information is based on 'need-to-know/need-to-have'-principle and all user activities can be
traced to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
167
CCM criteria
entitlement, and access man-
agement and in accordance
with established policies and
procedures:
• Identity trust verification
and service-to-service applica-
tion (API) and information
processing interoperability
(e.g., SSO and Federation)
• Account credential lifecycle
management from instantia-
tion through revocation
• Account credential and/or
identity store minimization or
re-use when feasible
• Adherence to industry ac-
ceptable and/or regulatory
compliant authentication, au-
thorization, and accounting
(AAA) rules (e.g.,
strong/multi-factor, expirea-
ble, non-shared authentica-
tion secrets)
Controls specified by InShared Results of PwC’s
Testing
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
LA-2 Provisioning and de-provisioning of customer user account entitlements for the CynoSure
Platform is requested, authorized and granted or revoked in accordance with the implemented
Authorization Management Policy.
LA-3 Customer credentials used to access CynoSure services meet the applicable password policy
requirements as defined in the Authorization Management Policy.
OA-7 Corporate user account credentials meet the applicable password policy requirements, as
defined within Authorization Management Policy.
OA-8 Access to network devices for remote access in the scope boundary requires two factor au-
thentication.
OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP
168
CCM criteria
IAM-13 Utility Program Ac-
cess
Utility programs capable of
potentially overriding system,
object, network, virtual ma-
chine, and application con-
trols shall be restricted.
Controls specified by InShared Results of PwC’s
Testing
whitelisting per client and are listed centrally and communicated with the client upon request.
The routing of each webservice / API is registered centrally.
OA-13 Authorized software is made available through Software Centre. Installation of unauthor- No exceptions noted
ized software on organizationally-owned or managed user end-point devices is restricted as users
have no (local) administrator rights. Compliance with authorized software is monitored quarterly.
SDL-2 The utility programs at InShared, Bamboo for code deployment, Ansible for Linux deploy-
ment and V-centre for VMware management, are restricted by authorizations following the Au-
thorization Management Policy.
VM-7 As part of the Information Security Policy, mobile code is not allowed at InShared. Mobile
code, including Java, is not allowed in the installation (SCCM). Users are therefore not able to in-
stall programs which are not part of the InShared software store. Upon request, an IT employee
can request exception for Java needed for cooperation with suppliers who work with Java.
169
8.1.11 Infrastructure and Virtualization Security (IVS)

CCM criteria Controls specified by InShared Results of PwC’s

Testing

IVS-01 Audit Logging and In-
trusion Detection
Higher levels of assurance are
required for protection, re-
tention, and lifecycle manage-
ment of audit logs, adhering
to applicable legal, statutory,
or regulatory compliance obli-
gations and providing unique
user access accountability to
detect potentially suspicious
network behaviors and/or file
integrity anomalies, and to
support forensic investigative
capabilities in the event of a
security breach.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.
VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.
VM-3 Security event logs are centrally collected by the third-party Security Information and Event
Management (SIEM) software log collector. The log collector is appropriately segmented from any
production related node and sends the log data to the SIEM system. The log collector is managed
by the third-party vendor.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

IVS-02 Change Detection Control specification l IVS-02 is not applicable to InShared as change detection upon virtual ma- Not applicable
chines for users is not part of the SaaS service.
The provider shall ensure the
integrity of all virtual machine
images at all times. Any
changes made to virtual ma-
chine images must be logged
and an alert raised regardless
of their running state (e.g.,
dormant, off, or running). The

170
CCM criteria Controls specified by InShared Results of PwC’s
Testing

results of a change or move of

an image and the subsequent
validation of the image's in-
tegrity must be immediately
available to customers
through electronic methods
(e.g., portals or alerts).

IVS-03 Clock Synchronisation CCM-1 The system clocks of the firewalls are synchronized with reliable external sources via the No exceptions noted
Network Time Protocol (NTP). The domain controllers and hypervisors are configured to synchro-
A reliable and mutually nize with the nearest firewall.
agreed upon external time
source shall be used to syn-
chronize the system clocks of
all relevant information pro-
cessing systems to facilitate
tracing and reconstitution of
activity timelines.

IVS-04 Capacity / Resource IM-2 The availability, capacity and performance of the network and resources are monitored by No exceptions noted
Planning third-party monitoring software. Alerts are reported by the third-party vendor and followed up
through the formal incident management procedures, as necessary.
The availability, quality, and
adequate capacity and re-
sources shall be planned, pre-
pared, and measured to de-
liver the required system per-
formance in accordance with
legal, statutory, and regula-
tory compliance obligations.
Projections of future capacity
requirements shall be made

171
CCM criteria
to mitigate the risk of system
overload.
IVS-05 Capacity / Resource
Planning
Implementers shall ensure
that the security vulnerability
assessment tools or services
accommodate the virtualiza-
tion technologies used (e.g.,
virtualization aware).
IVS-06 Network Security
Network environments and
virtual instances shall be de-
signed and configured to re-
strict and monitor traffic be-
tween trusted and untrusted
connections. These configura-
tions shall be reviewed at
Controls specified by InShared Results of PwC’s
Testing
CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
(new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
VM-5 Semi-annually vulnerability assessments and semi-annually penetration testing activities are
performed by a third-party vendor on InShared's network and web applications (frontend,
backend, webservices, external web connections, CynoSure applications and the supporting infra-
structure). Identified vulnerabilities are analysed and followed-up in a timely manner, depending
on the severity of the vulnerability, in accordance with the Incident Management Policy, Change
Management Policy and Release Management Policy.
CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
(new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
volved is secured using encryption. Encryption is based on the implemented Encryption Key
172
CCM criteria
least annually, and supported
by a documented justification
for use for all allowed ser-
vices, protocols, ports, and
compensating controls.
Controls specified by InShared Results of PwC’s
Testing
Management Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.
OA-12 The management VLAN is separating management traffic from customer traffic.
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.
VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.
173
CCM criteria Controls specified by InShared Results of PwC’s
Testing

IVS-07 OS Hardening and Base CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
Controls (new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
Each operating system shall
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
be hardened to provide only
followed up and remediated, in accordance with the Change Management and Release Manage-
necessary ports, protocols, ment policies and procedures.
and services to meet business
needs and have in place sup-
porting technical controls
such as: antivirus, file integrity
monitoring, and logging as
part of their baseline operat-
ing build standard or tem-
plate.

IVS-08 Production / Non-pro-
duction Environments
Production and non-produc-
tion environments shall be
separated to prevent unau-
thorized access or changes to
information assets. Separa-
tion of the environments may
include:
(1) stateful inspection fire-
walls,
(2) domain/realm authentica-
tion sources, and
CM-1 A Change Management Policy and a Release Management Policy has been established and No exceptions noted
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
CM-5 New features and major changes are developed and tested in separate environments prior
to production implementation. Anonymised data is used for testing purposes. Production data is
not replicated in test or development environments.
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.

(3) clear segregation of duties Within the CynoSure platform encryption keys are applied in the following areas:
for personnel accessing these - Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple

174
CCM criteria
environments as part of their
job duties.
IVS-09 Segmentation
Multi-tenant organizationally-
owned or managed (physical
and virtual) applications, and
infrastructure system and net-
work components, shall be
designed, developed, de-
ployed, and configured such
that provider and customer
(tenant) user access is
Controls specified by InShared Results of PwC’s
Testing
Authority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.
CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
(new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
175
CCM criteria
appropriately segmented
from other tenant users,
based on the following con-
siderations:
(1) Established policies and
procedures
(2) Isolation of business criti-
cal assets and/or sensitive
user data and sessions that
mandate stronger internal
controls and high levels of as-
surance
(3) Compliance with legal,
statutory, and regulatory
compliance obligations
IVS-10 VM Security / Data
Protection
Secured and encrypted com-
munication channels shall be
used when migrating physical
servers, applications, or data
to virtualized servers and,
Controls specified by InShared Results of PwC’s
Testing
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.
Control specification IVS-10 is not applicable to InShared as InShared does not migrate virtual Not applicable
servers from physical servers.
176
CCM criteria Controls specified by InShared Results of PwC’s
Testing

where possible, shall use a

network segregated from pro-
duction-level networks for
such migrations.

IVS-11 VMM Security - Hyper- DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
visor Hardening volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Access to all hypervisor man-
agement functions or admin-
Within the CynoSure platform encryption keys are applied in the following areas:
istrative consoles for systems
- Webservices: public certificates are used for the webservices for external communication and
hosting virtualized systems
client certificates are generated and stored manually using an encryption key server (Simple Au-
shall be restricted to person-
thority) for internal communication of the webservices within the CynoSure Platform.
nel based upon (1) the princi-
- Datacentre communication: connections between datacentres are point to point using IPsec
ple of least privilege and (2)
managed by the Fortinet FortiGate firewall devices.
supported through technical
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
controls (e.g., two-factor au-
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
thentication, audit trails, IP
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
address filtering, firewalls,
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
and TLS encapsulated com-
munications to the adminis-
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
trative consoles).
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.

OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to

177
CCM criteria
IVS-12 Wireless Security
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, to protect wireless
Controls specified by InShared Results of PwC’s
Testing
information is based on 'need-to-know/need-to-have'-principle and all user activities can be
traced to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.
OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.
OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
(new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
178
CCM criteria
network environments, in-
cluding the following:
(1) Perimeter firewalls imple-
mented and configured to re-
strict unauthorized traffic
(2) Security settings enabled
with strong encryption for au-
thentication and transmis-
sion, replacing vendor default
settings (e.g., encryption keys,
passwords, and SNMP com-
munity strings)
(3) User access to wireless
network devices restricted to
authorized personnel
(4) The capability to detect
the presence of unauthorized
(rogue) wireless network de-
vices for a timely disconnect
from the network
Controls specified by InShared Results of PwC’s
Testing
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.
OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.
OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.
OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
179
CCM criteria Controls specified by InShared Results of PwC’s
Testing

timely basis. The return of assets is checked using the checklist according to exit employee check-
list.

OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.

OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.

OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.

OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.

OA-14 The access point radio equipment on the firewall scans for other available access points.
Unauthorized access points connected to the InShared wired network are detected, the firewall
will send an alert to the infra team who will respond with placing the access point on a black list.
The detected rogue SSID will be suppressed using roque access point functionality on the Wi-Fi
controller that sends de-authentication messages to the rogue access point.

180
CCM criteria Controls specified by InShared Results of PwC’s
Testing
IVS-13 Network Architecture CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed, No exceptions noted
developed, configured, documented, tested, approved and deployed in line with the implemented
A: Network architecture dia-
change management policy and procedures. This includes developing and testing in accordance
grams shall clearly identify (1)
with the following industry standards:
high-risk environments and
- Coding standard PHP
(2) data flows that may have
- Web services Security standard (OWASP)
legal compliance impacts.
- Bitbucket code checks
B: Technical measures shall be - Automated webservice creation
implemented and shall apply - SOAPUI WSI compliance report
defense-in-depth techniques
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
(e.g., deep packet analysis,
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
traffic throttling, and black-
agement Policy. InShared uses industry standards and best practices for encryption.
holing) for detection and
timely response to network-
Within the CynoSure platform encryption keys are applied in the following areas:
based attacks associated with
- Webservices: public certificates are used for the webservices for external communication and
anomalous ingress or egress
client certificates are generated and stored manually using an encryption key server (Simple Au-
traffic patterns (e.g., MAC
thority) for internal communication of the webservices within the CynoSure Platform.
spoofing and ARP poisoning
- Datacentre communication: connections between datacentres are point to point using IPsec
attacks) and/or distributed
managed by the Fortinet FortiGate firewall devices.
denial-of-service (DDoS) at-
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
tacks.
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.

Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and

181
CCM criteria Controls specified by InShared Results of PwC’s
Testing

controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.

OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.

PE-4 Delivery and removal of assets are requested and authorized within the IT-ticketing system
(Jira) by the infrastructure team.

PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.

VM-1 Production and development webservers, database servers, mail servers, file servers, fire-
walls, domain controllers and other network devices are configured to log security events.

VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.

VM-3 Security event logs are centrally collected by the third-party Security Information and Event
Management (SIEM) software log collector. The log collector is appropriately segmented from any
production related node and sends the log data to the SIEM system. The log collector is managed
by the third-party vendor.

VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

182
8.1.12 Interoperability and Portability (IPY)
CCM criteria
IPY-01 API's
The provider shall use open
and published APIs to ensure
support for interoperability
between components and to
facilitate migrating applica-
tions.
IPY-02 Data Request
All structured and unstruc-
tured data shall be available
to the customer and provided
to them upon request in an
industry-standard format
(e.g., .doc, .xls, .pdf, logs, and
flat files).
IPY-03 Policy and Legal
Policies, procedures, and mu-
tually-agreed upon provisions
and/or terms shall be estab-
lished to satisfy customer
(tenant) requirements for ser-
vice-to-service application
(API) and information
Controls specified by InShared Results of PwC’s
Testing
CCM-2 InShared provides its customers with a list of standard set of API's upon request. All API's No exceptions noted
are generated using the standards for TLS and web services.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
SOC2-6 Customer data is accessible within agreed upon services in data formats compatible with No exceptions noted
the CynoSure services provided. Upon customer request data is provided to the customer in the
format as defined within the customer contract.
CCM-2 InShared provides its customers with a list of standard set of API's upon request. All API's No exceptions noted
are generated using the standards for TLS and web services.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
183
CCM criteria Controls specified by InShared Results of PwC’s
Testing

processing interoperability, - Bitbucket code checks

and portability for application - Automated webservice creation
development and information - SOAPUI WSI compliance report
exchange, usage, and integrity
persistence.

IPY-04 Standardized Network DS-1 Communication with key CynoSure components where customer data is transmitted or in- No exceptions noted
Protocols volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
The provider shall use secure
(e.g., non-clear text and au-
Within the CynoSure platform encryption keys are applied in the following areas:
thenticated) standardized
- Webservices: public certificates are used for the webservices for external communication and
network protocols for the im-
client certificates are generated and stored manually using an encryption key server (Simple Au-
port and export of data and to
thority) for internal communication of the webservices within the CynoSure Platform.
manage the service, and shall
- Datacentre communication: connections between datacentres are point to point using IPsec
make available a document to
managed by the Fortinet FortiGate firewall devices.
consumers (tenants) detailing
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
the relevant interoperability
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
and portability standards that
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
are involved.
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.

Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

OA-10 Perimeter firewalls are implemented and properly configured to restrict unauthorized traf-
fic. A mechanism called Reverse Path Forwarding (RPF), or anti spoofing, is implemented with the
installed firewall which prevents IP packets to be forwarded if its source IP is spoofed.

PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP

184
CCM criteria Controls specified by InShared Results of PwC’s
Testing

whitelisting per client and are listed centrally and communicated with the client upon request.
The routing of each webservice / API is registered centrally.

SOC2-3 Information system documentation to be able to configure, install and operate the Cyno-
Sure services and effectively use the platform's security features is available and shared with the
client via (live) training and mail.

IPY-05 Virtualization Control specification l IPY-05 is not applicable to InShared as virtualisation is not part of the ser- Not applicable
vice delivery of the CynoSure platform.
The provider shall use an in-
dustry-recognized virtualiza-
tion platform and standard
virtualization formats (e.g.,
OVF) to help ensure interop-
erability, and shall have docu-
mented custom changes
made to any hypervisor in use
and all solution-specific virtu-
alization hooks available for
customer review.

185
8.1.13 Security Incident Management, E-Discovery & Cloud Forensics (SEF)

CCM criteria Controls specified by InShared Results of PwC’s

Testing

SEF-01 Contact / Authority Control specification SEF-01 is not applicable to InShared as contact with local authorities are Not applicable
Maintenance maintained by the users of the CynoSure platform.

Points of contact for applica-

ble regulation authorities, na-
tional and local law enforce-
ment, and other legal jurisdic-
tional authorities shall be
maintained and regularly up-
dated (e.g., change in im-
pacted-scope and/or a change
in any compliance obligation)
to ensure direct compliance li-
aisons have been established
and to be prepared for a fo-
rensic investigation requiring
rapid engagement with law
enforcement.

SEF-02 Incident Management
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, to triage security-re-
lated events and ensure
timely and thorough incident
management, as per estab-
lished IT service management
policies and procedures.
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has No exceptions noted
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
IM-3 Identified security incidents are analysed and followed-up in a timely manner, in accordance
with the Incident Management Policy and Security Incident Response Management Policy. De-
pending on the severity of the security incident containment, eradication and recovery proce-
dures will be executed.
IM-4 Identified security incidents are post-mortem investigated and the security incident response
procedures are tested annually to identify areas for improvement.

186
CCM criteria
SEF-03 Incident Reporting
(1) Workforce personnel and
external business relation-
ships shall be informed of
their responsibility and, if re-
quired, shall consent and/or
contractually agree to report
all information security events
in a timely manner. (2) Infor-
mation security events shall
be reported through prede-
fined communications chan-
nels in a timely manner ad-
hering to applicable legal,
statutory, or regulatory com-
pliance obligations.
Controls specified by InShared Results of PwC’s
Testing
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has No exceptions noted
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-3 Employees and contractors sign agreements that include non-disclosure provisions and asset
protection responsibilities, upon hire. Employees and contractors are provided an intranet page
which describes, in accordance with the Information Security Policy, the responsibilities and ex-
pected behaviour regarding information security. Employees are required to acknowledge agree-
ments to return InShared assets upon termination.
SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.
187
CCM criteria Controls specified by InShared Results of PwC’s
Testing

SEF-04 Incident Response Le- SOC2-7 Reliable logs are available for the CynoSure platform, which allows forensic procedures No exceptions noted
gal Preparation when necessary, upon request of the customer and when the customer has specified the content
and format of data that InShared has to provide. These logs are implemented and changed as nec-
Proper forensic procedures, essary following the formal change management procedures of InShared.
including chain of custody, are
required for the presentation
of evidence to support poten-
tial legal action subject to the
relevant jurisdiction after an
information security incident.
Upon notification, customers
and/or other external busi-
ness partners impacted by a
security breach shall be given
the opportunity to participate
as is legally permissible in the
forensic investigation.

SEF-05 Incident Response
Metrics
Mechanisms shall be put in
place to monitor and quantify
the types, volumes, and costs
of information security inci-
dents.
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has No exceptions noted
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.

VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).

188
8.1.14 Supply Chain Management, Transparency and Accountability (STA)
CCM criteria
STA-01 Data Quality and In-
tegrity
Providers shall inspect, ac-
count for, and work with their
cloud supply-chain partners to
correct data quality errors
and associated risks. Provid-
ers shall design and imple-
ment controls to mitigate and
contain data security risks
through (1) proper separation
of duties, (2) role-based ac-
cess, and (3) least-privilege
access for all personnel within
their supply chain.
Controls specified by InShared Results of PwC’s
Testing
CM-4 The Information Security Policy instructs the use of the baselines during the installation of No exceptions noted
(new) IT equipment. The security baseline configuration settings of firewalls, Wi-Fi access points,
VPN, load balancers, database servers and operating systems are assessed annually, by using au-
tomated tools and industry baselines. Non-acceptable deviations from the industry baseline are
followed up and remediated, in accordance with the Change Management and Release Manage-
ment policies and procedures.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
DS-1 Communication with key CynoSure components where customer data is transmitted or in-
volved is secured using encryption. Encryption is based on the implemented Encryption Key Man-
agement Policy. InShared uses industry standards and best practices for encryption.
Within the CynoSure platform encryption keys are applied in the following areas:
- Webservices: public certificates are used for the webservices for external communication and
client certificates are generated and stored manually using an encryption key server (Simple Au-
thority) for internal communication of the webservices within the CynoSure Platform.
- Datacentre communication: connections between datacentres are point to point using IPsec
managed by the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for end users (remote users) is handled automati-
cally within the VPN solution, including the SSL connection with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automatically by bit locker software on the laptop.
189
CCM criteria Controls specified by InShared Results of PwC’s
Testing

Cryptographic keys, certificates, and customer access keys used for communication between Cy-
noSure services and other internal components or external parties are hosted by the load bal-
ancer and managed by the Network Operating Centre (NOC) of InShared. Changes in client certifi-
cates for webservices are communicated to the client and/or partners by the NOC.

OA-1 Access/Roles groups are defined based upon established business rules, including segrega-
tion of duties, in a SOLL authorization matrix. Procedures are in place to ensure timely initiation
and update in the SOLL authorization matrices for all assets. Management authorizes changes to
defined privileges for access groups/roles. The SOLL authorization matrix is reviewed annually and
updated as necessary.

OA-2 Employee access rights are assigned commensurate with assigned job responsibilities (e.g.
through role-based access). Administration procedures are available to define activities for re-
questing, authorizing and granting an account and its associated user access rights. Access to in-
formation is based on 'need-to-know/need-to-have'-principle and all user activities can be traced
to uniquely identifiable users.

OA-3 Administration procedures are available to define activities for requesting and revoking an
account and its associated user access rights. Terminated user access rights are removed on a
timely basis. The return of assets is checked using the checklist according to exit employee check-
list.

OA-5 Management periodically reviews user access implemented for the relevant physical and vir-
tual application interfaces and infrastructure network and systems components (IST-situation) in
order to confirm the correctness of implemented accounts and roles (the access rights) and vali-
date that access rights are commensurate with assigned job responsibilities, as set out by the ac-
cess rules (SOLL-situation). Any inappropriate access noted during the review process is revoked in
a timely manner. This control involves SOLL and IST matrices being compared by responsible man-
agement.

OA-6 Management is responsible for periodically reviewing the list of active IDs in relevant physi-
cal and virtual application interfaces and infrastructure network and systems components, in or-
der to validate whether unique User ID's are implemented to provide individual accountability and

190
CCM criteria
STA-02 Incident Reporting
The provider shall make secu-
rity incident information avail-
able to all affected customers
and providers periodically
through electronic methods
(e.g., portals).
Controls specified by InShared Results of PwC’s
Testing
to ensure that generic or system level IDs are locked or otherwise protected. Any inappropriate or
inactive IDs noted during the review process are disabled in a timely manner.
OA-9 Access to infrastructure components is controlled through defined Active Directory Security
Groups, which require identification with credentials as an administrator, which is a separate ac-
count from regular accounts for (high) privileged access. The accounts with (high) privileged ac-
cess rights are not configured to perform day-to-day activities, but exclusively to perform adminis-
trative tasks.
SDL-1 A centralized repository is used for managing source code changes to the CynoSure plat-
form. The source code is locked down through version control software and changes has to fol-
low-through the change management repositories.
SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has No exceptions noted
been established and communicated with defined processes, roles and responsibilities for the de-
tection, escalation, response and reporting of incidents. These policies are reviewed annually and
updated as necessary.
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.
SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.
191
CCM criteria
STA-03 Network / Infrastruc-
ture Services
Business-critical or customer
(tenant) impacting (physical
and virtual) application and
system-system interface (API)
designs and configurations,
and infrastructure network
and systems components,
shall be designed, developed,
and deployed in accordance
with mutually agreed-upon
service and capacity-level ex-
pectations, as well as IT gov-
ernance and service manage-
ment policies and procedures.
Controls specified by InShared Results of PwC’s
Testing
CM-1 A Change Management Policy and a Release Management Policy has been established and No exceptions noted
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
CM-2 Change requests are evaluated to determine the potential effect of the change on system
availability, confidentiality and integrity of CynoSure services and approved in line with the de-
fined roles and responsibilities with respect to the (pre-)authorization, as described within the
Change Management Policy. Changes classified as major require the approval of the Platform Ar-
chitecture Board.
CM-3 Changes to the CynoSure platform, including emergency changes, are (pre-)authorized, de-
signed, developed, configured, documented, tested, approved and deployed in line with the es-
tablished Change Management and Release Management policies and procedures. Changes classi-
fied as major require the approval of the Platform Architecture Board.
CM-6 Applications and programming interfaces (APIs) and webservices are authorized, designed,
developed, configured, documented, tested, approved and deployed in line with the implemented
change management policy and procedures. This includes developing and testing in accordance
with the following industry standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
PI-3 InShared segregates and appropriately provisions the services to restrict unauthorized access
to other customer tenants and data based on request from customer through the portal / API
which are custom made and routed with a Point to Point connection (firewalling) and IP whitelist-
ing per client and are listed centrally and communicated with the client upon request. The routing
of each webservice / API is registered centrally.
192
CCM criteria
STA-04 Provider Internal As-
sessments
The provider shall perform
annual internal assessments
of conformance and effective-
ness of its policies, proce-
dures, and supporting
measures and metrics.
Controls specified by InShared Results of PwC’s
Testing
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-5 A Risk and Compliance Policy has been established and communicated that defines the gov-
ernance of the risk management and compliance functions within the InShared group, the risk
strategy and risk appetite, the Risk Management Framework InShared (RMFI) and the methods
used to identify and treat risks. The Risk and Compliance Policy describes the three lines of de-
fence for the InShared group. The first line is operations, the second line is the Risk Management
department and the third line is Internal Audit Achmea. The Risk and Compliance Policy is made
operational in a Risk and Compliance year plan. The Risk and Compliance Policy is reviewed annu-
ally and updated as necessary.
IS-6 The Risk Management department (the second line of defence) reviews the effectiveness of
the implemented Information Security Management System (ISMS) on an annual basis, in accord-
ance with the defined audit activities within the approved risk management audit plan. Noncon-
formities are recorded, reviewed, prioritized and analysed, to be able to define and implement re-
mediation plans. The remediation plans are developed in the security dashboard of the Risk Com-
mittee. Internal Audit Achmea (the third line of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with the defined audit activities within the ap-
proved internal audit plan. Nonconformities are recorded, reviewed, prioritized and analysed, to
be able to define and implement remediation plans. The remediation plans are registered in the
issue register and monitored by the Risk and Compliance Committee.
193
CCM criteria Controls specified by InShared Results of PwC’s
Testing

STA-05 Third-party Agree-
ments
Supply chain agreements
(e.g., SLAs) between providers
and customers (tenants) shall
incorporate at least the fol-
lowing mutually-agreed upon
provisions and/or terms:
(1) Scope of business relation-
ship and services offered
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.

(2) Information security re- SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
quirements, provider and cus- Service Incident Report. Security incidents related to external parties are shared with the client
tomer (tenant) primary points and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
of contact for the duration of Response Management Policy.
the business relationship, and
references to detailed sup-
porting and relevant business
processes and technical
measures implemented to en-
able effectively governance,
risk management, assurance
and legal, statutory and regu-
latory compliance obligations
by all impacted business rela-
tionships.

(3) Notification and/or pre-au-

thorization of any changes
controlled by the provider
with customer (tenant) im-
pacts.

194
CCM criteria Controls specified by InShared Results of PwC’s
Testing

(4) Timely notification of a se-

curity incident (or confirmed
breach) to all customers (ten-
ants) and other business rela-
tionships impacted (i.e., up-
and down-stream impacted
supply chain).

(5) Assessment and independ-

ent verification of compliance
with agreement provisions
and/or terms (e.g., industry-
acceptable certification, attes-
tation audit report, or equiva-
lent forms of assurance) with-
out posing an unacceptable
business risk of exposure to
the organization being as-
sessed.

(6) Expiration of the business

relationship and treatment of
customer (tenant) data im-
pacted.

(7) Customer (tenant) service-

to-service application (API)
and data interoperability and
portability requirements for
application development and
information exchange, usage,
and integrity persistence.

195
CCM criteria
STA-06 Supply Chain Govern-
ance Review
Providers shall review the risk
management and governance
processes of their partners so
that practices are consistent
and aligned to account for
risks inherited from other
members of that partner's
cloud supply chain.
STA-07 Supply Chain Metrics
Policies and procedures shall
be implemented to ensure
the consistent review of ser-
vice agreements (e.g., SLAs)
between providers and cus-
tomers (tenants) across the
relevant supply chain (up-
stream/downstream). Re-
views shall be performed at
least annually and identify
non-conformance to estab-
lished agreements. The re-
views should result in actions
to address service-level con-
flicts or inconsistencies result-
ing from disparate supplier re-
lationships.
Controls specified by InShared Results of PwC’s
Testing
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
IM-2 The availability, capacity and performance of the network and resources are monitored by No exceptions noted
third-party monitoring software. Alerts are reported by the third-party vendor and followed up
through the formal incident management procedures, as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
PI-1 The performance indicators as defined within the customer SLAs are measured, reviewed, an-
alysed and reported to the customer in the SLR on a monthly basis.
SOC2-2 The applicable security, regulatory and contractual requirements and the related obliga-
tions are defined within the client contract. The client contract is signed by the client and In-
Shared, prior to granting access to the CynoSure Platform.
SOC2-5 Identified security incidents are reported to the CynoSure platform customer using the
Service Incident Report. Security incidents related to external parties are shared with the client
and reported in the SLR, in accordance with the Incident Management Policy and Security Incident
Response Management Policy.
196
CCM criteria Controls specified by InShared Results of PwC’s
Testing

STA-08 Third-party Assess- IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
ments in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
Providers shall assure reason- noted deviations can impact InShared's control objectives.
able information security
across their information sup-
ply chain by performing an
annual review. The review
shall include all part-
ners/third-party providers
upon which their information
supply chain depends on.

STA-09 Third-party Audits IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed No exceptions noted
in line with the reporting frequency, to determine that the scope of the control objectives and
Third-party service providers
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
shall demonstrate compliance
noted deviations can impact InShared's control objectives.
with information security and
confidentiality, access control,
service definitions, and deliv-
ery level agreements included
in third-party contracts. Third-
party reports, records, and
services shall undergo audit
and review at least annually
to govern and maintain com-
pliance with the service deliv-
ery agreements.

197
8.1.15 Threat and Vulnerability Management (TVM)
CCM criteria
TVM-01 Antivirus / Malicious
Software
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, to prevent the exe-
cution of malware on organi-
zationally-owned or managed
user end-point devices (i.e.,
issued workstations, laptops,
and mobile devices) and IT in-
frastructure network and sys-
tems components.
TVM-02 Vulnerability / patch
management
Policies and procedures shall
be established, and support-
ing processes and technical
measures implemented, for
timely detection of vulnerabil-
ities within organizationally-
owned or managed applica-
tions, infrastructure network
Controls specified by InShared Results of PwC’s
Testing
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
IS-8 The assurance report(s) and relevant certification(s) of the datacentres and SOC are reviewed
in line with the reporting frequency, to determine that the scope of the control objectives and
controls are sufficient for the services outsourced to the regarding datacentres and to verify if any
noted deviations can impact InShared's control objectives.
VM-2 Events, thresholds and metrics have been defined and configured in the third-party Security
Information and Event Management (SIEM) system to detect security incidents and to alert the
Security Operations Centre, which are also reported within the monthly SIEM report. Actual met-
rics and events trespassing thresholds are visible in the online SIEM monitoring dashboard.
VM-4 The Security Operations Centre (SOC) performs monitoring activities, including the escala-
tion and coordination of incidents. The activities are defined and agreed upon within the Service
Level Agreement (SLA).
VM-6 All end-points managed and/or owned by InShared are protected for the execution of mal-
ware using windows Anti-Virus. Windows servers are protected using TrendMicro Apex One.
CM-1 A Change Management Policy and a Release Management Policy has been established and No exceptions noted
communicated that defines the procedures and roles and responsibilities with respect to the (pre-
)authorization, development, testing and implementation of changes. The change management
process is divided in three different phases: (1) define changes, (2) prioritize & plan changes and
(3) build & test changes. Completion of the change management process triggers the Release
Management process. The Change Management Policy and the Release Management Policy are
reviewed annually and updated as necessary.
IM-1 An Incident Management Policy and a Security Incident Response Management Policy has
been established and communicated with defined processes, roles and responsibilities for the
198
CCM criteria
and system components (e.g.,
network vulnerability assess-
ment, penetration testing) to
ensure the efficiency of imple-
mented security controls. A
risk-based model for prioritiz-
ing remediation of identified
vulnerabilities shall be used.
Changes shall be managed
through a change manage-
ment process for all vendor-
supplied patches, configura-
tion changes, or changes to
the organization's internally
developed software. Upon re-
quest, the provider informs
customer (tenant) of policies
and procedures and identified
weaknesses especially if cus-
tomer (tenant) data is used as
part the service and/or cus-
tomer (tenant) has some
shared responsibility over im-
plementation of control.
TVM-03 Mobile Code
Policies and procedures shall
be established, and support-
ing business processes and
technical measures imple-
mented, to prevent the exe-
cution of unauthorized mobile
Controls specified by InShared Results of PwC’s
Testing
detection, escalation, response and reporting of incidents. These policies are reviewed annually
and updated as necessary.
IS-1 An Information Security Policy has been established and communicated that defines the In-
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
SOC2-4 InShared maintains and notifies customers of potential changes and events that may im-
pact security or availability of the services. Changes to the security commitments and security ob-
ligations of InShared are communicated to customers in a timely manner via the SLR.
VM-5 Semi-annually vulnerability assessments and semi-annually penetration testing activities are
performed by a third-party vendor on InShared's network and web applications (frontend,
backend, webservices, external web connections, CynoSure applications and the supporting infra-
structure). Identified vulnerabilities are analysed and followed-up in a timely manner, depending
on the severity of the vulnerability, in accordance with the Incident Management Policy, Change
Management Policy and Release Management Policy.
VM-8 A Patch Management Policy has been established and communicated that defines the
scope, the roles and responsibilities and procedures with respect to patch management for the
CynoSure Platform. The Patch Management Policy is reviewed annually and updated as necessary.
IS-1 An Information Security Policy has been established and communicated that defines the In- No exceptions noted
formation Security Management System (ISMS) of InShared for the CynoSure Platform. The Infor-
mation Security Policy is reviewed annually and updated as necessary.
VM-7 As part of the Information Security Policy, mobile code is not allowed at InShared. Mobile
code, including Java, is not allowed in the installation (SCCM). Users are therefore not able to in-
stall programs which are not part of the InShared software store. Upon request, an IT employee
can request exception for Java needed for cooperation with suppliers who work with Java.
199
CCM criteria Controls specified by InShared Results of PwC’s
Testing

code, defined as software

transferred between systems
over a trusted or untrusted
network and executed on a
local system without explicit
installation or execution by
the recipient, on organization-
ally-owned or managed user
end-point devices (e.g., issued
workstations, laptops, and
mobile devices) and IT infra-
structure network and sys-
tems components.

200
9 PART C: DESCRIPTION OF THE TESTS PERFORMED BY PWC TO DETERMINE WHETHER INSHARED’S
CONTROLS WERE EFFECTIVELY DESIGNED AND SUFFICIENTLY IMPLEMENTED AND THE RESULTS OF
TESTING

9.1.1 Entity Level (ELC)

InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s

Control ID Testing

ELC-1 The InShared values are defined and an Integrity Pol-
icy has been established and communicated. The In-
Shared values and Integrity Policy are accessible to
employees via the Internal Platform and are updated
by management, as necessary.
Inspected the InShared values and the Integrity Policy and No exceptions noted
determined that values are defined, and an up-to-date In-
tegrity Policy has been established and made available to
employees via InShared’s intranet.

ELC-2 Risk assessment results are reviewed and discussed
quarterly during the Risk Management Meeting. Rel-
evant risk assessment results are also reported to
the Board of Directors on behalf of senior manage-
ment.
Inspected a sample of one of the minutes of the quarterly No exceptions noted
risk management meetings and determined that risk as-
sessment results are reviewed and discussed during the
risk management meeting.

201
9.1.2 Information Security Program (IS)
InShared’s Controls specified by InShared
Control ID
IS-1 An Information Security Policy has been established
and communicated that defines the Information Secu-
rity Management System (ISMS) of InShared for the
CynoSure Platform. The Information Security Policy is
reviewed annually and updated as necessary.
IS-2 An information security education and awareness pro-
gram has been established that includes policy training
and periodic security updates to InShared personnel.
The results of the awareness program are evaluated
with management and follow-up actions are defined
and implemented, as necessary.
IS-3 Employees and contractors sign agreements that in-
clude non-disclosure provisions and asset protection
responsibilities, upon hire. Employees and contractors
are provided an intranet page which describes, in ac-
cordance with the Information Security Policy, the re-
sponsibilities and expected behaviour regarding infor-
mation security. Employees are required to
acknowledge agreements to return InShared assets
upon termination.
IS-4 Disciplinary actions are defined for employees and
contingent staff that violate InShared's security poli-
cies and procedures.
202
Testing performed by PwC Results of PwC’s
Testing
Inspected the Information Security Policy and determined No exceptions noted
that an up-to-date information security policy has been
established that defines the ISMS of InShared for the Cy-
noSure Platform.
Inspected the information security education and aware- No exceptions noted
ness program and program results and determined that
an information security education and awareness program
has been established and that the results of the aware-
ness program are evaluated and followed-up when
needed.
Inspected the template agreement for the use of No exceptions noted
InShared’s equipment and determined that non-disclosure
provisions, asset protection responsibilities and agree-
ments to return InShared’s assets upon termination are
included. Inspected the intranet page and determined
that the page describes the responsibilities and expected
behaviour regarding information security.
Inspected the Information Security Policy and the tem- No exceptions noted
plate agreement for the use of InShared’s equipment and
determined that disciplinary actions are defined for staff
that violate InShared's security policies and procedures.
InShared’s Controls specified by InShared
Control ID
IS-5 A Risk and Compliance Policy has been established and
communicated that defines the governance of the risk
management and compliance functions within the In-
Shared group, the risk strategy and risk appetite, the
Risk Management Framework InShared (RMFI) and the
methods used to identify and treat risks. The Risk and
Compliance Policy describes the three lines of defence
for the InShared group. The first line is operations, the
second line is the Risk Management department and
the third line is Internal Audit Achmea. The Risk and
Compliance Policy is made operational in a Risk and
Compliance year plan. The Risk and Compliance Policy
is reviewed annually and updated as necessary.
Testing performed by PwC Results of PwC’s
Testing
Inspected the Risk and Compliancy Policy and determined No exceptions noted
that an up-to-date risk and compliancy policy has been es-
tablished that defines the governance of the risk manage-
ment and compliance functions within the InShared
group, the risk strategy and risk appetite, the risk manage-
ment framework InShared and the methods used to iden-
tify and treat risks.

IS-6 The Risk Management department (the second line of Inspected the second line review conducted in January No exceptions noted
defence) reviews the effectiveness of the imple- 2020 and determined that the effectiveness of the imple-
mented Information Security Management System mented ISMS is assessed annually by the risk management
(ISMS) on an annual basis, in accordance with the de- department. Inspected the internal audit year plan 2020-
fined audit activities within the approved risk manage- 2022 and determined that internal audit assesses the ef-
ment audit plan. Nonconformities are recorded, re- fectiveness of the implemented ISMS on a three-annually
viewed, prioritized and analysed, to be able to define basis.
and implement remediation plans. The remediation
plans are developed in the security dashboard of the
Risk Committee. Internal Audit Achmea (the third line
of defence) reviews the effectiveness of the imple-
mented ISMS on a 3-annual basis, in accordance with
the defined audit activities within the approved inter-
nal audit plan. Nonconformities are recorded, re-
viewed, prioritized and analysed, to be able to define
and implement remediation plans. The remediation
plans are registered in the issue register and moni-
tored by the Risk and Compliance Committee.

203
InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s
Control ID Testing
IS-7 An Enterprise Architecture has been established and Inspected InShared’s enterprise architecture and deter- No exceptions noted
communicated that describes the current and target mined that an up-to-date enterprise architecture has been
architectures for the business, information, data, ap- established that describes the current and target architec-
plication and technology domains governing the secu- tures for the business, information, data, application and
rity principles as outlined in the Information Security technology domains.
Policy. The Enterprise Architecture drives process, ser-
vices and technology changes necessary to execute
strategies for the CynoSure platform. The Enterprise
Architecture is reviewed annually and updated as nec-
essary.

IS-8 The assurance report(s) and relevant certification(s) of Inspected management’s assessment of relevant assur- No exceptions noted
the datacentres and SOC are reviewed in line with the ance reports and certifications of outsourced services and
reporting frequency, to determine that the scope of activities and determined that the assurance reports and
the control objectives and controls are sufficient for certifications are sufficiently assessed by management.
the services outsourced to the regarding datacentres
and to verify if any noted deviations can impact In-
Shared's control objectives.

204
9.1.3 Logical Customer Access (LA)
InShared’s Controls specified by InShared
Control ID
LA-1 An Authorization Management Policy has been estab-
lished and communicated that defines the Authoriza-
tion Management of InShared for the CynoSure Plat-
form. The Authorization Management Policy is re-
viewed annually and updated as necessary.
LA-2 Provisioning and de-provisioning of customer user ac-
count entitlements for the CynoSure Platform is re-
quested, authorized and granted or revoked in accord-
ance with the implemented Authorization Manage-
ment Policy.
LA-3 Customer credentials used to access CynoSure services
meet the applicable password policy requirements as
defined in the Authorization Management Policy.
205
Testing performed by PwC Results of PwC’s
Testing
Inspected the authorization management policy and de- No exceptions noted
termined that an up-to-date authorization management
policy has been established that defines the processes,
roles and responsibilities for requesting, authorizing,
granting, periodically reviewing and revoking user ac-
cess accounts and rights.
Inspected the authorization management policy and a No exceptions noted
sample of one customer user accounts entitlements and
determined that provisioning and de-provisioning of
customer user account entitlements for the CynoSure
platform is requested, authorized, granted and revoked
in accordance with the authorization management pol-
icy.
Inspected the password generation script for customer No exceptions noted
credentials and determined that customer credentials
meet the applicable password policy requirements, as
defined within Authorization Management Policy.
9.1.4 Operator Access (OA)
InShared’s Controls specified by InShared
Control ID
OA-1 Access/Roles groups are defined based upon estab-
lished business rules, including segregation of duties,
in a SOLL authorization matrix. Procedures are in place
to ensure timely initiation and update in the SOLL au-
thorization matrices for all assets. Management au-
thorizes changes to defined privileges for access
groups/roles. The SOLL authorization matrix is re-
viewed annually and updated as necessary.
OA-2 Employee access rights are assigned commensurate
with assigned job responsibilities (e.g. through role-
based access). Administration procedures are available
to define activities for requesting, authorizing and
granting an account and its associated user access
rights. Access to information is based on 'need-to-
know/need-to-have'-principle and all user activities
can be traced to uniquely identifiable users.
OA-3 Administration procedures are available to define ac-
tivities for requesting and revoking an account and its
associated user access rights. Terminated user access
rights are removed on a timely basis. The return of as-
sets is checked using the checklist according to exit
employee checklist.
OA-4 All employment candidates and contractors are sub-
ject to pre-employment screening (PES). Candidates
and contractors are registered in Jira. Subsequently a
PES ticket is generated automatically within Jira to
start PES process. Hardware and software (credentials)
are only provided to employees and contractors after
PES clearance.
206
Testing performed by PwC Results of PwC’s
Testing
Inspected the soll authorization matrix and determined No exceptions noted
that access/roles groups are defined based upon estab-
lished business rules, including segregation of duties, in
an up-to-date soll authorization matrix for all in-scope
assets.
Inspected a sample of one employee access rights as- No exceptions noted
signed and determined that employee access rights are
assigned commensurate with assigned job responsibili-
ties through role-based access in accordance with the
soll authorization matrix and that administration proce-
dures are available to define activities for requesting,
authorizing and granting an account and its associated
user access rights.
Inspected the exit employees process document and de- No exceptions noted
termined that administration procedures are available
to define activities for requesting and revoking an ac-
count and its associated user access rights and that exit
employee checklists are available.
Inspected the pre-employment screening document and No exceptions noted
a sample of one employment candidate and determined
that pre-employment screening was conducted, and
that hardware and software was provided after PES
clearance.
InShared’s Controls specified by InShared
Control ID
OA-5 Management periodically reviews user access imple-
mented for the relevant physical and virtual applica-
tion interfaces and infrastructure network and sys-
tems components (IST-situation) in order to confirm
the correctness of implemented accounts and roles
(the access rights) and validate that access rights are
commensurate with assigned job responsibilities, as
set out by the access rules (SOLL-situation). Any inap-
propriate access noted during the review process is re-
voked in a timely manner. This control involves SOLL
and IST matrices being compared by responsible man-
agement.
OA-6 Management is responsible for periodically reviewing
the list of active IDs in relevant physical and virtual ap-
plication interfaces and infrastructure network and
systems components, in order to validate whether
unique User ID's are implemented to provide individ-
ual accountability and to ensure that generic or sys-
tem level IDs are locked or otherwise protected. Any
inappropriate or inactive IDs noted during the review
process are disabled in a timely manner.
OA-7 Corporate user account credentials meet the applica-
ble password policy requirements, as defined within
Authorization Management Policy.
OA-8 Access to network devices for remote access in the
scope boundary requires two factor authentication.
207
Testing performed by PwC Results of PwC’s
Testing
Inspected a sample of one quarterly review and deter- No exceptions noted
mined that management performed a user access re-
view for the in-scope physical and virtual application in-
terfaces and infrastructure network and systems com-
ponents, and that management validated that access
rights are commensurate with assigned job responsibili-
ties, as set out with the soll authorization matrix.
Inspected a sample of one quarterly review and deter- No exceptions noted
mined that management performed a review of active
Active Directory user accounts and that management
validated that unique user accounts are assigned and
generic or system accounts are protected to provide in-
dividual accountability.
Inspected the Active Directory domain password policy No exceptions noted
and determined that corporate user account credentials
meet the applicable password policy requirements, as
defined within Authorization Management Policy.
Inspected the configuration settings of the VPN connec- No exceptions noted
tion and determined that access to network devices for
remote access in the scope boundary requires two fac-
tor authentication.
InShared’s Controls specified by InShared
Control ID
OA-9 Access to infrastructure components is controlled
through defined Active Directory Security Groups,
which require identification with credentials as an ad-
ministrator, which is a separate account from regular
accounts for (high) privileged access. The accounts
with (high) privileged access rights are not configured
to perform day-to-day activities, but exclusively to
perform administrative tasks.
OA-10 Perimeter firewalls are implemented and properly
configured to restrict unauthorized traffic. A mecha-
nism called Reverse Path Forwarding (RPF), or anti
spoofing, is implemented with the installed firewall
which prevents IP packets to be forwarded if its source
IP is spoofed.
OA-11 Remote Desktop Connection for administrator access
to the production environment are encrypted.
OA-12 The management VLAN is separating management
traffic from customer traffic.
OA-13 Authorized software is made available through Soft-
ware Centre. Installation of unauthorized software on
organizationally-owned or managed user end-point
devices is restricted as users have no (local) adminis-
trator rights. Compliance with authorized software is
monitored quarterly.
208
Testing performed by PwC Results of PwC’s
Testing
Inspected a sample of one set of regular and administra- No exceptions noted
tor accounts and determined that the account with priv-
ileged access is not configured to perform day-to-day
activities.
Inspected the spoofing rules of the firewall and deter- No exceptions noted
mined that perimeter firewalls are implemented and
that a mechanism called reverse path forwarding is im-
plemented which prevents IP packets to be forwarded if
its source IP is spoofed.
Inspected the configuration settings of the remote desk- No exceptions noted
top connection and determined that remote desktop
connections are encrypted.
Inspected a sample of one switch configuration settings No exceptions noted
and determined that the management VLAN is separat-
ing management traffic from customer traffic.
Inspected the software made available through soft- No exceptions noted
ware centre and a sample of one quarterly compliance
review and determined that management validated
compliance with authorized software.
InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s
Control ID Testing
OA-14 The access point radio equipment on the firewall scans Inspected the identified available access points from the No exceptions noted
for other available access points. Unauthorized access rogue access point monitor module of the firewall and
points connected to the InShared wired network are determined that management did not identified any
detected, the firewall will send an alert to the infra rogue access points.
team who will respond with placing the access point
on a black list. The detected rogue SSID will be sup-
pressed using roque access point functionality on the
Wi-Fi controller that sends de-authentication mes-
sages to the rogue access point.

209
9.1.5 Data Security (DS)

InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s

Control ID Testing

DS-1 Communication with key CynoSure components Inspected the established encryption key policy, a certif- No exceptions noted
where customer data is transmitted or involved is se- icate generated and stored by the encryption key
cured using encryption. Encryption is based on the im- server, an overview of certificates managed by the In-
plemented Encryption Key Management Policy. In- Shared’s Network Operating Centre, a certificate signed
Shared uses industry standards and best practices for by an external party, the configurations of the IPsec ,
encryption. the technical white paper of Pure Storage, the configu-
ration settings of the VPN connection and the configura-
Within the CynoSure platform encryption keys are ap- tion settings to automatically deploy bit locker software
plied in the following areas: on laptops, and determined that the communications
- Webservices: public certificates are used for the with key CynoSure components are secured with en-
webservices for external communication and client cryption.
certificates are generated and stored manually using
an encryption key server (Simple Authority) for inter-
nal communication of the webservices within the Cy-
noSure Platform.
- Datacentre communication: connections between
datacentres are point to point using IPsec managed by
the Fortinet FortiGate firewall devices.
- Storage: encryption of data is handled automatically
within the storage solution (Pure Storage).
- Remote users: Encryption of VPN connections for
end users (remote users) is handled automatically
within the VPN solution, including the SSL connection
with clients (Pulse Secure).
- Laptops: encryption of laptops is handled automati-
cally by bit locker software on the laptop.

Cryptographic keys, certificates, and customer access

keys used for communication between CynoSure ser-
vices and other internal components or external

210
InShared’s Controls specified by InShared
Control ID
parties are hosted by the load balancer and managed
by the Network Operating Centre (NOC) of InShared.
Changes in client certificates for webservices are com-
municated to the client and/or partners by the NOC.
DS-2 Customer data within the CynoSure platform is auto-
matically replicated with Zert0 cross hypervisor repli-
cation, to minimize isolated faults. Customers of the
CynoSure platform are able to determine the geo-
graphical regions for data processing and storage, in-
cluding data backups, within the customer contract.
DS-3 Backup restoration procedures are defined and
backup data integrity checks are performed through
standard restoration activities.
DS-4 Data and job error notifications are automatically sent
to the service desk. In addition, the error logs are daily
reviewed by the service desk. The data and job error
notifications are registered and followed up by the
service desk using the IT ticketing system.
DS-5 A Retention Period Policy has been established and
communicated to ensure that customer data is re-
tained and removed per the defined retention periods.
The Retention Period Policy is reviewed annually and
updated as necessary.
211
Testing performed by PwC Results of PwC’s
Testing
Inspected the redundant architecture document, the No exceptions noted
Zert0 replication and redundant flows and instances and
a sample of one automated replication and determined
that customer data within the CynoSure platform is au-
tomatically replicated with Zert0 cross hypervisor repli-
cation.
Inspected the backup and restore procedure document No exceptions noted
and determined that backup restoration procedures are
defined, and back-up data integrity checks are per-
formed through standard restoration activities.
Inspected a sample of one error log and determined No exceptions noted
that data and job error notifications are automatically
sent to the service desk, that error logs are reviewed by
the service desk and that the data and job error notifica-
tions are registered and followed up by the service desk
using the IT ticketing system.
Inspected the retention period policy and determined No exceptions noted
that an up-to-date retention period policy has been es-
tablished.
InShared’s Controls specified by InShared
Control ID
DS-6 A Repurposing of Equipment Policy has been estab-
lished and communicated that defines the destruction
guidelines and procedures for secure disposal or re-
purposing of equipment used outside InShared's
premise or tenant domain. The Repurposing of Equip-
ment Policy is reviewed annually and updated as nec-
essary.
212
Testing performed by PwC Results of PwC’s
Testing
Inspected the repurposing of equipment policy and de- No exceptions noted
termined that an up-to-date repurposing of equipment
has been established that defines the destruction guide-
lines and procedures for secure disposal or repurposing
of equipment used outside InShared's premise or tenant
domain.
9.1.6 Change Management (CM)
InShared’s Controls specified by InShared
Control ID
CM-1 A Change Management Policy and a Release Manage-
ment Policy has been established and communicated
that defines the procedures and roles and responsibili-
ties with respect to the (pre-)authorization, develop-
ment, testing and implementation of changes. The
change management process is divided in three differ-
ent phases: (1) define changes, (2) prioritize & plan
changes and (3) build & test changes. Completion of
the change management process triggers the Release
Management process. The Change Management Pol-
icy and the Release Management Policy are reviewed
annually and updated as necessary.
CM-2 Change requests are evaluated to determine the po-
tential effect of the change on system availability, con-
fidentiality and integrity of CynoSure services and ap-
proved in line with the defined roles and responsibili-
ties with respect to the (pre-)authorization, as de-
scribed within the Change Management Policy.
Changes classified as major require the approval of the
Platform Architecture Board.
CM-3 Changes to the CynoSure platform, including emer-
gency changes, are (pre-)authorized, designed, devel-
oped, configured, documented, tested, approved and
deployed in line with the established Change Manage-
ment and Release Management policies and proce-
dures. Changes classified as major require the ap-
proval of the Platform Architecture Board.
213
Testing performed by PwC Results of PwC’s
Testing
Inspected the change management and release man- No exceptions noted
agement policy and determined that an up-to-date
change and release management policy has been estab-
lished that defines the procedures and roles and respon-
sibilities with respect to the (pre-)authorization, devel-
opment, testing and implementation of changes.
Inspected a sample of one change request and deter- No exceptions noted
mined that change requests are evaluated to determine
the potential effect of the change on system availability,
confidentiality and integrity and approved in line with
the defined roles and responsibilities with respect to
(pre-)authorization, as described within the change
management policy.
Inspected a sample of one change and determined that No exceptions noted
changes to the CynoSure platform are (pre-)authorized,
designed, developed, configured, documented, tested,
approved and deployed in line with the established
change and release management policies and proce-
dures.
InShared’s Controls specified by InShared
Control ID
CM-4 The Information Security Policy instructs the use of the
baselines during the installation of (new) IT equip-
ment. The security baseline configuration settings of
firewalls, Wi-Fi access points, VPN, load balancers, da-
tabase servers and operating systems are assessed an-
nually, by using automated tools and industry base-
lines. Non-acceptable deviations from the industry
baseline are followed up and remediated, in accord-
ance with the Change Management and Release Man-
agement policies and procedures.
CM-5 New features and major changes are developed and
tested in separate environments prior to production
implementation. Anonymised data is used for testing
purposes. Production data is not replicated in test or
development environments.
CM-6 Applications and programming interfaces (APIs) and
webservices are authorized, designed, developed, con-
figured, documented, tested, approved and deployed
in line with the implemented change management
policy and procedures. This includes developing and
testing in accordance with the following industry
standards:
- Coding standard PHP
- Web services Security standard (OWASP)
- Bitbucket code checks
- Automated webservice creation
- SOAPUI WSI compliance report
214
Testing performed by PwC Results of PwC’s
Testing
Inspected a sample of one of the industry baselines No exceptions noted
used, the baseline results and baseline analyses and fol-
low up and determined that the security baseline con-
figuration settings of firewalls, Wi-Fi access points, VPN,
load balancers, database servers and operating systems
are assessed annually, and that non-acceptable devia-
tions from the industry baseline are followed up and re-
mediated in accordance with the change and release
management policies and procedures.
Inspected the script used to anonymise data and an No exceptions noted
overview of the separate production and staging envi-
ronments and determined that anonymised data and
separate environments are used for development and
testing purposes.
Inspected a sample of one change and determined that No exceptions noted
APIs and webservices are authorized, designed, devel-
oped, configured, documented, tested, approved and
deployed in line with the implemented change and re-
lease management policies and procedures.
9.1.7 Software Development (SDL)
InShared’s Controls specified by InShared
Control ID
SDL-1 A centralized repository is used for managing source
code changes to the CynoSure platform. The source
code is locked down through version control software
and changes has to follow-through the change man-
agement repositories.
SDL-2 The utility programs at InShared, Bamboo for code de-
ployment, Ansible for Linux deployment and V-centre
for VMware management, are restricted by authoriza-
tions following the Authorization Management Policy.
215
Testing performed by PwC Results of PwC’s
Testing
Inspected the code repository and determined that a No exceptions noted
centralized repository is used for managing source code
changes to the CynoSure platform.
Inspected a sample of one quarterly review and deter- No exceptions noted
mined that management performed a user access re-
view for the in-scope physical and virtual application in-
terfaces and infrastructure network and systems com-
ponents, and that management validated that access
rights are commensurate with assigned job responsibili-
ties, as set out with the soll authorization matrix.
9.1.8 Vulnerability Management (VM)
InShared’s Controls specified by InShared
Control ID
VM-1 Production and development webservers, database
servers, mail servers, file servers, firewalls, domain
controllers and other network devices are configured
to log security events.
VM-2 Events, thresholds and metrics have been defined and
configured in the third-party Security Information and
Event Management (SIEM) system to detect security
incidents and to alert the Security Operations Centre,
which are also reported within the monthly SIEM re-
port. Actual metrics and events trespassing thresholds
are visible in the online SIEM monitoring dashboard.
VM-3 Security event logs are centrally collected by the third-
party Security Information and Event Management
(SIEM) software log collector. The log collector is ap-
propriately segmented from any production related
node and sends the log data to the SIEM system. The
log collector is managed by the third-party vendor.
VM-4 The Security Operations Centre (SOC) performs moni-
toring activities, including the escalation and coordina-
tion of incidents. The activities are defined and agreed
upon within the Service Level Agreement (SLA).
216
Testing performed by PwC Results of PwC’s
Testing
Inspected the network devices in monitoring and deter- No exceptions noted
mined that production and development webservers,
database servers, mail servers, file servers, firewalls, do-
main controllers and other network devices are config-
ured to log security events.
Inspected a sample of one monthly SIEM report and an No exceptions noted
example of the online SIEM monitoring dashboard and
determined that events, thresholds and metrics have
been defined and configured in the third-party Security
Information and Event Management (SIEM) system to
detect security incidents and to alert the security opera-
tions centre and that actual metrics and events tres-
passing thresholds are visible in the online SIEM moni-
toring dashboard.
Inspected the firewall rules for the SIEM log collector No exceptions noted
and determined that the log collector is appropriately
segmented from any production related node and sends
the log data to the SIEM system.
Inspected the service level agreement and a sample of No exceptions noted
one security incident report and determined that the se-
curity operations centre performs monitoring activities,
including the escalation and coordination of incidents.
InShared’s Controls specified by InShared
Control ID
VM-5 Semi-annually vulnerability assessments and semi-an-
nually penetration testing activities are performed by
a third-party vendor on InShared's network and web
applications (frontend, backend, webservices, external
web connections, CynoSure applications and the sup-
porting infrastructure). Identified vulnerabilities are
analysed and followed-up in a timely manner, depend-
ing on the severity of the vulnerability, in accordance
with the Incident Management Policy, Change Man-
agement Policy and Release Management Policy.
VM-6 All end-points managed and/or owned by InShared are
protected for the execution of malware using windows
Anti-Virus. Windows servers are protected using
TrendMicro Apex One.
VM-7 As part of the Information Security Policy, mobile code
is not allowed at InShared. Mobile code, including
Java, is not allowed in the installation (SCCM). Users
are therefore not able to install programs which are
not part of the InShared software store. Upon request,
an IT employee can request exception for Java needed
for cooperation with suppliers who work with Java.
VM-8 A Patch Management Policy has been established and
communicated that defines the scope, the roles and
responsibilities and procedures with respect to patch
management for the CynoSure Platform. The Patch
Management Policy is reviewed annually and updated
as necessary.
217
Testing performed by PwC Results of PwC’s
Testing
Inspected a sample of one vulnerability assessment and No exceptions noted
penetration testing report performed by a third-party
vendor and determined that semi-annually vulnerability
assessments and penetration testing activities are per-
formed on InShared's network and web applications and
that identified vulnerabilities are analysed and followed-
up, in accordance with the incident, change and release
management policies and procedures.
Inspected the antivirus and antimalware analyses re- No exceptions noted
ports and determined that InShared’s end-points are
protected for the execution of malware.
Inspected the software made available through soft- No exceptions noted
ware centre and a sample of one quarterly compliance
review and determined that mobile code is not available
for installation and that management validated compli-
ance with authorized software.
Inspected the patch management policy and deter- No exceptions noted
mined that an up-to-date patch management policy has
been established that defines the scope, the roles and
responsibilities and procedures with respect to patch
management for the CynoSure platform.
9.1.9 Incident Management (IM)
InShared’s Controls specified by InShared
Control ID
IM-1 An Incident Management Policy and a Security Inci-
dent Response Management Policy has been estab-
lished and communicated with defined processes,
roles and responsibilities for the detection, escalation,
response and reporting of incidents. These policies are
reviewed annually and updated as necessary.
IM-2 The availability, capacity and performance of the net-
work and resources are monitored by third-party mon-
itoring software. Alerts are reported by the third-party
vendor and followed up through the formal incident
management procedures, as necessary.
IM-3 Identified security incidents are analysed and fol-
lowed-up in a timely manner, in accordance with the
Incident Management Policy and Security Incident Re-
sponse Management Policy. Depending on the sever-
ity of the security incident containment, eradication
and recovery procedures will be executed.
IM-4 Identified security incidents are post-mortem investi-
gated and the security incident response procedures
are tested annually to identify areas for improvement.
218
Testing performed by PwC Results of PwC’s
Testing
Inspected the incident management policy and the se- No exceptions noted
curity incident response management policy and deter-
mined that an up-to-date incident management policy
and an up-to-date security incident response manage-
ment policy has been established that defines the pro-
cesses, roles and responsibilities for the detection, esca-
lation, response and reporting of incidents.
Inspected a sample of one monthly service management No exceptions noted
report and determined that the availability, capacity and
performance of the network and resources are moni-
tored by third-party monitoring software and that alerts
are reported by the third-party vendor and followed up
through the formal incident management procedures.
Inspected a sample of one identified security incident No exceptions noted
and determined that security incidents are analysed, fol-
lowed-up and reported in accordance with the incident
management policy and security incident response man-
agement policy.
Inspected a sample of one security incident report and No exceptions noted
security incident response test plan and determined
that security incidents are post-mortem investigated
and that the security incident response procedures are
tested annually to identify areas for improvement.
9.1.10 Physical and Environmental Security (PE)
InShared’s Controls specified by InShared
Control ID
PE-1 Authorization to give physical access to the datacentre
is given by the information manager of InShared to the
regarding datacentre. Security verification and check-
in are required for personnel for temporary access to
the interior datacentre facility including tour groups or
visitors.
PE-2 The Continuity Architecture of InShared is redundant.
Within the production datacentre the infrastructure is
redundant, and active-passive between the produc-
tion site and the BCDR site. A separate risk assessment
is conducted for BCDR sites within 50 km distance of
production sites.
PE-3 A complete inventory of assets in the datacentres is
maintained by the infrastructure team. The inventory
of assets is reviewed at least annually.
PE-4 Delivery and removal of assets are requested and au-
thorized within the IT-ticketing system (Jira) by the in-
frastructure team.
219
Testing performed by PwC Results of PwC’s
Testing
Inspected a sample of one given authorization for physi- No exceptions noted
cal access to the datacentre and determined that au-
thorization was given by the information manager of In-
Shared.
Inspected the continuity architecture, the redundant ar- No exceptions noted
chitecture document, the redundant flows and in-
stances and the separate risk assessment for BCDR sites
within 50km distance of production sites and deter-
mined that the continuity architecture of InShared is re-
dundant, that within the production datacentre the in-
frastructure is redundant, and active-passive between
the production site and the BCDR site and that a sepa-
rate risk assessment is conducted for BCDR sites within
50 km distance of production sites.
Inspected the inventory of assets in the datacentres and No exceptions noted
concluded that an up-to-date inventory of assets in the
datacentres is maintained by the infrastructure team.
Inspected a sample of one infrastructure change and de- No exceptions noted
termined that delivery and removal of assets are re-
quested and authorized by the infrastructure team
within the IT-ticketing system.
9.1.11 Business Continuity and Resilience (BC)

InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s

Control ID Testing

BC-1 A Disaster & Recovery Management Policy has been
established and communicated that defines the lines
of communication, roles, and responsibilities. Disas-
ters & Recovery Management is triggered by an emer-
gency or disruption to the CynoSure Services. Continu-
ity of the office is defined in the Business Continuity
Plan.
Inspected the business continuity and disaster and re- No exceptions noted
covery policies and the IT continuity plan and deter-
mined that an up-to date business continuity and disas-
ter and recovery policy and an up-to-date the IT conti-
nuity plan has been established that defines the lines of
communication and the roles and responsibilities re-
garding business continuity and disaster recovery.

In case of an emergency or disruption, the Business

Continuity Manager and/or Chief Review Officer acti-
vates the IT Continuity Plan, which is an integral part
of the Business Continuity and Disaster & Recovery
Management plans. The IT Continuity Plan defines the
continuity architecture and detailed procedures for re-
covery and reconstitution of systems to a known state
per defined Recovery Time Objectives (RTOs) and Re-
covery Point Objectives (RPOs).

The Disaster & Recovery Management, Business Conti-

nuity Plan and IT Continuity plan are reviewed annu-
ally and updated as necessary.

BC-2 Disaster and recovery failover plans are tested annu- Inspected a sample of one Zert0 failover tests and deter- No exceptions noted
ally, using the automated Zert0 failover tests which mined that disaster and recovery failover plans are
are monitored using the periodical checks schedule. Is- tested annually.
sues identified during testing are analysed and re-
solved. The Disaster & Recovery Policy and plans are
updated accordingly as necessary.

220
InShared’s Controls specified by InShared
Control ID
BC-3 Business Impact Analyses, Risk Analyses and Risk
Treatment Analyses are conducted annually to iden-
tify, analyse and assess business continuity risks re-
lated to CynoSure services and to define and imple-
ment business continuity protection measures based
on the risk appetite.
221
Testing performed by PwC Results of PwC’s
Testing
Inspected a sample of one business impact analyses, risk No exceptions noted
analyses and risk treatment analyses report and deter-
mined that business impact analyses, risk analyses and
risk treatment analyses are conducted annually to iden-
tify, analyse and assess business continuity risks related
to the CynoSure services and to define and implement
business continuity protection measures based on the
risk appetite.
9.1.12 Processing integrity (PI)

InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s

Control ID Testing

PI-1 The performance indicators as defined within the Inspected a sample of one monthly service level report No exceptions noted
customer SLAs are measured, reviewed, analysed and determined that performance indicators are meas-
and reported to the customer in the SLR on a ured, reviewed, analysed and reported to the customer in
monthly basis. the service level report.

PI-2 Data input and output routines are implemented in Inspected a sample of one created webservice and input No exceptions noted
the webservices using Simple Object Access Protocol and output validation checks and determined that input
(SOAP/envelopes), Web Service Definition Language and output routines are implemented in the CynoSure
(WSDL) techniques and API integrity checks. Errors webservices.
are logged and followed up when necessary. Non
permissible requests are not processed by the appli-
cations and programming interfaces (APIs).

PI-3 InShared segregates and appropriately provisions Inspected a sample of one centrally registered web- No exceptions noted
the services to restrict unauthorized access to other service/API routing-overview per tenant and determined
customer tenants and data based on request from that InShared segregates and appropriately provisions the
customer through the portal / API which are custom services through the portal/API and that the routing of
made and routed with a Point to Point connection webservices/APIs is registered centrally.
(firewalling) and IP whitelisting per client and are
listed centrally and communicated with the client
upon request. The routing of each webservice / API
is registered centrally.

222
9.1.13 SOC2

InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s

Control ID Testing

SOC2-1 A Data Classification Policy has been established and Inspected the data classification policy and determined No exceptions noted
communicated that defines the classification of data that an up-to date data classification policy has been es-
and systems and the security requirements for each tablished that defines the classification of data and sys-
classification level. The following classification levels tems and the security requirements for each classification
are defined: level.
- Availability: 0 Basic, 1 Low, 2 Middle, 3 High
- Integrity: 0 Unknown, 1 Assumed Correct, 2 Veri-
fied Correct and 3 Proven correct
- Confidentiality: 0 Public, 1 Low, 2 Middle and 3
High
- Privacy: 0 Not personal, 1 Low, 2 Middle and 3
High.

In accordance with the Data Classification Policy cus-

tomer data is classified as Availability level 2, Integ-
rity level 2, Confidentiality Level 2 and Privacy Level
2. In addition, the CynoSure platform facilitates a
classification mechanism which can be used by the
client depending on customer needs.

The Data Classification Policy is reviewed annually

and updated as necessary.

SOC2-2 The applicable security, regulatory and contractual
requirements and the related obligations are defined
within the client contract. The client contract is
signed by the client and InShared, prior to granting
access to the CynoSure Platform.
Inspected a sample of one customer contract and deter- No exceptions noted
mined that the applicable security, regulatory and con-
tractual requirements and the related obligations are de-
fined within the client contract, and that the contract is
signed by the customer.

223
InShared’s Controls specified by InShared
Control ID
SOC2-3 Information system documentation to be able to
configure, install and operate the CynoSure services
and effectively use the platform's security features is
available and shared with the client via (live) training
and mail.
SOC2-4 InShared maintains and notifies customers of poten-
tial changes and events that may impact security or
availability of the services. Changes to the security
commitments and security obligations of InShared
are communicated to customers in a timely manner
via the SLR.
SOC2-5 Identified security incidents are reported to the Cy-
noSure platform customer using the Service Incident
Report. Security incidents related to external parties
are shared with the client and reported in the SLR, in
accordance with the Incident Management Policy
and Security Incident Response Management Policy.
SOC2-6 Customer data is accessible within agreed upon ser-
vices in data formats compatible with the CynoSure
services provided. Upon customer request data is
provided to the customer in the format as defined
within the customer contract.
SOC2-7 Reliable logs are available for the CynoSure platform,
which allows forensic procedures when necessary,
upon request of the customer and when the cus-
tomer has specified the content and format of data
that InShared has to provide. These logs are imple-
mented and changed as necessary following the for-
mal change management procedures of InShared.
224
Testing performed by PwC Results of PwC’s
Testing
Inspected a sample of one customer system documenta- No exceptions noted
tion and communication and determined that system doc-
umentation is available and shared with the customer.
Inspected a sample of one service level report and deter- No exceptions noted
mined that InShared maintains and notifies customers of
potential changes and events that may impact security or
availability of the Cynosure services.
Inspected a sample of one identified security incident and No exceptions noted
determined that security incidents are analysed, followed-
up and reported in accordance with the incident manage-
ment policy and security incident response management
policy.
Inspected a sample of one customer contract and deter- No exceptions noted
mined that customer data formats are defined within the
contract.
Inspected a sample of one log and determined that relia- No exceptions noted
ble logs are available for the CynoSure platform, which al-
lows forensic procedures when necessary, upon request
of the customer and when the customer has specified the
content and format of data that InShared has to provide.
InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s
Control ID Testing
SOC2-8 Third-party access transactions or activities are mon- Inspected a sample of one third-party access transactions No exceptions noted
itored for appropriateness. This logging and monitor- and activities monitoring and determined that manage-
ing function enables early prevention and/or detec- ment validated that third-party access transactions and
tion and subsequent timely reporting of unusual activities were appropriate.
and/or abnormal activities by authorized third par-
ties which needs to be addressed.

225
9.1.14 CCM

InShared’s Controls specified by InShared Testing performed by PwC Results of PwC’s

Control ID Testing

CCM-1 The system clocks of the firewalls are synchronized
with reliable external sources via the Network Time
Protocol (NTP). The domain controllers and hypervi-
sors are configured to synchronize with the nearest
firewall.
Inspected a sample of one of the network time protocol No exceptions noted
configuration settings and determined that the system
clocks of the firewalls are synchronized with reliable ex-
ternal sources via the network time protocol and that the
domain controllers and hypervisors are configured to syn-
chronize with the nearest firewall.

CCM-2 InShared provides its customers with a list of stand- Inspected a sample of one created webservice and deter- No exceptions noted
ard set of API's upon request. All API's are generated mined that the webservice was generated using the
using the standards for TLS and web services. standards for TLS and webservices.

226
Appendices
APPENDIX 1: CSA ENTERPRISE ARCHITECTURE

228
APPENDIX 2: ENTERPRISE ARCHITECTURE VS DESCRIPTION CRITERIA

Description Cri-

Infrastructure
teria 3

Procedures
Software

People*

Data
Architecture

BOSS PES /Contracts X

/ deployment

ITOS X

TOGAF X X E.g. Use of en-

cryption proce-
dure, software
development,
patching

Jericho authorisation /
authentication
/ SOD etc

* People contain the access to the environment. This is divided into three categories:

1. Customers of the clients of InShared who have an insurance at InShared clients. The access for these people
is managed by the CynoSure platform and front end of the client;
2. Key users of InShared clients gain access via the Jira portal tot the CynoSure platform (portal, assist, control
and claims);
3. IT personnel of InShared gains access using Active Directory and all authorisation management implemented
by InShared.

229