5 Compliance Projects Gone Terribly Wrong

Live Webinar: May 23, 2017

10:00 a.m. PT | 1:00 p.m. ET

If you work in compliance, then there's no doubt that you have at least 1 story of a project that has gone horribly wrong. If these nightmare scenarios didn't give you many sleepless nights, then it definitely created lots of stress for you and your team. You probably told your story to your peers and colleagues seeking some catharsis. With limited budgets and resources dedicated to GRC, the margin for error is slim; this webinar can help you reduce the risk associated with new or existing compliance programs.

Join Matt Kelly, Founder of the popular blog Radical Compliance, as he moderates a roundtable discussion with Reciprocity's GRC experts about who's got the best and worst story to tell about projects that have given them heartburn and headaches. Not only will you be able to ask our experts about what they've learned from the projects that didn't work out as expected, but you will also have the opportunity to ask our GRC experts for recommendations for when you find yourself in a project that's turning sideways.

This is a can't miss session for anyone managing a growing compliance practice. REGISTER NOW and feel free to share with colleagues and friends.

Making the Switch from SSAE 16 to SSAE 18 (credit: A-LIGN)

Written by Sue Wells, A-LIGN on December 19, 2016

When service organizations receive a SOC 1 examination, it is performed under the SSAE 16 or “Statements on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization” standard.

In Spring 2016, The AICPA’s Auditing Standards Board (ASB) completed the clarity project, the result of which was the issuance of the SSAE 18 standard, “Concepts common to all Attestation Engagements”. This new standard replaces SSAE 16 for SOC 1 engagements and goes into effect for reports dated after May 1, 2017.

It is important to note that the SSAE 16 standard was specific to service organizations and the SSAE 18 is for all attestation engagements. This means that we can no longer refer to SOC 1 as an SSAE 16 examination and it will not be replaced by the term SSAE 18 examination. Instead, it will simply be referred to as the SOC 1.

Despite the potential for confusion related to the naming of the examinations and reports, the actual changes to what a service organization has to do to prepare for an examination is not extensive. Here are four changes that come with SSAE 18 that affect the SOC 1 examination.

Vendor Management

The most significant change in the requirements that has to be met by a service organization is ensuring that its vendor management program for sub-service providers (for example colocation facilities) is significantly robust.  SSAE 18 is requiring that service organizations implement processes that monitor the controls at sub-service organizations. SSAE 18 provides the following control suggestions:

  • Review and reconcile output reports.
  • Hold periodic discussions with the sub-service organization.
  • Make regular site visits to the sub-service organization.
  • Test controls at the sub-service organization by members of the service organization’s internal audit function.
  • Review Type I or Type II reports on the sub-service organization’s system.
  • Monitor external communications, such as customer complaints relevant to the services by the sub-service organization.

Risk Assessment

Another change in what will be required by SSAE 18 will be in the area of more specific requirements as opposed to the existing general considerations of risk via a risk assessment.  SSAE 18 requires service auditors to obtain a more in-depth understanding of the development of the subject matter than currently required, in order to better identify the risks of material misstatement in an examination engagement. This, in turn, should lead to an improved linkage between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.

Complementary Sub-service Organization Controls

SSAE 16 required that service organizations provide a listing of controls that should be performed by user organizations.

In order to recognize that more organizations are outsourcing key functions to their own set of sub-service organizations, SSAE 18 introduces the concept of “Complementary Sub-service Organization” controls. This concept establishes and defines the controls for which user entities must now assume in the design of the system description. Another key factor related to these complementary controls is that they are necessary for the achievement of control objectives in the report. SSAE 18 provides more guidance around this area, and will hopefully lead to more consistent reporting across entities and practitioners.

Written Assertion Requirement

The final change to the SOC 1 is the requirement, per SSAE 18, that the service auditor obtains a written assertion. This written assertion is the statement found within the SOC report wherein the service organization asserts that the system description provided is essentially true and complete. This statement has always been contained within the SOC 1 reporting document but the requirement that the service organization signs the document was optional. In practice, the majority of service organizations have already been signing this document, as a way to strengthen the credibility of the report. Accordingly, there will not be significant changes to what either the service auditor or service organization will have to do to meet this requirement.

14 Ways to Prevent Data Breaches in Your Organization (credit: A-LIGN)

Written by Blaise Wabo, A-LIGN on October 11, 2016

Actionable Tips to Prevent Data Breaches

Feeling safe about your organization’s personal data because of encryption standards? Don’t fool yourself into a false sense of security. Managing cyber-risk is a multi-faceted, whole-organization effort that requires implementation at the top levels down. In IBM’s Security Services 2014 Cyber Security Intelligence Index, which analyzed cyber-attack and incident data, more than 95% of all incidents cited “human error” as a contributing factor to the attack.

The list of potential human error risk factors is longer than expected:

  • Administrator system misconfiguration
  • Not updating systems appropriately
  • Not managing system patches
  • Default password usage
  • Default user ID usage
  • Lost devices
  • Misplaced devices
  • Unlocked devices
  • Incorrect disclosure procedures

Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees, so that organizations are able to prevent data breaches caused by human error.

1. Education from the Top Down

This is number one for a reason. Individuals in management may think that because they have an incredible IT Security Director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the potential cybersecurity risks innate to your organization is important in preventing risks.

The development of policies and procedures on how to prevent data breaches is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is essential in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise – for example, new phishing scams or websites with potential vulnerabilities.

2. Hire Well

Strong security starts with great personnel, which is why the hiring process is important. While individuals with experience can be beneficial to an organization, professionals who have a deep understanding of the current risk landscape can be invaluable to an organization, while trying to implement security controls. When recruiting individuals, management should be certain that employees understand the concepts behind both breach prevention and management in the event that a breach does occur.

In addition, management should be sure to maintain communication lines with their security and compliance team in order to ensure that all potential threats are being monitored carefully.

3. Develop an Exit Strategy

It is just as important that employees are educated in cybersecurity as having an exit strategy for employees that are leaving your organization. This includes changing passwords, ensuring that computers and personal devices no longer have sensitive information available on them, and developing contracts that include legal repercussion for sharing or utilizing sensitive data.

4. The Less Data, the Better

Since cyber criminals can only steal information that an employee or organization has access to, one of the major ways to minimize risk is to limit data availability:

  • Reduce the number of employees that have access to at-risk information.
  • Don’t collect information that isn’t relevant to your business.
  • Reduce the number of places where data is physically stored.
  • Only grant data access on an as-needed basis and revoke access as soon as information is no longer necessary.
  • Purge data early and often!

You prevent data breaches by minimizing the amount of access that individuals have to data.

5. Purge Your Data Properly

It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.

Too often, employees think that they are getting rid of all of their data when they remove files that are located on their desktop, without realizing that other clones of the files are present within the body of the computer. By teaching employees’ proper data disposal techniques, you’re able to minimize the risk of having that data get into the wrong hands.

6. Monitor Your BYOD Programs

BYOD or Bring Your Own Device is a program where employees bring their own technology (computers, tablets, cell phones, etc.) to work. Many organizations have moved to this type of program so that employees are able to use technology that they have a better understanding of.  This reduces training time and increases productivity.

However, one of the major risks is that employees do not feel as though they need to be utilizing organizational policies when they are using their “personal” device. The risk here is that while the device may be used for both work and fun, sensitive data is still readily available.

In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.

By implementing strong BYOD policies that force employees to fully understand the risks inherent with the utilization of their own devices, organizations are able to fully prevent data breaches from happening. These programs should emphasize or consider:

  • Password and device-encryption requirements
  • Update and patch requirements
  • Lost or misplaced device notification for emergency response and remote data-wiping
  • Utilization of tracking software
  • Establishment of secure app workflows
  • Anti-malware software
  • Jailbreak prevention
  • Sandboxing
  • Device partitioning

The creation of appropriate BYOD management and policies allow for the program to work successfully, instead of becoming a pain point for organizations.

7. Secure Your Networks

Employees are constantly on mobile devices these days, and often times have their devices set to “Automatically Connect” to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few fake Wi-Fi capture spots that pull sensitive information from these “Hot Spots.”

Ensure the security of your network by investing in a personal or corporate VPN, that way all of the data that is being utilized is appropriately encrypted at the source.

8. Update Software with All Patches and Updates

Software companies are constantly updating their product in order to ensure that their devices are secure for use. Outside companies are constantly finding new vulnerabilities in their software, and patches and updates allow for organizations to ensure that these vulnerabilities do not affect their business functions.

9. Develop “Appropriate Usage” Guidelines for Company Technology

Educate employees on the appropriate usage of organizational technology. This includes when, where and how to login to accounts, how to check their connection to ensure it is reliable and secure, and when not to use devices.

10. Hold Outside Vendors to the Same Standards

By only working with organizations with the correct security and regulatory designations, you are able to prevent data breaches by ensuring all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations or function outside of governing bodies with strict regulation, it is not cheaper than the consumers that are lost due to a data breach. At the end of the day, if your vendor makes a mistake – it is your clients on the line, not just theirs.

11. Prepare for the Worst

Establishing a disaster management plan allows for your organization to feel prepared if the worst were to happen.

While all of your preparations can help you to prevent data breaches, your risk is never fully mitigated. Being prepared allows your team to have a full understanding of their job in order to prevent the breach from growing, or causing unnecessary customer backlash.

12. Test Out Your Disaster Management Plan

Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach and troubleshoot problems with your protocol before it is a reality.

13. Audit Your Organization Regularly

By auditing your team on their practices, you are able to see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocols prior to an issue.

14. Notify Early and Appropriately

If your team even vaguely believes that there was a potential data breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.

The sooner that your team is able to response to an incident, the greater the chance that you have in being able to manage the potential damage to your organization and its clients. Reporting unusual or suspicious activity is the difference between a major breach and a minor one.

Detecting the Threat Within - The Real Challenge of Insider Threat

This is a fantastic white paper published by one of the true pioneers in inside-out cybersecurity and early threat detection/prevention - Darktrace - The Enterprise Immune System

Click this link Darktrace Insider to read the article - it is a GREAT read!  

Darktrace is the world leader in Behavioural Cyber Defence technology. Based on pioneering Bayesian mathematics developed at the University of Cambridge, Darktrace’s unique approach helps organizations to defend against insider threat and advanced, persistent attackers within the network, by detecting new attack vectors as they emerge. Darktrace’s self-learning platform works out normal and abnormal behavior within an organization in real time, in order to detect anomalous and threatening activity. Darktrace is made up of world-class cyber intelligence experts and mathematicians. The company is headquartered in Cambridge, UK, with offices in London, New York, Paris, and Milan.   www.darktrace.com


Attached is a great whitepaper on Cybersecurity.  It was authored by Christopher Pogue, Chief Information Security Officer @ Nuix.

It's absolutely well worth the time to read the article... enjoy!  There are several valuable links to further reading on page 19 as well.  Select the link below to launch the Nuix Whitepaper.

Why the cybersecurity industry has been fighting the wrong battle for 20 years—and how we can reclaim the surrendered ground

Find Digital Evidence

Finding the Digital Elephant in the Room- a story about digital investigation, told using an elephant. 
With traditional digital forensic investigation tools, you can never see the bigger picture –only the individual parts. It's a bit like the ancient parable from Asia about six blindfolded men and an elephant. But there is a better way.

Watch the video

FINRA 2017 Regulatory and Examination Priorities

On January 4th, 2017, the Financial Industry Regulatory Authority (FINRA) published its Annual Regulatory and Examination Priorities Letter to highlight issues of importance to FINRA's regulatory programs. 

The letter can be found by selecting this link:  http://www.finra.org/industry/2017-regulatory-and-examination-priorities-letter#1

Below are some notable points from the FINRA letter:


FINRA will review firms’ compliance with their supervisory and record retention obligations with respect to social media and other electronic communications in light of the increasingly important role they play in the securities business.


Cybersecurity threats remain one of the most significant risks many firms face. FINRA will continue to assess firms’ programs to mitigate those risks. FINRA recognizes there is no one-size-fits-all approach to cybersecurity, and will tailor their assessment of cybersecurity programs to each firm based on a variety of factors, including its business model, size, and risk profile.

  •  Among the areas FINRA may review are firms’ methods for preventing data loss, including understanding their data (e.g., its degree of sensitivity and the locations where it is stored), and its flow through the firm, and possibly to vendors.
  • FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools. In some instances, they will review how firms manage their vendor relationships, including the controls to manage those relationships. The controls should be informed by a number of factors, including a clear understanding of any customer or employee personally identifiable information or sensitive firm information to which vendors have access.
  • They may also examine firms’ controls to protect sensitive information from insider threats. The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.
  • FINRA will also draw firms’ attention to two areas in which they have observed repeated shortcomings in controls.
    • First, cybersecurity controls at branch offices, particularly independent contractor branch offices, tend to be weaker than those at firms’ home offices. They have observed poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data.
    • Second, in multiple instances, firms have failed to fulfill one or more of their obligations under Securities Exchange Act (SEA) Rule 17a-4(f) that requires firms to, among other things, preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once, read many (WORM) format. This includes situations where vendor-provided email review and retention services did not fulfill SEA Rule 17a-4(f) requirements. FINRA recently announced enforcement actions against 12 firms for, among other things, failure to preserve broker-dealer and customer records in WORM format.


FINRA will assess firms’ testing of their internal supervisory controls. Regular testing is critical to enabling firms to identify and mitigate gaps or inadequate controls (e.g., poorly set parameters in automated compliance systems) that, left undetected, may lead to significant, systemic control breakdowns. These problems arise in firms’ day- to-day operations, but FINRA has observed that they can be more prevalent when firms increase the scale or scope of their business or change from legacy to new compliance systems.

  • Control breakdowns can include record-retention omissions and failures to deliver requisite disclosure or other documents to clients. In addition, FINRA has observed situations where data is inaccurate, for example, with respect to product or order types. This can lead to situations where automated alerts fail to identify activity in client accounts for further review or where extensive manual intervention is necessary to make the data useable. FINRA reminds firms of their obligations with respect to supervisory controls testing and chief executive officer certifications pursuant to FINRA Rules 3120 and 3130.


FINRA urges compliance staff, supervisors, and senior business leaders to consider the topics addressed in this letter. Using the information as part of firms’ compliance, supervision and risk management practices can better protect investors, the markets, and firms themselves.

Think You Haven't Been Breached?- you just don't know it yet

We only hear about the companies that figure out that they've been breached... and most often, they figure it out WAY too late!

As for where the threats originate, insider threats by employees are always going to be the biggest security risk for businesses. Employees without proper information security access controls and training are more likely to succumb to popular tactics used by hackers.

You must consider what information/data to which your employees have access.

Michael Hack, Senior VP of EMEA Operations at Ipswitch said, “It’s no longer good enough just to have the right policies in place for secure data transfer, an organization must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training.”

Employers must also consider the serious responsibility of receiving and managing customer information in a way that retains customer confidence when using their information/data.

Data is Like Beans

Finding the nugget of Critical Data out of a Massive Datastore- a story about finding 1 out of 3 Billion cans of beans.
Why Beans? The can of beans represents a single email and its attachments. When we’re talking about Terabytes of data, we tend to lose perspective on how big a problem these files can be, and how difficult it is to find what you’re looking for.

Watch the video

SOC 2 Compliance

What Legal Professionals Needs To Know

The importance of achieving Type II Service Organization Control (SOC 2) compliance cannot be undervalued by the legal community. SOC 2 compliance is part of the American Institute of Certified Public Accountants (AICPA) Service Organization Control reporting platform. These guidelines were introduced in an attempt to restructure the existing (outdated) reporting methods of service organizations, and to align with the growing trend toward more globally accepted accounting principles.

The SOC reporting platform has three options: SOC 1, SOC 2 and SOC 3. Although SOC 1 and SOC 3 will be addressed briefly in this whitepaper, the primary focus will be on SOC 2 compliance, which is designed specifically to address the increasing popularity of cloud computing and other forms of shared technology within the service organization world.

Maintaining secure channels for the transmission and storage of this type of data is of particular concern when dealing with legal matters. Achieving compliance with SOC 2 is indicative of maintaining objective levels of security, availability, confidentiality and privacy. Determining criteria are evaluated by independent auditing agencies, and include such elements as operating effectiveness, design, processes, and procedures involved with data-center controls.

Security Risks in Outsourcing

The way business is done has changed so drastically that it’s become necessary for companies to outsource portions of their functions or tasks – and sometimes even core operations – to outside service organizations. When the service organization takes on these functions, they also adopt the inherent risks that used to be the company’s sole responsibility. Yet, since they are external to the user entity, they often operate outside the bounds of existing safeguards. In other words, the same rules may not apply.

Recent increases in privacy breaches, fraudulent activities, and other malicious ‘hacking’ have served to similarly increase internal regulatory controls, such as HIPAA, the Sarbanes-Oxley Act, and Basel II. As a result, due diligence during the vetting process of prospective service organizations is increasing and the government is now overseeing existing outsourced organizations. Regulatory changes, especially in the field of technology, have underlined the need for assurance that management is capable of maintaining client security and data integrity. The systems used by both the originating organization and any satellite service organizations must process data with the same level of privacy, confidentiality, and integrity.

Enacting SOC 2 compliance, along with meeting other compliance standards, allows an independent entity or CPA to determine whether the existing controls of a service organization meet the necessary standards. Additionally, the service organizations are able to respond with concrete action plans to achieve compliance through this objective evaluation. The three Service Organization Control reporting options laid out by the AICPA provide this necessary framework.

Focus on SOC 2 Compliance

As mentioned previously, there are three different types of SOC reports.

·         SOC 1 Report: Provide focus on internal controls that are relevant to financial reporting. These are conducted in accordance with SSAE 16.

·         SOC 2 Report: Address the controls regarding security, availability, and processing integrity of internal systems, as well as the confidentiality and privacy of any data that is processed by that system.

·         SOC 3 Report: Handle controls related to security, availability, confidentiality, and processing integrity in accordance with Trust Service Principles.

Unlike SOC 1 reports, SOC 2 compliance relies on the AT Section 101 professional standard which uses a criteria-based analysis that centers on the five Trust Service Principles, as stated by the AICPA and CICA:

Security. The system is protected against unauthorized access (both physical and logical).

Availability. The system is available for operation and use as committed or agreed.

Processing Integrity. System processing is complete, accurate, timely, and authorized.

Confidentiality. Information designated as confidential is protected as committed or agreed.

Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally-accepted privacy principles issued by the AICPA and CICA.”

Specifically, SOC 2 compliance is based on the reporting of non-financial controls, like those within the technological sector such as managed services, data-centers, and other aspects of service organizations.

The development of the SOC 2 guidelines arose from the multitude of changes within service organization reporting, the growing trend toward international accounting standards, the previous abuse of outdated auditing standards, and the simple need to provide a more appropriate reporting platform for the way business is done today. The SOC framework delivers a multifaceted approach for reporting platforms among service organizations.

Core Requirements

·         System Description:  A key aspect for obtaining SOC 2 compliance is to maintain a written description of the “system” used by the service provider. The narrative must be both detailed and comprehensive, addressing the services provided as well as any supporting processes, internal policies and procedures, and any other core operational activities that are relevant to the service provider’s user entity. This system description requires much more in-depth detail than the control descriptions mandated by the SAS 70 predecessor audit.

·         Written Statement of Assertion: The service auditor who is performing the examination for SOC 2 compliance must be provided with a written statement of assertion. This document declares factual statements regarding the service provider’s control environment.

·         Criteria Description: Since SOC 2 compliance is based on criteria rather than objectives, documentation is required showing the metrics that are in place to meet the Trust Service Principles.

Benefits of SOC 2 Compliance for the Legal Community

The American Bar Association Formal Opinion #451 specifically states that:

"The challenge for an outsourcing lawyer is, therefore, to ensure that tasks are delegated to individuals who are competent to perform them, and then to oversee the execution of the project adequately and appropriately. When delegating tasks to lawyers in remote locations, the physical separation between the outsourcing lawyer and those performing the work can be thousands of miles, with a time difference of several hours further complicating direct contact. Electronic communication can close this gap somewhat, but may not be sufficient to allow the lawyer to monitor the work of the lawyers and non-lawyers working for her in an effective manner. At a minimum, a lawyer outsourcing services for ultimate provision to a client should consider conducting reference checks and investigating the background of the lawyer or non-lawyer providing the services as well as any non-lawyer intermediary involved."

Rule 1.6(a) of the ABA Model Rules of Professional Conduct states:

“A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).”

Rule 1.6(c) adds:

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Comment 3 on Rule 1.6 clarifies:

“The rule of client-lawyer confidentiality applies in situations other than those where evidence is sought from the lawyer through compulsion of law. The confidentiality rule, for example, applies not only to matters communicated in confidence by the client but also to all information relating to the representation, whatever its source. A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct or other law. See also Scope.”

Rule 5.3(b) requires that lawyers who utilize the skills and talents of non-lawyers must “make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer.”

Above all, the lawyer must preserve fiduciary responsibility to their client. When hiring outside parties and service providers, it’s counsel’s responsibility to ensure that the attorney-client privilege is kept sacrosanct. Independent auditing to determine SOC 2 compliance delivers an extra layer of protection for both counsel and client. Clients have an objective set of guidelines that they know their team is bound by, and counsel has the assurance that all members of the staff must hold to the same ethical guidelines as they themselves are required to uphold.

SOC 2 compliance extends far beyond personnel, as well. The entire organization is covered, as well as the technological infrastructure being utilized. This includes the data-center operating environment, management of data storage, server and database administration, and tools and processes used for system monitoring. Both physical and virtual system security are included, as well as common support processes that are applicable to multiple avenues of service provider and primary business.

Ensuring SOC 2 compliance satisfies the ethical obligations set forth by the ABA in providing insurance that systemic and necessary protocols are in place to protect the lawyer-client privilege. This offers clients a higher level of confidence in their counsel, as well as assurance that any critical data or sensitive information will be handled and stored securely. For clients, doing business with a legal team with SOC 2 compliance delivers an additional seal of approval for the methods used to handle client information, allowing for greater peace of mind for client and counsel alike.


There are quite a few individual certifications that complement SOC 2; some of the more relevant to a services company include:

  • CISSP – Certified Information Systems Security Professional
  • CIPP (US, IT, Europe) – Certified Information Privacy Professional
  • ECMP – Enterprise Content Management Practitioner
  • ERM – Enterprise Risk Management

Completing a Type II SOC 2 examination relevant to security, availability, confidentiality and privacy provides attestation that processes, procedures and controls are formally evaluated and tested by an independent auditing firm.  Passing this audit provides certification of compliance to a service organization that qualifies the design and operating effectiveness of their organization.  This examination demonstrates that the service organization is compliant with the relevant criteria and its clients are being served by a SOC 2 standard controlled facility.  The examination's completion also provides valuable insight into the people and procedures responsible for successful data-center controls.