Complementary Controls at User Organizations

EnCirca’s services are designed with the assumption that certain controls will be implemented by user organizations. Such controls are called complementary user organization controls. It is not feasible for all of the control objectives related to EnCirca’s customized domain name registration services to be solely achieved by EnCirca’s control procedures. Accordingly, user organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of EnCirca.

The following complementary user organization controls should be implemented by user organizations to provide additional assurance that the control objectives described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user organizations’ locations, user organizations’ auditors should exercise judgment in selecting and reviewing these complementary user organization controls, which may include:

• User organizations are responsible for understanding and complying with their contractual obligations to EnCirca.
• User organizations are responsible for developing their own disaster recovery and business continuity plans that address their ability to access or utilize EnCirca services.
• User organizations are responsible for ensuring that user IDs and passwords used to access EnCirca applications are kept in a secure manner and only used by authorized employees.
• User organizations are responsible for requesting an authorized user ID and password for user organization employees. User organizations are responsible for defining the level of access given to employees and customers.
• User organizations are responsible for requesting the revocation of application access privileges assigned to terminated employees as a component of the employee termination process.
• User organizations are responsible for restricting administrative privileges within the application or systems to authorized personnel and for designating internal personnel who are authorized to request user additions, deletions, and security level changes.
• User organizations are responsible for notifying EnCirca of changes made to technical or administrative contact information in a timely manner.
• User organizations are responsible for understanding and defining data storage requirements.
• User organizations are responsible for understanding and implementing encryption protocols to protect data during transfer to EnCirca.
• User organizations are responsible for immediately notifying EnCirca of any actual or suspected information security breaches, including compromised user accounts and passwords.
• User organizations are responsible for notifying EnCirca of any regulatory issues that may affect the services provided by EnCirca.