- Managed Services
- About Us
SOC 3® | IS Partners, LLC
INDEPENDENT PRACTITIONER’S TRUST SERVICES REPORT
To the Management of Kastle Systems:
We have examined management’s assertion that Kastle Systems (“Kastle”) during the period January 1, 2018 through November 30, 2018, maintained effective controls to provide reasonable assurance that the managed security services system, as described in the attached system description, was: 1) protected against unauthorized access, use, or modification (both physical and logical) to meet the entity’s commitments and system requirements, based on the American Institute of Certified Public Accountants’ (“AICPA”) Trust Services Criteria for Security set forth in TSP Section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (“applicable trust services criteria”).
Kastle’s management is responsible for this assertion. Our responsibility is to express an opinion based on our examination. Management’s description of the managed security services system covered by its assertion is attached. We did not examine this description and, accordingly, we do not express an opinion on it.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included: (1) obtaining an understanding of the controls related to the security of the managed security services system; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
Because of the nature and inherent limitations in controls, Kastle’s ability to meet the aforementioned criteria may be affected. For example, controls may not prevent or detect and correct error or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies and requirements. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions.
In our opinion, management’s assertion referred to above is fairly stated, in all material respects, based on the AICPA Trust Services Criteria for Security.
IS Partners, LLC
Certified Public Accountants
February 13, 2019
Management’s Assertion Regarding the Effectiveness of its
Controls over Kastle Systems’ Managed Security Services System
Based on the AICPA Trust Services™ Criteria for Security
Kastle Systems maintained effective controls over the security of the managed security services system to provide reasonable assurance that:
during the period January 1, 2018 through November 30, 2018, based on the Trust Services™ Criteria for security, established by the American Institute of Certified Public Accountants (“AICPA”) set forth in TSP Section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The attached “System Description of Kastle Systems’ Managed Security Services System” identifies those aspects of the system covered by our assertion.
February 13, 2019
System Description of Kastle Systems’ Managed Security Services System
Kastle Systems has been a leader in the security industry for more than 45 years with new technologies and advanced security solutions. Kastle was named the 2015 Systems Integrator of the Year for outstanding innovation and customer experience by SDM, the industry’s leading trade publication, Kastle operates and manages security systems for over 10,000 locations around-the-clock. Kastle’s innovative outsourced security services including video, access and visitor management, significantly reduce costs and improve the critically important, 24/7 performance of security systems for building owners, developers and tenants.
Kastle creates security solutions based on an expert assessment of each client’s unique environment and situation. Kastle partners with leading manufacturers in the security industry and build open, standardized systems suited to each client. Kastle implements their designs using industry best practices, with minimal business interruption. Kastle ensures that each client’s system operates in peak condition because they repair, replace, and warranty their products.
Kastle’s Managed Security Services includes a team of trained operators that works in the industry’s most advanced centers 24×7, responding to critical signals that are reported to client administrators. Kastle takes responsibility for security procedures, database management, and reporting on trends and events, delivering the highest level of preparedness. Account managers work as the main point of contact, while tools and organization ensure that Kastle can provide assistance to clients quickly and efficiently. Kastle’s services strengthen business continuity plans with redundancy in power, connectivity, support coverage, and data storage.
This system description covers Kastle’s Managed Security Services.
Products and Services
The primary products and services that Kastle Systems provides to clients are as follows:
Access Control – Kastle Systems is the industry’s leading provider of managed access control and is recognized by peers as best in class You can count on us, as part of your team, to complete the tasks that maintain security integrity day in and day out. Kastle’s access control monitors and responds to critical security alarms at industry-best levels. With Kastle’s access control, an employee is recorded only once, and every credential is associated with that person. Kastle syncs their access control system with the client’s authoritative source. The result is that on-boarding and off-boarding are automatically controlled, and end users can use a single credential to access multiple offices or spaces easily.
Video Surveillance (KastleVideo) – KastleVideo allows clients to receive and view highly detailed images from cameras in client buildings. KastleVideo also allows clients to see their video cameras anywhere to monitor what’s happening in real time or to review past events. Client computers, laptops, surface tablets, and smartphones can be used to access live footage from KastleVideo. Through advances in analytics, KastleVideo can set rules for multiple functions. The system can be programmed to send an alert to client management when someone is in an area they shouldn’t be and various related security and monitoring functions.
Visitor Management (Kastle FrontOffice) – Kastle FrontOffice enables visitor registration directly from Microsoft Outlook or Gmail, to user-friendly barcodes that are emailed to visitors for a better check-in experience, KastleFrontOffice helps clients securely increase pre-authorized visitor rates and decrease wait times and congestion in the lobby. The system automatically sends invites, maintains tight control for visitor access timeframes, and assigns and shares a barcode for each visitor, allowing entry into the facility in a fast, efficient manner.
Fire and Life Safety – Kastle monitors critical alarms, such as fire, so that within seconds of an alarm Kastle will have already begun handling it and dispatching first responders. Kastle partners with clients to regularly test equipment and alarm functionality to ensure everything is working exactly as it should be. All of client alarms are sent to multiple monitoring centers simultaneously.
Environmental Control – Kastle critical sensor monitoring protects client systems from a variety of potential disasters caused by unexpected changes in the environment including overheating in the IT room, equipment tampering, HVAC system indicators, power outages or even rising water levels. Kastle provides immediate notification of critical environmental or system changes so you can take action before the damage is done.
24×7 Monitoring – Kastle Systems are connected to client buildings 24×7. This connection gives Kastle the ability to remotely report on everything that’s happening in a client space live, in real-time. The Kastle priority queue reports everything but orders it from highest to lowest priority, allowing Kastle operators to respond to the most important events first. Any Kastle location can immediately pick up and take over for any other location, providing clients with expert service. Kastle’s team of operators receive extensive training in advanced technology and innovative solutions, and they are committed to client security.
Components of the System
The system is comprised of the following five components:
The following sections of this description define each of these five components comprising Kastle’s managed security services system.
Kastle Systems is headquartered in Falls Church, Virginia. Kastle Systems also has offices in Atlanta, Los Angeles, San Francisco, Houston, Dallas, Chicago, Miami, New York, Philadelphia, and Sydney, Australia. Physical and logical security controls are uniform across all Kastle locations. Access to every office, computer machine room, and other Kastle work areas containing sensitive information is physically restricted. During non-working hours, workers in areas containing sensitive information lock-up all information. All Kastle computer and network equipment is physically secured at all times. Local area network servers and other multi-user systems are placed in locked cabinets, locked closets, or locked computer rooms. Computer and network gear may not be removed from Kastle offices unless the involved person has obtained permission from management.
Information Technology Department – The Information Technology department is the central point of contact for all information security matters at Kastle Systems. Acting as internal technical consultants, it is this department’s responsibility to create workable information security compromises that take into consideration the needs of users, custodians, owners, and selected third parties. Reflecting these compromises, this department defines information security standards, procedures, policies, and other requirements applicable to the entire organization. Information Security must handle all access control administration activities, monitor the security of Kastle information systems, and provide information security training and awareness programs to Kastle workers. The department is responsible for periodically providing management with reports about the current state of information security at Kastle. While information systems contingency planning is the responsibility of information custodians, the Information Technology department must provide technical consulting assistance related to emergency response procedures and disaster recovery. The Information Technology department is also responsible for organizing a computer emergency response team to promptly respond to virus infections, hacker break-ins, system outages, and similar information security problems.
The following people comprise the Kastle Systems management team: The Kastle Systems Chairman and Co-Chairman, Chief Executive Officer, Chief Customer Officer, Chief Technology Officer, Chief Human Resources Officer, Chief Financial Officer, and the Regional General Managers.
Kastle Systems has documented policies and procedures to support the operation and controls over the system. Specific examples of the relevant policies and procedures include the following:
This component of the system definition is limited to the information used and supported by the system for the services outlined in this description. The Kastle Systems data classification system is based on the concept of need-to-know. This term means that information is not disclosed to any person who does not have a legitimate and demonstrable business need to receive the information. This concept, when combined with security policies, will protect Kastle Systems information from unauthorized disclosure, use, modification, and deletion.
Kastle Systems is committed to protecting the privacy of its clients and to the confidentiality of their information. Kastle Systems expects all employees, consultants and vendors to abide by Kastle Systems’ Data Classification and Information Security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Kastle Systems’ Data Classification and Information Security policies.