About Second Look

Technology, Compliance & Security

Enhanced Recovery Through Technology & Security You Can Trust

Second Look, Inc. Information Technology (IT) Controls

The following description outlines the IT environment of Second Look and general controls in place. General controls establish the control environment in which all applications and data are processed. Therefore, the general data processing procedures have an impact on the effectiveness of controls in all applications.

Second Look has organized its Information Technology Services department as a separate organizational unit in its corporate structure.

Information Technology Services is responsible for the following functions:

1. Information Security
2. Computer Equipment Security
3. Data Processing
4. Systems Development and Implementation, and Change Management/Maintenance

Information Security

Information security is monitored and managed by two resources, a Chief Security Officer and a Compliance Officer. These employees are responsible for ensuring the overall security of the infrastructure and the intellectual capital of Second Look and its clients. Second Look has established an extensive series of policies concerning employee, customer, client, business, and personal and medical security issues. Additionally, the Company has established non-disclosure and information privacy related policies to ensure the overall security of client information. Some of the policies require employee signature and/or receipt acknowledgements. These policies are given to the employees in hard copy form and also published on the company Intranet. Employees attend semi-annual security policy refresher training to ensure their information security responsibilities are kept at the forefront of their daily activities.

Second Look maintains an advanced wide area computer network that employs security technologies and industry standard preventative maintenance processes to secure information and intellectual assets. The Company has a well-established IT Department that is skilled in maintaining the overall functionality of the network and administers the policies deemed necessary to ensure the security of information. Second Look’s IT staff disables system access immediately upon notification from Human Resources.

Computer Equipment Security

The offices of Second Look are secured using electronic locks and badge security cards assigned and monitored by the HR department. In addition, office receptionists control people entering and exiting the building. During non-business hours, alarm systems are activated and monitored by external companies. The data center has heavy-duty combination locks to restrict entry to IT personnel only. There are policies and procedures in place that reinforce office security. For example, Second Look has a policy that requires visitors and contractors to be escorted by a Second Look employee at all times while inside the facility. Additionally, human resources policies prevent terminated employees from accessing the facilities.

Second Look has developed a Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP). The network infrastructure is protected by a series of disaster prevention and disaster recovery technologies and processes. Each server room is kept safe through the use of common power backup, fire detection, fire suppression, and climate control systems. An information backup system is used as a means to replicate information off site and as a method of recovering should a disaster occur.

Data Processing

Second Look’s network infrastructure utilizes the Microsoft platform, with overall architecture and management of the infrastructure provided by the Company’s IT Department. Network servers utilize the Microsoft Server infrastructure and desktops use XP/Vista business operating systems. Second Look uses a Wide-Area Network (WAN) topology to connect all offices, but the majority of non-IBM i-Series information remains within each office. The Company’s IT Department employs full-time systems operators to monitor and manage the production systems, which are powered by two IBM i-Series servers, on a day-to-day basis. Second Look maintains two data centers, one in New York and the other in Florida, to provide failover and real-time redundancy capability.

Production processing is performed through job and batch execution of scheduled programs. These jobs are scheduled to run during night hours, weekends and during the day, based on pre-defined business processes and triggers. Control over production processing is provided by a predefined schedule, which is monitored and change-restricted to certain Second Look personnel.

Systems Development and Implementation, Change Management and Maintenance

Second Look uses a Change Control System to manage the Systems Change Management business process to provide documentation assistance and business process enforcement. This system is used by the IT Department to manage the entire systems development lifecycle, from end user requests for new changes through the move into production. To provide controls associated with new system launches, Second Look employs an iterative software development approach which consists of the following main stages:

• Requirements Gathering and Analyzing
• Design and Prototyping
• Development and Unit Testing
• Quality Assurance
• User Acceptance Testing
• Support and Enhancement

The stages are supported by development, Quality Assurance/Testing and production environments. Each has a unique purpose and provides additional controls designed to improve the security and stability of the production environment. The systems change methodology involves a distinct segregation of duties, involving the project managers, the programmers, the design and testing staff, and Second Look users. The objective is to ensure that developers cannot implement their own changes, thereby reducing errors and minimizing risks. All steps within the process are followed by a procedure that tracks and documents project steps.

Software changes can only be submitted by supervisors. Programmers are only authorized to access select software libraries, based on the team they are assigned. Changes are tested first in the programmer’s work library, then in the project manager’s own test library, before being submitted to the testing group for final quality assurance and user acceptance testing, and are then moved into production. A Quality Assurance (QA)/Testing team has a full copy of the production database (with all personally identifiable information masked), which is used to run a production load test on the change in question prior to moving to production. The developers do not have access to the QA/Testing environment and vice versa. Additionally, systematic controls ensure developers cannot move code into production. Only the QA/Testing team is empowered to implement the changes into production.

1. INFORMATION TECHNOLOGY (IT) CONTROLS
Information technology controls are in place to provide fundamental control objectives to ensure the reliability of information processing.

2. INFORMATION SECURITY
Controls provide reasonable assurance that logical access to programs and data is reasonable and restricted to properly authorized individuals.

3. COMPUTER EQUIPMENT SECURITY
Controls provide reasonable assurance that physical and environmental controls are in place and access to computer equipment is limited to authorized personnel.

4. DATA PROCESSING
Controls provide reasonable assurance that processing is appropriately authorized and scheduled. Deviations from scheduled processing are identified and resolved.

5. SYSTEMS DEVELOPMENT AND IMPLEMENTATION, CHANGE MANAGEMENT AND MAINTENANCE
Controls provide reasonable assurance that new applications and software, as well as changes to existing applications and software, are authorized, tested, approved, properly implemented, and documented.

6. DATA TRANSMISSION
Controls provide reasonable assurance that customer information transmitted electronically is secure, accurate, and received and sent by Second Look in a timely manner.

7. CUSTOMER SERVICE
Controls provide reasonable assurance that customer information is properly maintained and segregated from data managed for other clients serviced by the company.

 
