A. Overview of Service Provided
Castlight Health, Inc. (Castlight or Company) provides cloud-based software that enables enterprises to gain control over their healthcare costs. Castlight was incorporated in the State of Delaware in January 2008 as Maria Health, Inc. In November 2008, the Company changed its name to Ventana Health Services, and in April 2010, changed its name to Castlight, Inc., and then subsequently changed its name to Castlight Health, Inc. The Company’s principal executive offices are located in San Francisco, California.
B. The components of the system used to provide the services are the following:
Castlight employs infrastructure, hardware and network services incorporating physical, technical and administrative controls including: external and internal firewalls configured for least port access, traffic load balancing for server masking, network switching with VLAN segregation, network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), web application firewalls (WAF), data leakage protection (DLP), server function segregation (DMZ, web/application, database), encryption in transit and at rest, and Linux-based operating systems. Hosting facilities are located at SunGard Data Systems in Aurora, Colorado, and Scottsdale, Arizona, which provide a wide range of facility characteristics, including architectural design and facilities, power distribution and backup power supply, environmental controls including air quality control systems, and secure monitoring. Other facility characteristics include multiple, redundant UPS-protected power circuits with generator backup, smoke detection units, fire suppression systems, customer-operated environmental control, biometric geometry scanners and controlled customer access via a secure lobby.
The Company maintains documented policies and procedures to support the operations and controls over its physical and logical environments. Specific examples of the relevant procedures include the following:
Castlight collects and stores healthcare data and other personal information related to its customers’ health and welfare benefit plan eligible members (“Members”) as part of the service the Company provides to its customers. During the new customer on-boarding process, the Company receives eligibility files from customers that include 2 years of claims data as well as the full name, address, phone number, email address and date of birth of customer Members. The Company has controls in place to encrypt data at rest and in motion. Castlight uses Gazzang Ezncrypt for encryption at rest and SSL or PGP for encryption in motion.
C. The Boundaries of the System Covered by the Description
The boundaries of a system are the specific aspects of a service organization’s infrastructure, software, people, procedures and data necessary to provide its services. The boundaries of Castlight’s system include the infrastructure, software, people, procedures and data at the Company’s headquarters that directly support the services that the Company provides to its customers. The Company uses SunGard for data center co-location services. The description of the system includes only the control objectives and related controls of Castlight and excludes the control objectives and related controls of SunGard.
D. Significant Events and Conditions
Every user must successfully complete a three-part process before receiving access to the Enterprise Healthcare Cloud software:
All subsequent requests to the Enterprise Healthcare Cloud software are validated against a server-side user session. The session ID is stored in a secure cookie and submitted with each request. Single session authentication tokens are used to protect against Cross Site Request Forgery. All requests and responses are sent via HTTPS. SAML assertions are encrypted in transport via SSL and Castlight encourages encryption of the payload using a public key from Castlight.
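The request validation described above (server-side session looked up from a secure cookie, a single per-session token checked on state-changing requests, and HTTPS required for every request) can be illustrated with the following added example. It is not code from Castlight or the Enterprise Healthcare Cloud software; the cookie name `SESSIONID`, the in-memory `SESSIONS` store, the request dictionary shape and the `authorize_request` function are all assumptions made for the example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

# Hypothetical in-memory stand-in for a real server-side session store.
SESSIONS: dict[str, Session] = {}

# Methods that change state and therefore must carry the anti-CSRF token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    user_id: str
    csrf_token: str  # one token per session, checked on every state-changing request


def create_session(user_id: str) -> tuple[str, str, str]:
    """Create a server-side session after successful authentication.

    Returns (session_id, csrf_token, set_cookie_header). Only the session ID
    travels in a cookie; the CSRF token is placed in page state by the
    application so that a cross-site request cannot obtain it.
    """
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(user_id, csrf_token)
    # Secure: sent only over HTTPS. HttpOnly: not readable by page scripts.
    # SameSite=Lax: not attached to cross-site POSTs, a second line of defence.
    set_cookie = f"SESSIONID={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return session_id, csrf_token, set_cookie


def parse_cookies(header: str) -> dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def authorize_request(request: dict) -> tuple[bool, str]:
    """Validate one request against the server-side session.

    `request` is a constructed dict with keys: method, scheme, headers, form.
    Returns (allowed, reason); every rejection names the failed check.
    """
    if request.get("scheme") != "https":
        return False, "request not sent over HTTPS"

    cookies = parse_cookies(request.get("headers", {}).get("Cookie", ""))
    session = SESSIONS.get(cookies.get("SESSIONID", ""))
    if session is None:
        return False, "no valid server-side session"

    if request.get("method", "GET").upper() in STATE_CHANGING:
        submitted = str(request.get("form", {}).get("csrf_token", ""))
        # Constant-time comparison so response timing does not leak token bytes.
        if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
            return False, "missing or invalid CSRF token"

    return True, f"authorized as {session.user_id}"


def revoke_session(session_id: str) -> None:
    """Logout or forced invalidation: the cookie value becomes useless at once."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    sid, csrf, cookie = create_session("member-42")
    print("Set-Cookie:", cookie)
    base = {"scheme": "https", "headers": {"Cookie": f"SESSIONID={sid}"}}
    print(authorize_request({**base, "method": "GET", "form": {}}))
    print(authorize_request({**base, "method": "POST", "form": {}}))
    print(authorize_request({**base, "method": "POST", "form": {"csrf_token": csrf}}))
```

Because the session record lives on the server, a stolen cookie value is the only client-side secret, and revoking the record invalidates it immediately; the CSRF token is deliberately kept out of the cookie so that a forged cross-site request cannot supply it.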
Setup of access rights for all users is initiated through a Customer eligibility file that is securely transferred to the Enterprise Healthcare Cloud software and processed. The file is processed periodically to ensure that only approved, active users can register and access the software.
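The periodic eligibility-file processing described above can be shown as a small reconciliation step. The following is an added example, not Castlight's file format or code: the CSV column names, the sample rows and the `reconcile` function are assumptions. The example deliberately refuses a file that lacks the expected columns, so that a malformed file is never interpreted as "nobody is eligible", and treats duplicate rows and mixed-case status values as the edge cases they are.

```python
from __future__ import annotations

import csv
import io

# Constructed sample eligibility file (column names are assumptions for this example).
SAMPLE_ELIGIBILITY_CSV = """member_id,status,email
M1001,active,a@example.com
M1002,termed,b@example.com
M1003,active,c@example.com
M1003,active,c@example.com
M1004,ACTIVE,d@example.com
"""

REQUIRED_COLUMNS = {"member_id", "status"}


def parse_eligibility(text: str) -> set[str]:
    """Return the set of member IDs whose status in the file is active.

    Raises ValueError when required columns are absent so that a malformed
    file halts processing instead of silently producing an empty eligible set.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"eligibility file missing columns: {sorted(missing)}")
    eligible: set[str] = set()
    for row in reader:
        member_id = (row.get("member_id") or "").strip()
        status = (row.get("status") or "").strip().lower()
        if member_id and status == "active":
            eligible.add(member_id)  # duplicates collapse into the set
    return eligible


def reconcile(eligible: set[str], registered: set[str], pending: set[str]) -> dict[str, set[str]]:
    """Derive access changes from the latest file.

    allow_registration: pending registrants present in the eligible set
    deny_registration:  pending registrants not in the eligible set
    deactivate:         registered accounts no longer eligible
    """
    return {
        "allow_registration": pending & eligible,
        "deny_registration": pending - eligible,
        "deactivate": registered - eligible,
    }


if __name__ == "__main__":
    eligible = parse_eligibility(SAMPLE_ELIGIBILITY_CSV)
    changes = reconcile(eligible, registered={"M1001", "M1002"}, pending={"M1003", "M1005"})
    for action, members in changes.items():
        print(action, sorted(members))
```

Running the reconciliation on every file delivery is what keeps the registered population equal to the currently eligible population; the `deactivate` set is the part most often forgotten when eligibility is only checked at registration time.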
The Enterprise Healthcare Cloud software employs security measures to protect against the loss, misuse and unauthorized alteration of data, including:
Castlight employs software performance monitoring services to simulate the end user experience from fifteen different global locations, testing two of these locations simultaneously every five minutes (http://www.alertsite.com).
Castlight also employs an internal monitoring system to monitor each individual server hosting the Enterprise Healthcare Cloud software. This enables Castlight to promptly detect poorly performing servers and resolve performance issues.
Monitoring provides real-time information that allows Castlight to verify infrastructure operations and is designed to ensure the availability and performance of distributed IT infrastructures, including: servers, operating systems, network devices, network services, applications and application components.
Castlight manages data created internally and obtained from external sources, including data that is confidential or private in nature. The trust of our customers and partners is essential to the business, and therefore the protection of this data and the technology that processes the data is pivotal to supporting the company’s mission. The protection of this data from unauthorized use, modification or disclosure is mandated in Castlight’s information security policies. These policies allow management to monitor and control information security while reducing the residual business risk and complying with customer, legal, regulatory and stakeholder requirements.
As the information security policies share a common goal of protecting data and technology through consistent standards and processes, it is imperative that all security-related policies follow a common framework. A common framework for information security policies will establish a comprehensive and cohesive information security management for Castlight personnel and facilitate compliance with the policies.
Castlight protects the Enterprise Healthcare Cloud software and data through the implementation of information security controls. Where an incident is not prevented, an Incident Management process is in place to detect and respond to incidents in a manner intended to eliminate or minimize incident impact. The purpose of the Incident and Breach Management is to detect, report, assess, contain, and respond to information security and data breach incidents.
E. Reporting to User Entities and Other Parties
Castlight Insights provides dashboards, reports, and analytics to pinpoint opportunities that eliminate wasteful healthcare spending and poor-quality outcomes. This Solution Center allows business and benefits executives to move from receiving disparate reports from multiple sources—which often lack synergy with the entire benefits strategy—to a single source of record for enterprise healthcare with analytics identifying how to optimize for cost and employee outcomes.
Castlight Care is available to users across a variety of platforms, including web, iOS, Android, Windows Mobile and the Castlight Guide live telephonic service, and is available in Spanish on mobile devices.
F. Control Environment
The board of directors and senior management establish the Company’s culture regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around the performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a substantive impact on the overall system of internal control.
Core Principles included in the Company’s Control Environment:
G. Risk Assessment
The Company has a risk assessment process to identify and manage risks that could affect its ability to provide reliable services to its clients. This process requires management to identify significant risks in their areas of responsibility and to implement appropriate measures to address those risks.
Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the Company are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the Company. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.
Core Principles included in the Company’s Risk Assessment Process:
As part of the risk assessment process, the Company determines mitigation strategies for the risks that have been identified and designs, develops and implements controls, including policies and procedures, to implement its risk mitigation strategy.
H. Control Activities
Control activities are performed at all levels of the Company, at various stages within business processes, and over the technology environment. They are preventive and detective in nature and encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is built into the selection and development of control activities.
The Company’s control activities are included in Section IV of this report, “Trust Services Principles and Criteria and Related Controls.” Although the controls are presented in Section IV, they are an integral part of the description of the Company’s system.
Core Principles included in the Company’s Control Activity Processes:
I. Monitoring
Ongoing evaluations, built into business processes at different levels of the Company, provide timely information. Separate evaluations, conducted periodically, vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.
Core Principles included in the Company’s Monitoring Process:
J. Information and Communication
The Company has implemented various methods of communication to ensure that all employees understand their individual roles and responsibilities. These methods include periodic training programs for educating employees on internal developments, industry trends, and organizational development activities.
Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that responsibilities for internal control must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.
Core Principles included in the Company’s Information and Communication Process:
K. Trust Services Principles, Criteria and Related Controls
The five attributes of a system are known as the “Trust Services Principles” and are defined as follows:
Many of the criteria used to evaluate a system are shared amongst all of the principles; for example, the criteria related to risk management apply to the security, availability, processing integrity, and confidentiality principles. As a result, the criteria for the security, availability, processing integrity, and confidentiality principles are organized into (a) the criteria that are applicable to all four principles (common criteria) and (b) criteria applicable only to a single principle. The common criteria constitute the complete set of criteria for the security principle. For the principles of availability, processing integrity, and confidentiality, a complete set of criteria comprises all of the common criteria and all of the criteria applicable to the principle(s) being reported on.
The common criteria are organized into seven categories:
a. Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
b. Communications: The criteria relevant to how the organization communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.
c. Risk management and design and implementation of controls: The criteria relevant to how the entity (i) identifies potential risks that would affect the entity’s ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.
d. Monitoring of controls: The criteria relevant to how the entity monitors the system, including the suitability and design and operating effectiveness of the controls, and how it takes action to address deficiencies identified.
e. Logical and physical access controls: The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.
f. System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
g. Change management: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.
This report is focused solely on the common controls criteria, which include all of the Security trust principle. The report does not include controls for the Availability, Confidentiality, Processing Integrity and Privacy trust principles.
Castlight’s applicable common controls criteria supporting the Security principle and related controls are included in Section IV of this report, “Trust Services Principles, Criteria and Related Controls” to eliminate the redundancy that would result from listing them in this section and repeating them in Section IV. Although the applicable criteria and related controls are included in Section IV, they are, nevertheless, an integral part of the organization’s description of its System.
L. Complementary User Controls
Castlight’s services were designed with the assumption that certain controls would be implemented by users. These controls should be in operation by users to complement Castlight’s controls. The user controls subsequently presented should not be regarded as a comprehensive list of all controls that should be employed by users.
Users of Castlight’s Enterprise Healthcare Cloud System should maintain controls to provide reasonable assurance that