After having used many open and commercial  monitoring systems, we have settled on Zabbix because of it’s extensive features and expandability (especially with the new integrated API).  That and it doesn’t hurt that it is well designed for expanded enterprises and is OpenSource.

This article was originally posted with details for Zabbix 1.6 and was updated on April 10 to reflect how to set it up under Zabbix 1.8.

OSSEC is a great tool provided by Trend Micro and is also an OpenSource application. OSSEC provides a variety of tools for host based intrusion detection including:  log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.  All of which support several compliance and basic security requirements. OSSEC is deployed in a client-server model with all alerting and active response features being controlled and sent through the central server.

To integrate OSSEC and Zabbix we will be using the active-response feature of OSSEC integrated with zabbix_sender to send the active response alert to the zabbix server.   Configuring for this integration requires a simple script, a quick change to the ossec.conf and the creation of an OSSEC template in the zabbix system.

We will start with the OSSEC changes.  First, we will edit the OSSEC/etc/ossec.conf file, where OSSEC is the path to your OSSEC installation.  In this file you will need to add the following items:

<command>
<name>zabbix-alert</name>
<executable>zabbix-alert.sh</executable>
<timeout_allowed>no</timeout_allowed>
<expect></expect>
</command>

<active-response>
<disabled>no</disabled>
<command>zabbix-alert</command>
<location>server</location>
<level>1</level>
</active-response>

The first <command> item defines the script we will be using for the zabbix-alert.  The <active-response> item defines when the system will use this script.  The defined configuration above has all alerts at and above level “1″ sent to the zabbix-alert command.  This can be modified for higher levels or specific rules or rule groups.  More information on this configuration can be found in the OSSEC manual.

Now the zabbix-alert.sh script needs to be put into the OSSEC/active-response/bin directory (be sure to watch for lines that are wrapped around but shouldn’t be).  You can download the script here: zabbix-alert.sh.

#!/bin/sh
#
# Submits an OSSEC alert as a passive service check result to zabbix.
#
# Author: David M. Zendzian
# ZZ Servers, LLC 2010
#
# Idea from Dave Stycos post: http://groups.google.com/group/ossec-dev/browse_thread/thread/e29c5d71926b8af5
#
# This script is Public Domain, and is provided AS-IS.  There is no
# warranty, and no support given for its contents.
#
# Version 1.0: Apr. 6, 2010
#

DEBUG=”false”
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
UNAME=`uname`

# Zabbix Sender
ZabbixSender=”/usr/bin/zabbix_sender”
#ZabbixSender=”/usr/sbin/zabbix_sender”

# Zabbix Server
ZabbixServer=<your zabbix server ip>

# Zabbix Port
ZabbixPort=10051

# All alerts will be processed by Zabbix under this key.
ZabbixKeyName=OSSEC

# Check that zabbix_sender file exists.
if [ ! -w $ZabbixSender ]; then
logger -p local0.err “$0: File $ZabbixSender not found.  Exiting.”
exit 1
fi

# Getting alert time
ALERTTIME=`echo “$ALERTID” | cut -d  “.” -f 1`

# Getting end of alert
ALERTLAST=`echo “$ALERTID” | cut -d  “.” -f 2`

# Getting full alert
ALERTTEXT=`grep -A 10 “$ALERTTIME” $PWD/../logs/alerts/alerts.log | grep -v “.$ALERTLAST: ” -A 10 `

# Extract host (agent) name from alert.
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_]*\)\->.*$/\1/p’`

# if hostname alert wasn’t from local host, the host value is “(hostname) ip”, which extracts differently
if [ "$HOSTNAME" = "" ]
then
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9] (\([-A-Za-z0-9_]*\)) .*\->.*$/\1/p’`
fi
if [ "$HOSTNAME" = "" ]
then
exit 0
fi

# Extract alert level from alert.
ALERTLVL=`echo “$ALERTTEXT” | sed -n ’2,2s/^.*(level \([0-9]*\).*$/\1/p’`

# Extract description from alert.
ALERTMSG=`echo “$ALERTTEXT” | sed -n ’5,5p’`

# Create Alert message
# Short MSG version
#ZMSG=”$ALERTID | $ALERTLVL | $RULEID – $ALERTMSG”
# Full MSG Version
ZMSG=”AlertID: $ALERTID | User: $USER | IP: $IP | Level: $ALERTLVL | RuleID: $RULEID – $ALERTMSG”

# Send result to zabbix for logging and notification alerts.
$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value “$ZMSG”

if [ "$DEBUG" = "true" ]
then
echo “$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value ‘$ZMSG’” >> /tmp/zabbix-test.log
echo “ACTION: $ACTION” >> /tmp/zabbix-test.log
echo “USER: $USER”
echo “IP: $IP” >> /tmp/zabbix-test.log
echo “ALERTID: $ALERTID” >> /tmp/zabbix-test.log
echo “ALERTLVL: $ALERTLVL” >> /tmp/zabbix-test.log
echo “RULEID: $RULEID” >> /tmp/zabbix-test.log
echo “———————————” >> /tmp/zabbix-test.log
fi

With the script saved, you can restart OSSEC (OSSEC/bin/ossec-control restart) or wait until zabbix is setup then restart.

UPDATE 07-16-2010 – If you are using zabbix-proxies then you need to have the OSSEC alerts for proxy monitored hosts submitted through the proxy server.  This isn’t a problem with the existing script if the proxy server is also monitored through the proxy; just update the server IP to be the proxy not the central zabbix server.  If you monitor your proxy directly from the central zabbix server then the script needs to be updated to support sending proxy hosts though proxy and the host itself directly to zabbix.  The script can be found here; or below.  Again be sure to watch for broken wrapped lines:

#!/bin/sh
#
# Submits an OSSEC alert as a passive service check result to zabbix.
#
# Author: David M. Zendzian
#
# Idea from Dave Stycos post: http://groups.google.com/group/ossec-dev/browse_thread/thread/e29c5d71926b8af5
#
# Updated 7/15/10 – using 2 server hosts in case using proxies and local host is monitored directly by central server and not proxy.
#
# This script is Public Domain, and is provided AS-IS.  There is no
# warranty, and no support given for its contents.
#
# Version 1.1: Jul. 15, 2010
#

DEBUG=”true”
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

if [ "$DEBUG" = "true" ]
then
echo “NOTICE: Starting Zabbix sender” >> /tmp/zabbix-test.log
fi

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`
UNAME=`uname`

# Zabbix Sender
ZabbixSender=”/usr/bin/zabbix_sender”
#ZabbixSender=”/usr/sbin/zabbix_sender”

# Zabbix Server
# Set server2 to be the same if all hosts monitored through proxy or the same server; otherwise
# set ZabbixServer to the proxy for non-localhost and then ZabbixServer2 to the host that the
# local proxy uses
ZabbixServer=<Server/Proxy>
ZabbixServer2=<Server for “Localhost”>

# Zabbix Port
ZabbixPort=10051

# All alerts will be processed by Zabbix under this key.
ZabbixKeyName=OSSEC

# Check that zabbix_sender file exists.
if [ ! -w $ZabbixSender ]; then
logger -p local0.err “$0: File $ZabbixSender not found.  Exiting.”
if [ "$DEBUG" = "true" ]
then
echo “ERROR: No Zabbix Sender” >> /tmp/zabbix-test.log
fi
exit 1
fi

# Getting alert time
ALERTTIME=`echo “$ALERTID” | cut -d  “.” -f 1`

# Getting end of alert
ALERTLAST=`echo “$ALERTID” | cut -d  “.” -f 2`

# Getting full alert
ALERTTEXT=`grep -A 10 “$ALERTTIME” $PWD/../logs/alerts/alerts.log | grep -v “.$ALERTLAST: ” -A 10 `

# Extract host (agent) name from alert.
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9][^A-Za-z0-9_]*\([-A-Za-z0-9_]*\)\->.*$/\1/p’`

# if hostname alert wasn’t from local host, the host value is “(hostname) ip”, which extracts differently
if [ "$HOSTNAME" = "" ]
then
HOSTNAME=`echo “$ALERTTEXT” | sed -n ’1,1s/^.*\:[0-9][0-9]\:[0-9][0-9] (\([-A-Za-z0-9_]*\)) .*\->.*$/\1/p’`
fi
if [ "$HOSTNAME" = "" ]
then
if [ "$DEBUG" = "true" ]
then
echo “ERROR: No Hostname” >> /tmp/zabbix-test.log
fi
exit 0
fi

# if the local host is a proxy then monitored items submitted through proxy, localhost probably monitored directly from central server (if not change comment this out)
LOCALHOSTNAME=`hostname -s`
if [ "$HOSTNAME" = "$LOCALHOSTNAME" ]
then
ZabbixServer=$ZabbixServer2
fi

if [ "$DEBUG" = "true" ]
then
echo “ZabbixServer: $ZabbixServer” >> /tmp/zabbix-test.log
fi

# Extract alert level from alert.
ALERTLVL=`echo “$ALERTTEXT” | sed -n ’2,2s/^.*(level \([0-9]*\).*$/\1/p’`

# Extract description from alert.
ALERTMSG=`echo “$ALERTTEXT” | sed -n ’5,5p’`

# Create Alert message
ZMSG=”$ALERTID | $ALERTLVL | $RULEID – $ALERTMSG”

# Send result to zabbix for logging and notification alerts.
$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value “$ZMSG”

if [ "$DEBUG" = "true" ]
then
echo “$ZabbixSender –zabbix-server $ZabbixServer –port $ZabbixPort –host $HOSTNAME –key $ZabbixKeyName –value ‘$ZMSG’” >> /tmp/zabbix-test.log
echo “ACTION: $ACTION” >> /tmp/zabbix-test.log
echo “USER: $USER” >> /tmp/zabbix-test.log
echo “IP: $IP” >> /tmp/zabbix-test.log
echo “ALERTID: $ALERTID” >> /tmp/zabbix-test.log
echo “ALERTLVL: $ALERTLVL” >> /tmp/zabbix-test.log
echo “RULEID: $RULEID” >> /tmp/zabbix-test.log
echo “———————————” >> /tmp/zabbix-test.log
fi

exit 0

For this integration to work, the host names used in OSSEC need to match the host names defined in Zabbix.  If they do not match, then zabbix_sender results will not make it into the hosts items correctly.

The easiest way to setup zabbix is to setup a template.  This template will define the application, item and triggers for OSSEC and can easily be linked to the hosts you are monitoring.

In zabbix goto Configure/Hosts and select ‘templates’.

Create a new template called OSSEC and be sure to add it to the Templates group.

Zabbix 1.6: Add OSSEC Template

Zabbix 1.8: Add OSSEC Template

With the template created, a new application needs to be created so the OSSEC items have a place to be organized.  Staying in Configuration / Hosts (for Zabbix 1.6 & 1.8), in the drop down on the upper right, select “Applications” and then from the group and host dropdown, select Templates / Template_OSSEC that was just created.  There should be no Applications in the list. If you do not see Template_OSSEC that was just created, go back to templates and edit the OSSEC item and be sure that it is in the “Templates” group.

Click on “Create application” and create “OSSEC Monitor” or whatever you want to call it.

Zabbix 1.6: Create OSSEC Template Application

Zabbix 1.8: Create OSSEC Application

Now we are ready to create the Item & Trigger for the OSSEC data.  In Zabbix 1.6, select “Configuration / Items” and select “Templates / Template_OSSEC” from the group and host selections and then click on “Create Item.”  The important item here is the Key which we will setup as OSSEC and is required to match the ZabbixKeyName in the zabbix-alert.sh script on the OSSEC server.

Zabbix 1.6: Create OSSEC Item

In Zabbix 1.8, remain in the “Configuration / Hosts” menu and in the upper right drop down select “Items”.  Click on “Create Item.”  When the new form is up, click on “Select” for the Host and select Template_OSSEC that we created above.  The same values will be set as with Zabbix 1.6.

Zabbix 1.8: Create OSSEC Item

As you can see, the item is a “Text” type getting data from a Zabbix Trapper event.  The things to not forget here are to enter your OSSEC server(s) in the Allowed Host line and to select the OSSEC Monitor application.

The next step is to create a trigger which will let us know when new data has arrived from OSSEC. Select “Configuration / Triggers” in Zabbix 1.6.

If you are using 1.8 then remain on the “Configuration / Hosts” page and select “Triggers” from the dropdown box on the upper right.

It should default to the Template_OSSEC host, but if it doesn’t then select Templates from groups and the Template_OSSEC host.

There are several ways to monitor the OSSEC text data, but I have selected to alert if there is new data in the last 10 minutes.  As you can see from the screenshot, the expression I used is {Template_OSSEC:OSSEC.nodata(600)}#1.  This works because the nodata(600) will return a 1 if no data is received in the time period specified (600 sec or 10 min).  So if it ever returns anything other than 1, we have new data.  For more information on trigger functions, consult the zabbix manual.

Now click on “Create Trigger” go create the trigger.

Zabbix 1.6: Create OSSEC Zabbix Trigger

Zabbix 1.8: Create OSSEC Zabbix Trigger

I have set the alert severity to “average” but you may want to change that depending on your needs.  The zabbix actions we will define will send all OSSEC alerts so the severity will not really matter.  One thing that is worth examining is to change the OSSEC item value to log instead of text which could allow for log severity and other values that could be used with the OSSEC alert levels; but that project is for another time.

Updated: 4/16/10 – What I have done for alerting based on level is to use the “short” ZMSG message type in the zabbix-alert.sh script and define a trigger such as:

({Template_OSSEC:OSSEC.nodata(600)}#1)&({Template_OSSEC:OSSEC.str( | 1 | )}#1)&({Template_OSSEC:OSSEC.str( | 2 | )}#1)&({Template_OSSEC:OSSEC.str( | 3 | )}#1)

What this trigger does is requires all 4 conditions to be met (&=”AND” between each item test).  The first is that there is new data within the last 10 minutes, the other 3 are requirements that the new data does not contain | 1 | or | 2 | or | 3 |, which would be OSSEC alert levels 1, 2 and 3.  If you use the longer ZMSG then the str values would be like: {Template_OSSEC:OSSEC.str( | Level: 3 | )}#1

Only 2 things left to do and the OSSEC/Zabbix integration is done.  These are to create actions for OSSEC events and to link the OSSEC template to the hosts you are monitoring with OSSEC.

In our local zabbix configuration I have created a “Security Administrator” group that receives IDS and other security events and will be using that to specify who receives the alerts.  You can modify these settings based on your local policy and zabbix configuration.

As you will also see in the following screenshot, I have modified the default message.  This allows me to receive the full data from the OSSEC event through {ITEM.LASTVALUE}.  I have also shortened the message so I can receive the details I want on my SMS alerts which have a smaller size than full emails.

I have tried to enable escalations for OSSEC alerts, however the way that zabbix handles items is that it will only look at the “active” triggers & items, what this means is that when a new OSSEC alert comes in and is added to the items database, the trigger is alerted but after 10 minutes it will “go away”.  There is no way, currently, to have a trigger depend on it’s being “Ack’d” which would be preferred for security, log and other events that just shouldn’t go away until an admin acks what happened.  There is a currently active zabbix feature request requesting this, so please go vote it up so we can see it added in the near future!

Zabbix 1.6: Create OSSEC Action

Zabbix 1.8: Create OSSEC Action

All that is left is to link your hosts to the OSSEC template.  The OSSEC alert submits data to zabbix based on the host names defined in OSSEC.  So once again, please be sure the names used match in both systems.

If you do not know how to link the OSSEC template, simply go to “Configuration / Hosts” and edit the hosts that are monitored by OSSEC.  You need to link every host as the alerts will be coming in directly to each unique host.  The example below is for one of our ossec servers, but the configuration should be the same for all OSSEC monitored hosts.

Zabbix 1.6: Host OSSEC Template Link

Zabbix 1.8: Host OSSEC Template Link

This should be it.  If you have already restarted OSSEC then you just need to create an event it will alert on (logging onto monitored host, creating “segfault” log messages: logger “segfault”, etc).  In my quick test, seen below, I did a failed logon (bad pw) and within a few seconds I had my jabber alert pop up and a sms message arrive on my phone!

If you have any problems, you can set DEBUG=true in the zabbix-alert.sh and it will log out what is being sent to zabbix into /tmp/zabbix-test.log.

If OSSEC is not running active-alerts, you may want to jump on #ossec on the openprojects IRC and get some assistance or search google.

Good luck!

David M. Zendzian | Managing Partner | ZZ Servers
268 Bush St. #4127 | San Francisco, CA 94104

Business Hosting Solutions | PCI | HIPAA
Managed Hosting Specialists

1. Improved efficiency in health care delivery by standardizing electronic data interchange, and
2. Protection of confidentiality and security of health data through setting and enforcing standards.

More specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:

1. Standardization of electronic patient health, administrative and financial data
2. Unique health identifiers for individuals, employers, health plans and health care providers
3. Security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present or future.

Compliance requirements include:

• Building initial organizational awareness of HIPAA
• Comprehensive assessment of the organization’s privacy practices, information security systems and procedures, and use of electronic transactions
• Developing an action plan for compliance with each rule
• Developing a technical and management infrastructure to implement the plans
• Implementing a comprehensive implementation action plan, including
• Developing new policies, processes, and procedures to ensure privacy, security and patients’ rights
• Building business associate agreements with business partners to support HIPAA objectives
• Developing a secure technical and physical information infrastructure
• Updating information systems to safeguard protected health information (PHI) and enable use of standard claims and related transactions
• Training of all workforce members
• Developing and maintaining an internal privacy and security management and enforcement infrastructure, including providing a Privacy Officer and a Security Officer

All of these requirements apply to not only the company which owns the PHI, but also any company or contractor they work with who has access to this information. The details on how to meet the HIPAA requirements is up to the individual company, allowing the “market to dictate” the terms and conditions.

Most companies I have worked with spend a considerable amount of time generating the paper documentation they feel will meet the above requirements. That is the most important part of any security policy or plan, knowing what is important (PHI/Card Data/Financial/etc) and defining how the business will properly control that information.

Data-centers, managed service providers and other contracted service providers come into this picture when companies outsource their data-center operations or when you are partnering with a company for data-center services. If you look at the HIPAA requirements, they all can be applied in some form or another to the outsourced provider, but the validation is left up to the contracting business and there is no guidance other than “best practices”.

So what should you look for in a business partner to have that can meet these HIPAA requirements? Before I answer that, I would like to discuss a similar security standard. As you may know from regular occurrence in the news, credit card data is lost and stolen on an increasingly regular basis. To help fight this, the Payment Card Industry has created the PCI Security Standards Council whose charter is to create and maintain specific industry standards and to train qualified assessors on how to validate against those standards. Any business that stores, transmits or processes credit card data is required to abide by these standards. This means even the person with a cellular card swipe machine at the flea market has to meet the same standards as Walmart, Amazon.com, PayPal or other multi-national merchants and banks. Below is a list of 12 sections in the PCI Security Audit Procedure which which you should look for from any service provider or partner you are considering. These sections break down in detail the steps which must be taken to comply with the PCI standard. To get more information, you can download the PCI details here https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf and here https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

1. Firewalls & Routers
2. Service configuration (note service includes servers/applications/databases/firewalls/etc)
3. Storage of Card data (what is/is not allowed, encryption, secure deletion), Data retention policy
4. Transmission of card data (SSL, VPN, 802.11, etc)
5. Anti-virus
6. Secure Development — ** Change Management **
7. Need-to-know
8. Unique ID for _everyone_ – no shared root, enable, administrator & password requirements
9. Physical Security
10. Logging & Time sync
11. Security Testing (security scanning, pen testing)
12. Policies, Contracts, Security Training, Risk Assessment, Incident Response Policies, Connected Entities (partner connection) management

Additionally, depending on which services you plan on using from a contracted provider or partner, different sections will apply for example:

• If they are going to provide router or firewall services, section 1
• If they are going to provide any servers (virtual or real) then sections 2, 5, 7, 8, 9, 10, 11 & 12 (yes most of it:)
• If they are going to provide development support sections 3, 4 & 6
• If they are going to provide system management support, 2, 3, 4, 5, 7, 8, 10

I mention PCI because unlike the HIPAA requirements, the PCI Standards and process is very clearly defined. While PCI is not perfect, since it was based on ISO17799 it covers a wide range of security issues. If you take the PCI standards and replace PCI with HIPAA or Financial (SOX), then you have a great guideline and audit procedure to work with for your own and your partners security.

So back to the question for this thread. How can you determine if a data-center/service provider meets your needs for the various compliance requirements. To answer this, you need to determine the role the service provider has with relation to your business and your specific data-set requirements.

If you are looking for somewhere to host your entire “business” and then VPN back into your company network, then you have physical, network, policy, procedure and contractual security needs.

If you are looking to have someone provide a more hands-on role then the same requirements are met, but then the providers mechanisms for providing support will then need to be evaluated. This would bring the assessment into the way they store passwords, monitor systems, provide support, troubleshoot, maintain change management, key-management, security monitoring, image management, upgrades, etc.

Giving all of these considerations, as a business you need to determine how you wish to handle the requirements. If you are a large merchant or service provider, you typically get ISO or SAS70 audits. Any data-center should be able to provide that assessment as you are trying to determine who you wish to work with. Keep in mind that with these assessments, the company has hired the auditor to validate a “specific” item, so the audit report will be focused only on that and may not take into consideration other processes or areas within the facility.

If the company has been through a PCI or other audit they should be able to provide some documentation regarding the audit and the controls they have in place that they used to go through the audit.

If they are a service provider (providing services to PCI organizations) and have been through a level 1 audit then they will be listed here: http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

Not many ISPs or Data-Centers have been through a level 1 PCI audit as they are usually very costly and if you read through the SAP you will find time consuming in the details that need to be met.

So what can you hope to find in a service partner you are looking to host with:

• A physical location that has good security controls
• 24×7 guard & locked doors
• Sign-in required and only authorized visitors
• at least 3 months camera data (90 days) on all entrances & exits to data-center facility
• Security for the physical servers (do not use shared cages)
• Policies
• Standard configuration documentation for all services you are getting services for (servers, firewalls, load balancers, certificates, etc)
• Network & server security – IDS / IPS / Host IDS / Log Monitoring / Internal & External Scanning / ASV Scanning
• Change Management that includes
• Documentation of impact
• Management sign off – colo should notify of customers of changes (good communication, as it was mentioned in a previous post, most providers that provide HIPAA or other services tend to have more communication with their customers)
• Back out plan / procedure
• Functional testing

If you are looking for more advanced services to ensure that not only is the machine physically secure, but also have you deployed your application architecture properly, then you may want to also be sure the service provider can also provide:

• Firewalls
• Private Networks
• VPN
• Load balancers
• 2 factor authentication
• IDS
• Log Monitoring
• Centralized logging
• Monitoring (Security & Availability)
• Development services
• Code review
• Time services (NTP)
• Senior Security & Architectural staff as well as Sr systems staff

Many of the people I have worked with have needed just about all of the above services when they are either building, expanding or migrating their applications into data-center facilities.

I know I did not stick specifically with the HIPAA question, but hopefully this information will help those are looking for new hosting facilities.

Now for those who are wondering, well do you provide those services? The short answer is yes. However not all are immediately activated “web dashboard” ready services and require a direct relationship with our senior architects and systems folks.

Our San Francisco data-center is through a partnership with ColoServe who provides the physical security and raw bandwidth to our secure cabinets. While the physical center has not been through any Level 1 PCI audits, ZZ servers has been through 2 bi-annual security audits by American Express for one of our customers and the facility has a SAS70 certificate and has the added security of also hosting the 911 systems for the city of San Francisco so our structural, power and data systems are a step above par.

I myself consult with a QSA out of San Meto (http://www.drgsf.com) and perform Level 1 audits and Security Assessment for payment applications as specified by the Payment Applications Best Practices following the PA-DSS (https://www.pcisecuritystandards.org/tech/pa-dss.htm

After spending 20 years building and working with small to large companies and founding 3 previous ISP services I wanted to bring a level of business service to the hosting community. So in founding ZZ Servers with my brother, Peter – a 20 year Navy vet currently spending his last year in the service stationed in Bagdad), we specifically created the infrastructure to be able to provide many if not all of the requirements mentioned above.

We are focused on providing services that are priced to compete with the largest players (rack-space, one and one, etc) but to also have the value added services I discussed in the requirements listings above.

We currently have customers utilizing the following services:

• Co-located servers
• Leased Servers
• Virtual Private Servers
• Private Networks
• Multiple firewalls (internal & external)
• Load Balancers
• Managed monitoring & support
• Centralized Logging & monitoring
• IDS
• VPN
• 2 Factor Authentication with CryptoCard
• Time services (NTP)
• Senior Security & Architectural staff as well as senior systems staff

And we are in the midst of deploying a full change-management system that will be available to any customer using any service which will fully integrated into all hosted services (schedule changes for firewalls or clusters of servers, and track status of each individual change).

We have also just signed an agreement with DRG to provide integrated ASV scanning which will be integrated into our order wizard allowing customers to sign-up and manage their PCI compliant scans and automatically send results to your merchant bank. This service will also include an on line form for creating and submitting the Self Assessment Questionnaire.

We are a small family-run business focused on slow growth and providing tools for both the smaller & larger customers to grow into whatever their business has potential for.

For more details about HIPPA, please visit (http://www.hipaadvisory.com/regs/HIPAAprimer.htm)

Regards,

David