This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.

VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent

auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.

Back to TOC

Click

VALIC

.com 46

Backup of Distributed Applications

At the Fort Worth data center a full volume backup is performed weekly, with a five-week retention cycle.

Daily full backup tapes for break-fix are written to virtual tapes and replicated in Fort Worth.

Distributed applications backups are monitored to ensure completeness of processing. Errors are monitored on

a daily basis by Data Protection Advisor (DPA) and failure alerts are logged to CA. The failed alerts are reviewed

and remediated by the GCC Open Systems Team. Any failures that are unable to be remediated with standard

troubleshooting or job restarts are then logged as a Service Now Incident. The resolution documentation for

each incident is logged within the Service Now ticket

(15.2)

.

Backup of SAP Data

Critical data is replicated to the Fort Worth facility on a daily basis. VALIC relies on CTO for the replication

process and for performing backups of all servers. SAP backups are monitored to ensure completeness of

processing. Errors are monitored, logged, resolved and documentation of the resolution is maintained

(15.2)

.

Physical Access

Fort Worth and Livingston Data Centers

AIG Safety and Security Department in Livingston and Ft. Worth provides 24x7x365 physical protection for

data center facilities. Data Center facilities are secured via closed fences surrounding the entire site with a

rolling gate present at the entrance and exits. There are security guards stationed at every entrance to the Data

Centers including the guardhouses, which are set up outside the entrance gate for the purpose of monitoring

and authorizing all individuals who enter the premises. Access Control System (ProWatch) is the security

system used for maintaining and tracking access card data. Monitoring alarms are attached to ProWatch and are

displayed at the control room on the first floor. Currently, there are designated monitoring points throughout the

complex, and security personnel must acknowledge critical alarms and follow provided instructions. ProWatch

consists of the following types of equipment: Card Readers, Door Alarms, Motion Sensors, Digital Video

Surveillance and PIN Readers.

Each data center facility has physical access controls, continuous monitoring, redundant connectivity, cooling,

power and a viable disaster recovery solution. Onsite generators with dedicated fuel tanks and UPS systems are

in place. TS is the primary service provider for technology hardware and hosting services.

Entrance to the data centers and to the raised floor areas which house the computing facilities is protected

by electronic access control (i.e., access badges and card readers) and monitored by security video. The data

centers are further protected by door alarms and PIN readers. Employees must use their access badges in order

to enter and exit the premises. Security personnel process all visitors prior to entering and upon leaving the

data centers. Card keys are required to access the computer rooms. Highly sensitive and secure rooms, such as

raised floor rooms and hardware rooms are also protected by PIN readers. Quarterly recertification of physical

access is only attached to secure and sensitive areas. Such as ATAC LAB, IT SECURITY LAB, HR OFFICE, AIGGS

Global Command Office, BuildingMGMT Office, Mail Rooms, Freight Loading Docks, Mechanical Infrastructure

Rooms, Raised Floor, Server Rooms, Data Center, Cable Rooms, Staging Rooms, Network Storage Rooms,

Telephone Data Area, Test Lab Rooms and Data Center Storage Areas

(16.3)

.

Personnel access to the data centers must be initially approved by a manager and CTOOperations prior

to granting access

(16.1)

. Access to the data centers is removed for terminated employees and contractors

(16.2)

. Access badges automatically expire after 90 days for consultants, one year for long-term consultants,

and five years for employees. Personnel with access to the data centers are reviewed on a quarterly basis for

appropriateness. Any identified corrections are forwarded to security for processing.

III. Description of the VALIC Defined Contribution Plan Administration System