Information Security Management Program
Coffee Break Demo
Put your feet up and enjoy this live Q&A
Learn how Sage Intacct helps you drive improved business performance — throughout your entire organization.
30 minute demo | Daily 9:00 am PT / Noon ET
Effective Date: June 2021
While Sage Intacct’s SaaS based architecture enables flexibility and scalability, the security of our customer’s sensitive data is a core element of our philosophy. This document illustrates and explains Sage Intacct’s security architecture, controls, and practices for all Sage Intacct core ERP production environments.
Security Staff and Management
Sage Intacct employs dedicated, seasoned and certified (CISSP) Information Security professionals who have the responsibility for developing and driving Sage Intacct’s security program. The program encompasses both physical and logical security of the Sage Intacct application and infrastructure, as well as Sage Intacct’s internal IT systems.
Security Policies / Processes
Sage Intacct maintains a suite of relevant security-related policies and procedures. Updates to policies and procedures are performed on at least a yearly basis with appropriate approvals and documentation controls. A list of policies includes:
|Policy Name||General Purpose|
|Acceptable Use Policy||General Security Policy covering the following topics:
|System and network configuration standards||Requires configuration standards to be maintained for all critical resources / applications in line with defined industry standard benchmarks|
|System backup policy and procedures||Specifies the backup frequency, which data is backed up, location and secure movement of backup data and requirements for regular testing|
|Vulnerability and threat management scan policy and procedures||Dictates the responsibility, scope and frequency of audits and vulnerability assessments|
|Application security policy||Policy and standards, based upon OWASP and other general best practices, for the secure development of applications|
|Change control / Problem Management||Defines requirements for change management and the process for managing change for IT, Engineering and Operations|
|Internal vulnerability assessments of systems, applications, and networks||Defines the authority and scope of internal assessments and penetration testing of our application, network and infrastructure|
|Media Disposition||Defines the requirements for ensuring Sage Intacct sensitive and customer data is permanently removed from media prior to disposal, maintenance or reuse|
|System development and lifecycle (SDLC) process document||Includes the planning, design, building, security / other testing and delivery of various components of our application|
|Business continuity plan (BCP) and / or Disaster recovery plan||Requirements and process to be followed in the event of a disaster or other event requiring Sage Intacct to provide continuity of business in order to meet SLAs|
|Passwords||Policy and standards for creation, administration and management of passwords, the protection of those passwords and the frequency of password changes|
|Mobile Device||Describes the security policy regarding handheld mobile devices|
|Termination||Governs actions to be taken upon the voluntary or involuntary termination of employment or other affiliation with Sage Intacct|
|Facility Access||Provides physical security requirements for access to Sage Intacct facilities|
|Data Classification||Guidance related to the classification of Sage Intacct data assets|
|A/V – Patch Management||Describes the requirements for endpoint protection (i.e. Anti-Virus (A/V) and software security patches|
|Security Awareness||Defines the requirements for Sage Intacct’s information security awareness and training program|
Education / Awareness
Sage Intacct requires that all employees have undergone periodic security training in the previous twelve (12) months. Such security training includes, but is not limited to: acceptable use, social engineering, personnel security, data protection, PCI, HIPPA, GDPR, and Incident Response. Sage Intacct’s application developers and engineers are provided with additional application development related security training to include (at a minimum) the top ten security risks outlined by the Open Web Application Security Project (OWASP Top 10). In addition to formal security training, employees are exposed to security awareness during new hire orientation, and throughout the year via email reminders and posters/monitors.
Security Incident Response
Sage Intacct maintains a Security Incident Response Plan, which details procedures to be followed in the event of an actual or reasonably suspected unauthorized access to or use of Sage Intacct or customer data, including but not limited to disclosure, theft or manipulation of data that has the potential to cause harm to Sage Intacct systems, data, or the Sage Intacct brand name. Our incident response process is tested at least annually and addresses specific requirements related to PCI, HIPAA, and GDPR, CCPA and other security and privacy regulations and requirements.
For applications and systems associated with the access, processing, storage, communication and/or transmission of Sage Intacct data, Sage Intacct generates audit logs detailing use, access, disclosure, theft, manipulation, and reproduction. Security-related audit logs are generated and reviewed regularly for indicators of compromise or other relevant suspicious activity. Logs are maintained for at least 1 year. In the event that a review of the audit logs reveals reasonable evidence of a security incident, appropriate action would be taken in accordance with the Security Incident Response Plan.
Audit and Compliance
Sage Intacct performs various types of internal and third-party audits to validate compliance with applicable requirements. Upon completion of each audit, a written report of the findings and recommendations is created and maintained in a secure central repository. In the event that a non-compliance, deficiency or other finding is discovered during the course of an audit, Sage Intacct promptly assesses, prioritizes, mitigates or identifies appropriate compensating controls. The Sage Intacct US production environments are included in the scope of the opinions and audits listed below. We plan to include non-US environments in audit scope for the below beginning Nov 2021.
SSAE 18 SOC 1 Type II
Sage Intacct maintains an SSAE 18 SOC 1Type II opinion from a reputable, independent third-party audit firm. We conduct this activity twice per year to address timeliness of customer reporting requirements. The controlled report is available under NDA to relevant parties (including customers and prospective customers) upon request.
SOC 2 Type II
Sage Intacct maintains a SOC 2 Type II opinion from a reputable, independent third-party audit firm. We conduct this activity once per year. The controlled report is available under NDA to relevant parties (including customers and prospective customers) upon request.
ISAE 3402 / ISAE 3000
The International Standard on Assurance Engagements (ISAE) 3402 and 3000 are international assurance standards, which maps to SSAE 18 and SOC 2 respectively. Sage Intacct maintains an ISAE 3402 and ISAE 3000 opinion from a reputable, independent third-party audit firm. The controlled reports are available under NDA to relevant parties (including customers and prospective customers) upon request.
PCI-DCC Level 1
Sage Intacct maintains a Level 1 PCI status, which includes a full audit by a qualified security assessor (QSA), who issues a Report on Compliance (RoC) and two attestations as both a merchant and service provider. Our Attestations of Compliance (AoC) are available under NDA to relevant parties (including customers and prospective customers) upon request.
Sage Intacct’s product is certified to meet the requirements of the U.S. Health Insurance Portability and Accountability Act.
Privacy Shield / GDPR
Sage Intacct partners with TRUSTe, which has verified Sage Intacct’s privacy practices against Trustee’s Privacy Standards using a combination of technical and manual methodologies. While the EU-U.S. Privacy Shield Framework is no longer a legal basis for transfer of personal data from the EEA or the UK, Sage Intacct is Privacy Shield certified and the Sage Intacct product meets the requirements of the General Data Protection Regulation (GDPR).
Risk Assessment and Penetration Testing
Sage Intacct conducts regular internal and external third-party Risk Assessments and Penetration Tests on data applications, systems, and infrastructure associated with accessing, processing, storage, communication and/or transmission of customer or sensitive data. An independent summary report is available under NDA to relevant parties (including customers and prospective customers) upon request.
Sage Intacct has developed and implemented a program to evaluate relevant third-party vendors and partners prior to engaging in a business relationship and regularly thereafter. Our vendor management program takes a risk-based approach to evaluate the security maturity, compliance and security features and functionality available to Sage Intacct.
Data Loss Prevention
Sage Intacct has implemented a variety of processes and technologies to identify and manage data loss events across key Sage Intacct internal business applications, such as corporate email and sanctioned collaboration tools.
Digital Reputation / Intelligence Monitoring
Sage Intacct has deployed technology and processes to detect and remediate threats to the organization and its employees on social, mobile, digital and collaboration platforms to include both commercials as well as “dark web” resources.
Transferring of Sage Intacct Data
The handling and transfer of customer data, both electronic and paper, including, but not limited to transportation offsite for storage or backup purposes, is carried out using methods appropriate to the sensitivity and criticality of the data. The process for handling and physical transport of customer data is documented and reviewed regularly.
All Sage Intacct employees are required to have valid user IDs and passwords to access the Sage Intacct corporate network, internal and SaaS-based applications from the office and/or remotely via Virtual Private Network. In addition to username/passwords, Multi-Factor Authentication is required for access to critical business systems. The user IDs are used to restrict system privileges based on job duties, project responsibilities, and other relevant business activities. Sage Intacct’s policies require users to comply with network operating system policies with regard to user IDs and passwords. When possible, passwords must include a minimum number of characters and are required to expire on a scheduled basis. Passwords are required to be complex, including a combination of numbers, alpha, and special characters. Additionally, an attempt to log in using the incorrect password for more than a certain number of times will lock the user out of the system for a specified duration or until the password is manually reset by an administrator.
Access Justification/Authorization Process
Access authorization procedures comply with the following standards:
- Sage Intacct has in place a process designed to limit access to customer data to only authorized personnel having a business need to fulfill obligations to customers.
- Each authorization is approved by appropriate Sage Intacct management. The authorization and manager approval is documented and retained.
- Sage Intacct has in place a process that will promptly remove all access for employees that leave the company or change jobs within the company and no longer need access.
- Annual re-verification of individuals that have access to systems that host Sage Intacct or Sage Intacct customer data is performed to verify that malicious, out-of-date, or unknown accounts do not exist.
- Sage Intacct monitors accounts used for remote maintenance to verify that they are enabled only during the time needed.
System and Application Monitoring
Sage Intacct utilizes a variety of monitoring services to monitor system activity within both production and corporate systems. These utilities track and monitor server and user activity on Sage Intacct network servers including security settings, systems monitoring, remote access activity, server capacity, and server event activities. The System Administrators and Security personnel are responsible for reviewing the monitored activities on a regularly scheduled basis, as well as monitoring firewall logs and other system administration and network activities. Events are logged to a central logging server, correlated and displayed on a console, and relevant alerts are sent to Sage Intacct Operations and Security Staff.
Encryption and Key Management
Sage Intacct provides protection of customer data through a combination of access controls and encryption.
Encryption is required if:
- Customer data is transmitted over public networks.
- The use of encryption is mandated by law or regulation (i.e. PCI).
- Sage Intacct determines that encryption is necessary to protect customer data.
When data is transmitted over public networks or over private or public wireless networks the following apply as indicated:
- Use of strong cryptography and encryption techniques (at least 128 bit) such as Secure Sockets Layer (SSL/TLS) or Internet Protocol Security (IPSEC) to safeguard sensitive data.
- For wireless networks transmitting customer data, the transmissions are encrypted using Wi-Fi Protected Access (WPA) technology if WPA capable, otherwise VPN or TLS at 128-bit.
When encryption at rest is mandated by law or regulation, or Sage Intacct determines that encryption is necessary, the following is implemented:
- Sensitive customer data is rendered unreadable anywhere it is stored (at rest), by using some of the following approaches depending on the circumstances:
- One-way hashes (hashed indexes) such as SHA
- Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures.
Encryption is required if:
- Access to keys are restricted to the fewest number of personnel necessary
- Keys are stored in the fewest possible locations using measures designed to prevent unauthorized disclosure
- Prevention of unauthorized substitution of keys
- Replacement of known or suspected compromised keys
Sage Intacct has established guidelines and processes in place with the goal of architecting, developing and maintaining the Sage Intacct platform and applications free from security vulnerabilities. Security is built into our agile-focused Software Development Lifecycle process. Regular internal and third-party assessments are conducted, and we are constantly on the lookout for new and emerging threats and vulnerabilities that could impact the Sage Intacct application.
All worker types responsible for developing or maintaining code are required to:
- Comply with Sage Intacct’s Secure Coding Standards
- Remediate any discovered application security issues in a timely manner
- Complete application security awareness and training. Areas of focus are based on OWASP Top 10 and may include:
- Injection Flaws
- Authentication and Session Management
- Cross Site Scripting
- Insecure Direct Object References
- Security Misconfigurations
- Sensitive Data Exposure
- Access Control
- Cross Site Request Forgery
- Using components with known vulnerabilities
- Un-validated Redirects and Forwards
Network and Host Security
Sage Intacct deploys reasonable and efficient network Intrusion Detection capabilities, firewalls and commercial grade anti-virus protection. Operating systems and applications associated with Sage Intacct customer data and Sage Intacct’s own sensitive data are patched within a commercially reasonable time period after Sage Intacct has knowledge of any security vulnerabilities or vendor patch releases. Sage Intacct takes precautions designed to safeguard the software, systems, or networks that may interact with Sage Intacct’s systems, networks or any Sage Intacct customer data such that they do not become infected by computer viruses, malware, unauthorized programs or other harmful components.
Sage Intacct implements an intrusion detection program comprising of network intrusion detection, log analysis and data integrity monitoring, to monitor all network traffic associated with access, processing, storage, communication and/or transmission of Sage Intacct customer data. Sage Intacct personnel are alerted to, analyze and if necessary, take action on any suspected indicators of compromises and keep all intrusion detection and prevention engines up to date.
Sage Intacct deploys stateful inspection firewalls at various locations within our infrastructure. Sage Intacct has established firewall configuration standards which include:
- A default to deny policy, requiring only authorized ports and protocols
- A formal process for approving and testing all external network connections and changes to the firewall configuration
- Regular audits of our firewall configurations
Patch and Vulnerability Management
Sage Intacct has processes in place to:
- Update all system components and software with the latest vendor-supplied security patches.
- Identify newly discovered security vulnerabilities (through subscription to alert services).
- Update standards to address newly discovered vulnerabilities.
Sage Intacct maintains commercial-grade antivirus software to protect from viruses, worms, and other malicious code. Virus-screening software (when available) is installed and maintained on all systems, to include those that access, store or process Sage Intacct customer data or other identified sensitive information. Once installed, antivirus software must not be disabled. Antivirus software is regularly updated with virus signatures in order to locate and/or protect against new viruses or malicious code.
Sage Intacct follows industry practices with respect to system hardening on systems hosting Sage Intacct customer data including:
- Removing unnecessary system functionality including scripts, drivers, features, subsystems, and file systems.
- Disabling unnecessary and non-secure services and protocols.
- Configuring system security parameters in accordance with industry best practices (i.e. CIS/NIST) to prevent misuse.
- Changing vendor-supplied defaults before the system is live on the network.
For wireless environments, we change wireless vendor defaults, including but not limited to, WEP keys, default SSID, passwords, and SNMP community strings, and disable SSID broadcasts. We enable Wi-Fi Protected Access (WPA) technology for encryption and authentication when WPA-capable.
Routers and Network Infrastructure
Sage Intacct implements best practices with respect to securing network infrastructure, including:
- Installing the latest vendor-supplied security patches on all network infrastructure devices (hardware and software)
- Establishing a process to identify newly discovered security vulnerabilities
- Periodically auditing devices
We restrict access of Spyware, Adware, and Webmail by:
- Inspecting web-based email traffic for indicators of suspicious activity
- Installing, configuring and maintaining anti-Spyware / Malware software
- Identifying and blocking email phishing attacks for corporate email
- Providing relevant training and periodic advisories to workers related to email threats
Sage Intacct has physical security measures in place to control physical access to office facilities, paper records and corporate IT systems. In addition, Sage Intacct’s data centers that store or process customer data are SOC 2 compliant and include the following controls:
- Badge Access
- 24x7 Security
- Strong environmental controls
Business Continuity and Disaster Recovery
Sage Intacct has the ability to recover data in the event of a disaster or for business continuity purposes. Sage Intacct maintains a Data Recovery Process, covering back-up and restore procedures for Sage Intacct customer data. For customer data, our SLAs include both a Restore Point Objective (RPO) of no more than 4 hours and Restore Time Objective (RTO) of no more than 24 hours.
Sage Intacct adheres to and maintains measures to secure data being transported offsite for usage, hosting, backup purposes and/or storage. This includes:
- Storing media back-ups in a secure off-site facility, which may be either an alternate third-party or a commercial storage facility
- Maintaining strict control over the internal or external distribution of any media back-ups that contain Sage Intacct customer data
- Transmission of data via secured protocols
Data Disposal and Hardware Sanitization
Sage Intacct performs sanitization of media containing Sage Intacct data or customer data. Data is disposed of utilizing one of the following three methods:
- Overwriting - The software process that replaces the data previously stored on magnetic storage media with a predetermined set of meaningless data, rendering the data unrecoverable
- Degaussing - Exposing the media to strong magnetic fields to destroy its contents. This method eliminates any data still on the media
- Physical Destruction - This includes shredding or any other method of physical destruction including extremes of physical force and temperature. Physical destruction is accomplished in a manner that precludes further use of the media.
Changes to information resources are managed and executed according to a defined ticket and change management process. This process helps us review, authorize, test, document and implement/release in-scope proposed changes in a controlled manner; and monitor the status of each proposed change.
Applications transmitting, processing or storing Sage Intacct customer data leverage a System Development Life Cycle (SDLC) framework methodology that encourages security as a built-in function.
The SDLC includes, but is not limited to:
- Security testing and source code analysis of system and software configuration changes
- Separate development/test and production environments
- Separate duties between development/test and production environments
- Removing test data and accounts before production systems become active
- Documentation of impact
- Management sign-off