Effective Date: May 2022
While Sage Intacct’s SaaS based architecture enables flexibility and scalability, the security of our customer’s sensitive data is a core element of our philosophy. This document illustrates and explains Sage Intacct’s security architecture, controls, and practices for all Sage Intacct core ERP production environments.
Sage Intacct employs dedicated, seasoned and certified (CISSP) Information Security professionals who have the responsibility for developing and driving Sage Intacct’s security program. The program encompasses both physical and logical security of the Sage Intacct application and infrastructure, as well as Sage Intacct’s internal IT systems.
Sage Intacct maintains a suite of relevant security-related policies and procedures. Updates to policies and procedures are performed on at least a yearly basis with appropriate approvals and documentation controls. A list of policies includes:
|Policy Name||General Purpose|
|Acceptable Use Policy||
General Security Policy covering the following topics:
|System and network configuration standards||Requires configuration standards to be maintained for all critical resources / applications in line with defined industry standard benchmarks|
|System backup policy and procedures||Specifies the backup frequency, which data is backed up, location and secure movement of backup data and requirements for regular testing|
|Vulnerability and threat management scan policy and procedures||Dictates the responsibility, scope and frequency of audits and vulnerability assessments|
|Application security policy||Policy and standards, based upon OWASP and other general best practices, for the secure development of applications|
|Change control / Problem Management||Defines requirements for change management and the process for managing change for IT, Engineering and Operations|
|Internal vulnerability assessments of systems, applications, and networks||Defines the authority and scope of internal assessments and penetration testing of our application, network and infrastructure|
|Media Disposition||Defines the requirements for ensuring Sage Intacct sensitive and customer data is permanently removed from media prior to disposal, maintenance or reuse|
|System development and lifecycle (SDLC) process document||Includes the planning, design, building, security / other testing and delivery of various components of our application|
|Business continuity plan (BCP) and / or Disaster recovery plan||Requirements and process to be followed in the event of a disaster or other event requiring Sage Intacct to provide continuity of business in order to meet SLAs|
|Passwords||Policy and standards for creation, administration and management of passwords, the protection of those passwords and the frequency of password changes|
|Mobile Device||Describes the security policy regarding handheld mobile devices|
|Termination||Governs actions to be taken upon the voluntary or involuntary termination of employment or other affiliation with Sage Intacct|
|Facility Access||Provides physical security requirements for access to Sage Intacct facilities|
|Data Classification||Guidance related to the classification of Sage Intacct data assets|
|A/V – Patch Management||Describes the requirements for endpoint protection (i.e. Anti-Virus (A/V) and software security patches|
|Security Awareness||Defines the requirements for Sage Intacct’s information security awareness and training program|
Sage Intacct requires that all employees have undergone periodic security training in the previous twelve (12) months. Such security training includes, but is not limited to: acceptable use, social engineering, personnel security, data protection, PCI, HIPAA, GDPR, and Incident Response. Sage Intacct’s application developers and engineers are provided with additional application development related security training to include (at a minimum) the top ten security risks outlined by the Open Web Application Security Project (OWASP Top 10). In addition to formal security training, employees are exposed to security awareness during new hire orientation, and throughout the year via email reminders and posters/monitors.
Sage Intacct maintains a Security Incident Response Plan, which details procedures to be followed in the event of an actual or reasonably suspected unauthorized access to or use of Sage Intacct or customer data, including but not limited to disclosure, theft or manipulation of data that has the potential to cause harm to Sage Intacct systems, data, or the Sage Intacct brand name. Our incident response process is tested at least annually and addresses specific requirements related to PCI, HIPAA, and GDPR, CCPA and other security and privacy regulations and requirements.
For applications and systems associated with the access, processing, storage, communication and/or transmission of Sage Intacct data, Sage Intacct generates audit logs detailing use, access, disclosure, theft, manipulation, and reproduction. Security-related audit logs are generated and reviewed regularly for indicators of compromise or other relevant suspicious activity. Logs are maintained for at least 1 year. In the event that a review of the audit logs reveals reasonable evidence of a security incident, appropriate action would be taken in accordance with the Security Incident Response Plan.
Sage Intacct performs various types of internal and third-party audits to validate compliance with applicable requirements. Upon completion of each audit, a written report of the findings and recommendations is created and maintained in a secure central repository. In the event that a non-compliance, deficiency or other finding is discovered during the course of an audit, Sage Intacct promptly assesses, prioritizes, mitigates or identifies appropriate compensating controls. The Sage Intacct US production environments are included in the scope of the opinions and audits listed below. We plan to include non-US environments in audit scope for the below beginning Nov 2021.
Sage Intacct conducts regular internal and external third-party Risk Assessments and Penetration Tests on data applications, systems, and infrastructure associated with accessing, processing, storage, communication and/or transmission of customer or sensitive data. An independent summary report is available under NDA to relevant parties (including customers and prospective customers) upon request.
Sage Intacct has developed and implemented a program to evaluate relevant third-party vendors and partners prior to engaging in a business relationship and regularly thereafter. Our vendor management program takes a risk-based approach to evaluate the security maturity, compliance and security features and functionality available to Sage Intacct.
Sage Intacct has implemented a variety of processes and technologies to identify and manage data loss events across key Sage Intacct internal business applications, such as corporate email and sanctioned collaboration tools
Sage Intacct has deployed technology and processes to detect and remediate threats to the organization and its employees on social, mobile, digital and collaboration platforms to include both commercials as well as “dark web” resources.
The handling and transfer of customer data, both electronic and paper, including, but not limited to transportation offsite for storage or backup purposes, is carried out using methods appropriate to the sensitivity and criticality of the data. The process for handling and physical transport of customer data is documented and reviewed regularly.
All Sage Intacct employees are required to have valid user IDs and passwords to access the Sage Intacct corporate network, internal and SaaS-based applications from the office and/or remotely via Virtual Private Network. In addition to username/passwords, Multi-Factor Authentication is required for access to critical business systems. The user IDs are used to restrict system privileges based on job duties, project responsibilities, and other relevant business activities. Sage Intacct’s policies require users to comply with network operating system policies with regard to user IDs and passwords. When possible, passwords must include a minimum number of characters and are required to expire on a scheduled basis. Passwords are required to be complex, including a combination of numbers, alpha, and special characters. Additionally, an attempt to log in using the incorrect password for more than a certain number of times will lock the user out of the system for a specified duration or until the password is manually reset by an administrator.
Access authorization procedures comply with the following standards:
Sage Intacct utilizes a variety of monitoring services to monitor system activity within both production and corporate systems. These utilities track and monitor server and user activity on Sage Intacct network servers including security settings, systems monitoring, remote access activity, server capacity, and server event activities. The System Administrators and Security personnel are responsible for reviewing the monitored activities on a regularly scheduled basis, as well as monitoring firewall logs and other system administration and network activities. Events are logged to a central logging server, correlated and displayed on a console, and relevant alerts are sent to Sage Intacct Operations and Security Staff.
Sage Intacct provides protection of customer data through a combination of access controls and encryption.
Encryption is required if:
Sage Intacct has established guidelines and processes in place with the goal of architecting, developing and maintaining the Sage Intacct platform and applications free from security vulnerabilities. Security is built into our agile-focused Software Development Lifecycle process. Regular internal and third-party assessments are conducted, and we are constantly on the lookout for new and emerging threats and vulnerabilities that could impact the Sage Intacct application.
All worker types responsible for developing or maintaining code are required to:
Sage Intacct deploys reasonable and efficient network Intrusion Detection capabilities, firewalls and commercial grade anti-virus protection. Operating systems and applications associated with Sage Intacct customer data and Sage Intacct’s own sensitive data are patched within a commercially reasonable time period after Sage Intacct has knowledge of any security vulnerabilities or vendor patch releases. Sage Intacct takes precautions designed to safeguard the software, systems, or networks that may interact with Sage Intacct’s systems, networks or any Sage Intacct customer data such that they do not become infected by computer viruses, malware, unauthorized programs or other harmful components.
We restrict access of Spyware, Adware, and Webmail by:
Sage Intacct has physical security measures in place to control physical access to office facilities, paper records and corporate IT systems. In addition, Sage Intacct’s data centers that store or process customer data are SOC 2 compliant and include the following controls:
Sage Intacct performs sanitization of media containing Sage Intacct data or customer data. Data is disposed of utilizing one of the following three methods:
Changes to information resources are managed and executed according to a defined ticket and change management process. This process helps us review, authorize, test, document and implement/release in-scope proposed changes in a controlled manner; and monitor the status of each proposed change.
Applications transmitting, processing or storing Sage Intacct customer data leverage a System Development Life Cycle (SDLC) framework methodology that encourages security as a built-in function.
The SDLC includes, but is not limited to:
Risk Assessment and Penetration Testing
Digital Reputation / Intelligence Monitoring
Transferring of Sage Intacct Data
Access Justification/Authorization Process
System and Application Monitoring
Patch and Vulnerability Management
Routers and Network Infrastructure
Business Continuity and Disaster Recovery
Data Disposal and Hardware Sanitization