Considering a move to a cloud solution? Security is likely at the forefront of your concerns.
The Sage Intacct cloud solution offers a Buy with Confidence program that outlines their commitment to customer success. In this blog, we’ll cover the measures they take to ensure your financial application is consistently secure, reliable, and available.
Security measures offered by top-tier SaaS providers are constantly advancing, and far outweigh the measures that most customers could individually afford to take. Modern SaaS security covers physical, network, application, and data protection to ensure your information is safeguarded from all angles.
Security Measures taken by Sage Intacct
Sage Intacct has physical security measures in place to control access to office facilities, paper records and corporate IT systems. In addition, Sage Intacct’s data centers that store or process customer data are SOC 2 compliant and include the following controls:
• Badge Access
• 24×7 Security
• Strong environmental controls
Network & System Monitoring
How does Sage Intacct help protect customer data from external threats? They deploy reasonable and efficient network intrusion detection capabilities, firewalls, and commercial-grade anti-virus protection.
Sage proactively monitors for any vulnerabilities in their software that could be exploited by a cyberattacker.
In addition, Sage ensures that all applications and systems associated with customer data have comprehensive audit logs that detail use, access, disclosure, theft, manipulation, and reproduction. These logs are regularly reviewed to detect any indicators of compromise or suspicious activity.
Furthermore, they make sure that all operating systems and applications connected to your Sage Intacct customer data are promptly patched after any known security vulnerabilities or vendor patch releases.
SaaS providers should be able to demonstrate their ability to secure data and recover data if it is lost from primary systems. Sage Intacct protects customer data through a combination of access controls and encryption.
Sage’s service level agreements (SLAs) promise a restore point objective (RPO) of just four hours – meaning you won’t lose more than four hours worth of data in the event of an unexpected data loss. Plus, their restore time objective (RTO) SLA ensures that all processes will be fully restored within 24 hours of any disaster.
Sage Intacct ensures the security of customer data when it’s being moved offsite for hosting, backup purposes, or storage. They dispose of data using one of three methods: overwriting, degaussing, or physical destruction. There are also strict access control process in place so only authorised personnel with a business need can access customer data, and Sage performs an annual re-verification of these individuals.
Steps you can take to ensure the security of your data in Sage Intacct
Part of the responsibility for security resides with the customer. The customer decides who gets access to the system and how much of the data they can access. Like other SaaS systems, Sage Intacct includes a variety of security controls and functionality.
Security controls include:
- Inactivity timeouts – automatic log out for inactivity set by the administrator
- Session timeouts – automatic log out for session time set by the administrator
- Password complexity, change frequency, and history rules
- Sign-in lockout – repeated unsuccessful attempts to lock out the account, requiring administrator reset
- IP address filtering – option to restrict access to a specific IP address or range of IP addresses on an account-by-account basis
- Two-step verification (multifactor authentication) – periodic use of a second device for authentication
Roles & Permissions
Sage Intacct has two options for assigning permissions: user-based and role-based. User-based permissions, as you’d expect, are assigned manually on a user-by-user basis. For organisations experiencing rapid growth, individually assigning detailed permissions for each additional user can be time-consuming. In addition, you also have the option to create user groups. When you assign a user to a group, that individual automatically inherits that group’s level of access. For example, the HR team all have the same access.
The alternative is to create roles for each job role within the organisation and assign the role-based permissions required for that role to be able to fulfil its responsibilities. See the Project Manager job role permissions below:
User Types Defined
In Sage Intacct the user type affects the maximum number of features and activities that a usr can access and perform in Intacct. Business users are the only users who can directly affect the general ledger. For example, an AP clerk who needs to enter or pay bills must be a Business User. On the other hand, a user who only enters timesheets or expenses can be given the Employee user type.
View more on User Types
Audit Trails & Access Logs
Further monitoring of your system can be done through access logs which show who’s been accessing your system and audit logs which can track any changes made to data in the system.
What should you do if you suspect that your system has been compromised?
If you have concerns about a potential data breach related to Sage products or if you have found a suspected vulnerability in a product, please contact our 24/7 Cyber Defense Operations team via email: email@example.com. You should also contact your Sage partner who is supporting your system.
For those who need more information on compliance with standards
Several standards are in place for services that deal with sensitive data. Compliance with these standards depends on the kind of data a provider handles. Each standard also has a regulatory body that ensures compliance. Providers perform various types of internal and third-party audits to validate compliance with applicable requirements. In the area of SaaS finance, a number of standards come into play. Read more about the standards that Sage Intacct complies with.