intacct security and operations
DESCRIPTION
Learn about some of the details of the Intacct datacenters and measures of security that Intacct takes to protect the cloud they provide to house your accounting and finance data. See why industry experts say that very few - if any - small to medium businesses could spend this kind of money and takes these measures to protect their data and systems.TRANSCRIPT
CONFIDENTIAL | 1
Security and Operations
Trusting Your Financials to the Cloud
2
Early Decisions…
Who is our customer?– Design for accounting and finance professionals– Enable a community of partners
Product Strategy– Best-in-class—stay focused on accounting and finance apps– Multi-ledger—build a reusable framework is always the approach– Double-entry– Approach to the close
Technology– Multi-tenancy– Web Services in the first version– Php / linux / apache on top of oracle– Commodity hardware, open source systems, premium
networking, premium hosting
3
The Intacct API
Accessible via Web Services or custom business logic (triggers) Access to all standard and custom objects and fields Standard Create, Read, Update, Delete plus readByQuery(), readView() Specialty objects designed for external use like GL Total, GL Detail
Roughly 50% of Intacct transactions post via Web Services
4
The Commercial Packaging
IncludedCustomization
Services
OptionalWeb Services
OptionalPlatform
Extensions to standard objects, including Custom Fields, Smart Rules, Smart Links, and Smart Events
Access to Intacct’s API Used when integrating an application that is external to the Intacct Service Also use to automate Intacct processes via external scripts
Includes all Customization Services + Access to Intacct’s custom application development environment Hosting of your custom application within Intacct production operations
5
Intacct Operations
Better than you
have at home
6
Primary Data Center
World class Savvis Hosting Center– Access to premium services and network connectivity– Multi-layer power generation– State-of-the-art fire suppression – Redundant HVAC– Other customers include Salesforce.com, UBS, Adobe, Workday, Merrill Lynch,
Goldman Sachs, Rueters, etc
Network– Connections to multiple backbones– Ample bandwidth burst capacity– Redundant paths and equipment
Hardware– Standard “commodity” servers and other hardware– All 100% owned by Intacct– Access controlled cages; managed only by Intacct personnel
7
Backup and Monitoring
Backups– Full nightly backups– Nightly logical exports– 96 hours of transaction “roll-back” capability–to the minute– Backups kept on local disk, tape and off-site– Backups and Redo logs pushed to Disaster Recovery site– Quarterly database restore testing– Annual Disaster Recovery testing
Monitoring– Redundant external monitoring from multiple Internet locations– Daily posting of performance on the Intacct website– Internal system monitors if fine detail (~900 service points)24x7 monitoring and
response coverage– Detailed performance and usage information allows us to spot issues– before they become problems
8
Disaster Recovery Center
Applications are guaranteed to be back up and available within 24 hours even if Savvis data center is completely destroyed– Never lose more than two hours of work– Regularly exercised by Intacct
No charge to Intacct clients
RecoveryInventory
Data CenterSacramento, CA
DisasterServers
CollectedData
Internet
Intacct - Savvis Data CenterSan Jose, CA Hot standby
Separate geography
9
Data Security
All Intacct employees undergo background checks before hire Secured networks and production assets:
– Intacct corporate networks are secure– Production networks are segregated with further access restrictions– Very limited and controlled access (both physical and logical) to all production
assets– Continuous internal threat monitoring and periodic 3rd party testing
Secure application:– Access to customer data controlled by the customer; must be granted, even to
Intacct support– Browser sessions all secure– Partners have an important part to play
10
Buy With Confidence—Why It is Your Friend
Intacct’s guarantee to your customers Covers all Intacct users We pay, you don’t Industry 1st
Industry most comprehensive
11
What Does the BWC Cover
Uptime
Response Time
Fix Times
Futures
PS Quality(Direct)
12
Transparency Operations
https://us.intacct.com/status
13
SSAE 16 SOC 1 Type II AuditType II
• Report is for a period of time as opposed to a single point in time
• Includes ongoing observations and testing
SOC 1• Service Organization
Control report
• SOC 1 = restricted to controls relevant to audit of a user entity’s financial statements (like SAS 70)
• SOC 2 & SOC 3 = reports on non-financial controls at a service organization
Audit
• Examination, documentation and testing of an array of internal controls
• Control “objectives” specific to Intacct
SSAE 16• Replaces SAS 70
• Statement on Standards for Attestation Engagements No. 16
• To assure safety and integrity of data while in the hands of a third party service organization
14
Intacct’s Control Objectives are BroadControl Objective No. 1 – Management and Organization: Control activities provide reasonable assurance that discipline and structure are an integral part of the organization and influence the control consciousness of its personnel.
Control Objective No. 2 – Physical Access and Environmental Security: Control activities provide reasonable assurance that access to and movement within the corporate facility is properly controlled and monitored. Additionally, access to server rooms, storage media, and other critical infrastructure is limited based on job responsibilities
Control Objective No. 3 – Data Backup and Restore: Control activities provide reasonable assurance that timely and periodic data backups are preformed and the associated restore process is tested, access to backup data is limited, and offsite backups are maintained.
Control Objective No. 4 – System Availability: Control activities provide reasonable assurance that primary runtime systems are maintained in a manner that helps ensure system availability.
Control Objective No. 5 – Service Level Agreement: Controls provide reasonable assurance that policies and procedures are in place and appropriately followed such that Intacct can meet the systems availability objectives of its Buy-with-Confidence service level agreement.
Control Objective No. 6 – Logical Access Security: Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized or unintentional use, modification, addition or deletion. Procedures are also in place to keep authentication and access mechanisms effective.
Control Objective No. 7 – Change Management: Control activities provide reasonable assurance that changes to Intacct’s on-demand financial management and accounting applications and supporting systems are properly authorized, tested, approved, implemented and documented.
Control Objective No. 8 – Network Security: Control activities provide reasonable assurance that the security infrastructure limits unauthorized access to internal networks and external threats are appropriately limited.
15
Other Certifications and Compliance
Privacy Policy
16
Governance & Compliance
GAAP / SOX Compliant Complete Audit Trails SAS 70 Type II Certified PCI DSS Compliant Granular Access Control Smart Rules / Alerts Automated Sales Tax