QuickBooks Online Security White Paper July 2017

Similar documents
SECURITY & PRIVACY DOCUMENTATION

University of Pittsburgh Security Assessment Questionnaire (v1.7)

WORKSHARE SECURITY OVERVIEW

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

The Common Controls Framework BY ADOBE

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Oracle Data Cloud ( ODC ) Inbound Security Policies

WHITE PAPER- Managed Services Security Practices

Security and Compliance at Mavenlink

Twilio cloud communications SECURITY

Keys to a more secure data environment

Security Architecture

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Google Cloud & the General Data Protection Regulation (GDPR)

SECURITY PRACTICES OVERVIEW

FormFire Application and IT Security

Secure Access & SWIFT Customer Security Controls Framework

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Data Security and Privacy at Handshake

Layer Security White Paper

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Juniper Vendor Security Requirements

Security Note. BlackBerry Corporate Infrastructure

Sage Data Security Services Directory

University of Sunderland Business Assurance PCI Security Policy

Checklist: Credit Union Information Security and Privacy Policies

Projectplace: A Secure Project Collaboration Solution

Information Security Policy

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

External Supplier Control Obligations. Cyber Security

Canada Life Cyber Security Statement 2018

Daxko s PCI DSS Responsibilities

Information Security Controls Policy

Protecting your data. EY s approach to data privacy and information security

Awareness Technologies Systems Security. PHONE: (888)

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

IPM Secure Hardening Guidelines

TRACKVIA SECURITY OVERVIEW

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

The Honest Advantage

Information Technology General Control Review

A company built on security

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Cyber Security Program

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Understanding IT Audit and Risk Management

HIPAA Compliance Checklist

IBM SmartCloud Engage Security

NW NATURAL CYBER SECURITY 2016.JUNE.16

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Altius IT Policy Collection

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Watson Developer Cloud Security Overview

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

SECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data

AUTHORITY FOR ELECTRICITY REGULATION

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

Cybersecurity Auditing in an Unsecure World

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Altius IT Policy Collection Compliance and Standards Matrix

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Security Information & Policies

Security+ SY0-501 Study Guide Table of Contents

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Security & Privacy Guide

Standard CIP Cyber Security Critical Cyber Asset Identification

General Data Protection Regulation

MIS Week 9 Host Hardening

Standard CIP Cyber Security Critical Cyber Asset Identification

Altius IT Policy Collection Compliance and Standards Matrix

ISO27001 Preparing your business with Snare

Trust Services Principles and Criteria

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Information Security in Corporation

CCISO Blueprint v1. EC-Council

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Data Security and Privacy Principles IBM Cloud Services

Online Services Security v2.1

Total Security Management PCI DSS Compliance Guide

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

WHITEPAPER. Security overview. podio.com

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

InterCall Virtual Environments and Webcasting

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

IBM SmartCloud Notes Security

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Version 1/2018. GDPR Processor Security Controls

Data Center Operations Guide

Morningstar ByAllAccounts Service Security & Privacy Overview

Information Technology Branch Organization of Cyber Security Technical Standard

LBI Public Information. Please consider the impact to the environment before printing this.

What can the OnBase Cloud do for you? lbmctech.com

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

W H IT E P A P E R. Salesforce Security for the IT Executive

7.16 INFORMATION TECHNOLOGY SECURITY

Transcription:

QuickBooks Online Security White Paper July 2017 Page 1 of 6

Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a responsibility that is aligned with a key Intuit value: Integrity without Compromise. We take this stewardship seriously as we know you have placed trust in us to hold your data. Security is a shared responsibility. This document describes some of the security controls Intuit has in place to protect your data. Additional information for what you can do to protect your company data is available online at https://security.intuit.com/index.php. Governance Intuit has a comprehensive set of security policies and procedures. Topics include: Security Oversight Data Classification Data Handling Logical Access Management Physical Security Development and Quality Assurance Operational Security Security Incident Response Payment Card Processing Third Party Management QBO and supporting systems handling credit card data are annually assessed to the Payment Card Industry Data Security Standard by a qualified, third-party security assessor. This assessment helps limit data retention, harden our networks and systems, prepare to respond to attacks, secure our payment applications and data, control and monitor access and operate under security policies and procedures. As a key part of Intuit Small Business Group, QBO is subject to a number of other compliance assessments and audits including: Sarbanes Oxley (SOX) Application and IT General Controls Audits; Internal Audits; and NACHA Audits. Page 2 of 6

Risk Assessment Intuit conducts annual risk assessments with quarterly check-ins to identify and address critical business risks. In addition, the QBO team does bottoms-up risk assessments on a continual basis. For example, before any changes are released to the product, they are reviewed and tested thoroughly, in addition to regular vulnerability scans, pen tests, internal and external audits on services/offerings. Authentication Different multi-factor authentication (MFA) strategies using things only known to the account owner help to safeguard against inappropriate account access and validate your identity for sensitive operations (password reset, making or receiving payments, etc.). QBO also uses CAPTCHA and other techniques to protect against automated DOS attacks. Access Control QBO provides granular role-based security so that only you or your designee can specify who can access your data and what level of privileges can be granted to different users. We follow a strong password and multi-factor authentication policy across all environments. You control who accesses your financial data, and what they can see and do with it. Each person you invite to use QBO must create a unique login. Multiple permission levels let you limit the access privileges of each user. For example, you may want your part-time contractor to be able enter work hours, but not access your latest P&L charts. QBO provides an Audit Log that tracks the actions taken by different users. This can help you keep track of user actions on the data. Access to systems, services, and your data follows the principle of least privilege. This means personnel responsible for data backups (as one example) only have access rights sufficient for that purpose. We segregate roles within our development and production teams. Production access requires appropriate levels of authorization. For example, developers do not have access to production systems and operations personnel do not have access to source code. Page 3 of 6

Security Awareness Training All Intuit employees are required to undergo security awareness training on initial hire and annually thereafter. The training covers general security topics, including personnel and physical security, social engineering, IT security controls in place at Intuit (e.g., antivirus, security policies), and privacy best practices. Additional job-related training may be required, depending on the specific duties assigned to individuals. These include secure coding and testing techniques and operations monitoring and response. Our Intuit software development teams also attend frequent technical seminars designed to help them stay on top of secure coding practices. Data Security No single measure can effectively provide complete security, so at QBO, we employ a strategy called defense in depth, a layered approach with multiple security measures in place to help protect your data. We take specific precautions to provide security while your data is in transit from your computer to our servers, as well as while it is being processed and stored in our data centers. Let s start with your data as it leaves your browser. QBO establishes a secure connection to your browser, indicated by the small padlock symbol displayed on your screen (the exact location varies by browser). The padlock symbol denotes a secure connection using TLS (Transport Layer Security) technology to encrypt your data over the Internet. Intuit uses the highest level of protection your browser allows to help protect your data in transit. Your data stays encrypted as it passes through Intuit-managed firewalls. It is processed and stored on dedicated systems protected via tokenization and encryption per National Institute of Standards and Technology (NIST) guidance. Information Protection Processes and Procedures Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets. We follow a strict set of guidelines and practices to help protect your private information. We will not, without explicit permission, sell, publish or share data entrusted to us by a Page 4 of 6

customer that identifies the customer or any person. Our employees are trained on how to keep data safe and secure. Intuit is a licensee of the TRUSTe Privacy Program, an independent, nonprofit organization committed to the use of fair information practices. For full disclosure of our privacy practices, please review our Privacy Statement (https://security.intuit.com/privacy). We incorporate security throughout our standard Software Development Lifecycle (SDLC). This includes threat modeling of architecture and designs, security code reviews, static automated analysis, security vulnerability scans, compliance scans and penetration testing by internal and external security experts. These activities leverage technologically advanced automation tools and industry-vetted security frameworks to ensure quality and security of QBO and your data. This includes regular patching for known vulnerabilities published by security vulnerability tracking authorities, such as Mitre and the National Vulnerability Database. Protective Technology Intuit QBO takes service availability very seriously. QBO is designed to survive a major disaster: We have redundancy within and across at least two geographically separated data centers. QBO is hosted on data centers rated the highest Tier-4 category. Each data center has high physical security, redundancy, and backups for power and cooling. This includes infrastructure components to avoid single points of failure. All web, application, and data servers are spread across multiple isolated fault domains built on best-in-class network and server virtualization technology. Offices and data centers are guarded by onsite security personnel. We enforce access card-based entry to each building and 24/7 perimeter vigil and control. Data center security maintains even stricter access controls. Data is replicated securely between the data centers over multiple telecommunication carriers using industry-standard replication technology. Data synchronization latency between data centers is maintained at less than 5 minutes. Intuit engineers have implemented extensive automation to facilitate non-disruptive switchovers between data centers as often as every other week. Page 5 of 6

Security Monitoring Information systems and assets are monitored for intrusion, unauthorized access, unexpected file changes, unplanned spikes in activity and other events, as well as to verify the effectiveness of protective measures. Our Security Operations Center (SOC) is staffed 24x7, 365 days a year to monitor activities across all Intuit applications and services. Intuit has a global Incident Management Team. This team includes senior executives, product engineers and members of our Security Operations Incident response team. For day-to-day incident event monitoring and response our Security Operations team is responsible for monitoring, opening tickets and following potential incidents and events to resolution. The Incident Management Team quickly engages the right business contacts. Business Continuity and Disaster Recovery We run in asymmetric active-active mode, in which QBO processing is mirrored across our data centers in a way that ensures real-time replication of all systems and data. If something should happen in one data center, another one is ready to take over within moments. We backup our systems at least once a day and use multiple suppliers for critical operational functions such as telecommunications lines. Our data centers are geographically separated, to minimize the chance that a natural disaster in one location might prevent you from accessing your data. Bottom Line At Intuit QuickBooks Online (QBO), we know your data is important to you. We hope the information in this white paper gives you insight into how we approach data security. Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback