What is NetSuite Application and Operational Security?
NetSuite application and operational security blocks unauthorized network and service connections while allowing customers convenient access to NetSuite from anywhere, with complete confidence. Security starts with strong encryption, role-based access controls, and robust password policies. NetSuite adds layers of additional protection, including multi-factor end-user authentication, token-based application authentication, and IP address-based restrictions. NetSuite’s round-the-clock monitoring and dedicated and tenured security team — backed by advanced tools, controls and policies —ensures the strongest operational data center security.
Robust Foundation for Compliance
Oracle NetSuite has the certifications, tools, and advisory services to help you meet your regulatory, operational and compliance challenges. Credit card and personally identifiable information is always secure, and NetSuite is externally audited to SOC 1 Type 2 and SOC 2 Type 2 (SSAE18 and ISAE 3402) standards while maintaining ISO 27001 and 27018, PCI DSS and PA-DSS compliance.
The company could have handled the growth without an ERP system, but we would have been forced to hire a lot more people.
NetSuite Application and Security Benefits
NetSuite Application and Operational Security Features
Transmission of user credentials, as well as all data exchanged, are encrypted with an industry-standard protocol and cipher suite. NetSuite supports custom attribute encryption and provides encryption APIs. NetSuite uses token-based application authentication and multi-factor end-user authentication (MFA).
End users can be assigned roles with specific permissions and restrictions to see only the data, and use only the features, required for their jobs — right down to the field level. NetSuite provides a complete audit trail, tracking transactions by user login details and applying a timestamp to each change.
IP Address Restrictions
The ability to easily restrict access from specific devices and/or locations is invaluable for customers concerned not only about who is able to connect to NetSuite, but from where. This feature significantly reduces the risk of unauthorized third-parties accessing your account using stolen hardware or credentials.
Customers have granular password configuration options, ranging from the length of the passwords to the password expiration policy. They can set up strict rules to ensure that new passwords vary from prior passwords and that passwords are complex enough to include a combination of numbers, letters and special characters. In addition, accounts are locked out after several unsuccessful attempts.
For customers requiring a higher level of access control, NetSuite offers multi-factor authentication using text SMS, one-time passwords (OTP) and backup codes. In addition to entering their own passwords, users must possess a time-based OTP (TOTP)-compatible device to receive random one-time passwords. These cryptographically robust controls prevent keyloggers, shoulder surfers, phishers and password crackers from accessing a user’s account.
NetSuite employs both network- and server-based Intrusion Detection Systems (IDSs) to identify malicious traffic attempting to access its systems. Security alerts and logs are sent to a security information and event management (SIEM) system for monitoring, and response actions, when required, are executed by an experienced, in-house security team.
Separation of Duties
In addition to mandatory employee background checks at all levels of the organization, Oracle NetSuite follows the Principle of Least Authority (POLA) — employees are given only those privileges necessary to do their jobs.
Dedicated Security Team
Oracle NetSuite employs a global security team dedicated to enforcing security policies, monitoring alerts and investigating any anomalous system behavior, including unauthorized connection attempts and malicious software. Near-real-time monitoring is in place with a 24x7 worldwide incident response capability. All access to production systems is approved and regularly reviewed by the security team.
Oracle NetSuite implements auditing controls appropriate for SOC 1 Type II, SOC 2 Type II, ISO 27001 and PCI compliance, and employs a comprehensive risk management process modeled after the National Institute of Standards and Technology’s (NIST) special publication 800-30 and the ISO 27000 series of standards. Periodic audits ensure that personnel performance, procedural compliance, equipment serviceability, updated authorization records and key inventory rounds meet or exceed industry standards.
Oracle NetSuite issues reports upon the completion of periodic SOC 1 Type II and SOC 2 Type II audits and is certified for PCI DSS and ISO 27001:2013.
- Oracle NetSuite has defined its information security management system in accordance with NIST 800-53 and ISO 27000 series standards.
- Oracle NetSuite’s SOC 1 Type II and SOC 2 Type II audits are prepared and audited by independent third-party auditors. A SOC 1 Type II audit is essential to meeting the reporting requirements of Section 404 of Sarbanes-Oxley relating to the effectiveness of internal controls for financial reporting. A SOC 2 Type II audit reports on controls that directly relate to the security, availability and confidentiality of services organizations.
- The PCI DSS security standard is designed to ensure that companies process, store and transmit payment card information in a secure environment. Oracle NetSuite’s Attestation of Compliance (AOC) is prepared and issued by a PCI Qualified Security Assessor (QSA).
Oracle Corporate (Oracle EMEA Ltd) has obtained EU/EEA-wide authorization from the European data protection authorities for its Binding Corporate Rules for Processors (“BCR-p”). This helps our customers address their privacy and security requirements under the EU General Data Protection Regulation (GDPR) and other European data protection laws and regulations in the EU/EEA, the UK, and Switzerland (“European Data Protection Law”). See the Privacy Code for Processing Personal Information of Customer Individuals (Oracle Processor Code). Oracle NetSuite provides Product Feature Guidance documents that describe how the service functionality is designed to assist customers with their EU GDPR requirements.
Oracle NetSuite has extended the ISO 27001 Information Security Management System to include the ISO 27018 control set, demonstrating protection and adequacy for processing Personal Information as a Public Cloud Hosting Provider. Oracle NetSuite performs reviews and annual audits, conducts privacy risk management and oversees remediation, has a third-party vendor management program to ensure that suppliers adhere to privacy regulations, oversees privacy by design in technology and processes and is committed to maintaining and improving its privacy information management and data protection programs.