Protecting your business from cyber threats starts by making sure the solutions you are using are safe.
This article will give you useful information about the range of systems in place to mitigate risks and prevent any malicious intrusions via your NetSuite software.
I - Cyber Security Incidents
NetSuite is committed to tracking cyber security incidents by subscribing to US-CERT and the National Vulnerability Database; actively monitoring feeds from key software vendors, including Oracle, Red Hat, and Microsoft; and maintaining relationships in InfraGard, OWASP, ISC2, ISSA, and IEEE. These required activities are measured annually to ensure we are adhering to our standards, and these metrics are included in our ISO 27001 audit and certification.
NetSuite takes prompt action on vulnerabilities noted by US-CERT, which enjoys sharing agreements with CCIRC, AU-CERT, and others.
This approach also provides a framework for monitoring and tracking specific threat information.
NetSuite security team members are formally obligated to maintain security certifications and to complete CPE hours to maintain such certifications as part of ongoing currency with general security topics.
NetSuite has deployed a network of third-party vulnerability assessment tools that receive daily updates on vulnerabilities. These tools are used to regularly assess the patch status and vulnerability risk of our software and services.
II - Advanced Persistent Threat (APT)
NetSuite has tools and processes in place to mitigate Advanced Persistent Threat (APT) attacks.
III - Control Activities and Incident Response Procedures
Control activities provide reasonable assurance that system availability is monitored on a regular basis with action taken to ensure accessibility to NetSuite customers.
NetSuite has documented incident response procedures in place to address operational requirements for the response and resolution of incidents.
An incident ticketing system is utilized to log and track system incidents through to resolution. Support personnel use the ticketing system to record issues within incident tickets. Customer administrators are also notified on an as-needed basis about other incidents.
Additional details are captured within the incident ticket to include service impact, root cause and steps taken to resolve the issue. Support personnel may also generate incident reports to support post-incident responsibilities and review preventative measures for recurrence and monitoring.
Production servers and network devices are monitored for system performance and availability metrics related to network firewall availability, central processing units (CPUs), process load and server utilization. If predefined thresholds are exceeded on monitored systems, operations personnel receive automated e-mail alert notifications.
Operations personnel also review the system availability, uptime performance and trend analysis reports on a monthly basis to identify or address issues that may impact system performance and perform ongoing monitoring of performance metrics.
NetSuite has standardized build scripts in place for system requirements, installation and configuration settings of production servers. Additionally, the centralized antivirus server software is configured to update antivirus definitions and perform a full scan of our code on registered servers on a daily basis.
Please visit the NetSuite status page for the historical system uptime track record and real-time information on NetSuite system status.
IV - NetSuite Incident Response Team (IRT)
NetSuite’s IRT is comprised of executives from crucial departments at NetSuite. An Incident Response Plan (IRP) is managed by the IRT. The IRP is reviewed annually, defines availability requirements for team members, and is engaged when a significant event occurs.
The IRT is responsible for evaluating the event and responding in accordance with the IRP, including engaging the mass notification system and making call outs to the production disaster recovery teams with response requests as necessary.
NetSuite reviews output from its Intrusion Detection System (IDS) on a daily basis. NetSuite's on-call Incident Response Team (IRT) is notified immediately of any incidents identified by the IDS above a specific threshold. All security incidents are logged in the NetSuite Incident Management System (IMS) and tracked to resolution.