Newcastle Upon Tyne, United Kingdom.
Our hosting provider, Microsoft, do not publish information on TIA tiering. Details of their certification and compliance can be found here.
Customer data is backed up to a geographically distant secondary location. Sage has a documented procedure for restoration of service in the event of a disaster and a well-defined incident management procedure in case of smaller service interruptions. We have carried out a business resiliency assessment to understand the risks of disasters affecting Sage facilities.
Data centre equipment failures and protection from environmental risks are covered by the IT controls of our hosting provider, Microsoft. This is an extract from their published documentation:
"Protecting against external and environmental threats and supporting utilities" is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.1.4 and 9.2.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.
Environmental controls have been implemented to protect the data center including:
“Protecting against external and environmental threats” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.1.4. For more information, a review of the publicly available ISO standards we are certified against is suggested.
Our hosting provider, Microsoft, has ISO27001/27002/270018 certification covering all the service components that we use. For details, please see here. Sage 200 Extra Online itself is not accredited, but Sage operates an internal IT controls framework covering security and continuity of service. Sage 200 Extra Online has been audited against this controls framework.
Our hosting provider, Microsoft, provides SOC 1 Type 2 and SOC 2 Type 2 reports on request for customers.
Traffic to and from the cloud services is encrypted at the transport level (HTTPS).
Classified data residing on local hardware is encrypted at rest.
All incoming traffic passes through a network-based IPS/IDS. Network traffic inside the datacentre is monitored by our hosting provider, Microsoft.
Sage operates a documented security incident management procedure. We do not routinely publish information on attacks; however, Sage policy is to comply with our statutory obligation and to follow the guidance from the UK Information Commissioner's Office on breach reporting.
Sage policy is to comply with our statutory obligation and to follow the guidance from the UK Information Commissioner's Office on breach reporting.
Sage 200 Extra Online has not received certifications; however, our hosting provider, Microsoft, has ISO27001/27002/270018 certification covering all the service components that we use. For details, please see here.
No.
Not applicable (see previous point).
Not applicable (see previous two points).
No Sage employees have physical access to the network and compute infrastructure that hosts our applications. Our hosting provider, Microsoft, publishes the following on their vetting process:
"All Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history."
They do not publish information for non-US based employees.
The retention period for customer data following termination of the agreement with a customer is 40 days. Within this period, a customer can request a recent backup copy of their data. After this period it will be deleted. The actual destruction of data is covered by the IT controls of our hosting provider, Microsoft. This is an extract from their published documentation:
"Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can't be wiped we use a destruction process that destroys it (i.e. shredding) and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained."
"All Windows Azure services utilise approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle."
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.2.6 and 10.7.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.
Internet Explorer 10 and 11, Google Chrome updated.
None.
Microsoft Office 2010 SP2 (32-bit only) - Standard, Professional and Professional Plus Editions
Microsoft Office 2013 SP1 (32-bit and 64-bit) – Home and Business, Small Business Premium, Professional Plus, and Enterprise Editions
No.
