Operational Security

Key Features

Comprehensive Security Certifications

• SOC 1 Type II: NetSuite provides an SOC 1 Type II audit report to its customers prepared by and audited by independent third-party auditors. This report, commonly referred to as Service Organization Controls report, or SOC 1, is conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and International Standard on Assurance Engagements 3402, “Assurance Reports on Controls at a Service Organization”, issued by the International Auditing and Assurance Standards Board.
• SOC 2 Type II: The AICPA created the System and Organization Controls (SOC) II report to provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality or privacy. Oracle NetSuite’s SOC II is a type II report which means it covers both design and operating effectiveness, are prepared and audited by independent third-party auditors and covers controls on security, availability, and confidentiality.
• PCI DSS: In complying with PCI-DSS requirements, NetSuite offers optional 3D Secure credit card authentication—also known as Verified by Visa and MasterCard SecureCode. 3D Secure adds a higher level of credit card fraud protection. It requests shoppers to create authentication passwords for their credit cards, or requires them to enter their password if they already have one assigned
• EU-US Privacy Shield: Oracle complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention when a customer and Oracle have agreed by contract that transfers of personal information from the European Economic Area (“EEA”) or Switzerland will be transferred and processed pursuant to the Privacy Shield for the relevant services. When conducting those activities on behalf of its EEA or Swiss customers, Oracle holds and/or processes personal information provided by the EEA or Swiss customer at the direction of the customer. Oracle will then be responsible for ensuring that third parties acting as an agent on our behalf do the same.
  
  Oracle has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list.
• ISO 27001: ISO 27001:2013 is a globally recognized international standard that defines a set of requirements to build an information security management system (ISMS) to provide management better control of its information security processes. NetSuite service’s ISMS is currently ISO 27001 certified, which demonstrates that NetSuite meets the requirements of the standards and that processes are in place to enforce the security of customer’s information.

Continuous Security Monitoring

• NetSuite employs numerous intrusion detection systems (IDS) to identify malicious traffic attempting to access its networks
• Any unauthorized attempts to access the data center are blocked, and unauthorized connection attempts are logged and investigated
• Enterprise-grade anti-virus software guards against trojans, worms, viruses and other malware from affecting the software and applications.

Complete Separation of Duties

• Job responsibilities are separated, and mandatory employee background checks are employed at all levels of NetSuite operations
• The principle of least authority (POLA) is followed and employees are given only those privileges necessary to do their duties.

Managed Physical Access

• Stringent physical security policies and controls to allow unescorted access to pre-authorized NetSuite Operations personnel
• Photo ID proximity access cards and a biometric identification system provide assurance against lost badge risks or other attempts at impersonation. Proximity card reader devices are located at major points of entry and critical areas within the data centers
• Single-person portals and T-DAR man traps guarantee that only one person is authenticated at one time to prevent tailgating
• All perimeter doors are alarmed and monitored and all exterior perimeter walls, doors, windows and the main interior entry are constructed of materials that afford Underwriters Laboratory (UL) rated ballistic protection.

Fully Guarded Premises

• On-premise security guards monitor all alarms, personnel activities, access points and shipping and receiving, and ensure that entry and exit procedures are correctly followed on a 24/7 basis
• CCTV video surveillance cameras with pan-tilt-zoom capabilities are located at points of entry to the collocation and other secured areas within the perimeter
• Video is monitored and stored for review for non-repudiation.

Continuous Data Center Performance Audits

• NetSuite Operations manages ongoing SOC 1 Type II and PCI compliance
• Risk management is modeled after the National Institute of Standards and Technology’s (NIST) special publication 800-30 and the ISO 27000 series of standards. Periodic audits help ensure that personnel performance, procedural compliance, equipment serviceability, updated authorization records and key inventory rounds are above par.