The Information Security Management System (ISMS) Management team oversees the operation of the ISMS and includes the CEO, CTO, HoE, and CISO. AccountsIQ manages its technical operations internally, with the CTO having ultimate responsibility for information security and the HoE responsible for application development and operation. The CISO creates and manages a security and compliance framework aligned with ISO 27001 requirements, in cooperation with the technical team.
We are committed to complying with all relevant legislation, such as the EU’s General Data Protection Regulation (GDPR).
The ISO 27001 standard specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System (ISMS) in the context of the organisation's overall business risks.
The ISMS is designed to ensure the choice of adequate and proportionate security measures that protect the information and provide confidence to stakeholders.
The audience for this program includes employees, customers, partners, suppliers, shareholders/owners, and authorities engaged in the ISMS.
AccountsIQ has implemented a comprehensive set of policies and controls in relation to the Information security of all company assets & information. These policies and procedures are in line with ISO 27001 Annex A Controls.
The company is certified by an external accredited certification body (Certification Europe) for its compliance with the standard’s requirements.
AccountsIQ uses the OneTrust Compliance (formerly Tugboat Logic) platform to manage and communicate the policies to all relevant parties.
Our ISO Certificate can be downloaded here.
AccountsIQ has satisfied all requirements (Stage 1 and Stage 2) to become fully registered on the FSQS (Financial Services Qualification System) supplier qualification system, as set out by participating buying organisations.
AccountsIQ is hosted on the Microsoft Azure cloud service under a shared responsibility model. Under that model it is Microsoft's responsibility to implement the physical security controls for the data centres, while AccountsIQ remains responsible for securing the services it deploys on the platform. Microsoft Azure services are ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant.
Microsoft on-site security includes security guards, fencing, camera surveillance feeds, intrusion detection technology, and other physical measures. For more information, see: Physical security of Azure datacentres - Microsoft Azure | Microsoft Learn
AccountsIQ provides all customers with the option of hosting their data in Microsoft Data Centres in either the UK (London), EU (Dublin) or US (Virginia).
Note that AccountsIQ's HQ is in a multi-tenant office building within a business park in Dublin, Ireland. The offices are protected with CCTV, electronic fob-key doors and gates, and staffed reception areas. Only local networking equipment is stored within the office premises, in a locked and monitored switch room. No client data whatsoever is hosted in the local office environment.
AccountsIQ mitigates risks associated with third-party supplier sub-processors by performing security reviews on all those with any level of access to our systems or service data. Information about regulatory and certification requirements for each service provider supplier is also maintained.
AccountsIQ partners with Microsoft Expert Managed Service Provider (MSP), Transparity, for Azure network security. Transparity provides a 24/7/365 distributed Security Operations Centre (SOC) that constantly monitors the platform for cyber security events, evolving threats and potential vulnerabilities. Transparity's and AccountsIQ's technical teams work in tandem. In addition to our extensive internal scanning and testing program, AccountsIQ also employs third-party security experts to perform a broad manual penetration test across the application and production network.
Our network security architecture consists of multiple security zones. DMZs are utilised between the Internet, and internally between the different zones of trust, with different levels of access controls and monitoring in place. Infrastructure is configured and hardened according to the recommended guidelines issued by Microsoft and constantly scanned for vulnerabilities against these standards.
Access to the infrastructure is only allowed to a limited number of AccountsIQ's senior technical support staff, and requires VPN, MFA, and stringent access controls. All access is logged and monitored by the 24/7 SOC team. Transparity, as the infrastructure and SOC MSP, does not have access to any SQL databases where client data is held, and all data is encrypted at rest.
Infrastructure and security logs are monitored comprehensively through a Security Information and Event Management (SIEM) system. The SIEM gathers logs from all network devices and VMs and issues alerts that notify the Security Operations Centre (SOC) team. A separate tool, with similar built-in alerting capability, is used for the application-level logs. Both tools use AI features to help identify and alert on anomalous behaviour.
Industry leading endpoint protection tools are deployed at server level providing firewalling and AV protection. All data transmitted to/from the hosting site is encrypted, including any documents attached to accounts or transactions.
Client data is stored on Azure shared storage volumes controlled by dedicated, fault-tolerant database server clusters running Microsoft SQL Server. These database servers are further protected behind a firewall with only one port open, so that only the SQL queries generated by the web server can pass through. No user access channels are open to these database servers.
Each storage element is configured and hardened according to the recommended guidelines issued by Microsoft.
External users log on directly to AccountsIQ via the public internet by accessing its URL over an encrypted TLS connection. Data in transit between AccountsIQ's environment and the user's browser is encrypted over HTTPS with TLS 1.2 as the minimum protocol version, using server certificates with 2048-bit RSA keys and SHA-256 signatures. All data storage is encrypted at rest: within SQL Server using Transparent Data Encryption (TDE), and within Azure storage using AES-256 encryption.
AccountsIQ maintains a publicly available system status page which shows current availability, upcoming maintenance windows, incident history and any current events.
AccountsIQ uses server clustering, web farms and network redundancies to eliminate single points of failure.
Microsoft SQL Server backs up the database transaction logs every hour. Because the transaction log records every change made to the database, the nightly full backup can be rolled forward through the subsequent hourly log backups to reconstruct the database at any point in time up to the most recent log backup.
All databases are backed up each night to another Azure region, ensuring that there will always be up-to-date versions to restore in the event of a disaster affecting the primary data centre.
Test backups and restores are conducted monthly by Transparity in tandem with AccountsIQ.
Contingency and business recovery is reviewed with Transparity on a quarterly basis and during biweekly governance review meetings.
Our comprehensive Disaster Recovery Plan ensures that our systems remain available and recoverable in the event of a major disaster affecting one of the data centres. These plans include specifics of how to recover the services and have specified recovery point and time objectives, as well as specific response and reporting processes for incidents that involve personal data.
Using Azure Site Recovery (ASR), all production VMs running AccountsIQ are fully backed up on a nightly basis and replicated offsite to another Azure region. For example, the UK South Azure region’s VMs are replicated to the UK West region. This ensures that restoration of servers from recently taken images can be conducted in the event of a full disaster within any of the Azure regions.
In addition, all customer SQL databases are stored in Microsoft Azure data storage with geo-replication offsite for disaster recovery purposes. These can be copied back to an alternative production environment if a rebuild is required in the event of a disaster occurring within the primary data centres.
AccountsIQ has implemented its SDLC based on the requirements defined in the ISO 27001 standard and other international best practices (Agile, OWASP Top 10, OWASP SAMM). All engineers receive training in relation to OWASP Top 10 security risks and receive supplementary training in Threat Modelling.
Our Quality Assurance (QA) function reviews and tests our code base. In addition, dedicated application security engineers within the teams identify, test, and remediate any security vulnerabilities identified in the code. All our testing is conducted in environments separate from where production data is hosted, and no client data is used within any testing processes. On the rare occasion when client data is required to troubleshoot a specific issue, that data is pseudonymised.
AccountsIQ uses automated vulnerability management software to continuously scan the application against cyber security risks and emerging and existing threats. Any weaknesses detected are remediated by our internal security teams and engineers. In addition, the Security Operations Centre has a SIEM in place to continually monitor all hosting infrastructure for vulnerabilities, and any that are found are escalated to the SOC team for remediation.
Manual penetration testing is also conducted annually by an independent third-party organisation. They are charged with conducting detailed penetration tests on our suite of applications using a range of manual and automated techniques.
Authentication to the product is by means of a registered Account ID, username, and password. The password the user enters is checked for strength and only strong passwords are accepted; users are told what constitutes a strong password. If a user enters an incorrect password for their user account ten times in succession, the account is locked out. An email indicating that this has happened is sent to the Account's Administrator email address, and that person can then unlock the account using the user access controls.
AccountsIQ has Two Factor Authentication included as an additional user access control feature which we strongly advise our clients to implement across their users.
AccountsIQ is currently building support for enterprise Single Sign-On (SSO) that is SAML compliant. This will allow enterprise AD policies for user accounts and passwords to be applied to logins to AccountsIQ. We anticipate this will be made available before the end of 2023.
AccountsIQ follows secure credential best practice by never storing or sending any passwords in clear text or any other readable format. All passwords are salted and hashed, so that the original password cannot be recovered even from the stored value.
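As an added illustration of the two controls described above (strong-password checking with lockout after ten consecutive failures and admin notification, and salted password hashing), the following example is written for this page and is not AccountsIQ's implementation. The strength rules, the PBKDF2 work factor, the `notify_admin` hook and the user names are assumptions:

```python
"""Added example: password strength check, salted hashing with PBKDF2-HMAC-SHA256,
and account lockout after ten consecutive failures. Illustrative only; thresholds
and the admin-notification hook are assumptions, not the product's settings."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 10      # assumed: mirrors the "ten times" rule described in the text
PBKDF2_ITERATIONS = 200_000 # assumed work factor; raise in production (OWASP suggests 600,000+)


def password_strength_errors(password: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    errors = []
    if len(password) < 12:
        errors.append("at least 12 characters")
    if not re.search(r"[A-Z]", password):
        errors.append("an uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("a lowercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("a symbol")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt (16 random bytes) and hash the password; only salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class UserAccount:
    account_id: str
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthService:
    def __init__(self, notify_admin: Callable[[str, str], None]):
        self.notify_admin = notify_admin   # e.g. sends the lockout email to the Account Administrator
        self.users: Dict[Tuple[str, str], UserAccount] = {}

    def register(self, account_id: str, username: str, password: str) -> None:
        errors = password_strength_errors(password)
        if errors:
            raise ValueError("password must contain " + ", ".join(errors))
        salt, digest = hash_password(password)
        self.users[(account_id, username)] = UserAccount(account_id, username, salt, digest)

    def login(self, account_id: str, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Locked accounts are refused even with the right password."""
        user = self.users.get((account_id, username))
        if user is None:
            hash_password(password, b"\x00" * 16)  # burn the same time so unknown users are not revealed by timing
            return "denied"
        if user.locked:
            return "locked"
        if verify_password(password, user.salt, user.digest):
            user.failed_attempts = 0
            return "ok"
        user.failed_attempts += 1
        if user.failed_attempts >= LOCKOUT_THRESHOLD:
            user.locked = True
            self.notify_admin(account_id, username)
            return "locked"
        return "denied"

    def unlock(self, account_id: str, username: str) -> None:
        """Administrator action: clear the lock and the failure counter."""
        user = self.users[(account_id, username)]
        user.locked = False
        user.failed_attempts = 0
```

The two design points worth noting are that a successful login resets the failure counter (so the count is "consecutive" failures), and that the hash is computed even for unknown usernames so that response timing does not leak which accounts exist.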
AccountsIQ’s applications, systems and network services create detailed logging, including but not limited to login success and failure, geocoding user logins, user creation, permissions change, data access, accounting records creation and attempted attacks.
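To show what the logs described above make possible once they reach a SIEM or an application-log tool, here is an added example of two detections run over constructed login-audit lines. It is illustrative code written for this page, not the product's log format or the SOC's detection rules; the pipe-delimited format, the thresholds, the IP addresses (from the documentation ranges) and the sample events are all assumptions:

```python
"""Added example: detection logic over constructed login-audit lines of the kind
the text describes (login success/failure with a geocoded source). Line format,
thresholds and sample data are assumptions, not the product's real logging."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample data (not real): timestamp|event|account|user|src_ip|country
SAMPLE_LOG = """\
2024-03-01T09:00:00Z|LOGIN_FAIL|ACME|alice|203.0.113.7|NL
2024-03-01T09:00:05Z|LOGIN_FAIL|ACME|alice|203.0.113.7|NL
2024-03-01T09:00:09Z|LOGIN_FAIL|ACME|bob|203.0.113.7|NL
2024-03-01T09:00:14Z|LOGIN_FAIL|ACME|carol|203.0.113.7|NL
2024-03-01T09:00:20Z|LOGIN_FAIL|ACME|dave|203.0.113.7|NL
2024-03-01T09:01:00Z|LOGIN_OK|ACME|erin|198.51.100.4|IE
2024-03-01T09:30:00Z|LOGIN_OK|ACME|erin|192.0.2.99|US
2024-03-01T10:00:00Z|LOGIN_FAIL|ACME|frank|198.51.100.5|IE
"""

FAIL_THRESHOLD = 5                      # assumed: failures from one source IP ...
FAIL_WINDOW = timedelta(minutes=10)     # ... within this window raise an alert
TRAVEL_WINDOW = timedelta(hours=1)      # assumed: two countries within an hour is "impossible travel"


def parse_line(line: str) -> dict:
    ts, event, account, user, ip, country = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event, "account": account, "user": user, "ip": ip, "country": country,
    }


def detect(log_text: str) -> List[Tuple[str, str, object]]:
    """Return (rule, subject, detail) alerts in the order they fire."""
    alerts: List[Tuple[str, str, object]] = []
    fails: Dict[str, deque] = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerted_ips = set()                            # alert once per source, not once per event
    last_ok: Dict[Tuple[str, str], Tuple[datetime, str]] = {}  # (account, user) -> (ts, country)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["event"] == "LOGIN_FAIL":
            window = fails[e["ip"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()                   # slide the window forward
            if len(window) >= FAIL_THRESHOLD and e["ip"] not in alerted_ips:
                alerted_ips.add(e["ip"])
                alerts.append(("LOGIN_FAIL_BURST", e["ip"], len(window)))
        elif e["event"] == "LOGIN_OK":
            key = (e["account"], e["user"])
            prev = last_ok.get(key)
            if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
                alerts.append(("IMPOSSIBLE_TRAVEL", e["user"], f"{prev[1]}->{e['country']}"))
            last_ok[key] = (e["ts"], e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The first rule is the one the per-account lockout cannot catch: the attacker tries each user once from a single address, so no account reaches ten failures, but the source-IP view in the SIEM shows five failures in twenty seconds. The second rule uses the geocoded login data to flag a session from a second country shortly after a successful login from the first.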
Access to features in the product is managed by Role Based Access Controls (RBAC). Granular access to every feature in the system can be controlled by a flag at user profile level. User profiles are job-role-based collections of permissions, for example a 'Purchase Order User'. There is also a set of high-level access privileges reserved for 'admin' users. For example, it is possible to set up a user so that they cannot edit or see bank details.
AccountsIQ offers DKIM (DomainKeys Identified Mail) signing and DMARC (Domain-based Message Authentication, Reporting, & Conformance) for outbound emails sent from the product on your domain. Publishing a DKIM public key and a DMARC policy for your domain lets receiving mail servers reject or quarantine messages that forge your domain, which helps stop email spoofing. This is an on-request service which can be configured on your organisation's behalf.
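To make concrete what a receiving server does with the DMARC policy mentioned above, here is an added example of a DMARC record parser and the disposition logic (identifier alignment between the From: domain and the SPF/DKIM-authenticated domains, then the published policy). It is illustrative code written for this page, not AccountsIQ's email configuration; `example.com` is a placeholder domain, the record and the message results are constructed, and the organisational-domain helper is a simplification of the Public Suffix List lookup real validators perform:

```python
"""Added example: parse a DMARC TXT record and compute the DMARC disposition
for a message from its SPF/DKIM results. Domains, records and results are
constructed placeholders, not the product's or any real customer's settings."""
from typing import Dict

# Constructed policy, as it would be published at _dmarc.example.com (placeholder domain).
# adkim=s: the DKIM d= domain must equal the From: domain exactly; sp= covers subdomains.
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and require the mandatory v and p tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organisational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"                       # one aligned, passing mechanism is enough
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
```

The cases worth checking: a message the service signs with DKIM `d=example.com` passes even when SPF is evaluated against the sending provider's own domain; a forged message whose SPF passes only for the attacker's domain is rejected; a forgery from a subdomain gets the `sp=quarantine` policy; and with `adkim=s` a signature under `mail.example.com` does not align, which is why the DKIM signing domain must match what the product sends as the From: domain.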
AccountsIQ aims to minimise the collection and use of Customer Personal Data within the product wherever possible. Where Customer Personal Data is used, it is pseudonymised using aggregation, de-identification or hashing unless the raw data is required for a legitimate business purpose. AccountsIQ has a process for deleting Customer Personal Data on request within the timeframe required by applicable Data Protection Law.
AccountsIQ has implemented our employee security controls based on the requirements defined by ISO 27001.
Our IT Acceptable Usage Policy (AUP) and related policies are made available to all joiners and movers and are required to be read and signed. The policies also outline the disciplinary actions arising from non-conformance with policies.
Employee contracts also outline the confidentiality requirements. Contractors must sign NDAs before commencing.
Employees and contractors must pass a formal screening process that includes reference checking. For sensitive roles, criminal background checks are conducted.
Third parties are assessed according to the established third-party risk management policy that defines the requirements (including due diligence, risk assessment, continuous monitoring).
Security awareness training is mandatory during the onboarding process for new employees and contractors. All employees at all levels are required to complete and pass Security Awareness Training on a quarterly basis. The KnowBe4 platform is used for this purpose.
Engineers must participate in OWASP Top 10 training, as well as advanced threat modelling classes.
AccountsIQ has an incident management process, with clear roles and responsibilities, to manage information security incidents. This includes reporting methods, incident response procedures, and ongoing training for competent personnel. Incident management procedures are created and implemented based on the company's priorities for handling incidents, including evaluation, monitoring, analysis, response, and communication with interested parties. Reporting procedures are established, including actions to be taken, incident forms, feedback processes, and incident reports.
In relation to Incident Communications, our partners and clients will be notified immediately when we suspect a data breach, even when we do not know the source or impact yet. Further notifications on the cause and resolution will be sent thereafter. The appropriate authorities such as the Data Protection Office (DPO) and the Information Commissioner’s Office (ICO) will be notified within the required timeframes for reporting a data breach.
Please see Schedule 1 Section 6 of our Terms and Conditions that details our Support arrangements.
Note that AccountsIQ provides a system status portal to notify users of any system incidents or upcoming platform maintenance.
AccountsIQ maintains an escrow arrangement with NCC Group (UK based). NCC Group provide for additional beneficiaries to be added to the escrow agreement and therefore Customers have the option to sign up to it and will have access to the source code in the unlikely event of AccountsIQ ceasing trading.