Security Policy

Protecting your data

We’re committed to the security of our customers’ data and provide multiple layers of protection for the personal and financial information you trust to Enterprise Systems Australia.

You control access

As a Enterprise Systems Australia customer you have the flexibility to invite unlimited users into your account to collaborate on your data, and the person that holds the subscription has control over who has access and what they are able to do. Our customer support staff cannot access your information unless you invite them to help. Please see our privacy policy for further information.

User authentication

We provide standard access to the Enterprise Systems Australia software through a login and password. In addition we offer the option of using two-step authentication. This provides a second level of security for your Enterprise Systems Australia account. It means you’re also asked to enter a unique code generated by a separate authenticator app on your smartphone. We recommend you use two-step authentication as it reduces the risk of your Enterprise Systems Australia account being accessed if your password is compromised.

Data encryption

We encrypt all data that goes between you and Enterprise Systems Australia using industry-standard TLS (Transport Layer Security), protecting your personal and financial data. Your data is also encrypted at rest when it is stored on our servers, and encrypted when we transfer it between data centres for backup and replication.

Network protection

Enterprise Systems Australia takes a “defence in depth” approach to protecting our systems and your data. Multiple layers of security controls protect access to and within our environment, including firewalls, intrusion protection systems and network segregation. Enterprise Systems Australia’s security services are configured, monitored and maintained according to industry best practice. We partner with industry-leading security vendors to leverage their expertise and global threat intelligence to protect our systems.

Secure data centres

Enterprise Systems Australia’s servers are located within enterprise-grade hosting facilities that employ robust physical security controls to prevent physical access to the servers they house. These controls include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits. Enterprise Systems Australia maintains multiple geographically separated data replicas and hosting environments to minimise the risk of data loss or outages.

Security monitoring

Enterprise Systems Australia’s Security team continuously monitors security systems, event logs, notifications and alerts from all systems to identify and manage threats.

Security assurance

Enterprise Systems Australia has produced a ES control report. The report is the result of an independent auditor's examination of Enterprise Systems Australia's cloud based accounting system relevant to the Trust Services Principles and Criteria for Security, Availability, and Confidentiality.

If you have questions, or would like to request the latest available ES control report, please complete a request form and a Enterprise Systems Australia Customer Experience representative will contact you.

Always there

Best in class availability

With a record of 99.9% uptime, Enterprise Systems Australia delivers best-in-class availability. We use multiple redundancy technologies for our hardware, networks, data centres and infrastructure. These ensure that if any component fails, Enterprise Systems Australia will keep on running – with little or no disruption to your service.

Built to perform at scale

Enterprise Systems Australia has been designed to grow with your business. Our high performance servers, networks and infrastructure ensure we can deliver quality service to you and our hundreds of thousands of other users.

Disaster recovery and readiness

Enterprise Systems Australia performs real-time data replication between our geographically diverse, protected facilities, to ensure your data is available and safely stored. This means that should even an unlikely event occur, such as an entire hosting facility failure, we can switch over quickly to a backup site to keep Enterprise Systems Australia and your business running. We transmit data securely, across encrypted links.

Constant updates and innovation

We’re constantly enhancing Enterprise Systems Australia, delivering new features and performance improvements. Updates are delivered frequently, with the majority of them being delivered without interrupting our service and disrupting users.

Your online safety

We design security into Enterprise Systems Australia from the ground up. However, there can be risks to working and playing online. Whether you’re shopping, banking, doing your accounts, or simply checking your email, cyber criminals and scammers are always looking for ways to steal money or sensitive information.

Phishing and malicious emails

A phishing email is a favoured way for cyber criminals to get access to your sensitive information, such as your usernames and passwords, credit card details, bank account numbers, etc. This kind of email may look as if it has come from a trustworthy source, but will attempt to trick you into: 

clicking on a link that will infect your computer with malicious software

following a link to a fake (but convincing looking) website that will steal your login details

opening an attachment that will infect your computer.

Once you are hooked, the cyber criminal may be able to steal or extort money from you, or gather sensitive personal or business information that they can use for other attacks. However, you can protect yourself and your business by being aware of these scams, and by knowing what to look for that may help you identify a malicious email: 

Incorrect spelling or grammar: legitimate organisations don’t always get it 100% right, but be suspicious of emails with basic errors.

The actual linked URL is different from the one displayed – hover your mouse over any links in an email (DON’T CLICK) to see if the actual URL is different.

The email asks for personal information that they should already have, or information that isn’t relevant to your business with them.

The email calls for urgent action. For example, “Your bank account will be closed if you don’t respond right away”. If you are not sure and want to check, then go directly to the bank’s website via the URL you would normally use, or phone them. Don’t click on the link in the email. The email says you’ve won a competition you didn’t enter, have a parcel waiting that you didn’t order, or promises huge rewards for your help. On the internet, if it sounds too good to be true then it probably isn’t true.

There are changes to how information is usually presented, for example an email is addressed to “Dear Sirs” or “Hello” instead of to you by name, the sending email address looks different or complex, or the content is not what you would usually expect.

These are just a few of the things to watch out for. There’s a lot more information and tips available on the web. But even if there’s nothing specific you can point to, the email may just not “feel” right. Trust your instincts, and don’t get hooked.

If you suspect you’ve received a phishing or malicious email, and it says it’s from Enterprise Systems Australia or uses Enterprise Systems Australia’s logo, do not click on anything in the email – please report it by forwarding the email to [email protected] .

Try to avoid a phishing attack by following these rules

If you receive a suspicious email make sure you: 

DO NOT CLICK on any link or attachment contained in the email.

DO NOT REPLY to the email.

Report the email by forwarding it to [email protected] if it is Enterprise Systems Australia-branded.

Delete the email.

Update your anti-malware (anti-virus, anti-spyware) and run a full scan on your computer.

Security Noticeboard

Enterprise Systems Australia's Security Noticeboard is where you'll find updates on known phishing and other scams targeting our community, as well as any recommendations on how to protect yourself from them. We'll also post other security related news from Enterprise Systems Australia on the Noticeboard. If you have questions about security matters, or notice any unusual activity or emails related to Enterprise Systems Australia, please contact our Support team.


Security Checklist

1 Business controls

Control Description
1.1 Vulnerability reports

  1. Publish the point of contact for security reports on your website
  2. Respond to security reports within a reasonable time frame
1.2 Customer testing
  1. On request, enable your customers or their delegates to test the security of your application
  2. Test on a non-production environment if it closely resembles the production environment in functionality
  3. Ensure non-production environments do not contain production data
1.3 Self-assessmentPerform annual (at a minimum) security self-assessments using this document
1.4 External testingContract a security vendor to perform annual, comprehensive penetration tests on your systems
1.5 TrainingImplement role-specific security training for your personnel that is relevant to their business function
1.6 Compliance
  1. Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18
  2. Comply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses
1.7 Incident handling
  1. Notify your customers about a breach without undue delay, no later than 72 hours upon discovery
  2. Include the following information in the notification:
  3. Relevant point of contact
  4. Preliminary technical analysis of the breach
  5. Remediation plan with reasonable timelines
1.8 Data sanitizationEnsure media sanitization processes based on NIST SP 800-88 or equivalent are implemented
2 Application design controls

Control Description
2.1 Single Sign-OnImplement single sign-on using modern and industry standard protocols
2.2 HTTPS-only

  1. Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443)
This does not apply to secure protocols designed to run on top of unencrypted connections, such as OCSP
  1. Produce a clear scan using a widely adopted TLS scanning tool
  2. Include the Strict-Transport-Security header on all pages with the includeSubdomains directive
2.3 Content Security PolicySet a minimally permissive Content Security Policy
2.4 Password policyIf password authentication is used in addition to single sign-on:
  1. Do not limit the permitted characters that can be used
  2. Do not limit the length of the password to anything below 64 characters
  3. Do not use secret questions as a sole password reset requirement
  4. Require email verification of a password change request
  5. Require the current password in addition to the new password during password change
  6. Verify newly created passwords against common passwords lists or leaked passwords databases
  7. Check existing user passwords for compromise regularly
  8. Store passwords in a hashed and salted format using a memory-hard or CPU-hard one-way hash function
  9. Enforce appropriate account lockout and brute-force protection on account access
2.5 Security librariesUse frameworks, template languages, or libraries that systemically address implementation weaknesses by escaping the outputs and sanitizing the inputs.
Example: ORM for database access, UI framework for rendering DOM
2.6 PatchingApply security patches with a severity score of "medium" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release
2.7 LoggingKeep logs of:
  1. Users logging in and out
  2. Read, write, delete operations on application and system users and objects
  3. Security settings changes (including disabling logging)
  4. Application owner access to customer data (access transparency)
Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads.
2.8 Backup and Disaster recovery
  1. Securely back up all data to a different location than where the application is running
  2. Maintain and periodically test disaster recovery plans
  3. Periodically test backup restoration
2.9 EncryptionUse available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups
3 Application implementation controls

Control Description
3.1 List of dataMaintain a list of sensitive data types that the application is expected to process
3.2 Data flow diagramMaintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored
3.3 Vulnerability preventionTrain your developers and implement development guidelines to prevent at least the following vulnerabilities:
  1. Authorization bypass. Example: Accessing other customers' data or admin features from a regular account
  2. Insecure session ID. Examples: Guessable token; a token stored in an insecure location (e.g. cookie without secure and httpOnly flags set)
  3. Injections. Examples: SQL injection, NoSQL injection, XXE, OS command injection
  4. Cross-site scripting. Examples: Calling insecure JavaScript functions, performing insecure DOM manipulations, echoing back user input into HTML without escaping
  5. Cross-site request forgery. Example: Accepting requests with an Origin header from a different domain
  6. Use of vulnerable libraries. Example: Using server-side frameworks or JavaScript libraries with known vulnerabilities
3.4 Time to fix vulnerabilitiesProduce and deploy patches to address application vulnerabilities that materially impact security within 90 days of discovery.
4 Operational controls

Control Description
4.1 Physical accessValidate the physical security of relevant facilities by ensuring the following controls are in place:
  1. Layered perimeter controls and interior barriers
  2. Managed access to keys
  3. Entry and exit logs
  4. Appropriate response plan for intruder alerts
4.2 Logical access
  1. Limit sensitive data access exclusively to users with a legitimate need. The data owner must authorize such access
  2. Deactivate redundant accounts and expired access grants in a timely manner
  3. Perform regular reviews of access to validate need to know
4.3 Subprocessors
  1. Publish a list of third-party companies with access to customer data on your website
  2. Assess third-party companies annually against this baseline