
Information Security Management System

Reckon Limited maintains an Information Security Management System (ISMS) that complies with, and has been independently certified against, the requirements of the ISO/IEC 27001:2013 standard. The ISMS is applied broadly throughout Reckon under the following scope statement: “The systems and services in place to protect the information of the Reckon Business Group, and its customers”. This includes all products sold under the Reckon brand.

The ISMS consists of a set of formal policies and procedures that are approved and reviewed at least annually. These policies and procedures include:

  • Acceptable Use Policy 
  • Business Continuity and Disaster Recovery Plan 
  • BYOD Policy 
  • Change Management Policy 
  • Data Breach Response Plan 
  • Disciplinary Policy 
  • Employment Screening Policy 
  • Information Security Policy 
  • Objectives and Responsibilities 
  • Awareness & Training 
  • Mobile and Teleworking Policy 
  • Security Event and Incident Management Policy and Procedures 
  • Password Policy 
  • Clear Screen and Desk Policy 
  • Access Control Policy 
  • Physical Security and Working in Secure Areas Policy 
  • Disposal and Destruction Policy 
  • Backup Policy 
  • Information Classification Policy 
  • Policy on the use of Cryptographic controls 
  • Remote Access Policy 
  • Risk Management Framework 
  • Secure Development Policy 
  • Supplier Security Policy 

All policies are reviewed at least annually. 

PCI Compliance 

Reckon is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 and maintains an Attestation of Compliance under Self-Assessment Questionnaire A (SAQ A – All Cardholder Data Functions Fully Outsourced).

Privacy Policy 

Reckon products and services are covered by the Reckon privacy policies found on the Reckon website. We have specific privacy policies for the different countries we operate in.

Confidentiality

All Reckon employees and suppliers are retained under contracts that have confidentiality agreements. 

Background Checks 

All new Reckon employees and contractors complete employment verification and criminal record checks. 

Training 

All Reckon staff complete security awareness training annually. This training includes the following topics: 

  • Security foundations 
  • Cyber-attack evolution 
  • Social engineering 
  • Online and remote threats
  • Phishing
  • Internal threats

Suppliers

A formal Supplier Security Policy is in place. Supplier reviews are conducted annually to ensure compliance. All Suppliers are reviewed and risk assessed according to this policy. 

Risk assessments consider the nature and sensitivity of the data the supplier has access to, and appropriate security controls are then enforced. The following controls are assessed where relevant: 

  • Compliance certifications (e.g. ISO/IEC 27001:2013) 
  • Data Hosting Location 
  • Employee Screening 
  • Employee Security Awareness Training 
  • Confidentiality 
  • Data Ownership
  • SLA
  • Privacy Policy
  • Data breach reporting
  • Authentication
  • Encryption
  • External reviews & penetration testing

API Partners

Where a partner wishes to access Reckon data via API, they must pass a supplier risk assessment, and additional security checks are enforced in line with the ABSIA Security Standard for Add-On Marketplaces (https://www.absia.asn.au/industry-standards/addon-security-standard/about-standards/). This has been enforced for all API partners.

Data Hosting 

Reckon software products primarily store data in Amazon Web Services (AWS) in the Sydney (Australia) region. AWS Sydney maintains an array of current certifications including ISO/IEC 27001:2013 that require strict industry-standard security mechanisms. 

Reckon does not outsource the management of its environments in AWS data centers; however, we do hold support contracts and may from time to time receive support assistance from AWS in managing those environments. Reckon staff do not have physical access to these data centers. 

Reckon uses a wide array of additional vendors and software to provide services to you and to run our business. Please visit our Data subprocessors page for a complete list of vendors we use including the location the data is stored. 

Internal Data Access Controls 

Reckon has formal access control and data classification policies, procedures and approvals. Administrative access to production systems is granted only to a small number of staff who have a specific need for it, and only to facilitate deployments, upgrades and emergency troubleshooting. 

Multi-factor authentication is enforced for all internal access to the administration of AWS Environments. 

Customer Data Handling Procedures

From time to time, we may request a copy of your data to diagnose issues. Strict procedures are in place to ensure: 

  • Your data is only ever stored in classified internal systems with restricted access control and multi-factor authentication. 
  • Your data is only ever used for the purpose it is requested.
  • Your data is deleted once the purpose has been completed. 

Spot checks are conducted regularly to ensure these procedures are followed. 

Data in Test Environments

Production data is not used in test environments; however, our policies allow for it provided all personally identifiable information is removed or de-identified. 

Incident Management

Reckon has a documented security incident management and response procedure that covers all incidents affecting the confidentiality, integrity or availability of information. The procedure covers identifying, containing, resolving, communicating and documenting security incidents. Root cause analysis is conducted for every security incident, and improvement recommendations are documented and implemented. 

Data Breach Response

Reckon has a Data Breach Response Plan that meets the requirements of the OAIC Notifiable Data Breaches Scheme. This is reviewed at least annually. 

Business Continuity and Disaster Recovery

Reckon maintains a Business Continuity Plan and a Disaster Recovery Plan, both of which are tested annually. 

Reckon production systems hosted in AWS are architected for high availability and durability. Components are redundant across three geographically separated data centers (AWS Availability Zones) within the same AWS Region (Sydney). Systems are designed to withstand the failure of an entire data center, and servers scale up and down daily as load patterns change. 

Backups

All systems are architected to ensure the durability of data and to allow data to be recovered in the event of an overall system failure (i.e. disaster recovery). These backups are not designed to allow the restoration of specific customer datasets. 

Reckon production systems hosted in AWS are architected so that persistent data is simultaneously replicated across three geographically separated data centers (AWS Availability Zones) within the same AWS Region (Sydney). 

Where this architecture is either not possible or not in place, specific backups are taken for disaster recovery purposes. These are taken at least daily (usually more frequently) and are retained for at least three days. Backups of encrypted data remain encrypted. These backups are stored in AWS S3 in the Sydney region and replicated across three Availability Zones. 

Backup restoration tests are performed at least once a year. 

Availability

We have achieved, and will continue to target, uptime of at least 99.9%.

Security Reviews and Penetration Tests

Reckon engages solutions architects from AWS to conduct Well-Architected reviews of our architecture when we build out new platforms. These reviews cover all five pillars, including the Security pillar. The recommendations from these reviews are documented and risk assessed, and improvements are then made to ensure industry security standards are met. 

Reckon engages CyberCX for penetration testing. An annual penetration test cycle is in place. 

Authentication 

Reckon cloud products enforce complex passwords with minimum length requirements. Reckon Accounts Hosted includes the option to enforce multi-factor authentication (MFA), and in other products high-privilege functions such as lodging via GovConnect require a mandatory MFA challenge.

Encryption in Transit 

All data transiting public networks is encrypted using the Transport Layer Security (TLS) protocol.

Encryption at Rest 

All products encrypt customer data at rest using the AES-256 encryption algorithm.


Networking and Firewalls

We keep segregated networks and maintain separate firewalls between each network. Load balancers are separated from front-end systems, which are in turn separated from back-end systems. Procedures, including approvals, are in place for making changes to networks and firewalls. 

Our corporate, development and staging networks are completely separated from production networks. 


Logging and Monitoring

System, access, firewall and API audit logs are kept and retained for at least 12 months. Logs are monitored for availability, anomalies and security risks, and flagged entries raise alerts to team members who maintain an on-call rotation.