At MYOB, we protect your data by using industry leading practices and technologies. We ensure the management and monitoring of all our products and related services is ongoing, adapting where necessary to address changes in Information and Cyber Security Risk and Data Protection areas.
Governance
We value security governance, it underpins the establishment of information security policy and standards, the adoption of security risk-based approaches, conformance with internal and external requirements, and fostering a security positive environment and culture.
At MYOB, the Information Security Management System (ISMS) is aligned and certified annually to the ISO 27001 standard.
We have an established information security policy along with relevant security standards outlining our information security objectives and what needs to be done to achieve them. The purpose of our information security policy and standards is to guide the protection of customer and employee information and data.
Leading cloud service providers
MYOB partners with leading cloud service suppliers who provide key infrastructure and hosting services.
Microsoft Azure production platform hosted in Australia. For details about Security, Privacy, Compliance and Audits in Microsoft Azure, refer to Azure Trusted Cloud.
The Amazon Web Services production platform is hosted in Australia. For details about Security, Privacy, Compliance and Audits in Amazon Web Services ANZ, refer to Security and Compliance for Australia and New Zealand.
Building resilience
MYOB has an established Business Resilience framework with implemented processes, procedures and controls to ensure the required level of continuity of information security. MYOB verifies the established and implemented information security controls at regular intervals to ensure they are effective.
Incident management
MYOB has adopted threat modelling to understand and identify threats and ensure controls are put in place to protect customers’ data and minimise the risk of security incidents.
Incident management at MYOB is governed by an established policy and procedures, implemented by a dedicated internal security and incident management team. Any security incidents are handled according to the specified escalation timeframes and the type of incident. MYOB’s incident management procedures align with relevant obligations in the Australian and New Zealand privacy law, including obligations relating to mandatory data breach notifications.
People
MYOB has technology teams located in both Australia and New Zealand. Our cloud storage providers are hosted in Australia by Microsoft Azure and Amazon Web Services.
We have a dedicated internal security team responsible for security monitoring and incident management of MYOB online products and services and ensuring secure application development and testing practices.
MYOB has an established onboarding practice and conducts relevant assessments of employees, contractors and third-party personnel. This may include verification of academic qualifications, verification of professional qualifications, police checks and character references. Upon completion of employment at MYOB, the departure process is triggered to ensure all equipment is returned and system access is terminated.
The use of technology within MYOB is described in the acceptable usage policy governing the use of the corporate network, internet, email and software.
MYOB employees and contractors are required to undertake appropriate compliance training when they join MYOB, followed by ongoing refresher training.
Independent security testing
MYOB engages external security vendors to technically assess our products both during and post-development. Assessments are aligned to the Open Web Application Security Project (OWASP) Application Security Verification Standard, which provides:
application developers and application owners with a yardstick to assess the degree of trust that can be placed in our online products; and
guidance to our product engineers about building security controls to satisfy application security requirements.
Application security
At MYOB, we have a policy that outlines the security requirements for applications developed in-house and by third parties. This policy defines application security testing activities and their role in identifying application vulnerabilities. These requirements also include the adoption of security development processes and practices such as those documented by SAFEcode and Open Web Application Security Project (OWASP).
Formal change control procedures are documented and enforced to ensure the integrity of systems, applications and products, from the early design stages through all subsequent maintenance efforts. Introduction of new systems and major changes to existing systems follow a formal process of documentation, specification, testing, quality control and managed implementation.
Adoption of automated tooling, including security scan tools provided by leading vendors, supports secure development practices. Development, test and operational environments are separated to reduce the risk of unauthorised access or changes to the operational environment. Access to program source code is restricted in line with the relevant policy.
Access control
At MYOB, access control is governed by a policy that sets appropriate user access restriction, management, monitoring and review as well as clear articulation of roles and responsibilities. We provide access to systems and information following the principles of “need to know” and “least privilege” and these form part of our access control policy. Care is taken that no single person can access, modify or use MYOB assets without authorisation or detection based on the principle of separation of duties.
Cryptography
MYOB will ensure proper and effective use of cryptography to protect the confidentiality and integrity of information according to its data classification. Encryption of data in transit and at rest is implemented in accordance with our encryption policy.
Operations
All systems are kept up to date with appropriate patch levels in accordance with the relevant internal policy, which also includes implementation of protective mechanisms against malware in all systems.
MYOB operates services by industry leading vendors to monitor inbound and outbound traffic that could impact services, including enterprise firewalls, proxy services, endpoint protection, cloud security services, denial of service protection solutions and vulnerability management.
We have an established audit and logging practice which is governed by an internal policy that sets out the requirements for the management of logs in technology platforms and security events.