Skip to content

Security Best Practices

EGKits SaaS V10 provides enterprise-grade identity, authorization, and audit capabilities — but effective security depends on how each tenant configures policies, roles, and integrations. This guide defines recommended standards for administrators and security officers.

#Security principles

Principle Application in EGKits
Least privilege Grant minimum permissions required for each role
Defense in depth Combine MFA, RBAC, network controls, and audit
Separation of duties Split admin, finance approval, and audit access
Zero trust for APIs Scope keys narrowly; rotate regularly
Auditability Retain audit trail; review privileged actions

#Identity and authentication

#Multi-factor authentication (MFA)

  • Require MFA for all administrative roles without exception.
  • Require MFA for finance roles with posting, approval, or export permissions.
  • Prefer authenticator apps (TOTP) over SMS where possible.
  • Document MFA reset procedure requiring out-of-band identity verification.
  • Review MFA enrollment status monthly from Administration > Users.

#Password and session policy

Configure under Administration > Security Policies:

Setting Recommended value
Minimum password length 12+ characters
Password complexity Upper, lower, number, symbol
Password history Prevent reuse of last 5 passwords
Session idle timeout 30–60 minutes for standard users
Admin session timeout 15–30 minutes
Concurrent sessions Limit for privileged accounts

#Single sign-on (SSO)

  • Use SSO for enterprises with centralized identity (Azure AD, Okta, etc.).
  • Maintain at least one break-glass local admin account stored in a secure vault.
  • Map IdP groups to EGKits roles explicitly — avoid default super-admin mapping.
  • Monitor IdP certificate expiry; renew 30 days before expiration.

#Role-based access control (RBAC)

#Role design standards

  1. Start from seeded roles — customize rather than creating redundant roles.
  2. Name roles by functionFinance Clerk, Sales Manager, not User Type 3.
  3. Avoid permission sprawl — if a role needs >80% of module permissions, split duties.
  4. Document role intent in your internal governance wiki with permission matrix.
  5. Review quarterly — remove unused roles; audit membership.

#Segregation of duties matrix

Function Create Approve Post to GL Export
Requester
Approver
Accountant
Auditor ✓ (read-only)

Configure approval workflows so the same user cannot create and approve the same document class where policy requires separation.

#API keys and integrations

Standard Detail
One key per integration Never share keys across systems
Minimal scopes Request only required module permissions
No keys in source control Use secret managers or environment variables
Rotation schedule Rotate every 90 days or on personnel change
Revoke immediately On compromise suspicion or decommission
Log all API usage Review Audit Trail for anomalous patterns

Disable unused API keys rather than leaving them dormant.

#Data protection and tenant isolation

  • Confirm users access only their tenant URL — train staff to recognize phishing domains.
  • For dedicated-database plans, restrict database credentials to infrastructure team.
  • Export sensitive reports only through authenticated sessions — avoid emailing unencrypted attachments.
  • Apply branch scoping so regional staff cannot view other regions unless required.
  • Use Document Archive retention policies aligned with legal hold requirements.

#Audit and monitoring

  1. Enable Audit Trail review cadence — weekly for admins, monthly for standard tenants.
  2. Alert on: bulk exports, role changes, API key creation, failed login spikes.
  3. Retain audit logs per your compliance framework (SOX, GDPR, local tax law).
  4. Correlate EGKits audit entries with IdP sign-in logs for SSO tenants.
  5. Include security review in onboarding and offboarding checklists.

#Offboarding checklist

Step Owner
Disable user account HR notifies IT
Revoke API keys owned by user Integration admin
Reassign owned records Department manager
Remove from approval chains Finance admin
Confirm MFA devices invalidated Identity admin

#Compliance alignment

EGKits provides controls that support common frameworks — implementation responsibility remains with the customer:

Control area EGKits capability
Access control RBAC, MFA, SSO
Change management Audit trail, approval workflows
Data integrity Validation rules, posting controls
Availability Platform SLA (per contract)
Confidentiality Tenant isolation, encryption in transit

Consult legal and compliance teams for jurisdiction-specific requirements (e-invoice, payroll, PII).

#Incident response

  1. Contain — disable compromised accounts and API keys immediately.
  2. Assess — review Audit Trail for unauthorized transactions or exports.
  3. Notify — follow internal IR plan; contact EGKits support for platform issues.
  4. Remediate — reset credentials, patch integration, tighten policies.
  5. Document — post-incident review with timeline and preventive actions.

Reconnecting to the server…

Please wait, or reload the page.