More than Just Words
Our clients entrust EPSS with the security of their information and we make it a priority to guard this trust and to take our client’s security and privacy concerns seriously. We strive to ensure that data entrusted to us is handled securely. This Security Overview is aimed at being transparent about our security infrastructure and practices, to help reassure our clients that their data is appropriately protected. For a more detailed report on our security structure, prospective clients may request a copy of our EDUCAUSE Higher Education Cloud Vendor Assessment Tool. This tool has been adopted by many universities in the United States as a common platform to assess the security structure of cloud vendors.
- Authentication: User data in our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. EPSS issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the username, id, or password of the user.
- Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed before being stored.
- Privileged Users: All privileged user accounts require the utilization of two factor authentication, regular password modification, and have significant complexity requirements.
- Data Residency: All EPSS user data (production, development, and backup) is stored on servers located in the United States.
All EPSS information systems and infrastructure are hosted in world-class data centers. These data centers include all the necessary physical security controls you would expect in a data center these days (e.g., 24×7 monitoring, cameras, visitor logs, entry requirements). In addition, these data centers are SSAE 16 Type 2 certified.
- Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
- Power: Servers have redundant internal and external power supplies. Data centers have backup power supplies, and are able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.
- Uptime: Continuous uptime monitoring, with immediate escalation to staff for any downtime.
- Backup Frequency: Database backups occur twice per day and full site backups occur once per day at a geographically disparate site located in the United States.
- Firewalls: Utilizing both a hardware and software firewall all incoming and outgoing traffic is continuously monitored for unusual traffic. The integrated system blocks access to our systems as appropriate.
- Access Control: Secure VPN, 2FA (two-factor authentication), and role-based access is enforced for systems management by authorized engineering staff.
- Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
- Encryption in Transit: All communications to and from our data center is conducted via encrypted traffic utilizing Transport Layer Security (TLS). This ensures that user data in transit is safe, secure, and available only to intended recipients. Our application endpoints are TLS only and score an “A” rating on SSL Labs‘ tests. We also employ Forward Secrecy and only support strong ciphers for added privacy and security.
- Patching: Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. All patches are applied in a timely manner, Typically within 48 hours of being released.
- Third Party Scans: Our environments are continuously scanned using best of breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.
- Penetration Testing: External organizations perform penetration tests on a regular basis.
Organizational & Administrative Security
- Information Security Policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.
- Employee Screening: We perform background screening on all employees, to the extent possible within local laws.
- Training: We provide annual security and technology use training for employees.
- Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality and security obligations if they deal with any user data.
- Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
- Audit Logging: We maintain and monitor audit logs on our services and systems.
Software Development Practices
- Stack: We code in PHP and Perl and run on SQL Server, Windows, and Centos.
- Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines which align with the OWASP Top 10.
Compliance and Certifications
Handling of Security Breaches
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if EPSS learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Notification procedures include providing email notices or posting a notice on our website if a breach occurs. Notification are made in the most expedient time possible. EPSS notifies impacted clients within 72 hours of determining that a breach has occurred and notifies impacted individuals within 30 days.
This Security Overview was last updated on: Tuesday, July 3, 2018. Should we update, amend or make any changes to this Security Overview, those changes will be posted here.