Information Security Overview
Meteor Learning’s information security safeguards are consistent with Federal and State Laws and industry best practices to protect the confidentiality, integrity and availability of Institution and student information. Meteor Learning uses a multi-pronged strategy to ensure the privacy and security of institutions, partners and students’ data. This is achieved by building our Information Security program and associated policies on the National Institute of Standards and Technology’s security standards for non-federal organizations (NIST 800-171), as well as layering on additional defenses and protocols that leverage industry leading network, communication and hardware security principles. Meteor Learning’s data security policy strictly adheres to the guidelines and recommendations prescribed by FERPA (Family Educational Rights And Privacy Act).
Meteor Learning’s core security policy includes the following:
Dedicated Information Security Team
Meteor Learning has a dedicated and experienced Information Security Team who is responsible for establishing and overseeing all aspects of internal and external information and data security policies and procedures including client institutions, employer partners and students.
Personnel Security and Access Control
Meteor Learning employees are required to agree and uphold Meteor Learning’s Information Security Policy upon joining. Meteor Learning employs role-based access controls on systems with client information that are consistent with job duties and contractual requirements. Access to client information is limited to authorized company employees on a “need to know” basis. Authorized employees must use individual account and multi-factor authentication credentials (if required) to gain access to client information. All Meteor employees are required to be certified with FERPA training.
As educational institutions face increasing threats around student data privacy, Meteor Learning continues to adapt its security standards to address new security threats and vulnerabilities. Meteor Learning is committed to upholding the highest data privacy and information security standards. These measures are detailed in the subsequent sections of this document. Meteor Learning does not sell, or otherwise use student data other than for contractual and R&D purposes, and will never allow third party access to student data that identifies associated individuals in any way without explicit permission to do so. Meteor Learning complies with National Institute of Standards and Technology’s (NIST) security standards specifications for non-federal organizations (NIST 800-171). To learn more about NIST 800-171, please refer to https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/draft/documents/sp800-171r2-draft-ipd.pdf.
Meteor Learning provides multiple levels of data security measures as follows:
1. All data at-rest is stored in a physically secured location provided by Amazon’s cloud infrastructure and Google Enterprise secure data storage.
2. For data stored in application databases, Meteor Learning provides two levels of protection: Virtual Private Clouds and logical separation of each client into distinct database partition using multi-tenancy architecture.
3. Access to client data is logged, restricted, and controlled by authorized Meteor Learning personnel on an as-needed basis.
4. All student data are encrypted such that it cannot be associated with a specific student or an institution.
5. All data at-rest are encrypted with AES-256 encryption algorithm.
Information Classification and Handling
Meteor Learning classifies and handles information assets according to specified handling procedures, as specified in Meteor Learning’s Master Service Agreement. All student data is classified into categories specified by the FERPA guidelines: Personally Identifiable Information (PII), such as social security number, student ID, etc.; and Directory Information (DI), such as name, email address, etc. Meteor Learning does not collect or process any personally Identifiable Information (PII) of students.
Secure Data Transfer
Meteor Learning requires all transmission of data to/from Meteor Learning to use secure file transfer protocol (SFTP) or secure web services. Data transmitted via SFTP (usernames, passwords, other PII) is authenticated and encrypted during transmission using RSA 2048 bit encryption guaranteeing the highest levels of security. All in-transit data over the Internet is transmitted securely using Secure HTTP protocol.
Meteor Learning follows rigorous coding practices including static code analysis to address security vulnerabilities (e.g. SQL Injection) during the development and testing phases. Furthermore, each new product release is tested for security vulnerabilities using Amazon’s security assessment service (Amazon Inspector).
Meteor Learning’s software platform is hosted in a secure Virtual Private Network (VPC) within Amazon Web Services’ (AWS) platform infrastructure. The applications themselves are isolated into its own private network with the most restrictive access policies. Users are never allowed direct access to the application serves OR the database. All access to application and data is facilitated by secure RESTful web services. Users can access the application server or database only through the web-tier after completing multi-factor authentication checks.
Meteor Learning uses a hardened version of Amazon Linux that is configured according to the security guidelines from the National Security Agency (NSA). Every tier of the architecture (web, application, database) is deployed using the most restrictive user access using strong authentication and authorization scheme. Meteor Learning uses Amazon Trusted Advisor that interactively monitors and detects port-level and other security vulnerabilities.
Meteor Learning uses Amazon’s secure Virtual Private Cloud (VPC) for hosting its infrastructure. We leverage AWS with the most restrictive set of access controls. Amazon Web Services Firewalls are enforced with the most restrictive ingress rules to protect the systems that will house client data. Wireless access points are continuously scanned for rogue access points and maintain a list which is periodically reviewed for classification. Systems are setup to email alerts for the following categories – Rogue AP/Device/DHCP server detected, SSID/MAC-spoofing AP detected, LAN Rogue AP detected. Our system use the WPA-2 authentication standard.
Full backups of client data are performed daily, and are secured and protected. All sensitive data are encrypted with AES-256 encryption algorithm at rest in backups. Meteor Learning’s production data center, development and validation environments are all hosted through Amazon (AWS) infrastructure which has the following certifications – SOC 1, PCI DSS L1, FISMA Moderate, ISO 27001, FIPS 140-2 800-171. This infrastructure is managed according to the best security practices as well as a variety of security compliance standards (additional details available at http://aws.amazon.com/security/).
Meteor Learning pro-actively monitors its infrastructure against rouge and/or unauthorized access or security breaches by deploying best of the breed auditing and log file analysis and management tools. We have instrumented our applications at all tiers with detailed logging and auditing capabilities. The log files are constantly monitored for usage patterns and incidences such as denial of service attacks, suspicious IP addresses, unauthorized data access, etc. Upon identifying an incident, the system sends out email alerts to the Meteor Learning Information Security Committee.
In the event of a potential security breach, the Meteor Learning information security team will perform a risk-based assessment of the situation and develop appropriate mitigating strategies. Once a potential breach has been appropriately vetted, confirmed and tracked, the appropriate Meteor Learning project managers will be notified and would seek to contact the client’s primary point of contact to brief him or her on the situation and provide resolution status updates.
Meteor Learning has a Disaster Recovery and Business Continuity Plan, which includes roles and responsibilities, escalation and notification procedures to management, elements of action, feedback and postmortem analysis.
Meteor Learning’s Disaster Recovery and Business Continuity objective is to, under the worst-case scenario, be able to restore its service to full functionality within one business day and lose no more than one day’s data. In order to ensure this level of preparedness, the company takes the following actions:
- Database backups are performed daily and data is stored on a remote DR location.
- Automated scripts are maintained so that a complete infrastructure can be provisioned within hours of a loss of the primary infrastructure.
With all Meteor Learning infrastructure hosted on AWS Cloud infrastructure and a geographically distinct backup site for our production systems, coupled with hosting centers in distinct geographical locations, Meteor Learning expects to remain functional in case of disasters that are not global in nature.
Meteor Learning provides the capability to permanently destroy any Client Confidential Information and Client Data from Meteor Learning’s system as per the contractual agreement. Client information is destroyed such that it cannot be recovered or reproduced.