Compliance & Security FAQ
What do we do to ensure that we deliver a secure application through its lifecycle?
We run static code analysis and automated scanning for the OWASP Top 10 vulnerability classes on every deployment. We do not follow a formal security framework, but we use the Higher Education Cloud Vendor Assessment Toolkit (HECVAT) to confirm that we meet best practices as a vendor in the higher education space.
What controls do we use to ensure that your data is protected from internal and external threats?
We use multiple safeguards to prevent the institution's data from being compromised. They fall into the following categories:
Access, Authorization, and Accounting (AAA)
uConnect prefers SSO and supports SAML 2.0 or CAS. We ask that first name, last name, ePPN (eduPersonPrincipalName), and mail be released as attributes so that profiles are linked correctly. If the institution does not support SSO, we can create static profiles for staff and end users instead.
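The following is an added example, not uConnect's code, showing the check a service provider performs on the attribute release described above: it reads the four required attributes out of a SAML 2.0 assertion, refuses to link a profile when any are missing or the ePPN is unscoped, and keys the profile on ePPN rather than on mail. It assumes the SAML library has already verified the assertion's signature, audience, and validity window; the in-memory `directory` dict and the `build_assertion` test-input builder are hypothetical, and the attribute OIDs are the standard LDAP/eduPerson ones.

```python
"""Attribute-release check for SSO profile linking (added example, not uConnect's code)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard LDAP/eduPerson attribute OIDs mapped to the names used in the FAQ.
# ePPN is the stable, institution-scoped key; givenName, sn and mail are display data.
REQUIRED_ATTRIBUTES = {
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}


class MissingAttribute(Exception):
    """Raised when the IdP did not release an attribute the profile link needs."""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {friendly_name: first_value} for the attributes we recognise.

    Assumption: the caller's SAML library has already verified the XML signature,
    audience and NotOnOrAfter conditions. This function only reads attributes.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        key = REQUIRED_ATTRIBUTES.get(attr.get("Name", ""))
        if key is None:
            # Fall back to FriendlyName for IdPs that release by friendly name only.
            key = attr.get("FriendlyName")
            if key not in REQUIRED_ATTRIBUTES.values():
                continue
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        if values:
            found[key] = values[0]
    return found


def link_profile(assertion_xml: str, directory: dict) -> dict:
    """Create or update the profile keyed by ePPN; refuse if any attribute is missing."""
    attrs = extract_attributes(assertion_xml)
    missing = sorted(set(REQUIRED_ATTRIBUTES.values()) - set(attrs))
    if missing:
        raise MissingAttribute(f"IdP did not release: {', '.join(missing)}")
    eppn = attrs["eduPersonPrincipalName"]
    # ePPN must be scoped (user@institution) so users of two institutions cannot collide.
    if "@" not in eppn:
        raise MissingAttribute(f"unscoped ePPN rejected: {eppn!r}")
    profile = directory.setdefault(eppn, {"eppn": eppn})  # hypothetical in-memory store
    # Never re-key on mail: it changes when a user's name changes, ePPN does not.
    profile.update(first_name=attrs["givenName"], last_name=attrs["sn"], mail=attrs["mail"])
    return profile


def build_assertion(attrs: dict) -> str:
    """Build a constructed, unsigned assertion for offline testing (not a real IdP response)."""
    by_name = {v: k for k, v in REQUIRED_ATTRIBUTES.items()}
    body = "".join(
        f'<saml:Attribute Name="{by_name[k]}" FriendlyName="{k}">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for k, v in attrs.items()
    )
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" Version="2.0" ID="_constructed">'
            f"<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    directory = {}
    full = build_assertion({"givenName": "Ada", "sn": "Lovelace",
                            "eduPersonPrincipalName": "alovelace@example.edu",
                            "mail": "ada.lovelace@example.edu"})
    print(link_profile(full, directory))
    try:
        link_profile(build_assertion({"givenName": "Ada", "sn": "Lovelace",
                                      "eduPersonPrincipalName": "alovelace@example.edu"}),
                     directory)
    except MissingAttribute as exc:
        print("rejected:", exc)
```

Running the block links one profile from a complete assertion and rejects a second assertion that omits mail. The point of failing closed on a missing attribute is that a partially released assertion would otherwise create a profile that can never be matched back to the institution's directory.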
uConnect staff access requires two-factor authentication and is limited to the least privilege each staff member needs to perform their role. All access to institution data is logged; the logs are analysed continuously by AWS GuardDuty, and any anomalies are reported to uConnect staff in real time.
Software Development Lifecycle (SDLC)
uConnect uses a continuous delivery release cycle for minor releases and scheduled maintenance windows for large releases and infrastructure changes. Every release goes through static code analysis and automated scanning to catch security issues and code regressions. All major releases and infrastructure changes go through formal change management, with notification of all impacted stakeholders.
Network and Perimeter Security (NETSEC)
uConnect places a web application firewall (WAF) and an intrusion detection and prevention system (IDS/IPS) at the perimeter for all inbound traffic, and runs a separate IDS/IPS with automated review of all traffic on the internal network.
All institution traffic crossing the public internet to our platform is encrypted with TLS using AES-256 cipher suites, and institution data traffic is segregated from uConnect's internal and management traffic.
Staff Awareness and Training
All staff with access to institution data have passed a background check and complete annual security awareness training. All development and systems staff additionally complete annual training on the OWASP Top 10 vulnerability classes and SDLC best practices.
How do we minimize data exposure?
We store only the information required to meet our obligations to the institution: the data outlined in our agreement, plus the analytics and logging data needed for platform usage and security monitoring. Institution data is stored and processed only in the United States, and staff and subcontractors are not permitted to store or access institution data from outside the United States.
How do we respond to legal orders or demands for data?
uConnect will forward the request to, and redirect the requesting party to, the institution's legal contact if one is available, or otherwise to the institution's primary contact. If the request cannot be redirected, we will make reasonable efforts to notify the institution of the disclosure, including a copy of the request, before fulfilling it.
How do we respond to unauthorized access to data or institution’s resources?
uConnect will notify the institution within 24 hours of identifying a security incident and provide a high-level assessment of its impact. uConnect will then take steps to contain the incident and mitigate the damage as far as possible, and will follow up with a detailed report covering the root cause and the steps uConnect will take to prevent a recurrence.
When using sub-contractors, how do we ensure the institution’s data is safe?
We use AWS for hosting and storage of institution data. We can provide AWS's SOC 2 report under NDA, or you can view AWS's public SOC 3 report at https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf. For all other providers we require that they sign individual NDAs, submit proof of security awareness training for all of their employees, and meet our insurance and background check requirements.
What would we do in the event that our ability to deliver the institution's service was impacted?
We have a disaster recovery plan that provides automatic failover to another availability zone and, in the case of a catastrophic failure, manual restoration in another region from off-site backups. Media and static files are backed up daily with thirty-day retention; institution data is backed up every four hours with three-day retention and daily with thirty-day retention. We test backup restores monthly, and we test availability zone failover after major changes or annually, whichever comes first.