Policies and Procedures

Introduction

GradesFirst delivers a secure application environment in which our users can safely record sensitive student information. We understand how important data security, confidentiality, and compliance are. This documentation describes relevant application capabilities along with our infrastructure, processes, and procedures.

Confidentiality

GradesFirst understands the sensitive nature of all client data. All employees at GradesFirst are required to sign a nondisclosure agreement (NDA).

GradesFirst will never share or sell any information from our customers. Any request to disclose data that is not specifically authorized by our clients must be approved in writing (either by letter or email) by said clients before the request will be accommodated, unless the disclosure is required by law.

In the case of legal action, we will submit to the necessary rules and regulations of the local, state, or federal entity as required by law and will coordinate all of our actions (as much as is feasibly possible) with the institution or university in question.

FERPA

GradesFirst is FERPA compliant, providing the granular permissions necessary to ensure that only educational representatives who have a legitimate need and right to see a student's information can access that information.

All GradesFirst employees are required to read, acknowledge, and comply with the Family Educational Rights and Privacy Act (FERPA). GradesFirst has on record a signed copy for each employee stating they will abide by FERPA.

GradesFirst does not request or store any medical or financial information. Therefore, neither HIPAA nor the Gramm-Leach-Bliley Act (GLBA) applies to our application.

Updates and Releases

Platform updates and releases will only be performed in response to critical workflow disruptions.

Supported Browsers

Since GradesFirst is Internet software, it is accessed through a web browser. We provide full support for these browsers:

  • Chrome latest version

  • Firefox latest version

  • Internet Explorer 11+

  • Safari 11+

Application Security

Web Security

Within the GradesFirst application, all data is transferred between the user and the application using a secure Camellia 256-bit Secure Sockets Layer (SSL) connection over HTTPS. 

Passwords

  • GradesFirst passwords must be at least 6 characters and no more than 40 characters in length. Your GradesFirst Administrator may set a minimum password length as well.

  • The GradesFirst Administrator can also determine when and if user passwords will expire. Options for this setting include: Never, 45 days, 90 days, 180 days, or 365 days.

  • When a user account is first created, the user is assigned a default password that consists of eight random characters and symbols.

  • Password values are not actually stored in the database; an irreversible, one-way SHA-1 hash is stored in their place.

  • For security, all passwords are filtered out of log files and only show up as [FILTERED].

Encryption

User IDs, including Primary ID and Alternate ID, are encrypted in the GradesFirst database using 256-bit encryption. 

Application Roles and Permissions

Through the User Roles administration screen in GradesFirst, clients can create their own custom roles and assign specific permissions to those roles at a granular level. Clients can then assign those roles to users either through data imports or by editing users in the GradesFirst user interface. Users can be assigned to multiple roles. Specific users can also be assigned specific permissions. 

Import Security

Import data is transferred via HTTPS or SFTP to provide security in transit. Schools can choose to encrypt their import files using GPG before transmission to provide additional in-transit security. Details of how to encrypt import files can be found in the GradesFirst Data Integration Guide.


All imported data files are encrypted immediately after they are received to provide security at rest. The encrypted files are kept in a secure location for 5 days in case they are needed for customer support. After 5 days, the files are automatically deleted.


Data Retention

GradesFirst allows clients to determine and manage their own data retention policy. Clients have complete control over their data. The application includes a user interface and data import mechanisms that allow clients to alter and remove information. When information is deleted from the GradesFirst application, it is completely removed from our databases.

Disaster Recovery

The GradesFirst application and client data are hosted on Amazon’s EC2/EBS platform. AWS ensures business continuity by having multiple data centers across multiple geographic regions to help ensure maximum protection through redundancy. This is the same type of state-of-the-art redundancy used by Fortune 500 companies across the globe.

GradesFirst creates backups of all production data every 24 hours on Amazon EC2. All database backups are encrypted and stored on a secured server that is only accessible by GradesFirst dedicated servers. We retain 30 database backups, which amounts to 30 days of history. We also create snapshots of our application servers every 24 hours. In the unlikely event of a need to perform a disaster recovery, we would work with our hosting provider (Engine Yard) and our infrastructure provider (Amazon) to provision new EC2 server instances from our snapshots. We would then restore our drive backups. We generally test our data backups once per quarter.


Infrastructure Security

Network/Internet Access to GradesFirst Servers Hosted by AWS

GradesFirst has built its entire infrastructure on top of Amazon EC2/EBS, which allows for system stability, security, and data redundancy. We do not rely on individual servers or locations to host our data or services.

All servers run firewalls that allow only authorized traffic. Application servers only allow access from the Internet via dedicated SSH, HTTP, and HTTPS ports.

The GradesFirst staging, demo, training, and production servers are protected by firewalls and intrusion detection systems. The AWS network provides significant protection against traditional network security issues, for example Distributed Denial of Service (DDoS) attacks, Man in the Middle (MITM) attacks, and port scanning.

Access to servers is managed and controlled via SSH keys and RSA authentication. All servers have root access turned off from SSH and use a non-standard login. Server access lists are reviewed monthly. We restrict access to production-level data to select developers at GradesFirst. Background checks are performed on employees that have root access to client data.

Physical Security of the GradesFirst Data Center Hosted by AWS

All GradesFirst servers are hosted with Amazon’s EC2/EBS platform. This is the same platform Amazon.com uses. As part of its commitment to creating a world-class cloud computing environment, AWS has sought and successfully completed the SAS70 Type II Audit of their operational procedures and security. The data center is Tier 4, Class A, SAS70 Type II and Safe Harbor compliant. Physical access is strictly controlled 24/7 both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Furthermore, all physical access to data centers by Amazon employees is logged and audited routinely.

AWS Employee Access

Data center access and information are granted to employees and contractors who have a legitimate business need for such privileges. All staff with potential access to customer data are required to undergo an extensive background check (as permitted by law) commensurate with their position and level of access to data. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Operating System and Component Updates

GradesFirst uses professional services from Engine Yard to ensure our servers and software have the latest and most critical patches available. This helps protect GradesFirst and our clients’ data from even the most recent threats. Servers are also performance optimized for stability and efficient handling of the GradesFirst application and data.


Hardware Decommissioning 

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that ensures customer data are not exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.

GradesFirst Security Reviews

GradesFirst developers meet regularly to evaluate the current status of tech trends, security developments, performance issues, and scaling needs as they relate to our technology. When issues of concern arise, we conference with Engine Yard to address those issues and implement the most appropriate course of action to ensure adequate performance and protection of the GradesFirst system and our clients’ data.

Application Monitoring and Logging

Monitoring

GradesFirst employs a monitoring application (Nagios) that alerts our team if the GradesFirst servers become unavailable. Also, with our managed hosting, if we were to have reliability issues with any of our services (application, database, logging, etc.), we would be alerted via Engine Yard and AWS.

Logging

We maintain "Created At", "Updated At", "Created By", and "Updated By" audit attributes on records in our databases. This gives us the ability to identify who was the last person to make a change to a particular item and when that change was made.

For auditing and troubleshooting purposes, we also log each individual change that is made to an item in our database. The change log captures exactly what item changed and when, the fields that changed, and the old and new values for each field.

We also log:

  • All web requests received by the GradesFirst application

  • All successful and unsuccessful login attempts

  • All emails and text messages sent

    These logs are retained for 30 days. 


Data Breach Policies and Procedures

GradesFirst has taken significant measures to provide a safe and secure application and infrastructure. As with any application that holds sensitive information, there is always a possibility of a data breach. In the unlikely event a breach occurs, we will follow these steps:

  1. Identify breach

  2. Notify client(s) within one business day of identified breach

    1. Inform the client to the best of our ability of how the incident occurred

    2. Disclose what data was lost/stolen to the best of our ability

    3. Explain how this breach has affected them

  3. Provide client(s) with a verbal and/or written plan of action within three days

  4. As soon as reasonably possible, implement that plan of action and take steps to ensure said breach does not recur

  5. Lastly, determine whether or not a law enforcement agency should be contacted based on the location and details of the incident

Discontinuing Use of GradesFirst

In the event a client decides to discontinue their use of GradesFirst, data can be extracted directly from the site using the Reports feature. The top reports we suggest to retrieve your data are:

  • Advisor & Tutor Summaries Detail Report – includes all summary reports submitted
  • Tutor Appointment Details Report – includes all data for tutor appointments
  • Advisor Appointment Details Report – includes all data for advising appointments
  • Check in Report – includes anything that is not an appointment, general check ins
  • Student Progress Reports – includes a summary report of submitted progress reports
  • All Recorded Attendances – includes a list of all attendances taken
  • Alerts – includes all alerts filed for students
  • Cases – includes all cases created for alerts filed for students
  • Study Hall History Log Report – includes the history of study hall logs
  • If you actively use other site functionality, please export the corresponding report

Instructions:

  • Depending on your length of system use, separating the export by term or calendar year will make the export more manageable
  • EAB requests you extract these data exports after regular business hours
  • Show/hide additional columns of information in report results by either hovering over a column header of the report or selecting Show/Hide Columns from the “Actions” drop down menu.


In addition to these reports, APIs are available with directions listed here: https://gradesfirst.atlassian.net/wiki/spaces/GFDOC/pages/6914074/API. Please note that there may be differences in the export results between the platform reports and the APIs due to student enrollments and active status within a term.

The client is responsible for extracting this data prior to their contract end date. EAB will then remove all data associated with the client from our system.

Appendix

1. FERPA – Family Educational Rights and Privacy Act.

The regulations provide that educational agencies and institutions that receive funding under a program administered by the U. S. Department of Education must provide students with access to their education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records. With several exceptions, schools must have a student's consent prior to the disclosure of education records.

2. SAS70 Type II

A Statement on Auditing Standards No. 70 (SAS70) Type II audit is an unbiased opinion from independent auditors certifying that a service organization has had an in-depth audit of its controls (including control objectives and control activities), which in the case of AWS relates to operational performance and security to safeguard customer data.

3. Title II of HIPAA

Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. This is intended to help people keep their information private, though in practice it is normal for providers and health insurance plans to require the waiver of HIPAA rights as a condition of service.

4. GLBA – Gramm-Leach-Bliley Act

The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act.

5. Amazon Web Services Security Center

Additional information about AWS certifications, accreditations, security, and background information on their services may be found at http://aws.amazon.com/security/#5. From this site you may obtain an official copy of the Amazon Web Services Overview of Security Processes whitepaper as a PDF file.
