Version 1.06

[…] provides a web application where mentors and students can access content to support their mentorship, and educators can […] and individual-level data about the mentorships in their program.

GNRL-10  Web Link to Product Privacy Notice
         Answer: Please See: Updated Privacy Policy.pdf

Documentation

DOCU-02  Have you completed the Cloud Security Alliance (CSA) self assessment or CAIQ?
         Answer: No

DOCU-03  Have you received the Cloud Security Alliance STAR certification?
         Answer: No

DOCU-04  Do you conform with a specific industry standard security framework? (e.g. NIST Special Publication 800-53, ISO 27001, etc.)
         Answer: No

DOCU-05  Are you compliant with FISMA standards (indicate at what level)?
         Answer: Yes

COMP-02  Describe how long your organization has conducted business in this product area.
         Answer: Beginning in 2015

COMP-03  How many higher education, commercial customers and government customers do you serve in North America? Please provide a higher education customer reference if available.
         Answer: We are currently running 38 higher education programs.

Additional information:
  […]am serves as our information security unit; hence the org chart is identical to […]ering organization. We have three full-time engineers and a head of product & […]gement and customer support teams consist of two product managers, a head […]stomer support associates, two student success managers, and a head of […]
  […]sical environment, the Mentor Collective office is secured with passkeys only […]s. We do not store hard copies of documents. Employees use two-factor […] all computers.

HLAP-01  Can user access be customized to allow read-only access, update access, or no-access to specific types of records, record attributes, components, or functions?
         Answer: Yes

HLAP-02  Describe or provide a reference to how user security administration is performed?
         Answer: Users can access certain levels of prote…

HLAP-03  Describe or provide a reference to the controls that are in place to secure their remote environment and connection to institution's data.
         Answer: Data is stored in Postgres, where it is encrypted at rest with AES-256, block-level storage encryption. Our services are only accessible over HTTPS. Credentials are protected with 2FA.

HLAP-05  Does the system provide data input validation and error messages?
         Answer: Yes

HLAA-02  Describe or provide a reference to the types of authentication, including standards-based single-sign-on (SSO, InCommon), that are supported by the web-based interface?
         Answer: We invite participants to create accounts based on whether they are identified by the partner institution. When creating accounts, participants set up a password with standard password security guidelines.
         Guidance: Include user-end and administrative authentication types.

HLAA-04  Does the system (servers/infrastructure) support external authentication services (e.g. Active Directory, LDAP) in place of local authentication?
         Answer: No

HLBC-02  Is there a documented communication plan in your BCP for impacted clients?
         Answer: No

HLBC-03  Are all components of the BCP reviewed at least annually and updated as needed to reflect change?
         Answer: No

HLBC-04  Does your organization conduct an annual test of relocating to this alternate site for business recovery purposes?
         Answer: No

HLCH-01  Do you have a Change Management Plan? If so, can it be shared?
         Answer: No
         Additional information: This can be created.

HLCH-02  How and when will the Institution be notified of major changes to your environment that could impact our security posture?
         Answer: We will notify the institution of any such major environmental changes via email at the time of the changes.

HLCH-03  Do you have documented procedures on how security risks are mitigated until patches can be applied? If so, can it be shared?
         Answer: Yes

HLDA-01  Is institution data physically and logically separated from that of other customers?
         Answer: Yes

HLDA-02  Is sensitive data encrypted in transport and storage (e.g. disk encryption and at-rest)?
         Answer: Yes
         Additional information: Our services use HTTPS to encrypt data in transport and our databases use AES-256 encryption at rest.
         Guidance: Provide a detailed description.

HLDA-03  Do backups containing institution data ever leave the United States of America either physically or via network routing?
         Answer: No

Database

HLDB-01  Does the database support encryption of specified data elements in storage?
         Answer: Yes
         Additional information: We hash user passwords, but otherwise rely on block-level encryption for our databases, as discussed above.
         Guidance: Describe the type of encryption that is supported.

Additional information:
  Yes, we use AES-256 encryption as discussed above.
  Guidance: Describe how encryption is leveraged.

HLDC-01  List all data centers and their cities, states (provinces), and countries where institution data will be stored (including within the United States). Does your company own these data centers?
         Answer: Our servers are hosted in the cloud. We use Amazon Web Services (AWS) and do not have our own data center.

HLDC-02  Does your company own the physical data center where institution data will reside? If so, do these servers reside in a co-located data center?
         Answer: No

HLDC-03  Does the hosting provider have a SOC 2 Type 2 report available?
         Answer: Yes

HLDC-04  Does the physical barrier fully enclose the physical space preventing unauthorized physical contact with any of your devices?
         Answer: Yes

HLDR-01  Do you have a Disaster Recovery Plan (DRP)? If so, can it be shared?
         Answer: Yes

HLDR-02  Are any disaster recovery locations outside the United States? If so, please provide the locations.
         Answer: No

HLDR-03  Are all components of the DRP reviewed at least annually and updated as needed to reflect change?
         Answer: Yes
         Additional information: We regularly update our disaster recovery processes in accordance with changes to our infrastructure.
         Guidance: Describe that process.

HLFI-01  Are you utilizing a web application firewall (WAF) and / or a stateful packet inspection (SPI) firewall?
         Answer: No

HLFI-02  Do you have a documented policy for firewall change requests? If so, can it be shared?
         Answer: No

HLPH-01  Does your organization have physical security controls and policies in place? If so, can it be shared?
         Answer: Yes

HLPH-02  Are employees allowed to take home customer data in any form?
         Answer: Yes
         Additional information: Some employees bring computers home but if they have downloaded any data they are required to encrypt their hard drive and permanently delete the data when they finish using it.
         Guidance: Provide a detailed description.

HLPP-01  Can you share the org chart, mission statement and policies for your information security unit?
         Answer: Yes

HLPP-02  Are information security principles designed into the product and / or SDLC life cycle?
         Answer: Yes

HLPP-03  Do you have a formal incident response plan? If so, can it be shared?
         Answer: Yes
         Additional information: Developers escalate security incidents when they are encountered as part of monitoring. See: Patch Documentation.pdf
         Guidance: Provide a brief summary of your incident response plan.

HLPP-04  Do you have a documented information security policy? If so, can it be shared?
         Answer: Yes

HLSY-01  Are systems that support this service managed via a separate management network?
         Answer: No

Vulnerability Scanning

HLVU-01  Have your systems and applications had a third party security assessment completed in the last year? If so, can the results be provided?
         Answer: Yes

HLVU-02  Are your applications scanned for vulnerabilities prior to new releases? If so, can the results be provided?
         Answer: Yes
Cross-referenced question codes: APPL-04, APPL-05, APPL-08, APPL-12, APPL-20, APPL-21, AAAI-02, AAAI-05, AAAI-12, AAAI-14, AAAI-18, BCPL-01, BCPL-05, BCPL-06, BCPL-11, CHNG-02, CHNG-03, CHNG-13, CHNG-15, DATA-02, DATA-04, DATA-25, DATA-26, DATA-31, DBAS-01, DBAS-02, DCTR-10, DCTR-01, DCTR-02, DCTR-06, DRPL-01, DRPL-04, DRPL-13, FIDP-01, FIDP-04, FIDP-09, FIDP-10, PHYS-01, PHYS-02, PPPR-01, PPPR-08, PPPR-11, PPPR-18, SYST-01, SYST-04, VULN-02, VULN-03
Acknowledgments
The Higher Education Information Security Council Shared Assessments Working Group contributed
their vision and significant talents to the conception, creation, and completion of this resource.