Here is a list of 5 popular questions from school district tech directors:
1. Because your platform stores and transmits personally-identifiable information on minors, can you provide in detail, the controls that are in place for network security and privacy?
FinalForms web servers are hosted on Amazon Web Service (AWS) and the databases on Amazon Relational Database Service (RDS) allowing us to utilize many of their available security features.We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security.Remote password authentication is disabled on our servers.Access is only allowed by public/private key authentication and only available to FinalForms developers. Inbound connections are restricted to public services using amazon's built in firewalls. Database access is limited to only internal authorized hosts and connections require credentials.
2. Is the software and data hosting outsourced or provided FinalForms?
Physical servers hosted on Amazon Web Services (AWS) and database software on Amazon Relational Database Service (RDS). The software was written and is maintained by FinalForms.
3. Is data encrypted in transmission and at rest?
Web site connections require HTTPS encryption and remote server connections are fully encrypted. Disk encryption is not an option currently offered by Amazon because they do not expose the attached disks it uses for data storage. Sensitive pieces of information (such as passwords) are encrypted within the database itself.
4.What network & physical security elements are in place?
We host the entirety of our infrastructure on Amazon Web Services. Among its long list of physical security benefits available online are:
Amazon has unmatched experience in designing, constructing, and operating large-scale data centers. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Worldwide facilities have been audited and granted many certifications. AWS has a publicly available SOC 3 Report.
We have several privacy policies of our own in place that ensure the highest level of security is taken when handling client information outside of our web application.
Client information is never stored physically without consent from a client administrator.
5. Do you have formal information security and data privacy programs in place?
We have policies on how client data is to be handled securely and enforce these policies using software configurations wherever possible.
- - - - -
More information on AWS Compliance can be found here
- - - - -
More information about our specific programs and FinalForms Security can be found here
Posted on Dec 15, 2014
by Clay Burnett