Security

  • FinalForms Security FAQs



    Here is a list of 5 popular questions from school district tech directors:

    1. Because your platform stores and transmits personally-identifiable information on minors, can you provide in detail, the controls that are in place for network security and privacy?

    FinalForms web servers are hosted on Amazon Web Service (AWS) and the databases on Amazon Relational Database Service (RDS) allowing us to utilize many of their available security features.We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security.Remote password authentication is disabled on our servers.Access is only allowed by public/private key authentication and only available to FinalForms developers. Inbound connections are restricted to public services using amazon's built in firewalls. Database access is limited to only internal authorized hosts and connections require credentials.

    2. Is the software and data hosting outsourced or provided FinalForms?

    Physical servers hosted on Amazon Web Services (AWS) and database software on Amazon Relational Database Service (RDS). The software was written and is maintained by FinalForms.

    3. Is data encrypted in transmission and at rest?

    Web site connections require HTTPS encryption and remote server connections are fully encrypted. Disk encryption is not an option currently offered by Amazon because they do not expose the attached disks it uses for data storage. Sensitive pieces of information (such as passwords) are encrypted within the database itself.

    4.What network & physical security elements are in place?

    We host the entirety of our infrastructure on Amazon Web Services. Among its long list of physical security benefits available online are:

    Amazon has unmatched experience in designing, constructing, and operating large-scale data centers. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Worldwide facilities have been audited and granted many certifications. AWS has a publicly available SOC 3 Report.

    We have several privacy policies of our own in place that ensure the highest level of security is taken when handling client information outside of our web application.

    Client information is never stored physically without consent from a client administrator.

    5. Do you have formal information security and data privacy programs in place?

    We have policies on how client data is to be handled securely and enforce these policies using software configurations wherever possible.

    - - - - -

    More information on AWS Compliance can be found here
    http://aws.amazon.com/compliance/

    - - - - -

    More information about our specific programs and FinalForms Security can be found here
    http://www.finalforms.com/finalforms-security-data-privacy-and-compliance


     

  • FinalForms Security, Data Privacy, and Compliance


    All data is strictly held as confidential.

    Military Grade Physical Controls + Enterprise Grade Security = Piece of Mind

    FinalForms is hosted in entirety on our infrastructure on Amazon Web Services (AWS) EC2 and S3 instances. We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security.

    The Amazon Web Services infrastructure is designed and managed according to the highest standards for security and data protection, including SOC 1, 2, 3, PCI DSS Level 1, ISO 27001, FIPS 140-2, and more, as well as military-grade physical controls. Enterprise-grade security ensures data stays secure with SSL encryption. To provide continuous availability, FinalForms is deployed on multiple data centers. Every piece of data is automatically copied to multiple locations for redundancy – ensuring data is always available.

    Our technology partnership with Amazon Web Services enables us to meet our commitment to securing customer data.


    SecurityFrequently, FinalForms is used to store sensitive student health & demographic information on behalf of various school systems. Knowing this from the outset, we have thoroughly researched and then crafted a rock-solid solution from the ground up, rigorously vetting at every layer, that meets national educational industry standards.

    In this document we give a detailed account of the steps we've taken at each layer to meet, not just the medical information standards, but a multitude of other regulation programs.

     

    Physical Security

    We host the entirety of our infrastructure on Amazon Web Services (AWS) EC2 and S3 instances. We chose AWS specifically because of its prolific scale, redundancy, and emphasis on data privacy & security. Among its long list of physical security benefits the highlights are:

    • Amazon has unmatched experience in designing, constructing, and operating large-scale data centers.
    • AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection.
    • Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means.
    • Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.
    • All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
    • Worldwide facilities have been audited and granted many certiciations.
    • Linked is the AWS SOC 3 Report.

    We have several policies of our own in place that ensure the highest level of security is taken when handling client information outside of our web application.

    • Developer machines do not store sensitive information locally.
    • Client information is never stored physically without consent from a client administrator.

     

    Technical Security

    As mentioned before, we host our infrastructure on Amazon Web Services (AWS). Amazon is widely considered to be the leader for infrastructure as a service (IaaS) providers. They are compliant with a wide range of regulations and provide granular control over your network. Here are just a few of the many security benefits they provide:

    • Host Operating System Security:
      • AWS employees with a business need are required to use their individual cryptographically strong SSH keys to gain access to the host.
      • All access is logged and routinely audited.
      • When an AWS employee no longer has a business need to administer EC2 hosts, their privileges on and access to the hosts are revoked.
    • Guest Operating System Security:
      • We have complete control over our virtual instances.
      • AWS administrators do not have access to our instances, and cannot log into the guest OS.
    • Firewall
      • Amazon provides a complete firewall solution.
      • This mandatory inbound firewall is configured in a default deny mode and the we must explicitly open any ports to allow inbound traffic.
    • Denial Of Service (DoS) Security:
      • Standard DDoS mitigation techniques such as SYN floods and connection limiting are in use.
      • Amazon maintains internal bandwidth which exceeds its provider-supplied Internet bandwidth.
    • Man In the Middle (MITM) Security:
      • All of the AWS APIs are available via SSL-protected endpoints which provides server authentication.
    • Spoofing Security:
      • The Amazon-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
    • Port Scanning Security:
      • Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.

     

    Outside of the AWS provided features, we implemented and ensure:

    • All administrative activity involving our servers is performed over an encrypted connection.
    • Client information is not stored digitally outside of the secure AWS infrastructure.
    • Verbose logging is enabled wherever possible, leaving clear audit trails.
    • Backups are run periodically and regularly tested for success in recovery situations.
    • Intrusion detection systems alert administrators of suspicious activity.

     

    Administrative Privacy

    The FinalForms workforce, itself, has been structured to minimize contact with student data. Specifically, no more than 4 trained individuals will ever have access to that data. Data is only ever accessed without school staff present in secure development settings via SSH or through the FinalForms administrative interface, both encrypted connections.

    Linked is our Privacy Policy and Terms of Service.

     

RSS Feed

List of Articles