Security Policy

Revised: 6/25/2018

OVERVIEW

Vocareum’s Information Security policies require our underlying systems to be managed in a way that protects our clients and our Information Assets from unauthorized use, access, disclosure, modification, destruction, or loss. This policy was created to ensure that employees perform these procedures consistently on all of Vocareum’s systems. Vocareum may update its Information Security policies from time to time and post them here.

1. RESPONSIBILITIES

While all Vocareum personnel, including employees, contractors, consultants, and temporary employees, are responsible for ensuring information security on a day-to-day basis, the primary responsibility for ensuring compliance rests with the System Manager Group and the Corporate Information Assurance Group.

1.1. CORPORATE INFORMATION ASSURANCE GROUP

The Corporate Information Assurance Group is responsible for performing risk assessments, preparing security action plans, evaluating security products, and leading investigations into any alleged system security compromises, incidents, or potential security problems.

1.2. SYSTEM MANAGER GROUP

System Managers are responsible for coordinating security-related activities including establishing approved user privileges, monitoring access control logs, and performing such security actions for the systems they manage. They are also responsible for reporting suspicious system activities to the Corporate Information Assurance Group promptly.

It is often necessary for System Managers to have privileged access to systems to perform their responsibilities. To protect Vocareum, the integrity of controls, and the confidentiality of information, privileged access is used for approved business purposes only.

2. SECURITY ARCHITECTURE

Vocareum’s security architecture is based upon the following components. These principles are always followed when modifications are made to the system:

  • All data is stored in Amazon Web Services (AWS). Vocareum relies on Amazon’s Security Tools and Services to prevent data from being
  • All user interactions happen through a browser The session credentials are validated for every interaction with the webserver.
  • All transmissions are encrypted through
  • Strict authentication control for all Vocareum employees and contractors who might have privileged
  • All Vocareum-provided client machines have anti-virus solutions installed on If employees are using their personal devices to access Vocareum’s servers, they are required to maintain appropriate anti-virus capabilities on their device.
  • Direct access to Vocareum’s servers is available only through Vocareum’s network or specific IP addresses that are enabled to let engineers work Access to these servers requires two-factor authentication (e.g., requires at least two separate factors for identifying users).
  • User data is stored in either MySQL databases or file systems, hosted on Access to this data requires another level of authentication and is permitted depending on the user’s role.
  • Access to data is through Vocareum run Vocareum run servers are accessible only by Vocareum web servers and require SSL certifications.
  • Run servers are not accessible by the external

3. NETWORK ARCHITECTURE

4. SYSTEM ACCESS CONTROL

All systems that are permanently or intermittently connected to any Vocareum network have password access controls.

4.1. ACCESS CONTROLS

A unique username and password are required for each user, and systems must implement user privilege restriction mechanisms. Vocareum will regularly review the list of people and services with access to the systems.

4.2. PASSWORD REQUIREMENTS

  • All default passwords must be changed before any system is used for Vocareum’s
  • All passwords on the system must satisfy the following complexity requirements:
    • contain at least 8 characters;
    • contain at least three (3) of the following symbol sets: uppercase letters; lowercase letters; numbers; and symbols, such as: ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > ? / .
    • do not match previous passwords, the user’s login, or common name;
    • must be changed whenever an account compromise is suspected or assumed; and
    • may be replaced at the user
  • Enhanced password requirements include:
    • must be replaced after no more than 90
  • The initial password assigned to a new account or the reset password is a pseudo-random series of characters. This password must not be reused for multiple users and must not be generated through some predictable
  • This policy applies to passwords associated with end-user accounts, as well as passwords associated with the administrator and other privileged

4.3. ENFORCING PASSWORD REQUIREMENTS

  • Configure systems to automatically enforce all password-related provisions of the End User Information Security Policy including:
    • Encouraging users not to choose easily guessable passwords
    • Encouraging users to change passwords frequently
  • Employ a screen-locking function that launches automatically when there is no activity on a
  • Do not send or store passwords “in the clear” on any system, including Vocareum’s private internal network, file servers, scripts, operating system environment variables, and Send and store passwords only in encrypted form.
  • Mask, suppress, or otherwise obscure the display and printing of passwords so that unauthorized parties will not be able to observe or subsequently recover
  • Store passwords assigned to individual users only in the form of one-way Do not store passwords in retrievable form, even if they are encrypted.

4.4. COMMUNICATING PASSWORDS

  • Although it is always preferable to transmit passwords through an encrypted channel, it is acceptable to:
    • Send pre-expired passwords in the clear
    • Provide temporary passwords in the clear to vendors and other third parties as long as the password will be valid for one week or less
  • Never ask users for their passwords
  • Change any permanent password immediately if it has been communicated in the clear or shared with any unauthorized
  • Immediately deactivate temporary passwords when they are no longer

4.5. SINGLE SIGN-ON

  • Single Sign-On enables users to sign in once with the same credentials across approved
  • An approved application can request an SSO URL for a particular user by submitting a request that includes the application authentication token and user email

4.6. PRIVILEGED ACCOUNTS

  • Some accounts need to have special privileges to help customers address These accounts can view customer data. Only System Managers should have access to these Privileged Accounts. Under no circumstances should anyone who is not a System Manager have this privilege unless explicitly approved by the Corporate Information Assurance Group.
  • System access by Privileged Accounts requires two-factor

4.7. DISPOSING OF COMPUTERS

If a device was used to access Vocareum web servers or there is any possibility that the device holds any customer or Vocareum data, the content of the disk must be deleted before the disk is disposed of. For Macs, use the disk deletion utility that comes with the OS X release. For Windows and Linux, install and run Secure Erase software.

5. DEALING WITH PASSWORD ATTACKS AND COMPROMISES

5.1. LIMITED PASSWORD ATTEMPTS

To prevent password guessing attacks, the system strictly limits the number of consecutive attempts to enter an incorrect password. After ten unsuccessful attempts to enter a password, the account is suspended until reset by the user. When the account is reset by the user, the user is notified through email of such a reset. The user should be encouraged to report to Vocareum if the reset was not authorized by the user.

5.2. COMPUTER SECURITY INCIDENT RESPONSE MANAGEMENT

Whenever system security has been compromised, or even if there is a convincing reason to believe that it has been compromised, the responsible System Manager immediately activates the Computer Security Incident Response Management process, as described below:

  • Investigate to understand the nature and extent of the compromise
  • Determine what steps are necessary to be certain that the system is restored to a trusted state. Depending on the compromise, this may include changing all system management passwords, expiring all user passwords, notifying users of the compromise, reloading the system from trusted media, rebooting the system, reviewing all recent changes to privileges, and performing any other necessary activities.
  • In case there is a suspicion of any customer data being compromised, notify the customer of the suspected breach and actions taken by

6. USER ACCOUNTS

6.1. USER ROLES

  • System Managers:
    • Authorized by the Corporate Information Assurance
    • System Managers have special privileges to help customers set up courses and address These accounts can view customer data. Other than System Managers, no one should have this privilege unless explicitly approved by the Corporate Information Assurance Group.
    • Requires two-factor authentication
  • Organization Admin:
    • Authorized by System Managers or higher
    • May create assignments, assign teachers and graders, enroll students, perform grading, and generate organization-level reports
    • May require two-factor authentication
  • Course Teacher:
    • Authorized by Organization Admin or higher
    • May create assignments, assign teachers and graders, enroll students, perform grading, and generate course-level reports
    • May require two-factor authentication
  • Grader:
    • Authorized by Course Teacher or higher
    • May perform grading and generate course-level reports
  • Student:
    • Authorized by Course Teacher or higher
    • May view and work on their assignments, participate in team assignments and peer review
    • Password authentication or single sign-on

6.2. CREATING USER ACCOUNTS

Student accounts can be created in one of the following ways:

  • manual input
  • CSV upload
  • LMS enrollment (via LTI integration)

All other accounts are created

6.3. STORING USER RECORDS

When available, Vocareum stores the user’s email, an optional name, and student ID with the user record. It is stored in a single table. The rest of the system refers to the user by an ID managed by Vocareum. The user record is encrypted at rest, and the key to decrypt it is managed through AWS KMS.

6.4. SUSPEND USER ACCOUNT

An organization admin, a teacher who enrolled the student, or the user themselves can request that the user’s account be suspended. Vocareum will suspend the account if the user is not enrolled in an active class.

7. DATA STORAGE, APPLICATION STORAGE, RECOVERY

7.1. DATA STORAGE

Vocareum stores user data in the following places:

  • All transaction data that include student identity are stored in SQL tables in RDS, a managed database service provided by These are encrypted at rest using AWS KMS for key management.
  • The current submission data is stored on distributed file systems managed by NFS
  • A copy of student submission is stored as objects in
  • All access to student identity and data is tracked by a unique ID, and Vocareum will maintain a secure record.

7.2. BACKUP

  • All NFS data is backed up every two The hourly backups are rotated every 24 hrs. One backup copy per day is retained every month.
  • All RDS data is backed up once every 24 hrs.

All backup services are provided by AWS. Backup data is stored in S3.

8. DATA RETENTION AND TRANSMISSION

8.1. ARCHIVING A COURSE

Students no longer have access to a course when the course becomes inactive. Teachers can still access the course for 30 days after the end date. After 30 days, courses are “archived”; i.e., all the course-related data is moved from NFS to S3.

8.2. DE-IDENTIFYING A COURSE

Unless specifically requested by the organization, all course content is de-identified automatically after one year. From that point onwards there will be no mechanism to map the student grade or the student work to the student.

8.3. REQUESTING A DELETION

An organization can request that all data related to the course be deleted in the one-year period when the data is archived. Vocareum will delete all data related to the course from its systems promptly (but within no more than 72 hours after a request). This will include de-identifying the student record as well as deleting the backup copies stored in S3.

8.4. RETRIEVING ARCHIVED DATA

When the course content is archived, a teacher can request a retrieval of the archived data by visiting the course. A retrieval request from the backup will be launched automatically, and the teacher will be notified automatically when the retrieval is complete. The data will be available for use for one week, after which it will be automatically archived again.

8.5. DATA TRANSMISSION

Vocareum transmits user data in the following manner:

  • Common Internet protocols (e.g., AS2, HTTP, XML/HTTP) over TLS 2 or greater, with certificate-based authentication
  • SFTP or SSH connections, using 128-bit (or stronger) symmetric encryption and host key verification

8.6. DATA EXPORTER INFORMATION

In addition to the above policy, Vocareum adheres to the following policies for Data Exporter Information.

  • Vocareum will restrict access to Data Exporter Information to only those people with a “need-to-know” for a Permitted
  • Vocareum will regularly review the list of people and services with access to Data Exporter Information, and remove accounts that no longer require This review must be performed at least once every 180 days. Vocareum will isolate Data Exporter Information at all times (including in storage, processing, or transmission) from Vocareum or any third party information.
  • Vocareum will track all access to Data Exporter Information by unique ID and will maintain a secure record of that access for at least the trailing 90 days, or such longer period specified by data exporter based on the classification and sensitivity of the Data Exporter
  • If Vocareum uses any Third Party Systems that store or otherwise may access unencrypted Data Exporter information, Vocareum will perform a security review of the Third Party Systems and their security controls and will provide Data Exporter periodic reporting about the Third Party System’s security
  • Vocareum will ensure that any remote access to servers holding Data Exporter Information requires two-factor authentication (e.g., requires at least two separate factors for identifying users).

9. OTHER REQUIREMENTS

9.1. INSTALLING SOFTWARE AND PACKAGES

From time to time, Vocareum installs software and packages on machines run by students. These updates must always be logged. First, an attempt is made to install them through an AWS release and, if it is not available, a best effort is made to ensure that the install happens through a reputable source.

9.2. SECURE SOFTWARE DEVELOPMENT PROCESS

At Vocareum, we continuously assess the security of all our products. Developers conduct pre- and post-commit code reviews regularly. All code is reviewed prior to testing to ensure that secure coding practices are employed. During the testing process, the new code is exercised and the full application is reviewed and scanned before release. The product owner is required to sign off that these reviews have occurred.

9.3. WEB APPLICATION FIREWALL AND DDOS SECURITY

Vocareum currently relies on Cloudflare to provide these security services.

9.4. SERVER PATCH

A monthly review of all patches should be done, and all security patches should be scheduled no later than 120 days and sooner if the specific instance requires it. The result of these reviews must be logged.

9.5. WHITE LIST IP ADDRESS

In certain cases, it is necessary to provide external access to certain applications or domains. This is accomplished through whitelisting of specified IP addresses with approval from the Corporate Information Assurance Group. All whitelisted IP addresses must be logged.