SERVICE PROVIDER SECURITY ASSESSMENT QUESTIONNAIRE

1. Describe your policies and procedures that ensure access to government information is limited to only those employees/Contractors who require access to perform your proposed services.

Elearning Experts maintains a formal security program materially in accordance with industry standards that is designed to: (i) ensure the security and integrity of the Customer Content, (ii) protect against threats or hazards to the security or integrity of Customer Content, and (iii) prevent unauthorized access to Customer Content.

Corporate office security measures include CCTV and a business security system.
Only authorized personnel have access to management networks and application networks. Remote access to networks and services is achieved via industry standard encryption protocols and virtual private networking (VPN). Administrative and remote access is highly restricted and is approved by senior management using least privilege principles. Granting and revocation of access can be accomplished in seconds by senior management.

Additionally, in application computing environments, each hosted site is executed in its own security context, with permissions and access separate from other sites. Such measures provide a layer of separation so that one site cannot access data from another site.
2. Describe your disaster recovery and business continuity plans.

Local backups are performed daily and stored externally to the production application environment. These backups can be restored to a production learning site in the event of unexpected data loss.

In addition to local data backups, disaster recovery and business continuity includes offsite backups of the components and configurations required for the complete restoration of the learning management system. Remote, offsite backups are transmitted via encrypted channels to an Amazon EC2 instance. The offsite disaster recovery consists of:

nightly copy of full backups
24 hour recovery time point (RTP)
client access to remote data backup
ability to restore backup to running EC2 instance

In the event of a disaster necessitating the need for an offsite disaster recovery, the last available offsite backup snapshot is restored to a running instance of the learning management system. The offsite application and database server instance can be scaled up to support production workload demand.

Continuity plans include redundancies at every level, including utility power, generator, UPS, Internet provider, network, server, power supply, virtual machine, and disk/storage redundancies.

Elearning Experts, 10 April 2014, Service Provider Security Assessment Questionnaire
3. What safeguards and practices do you have in place to vet employees and Contractors who have access to government information?

National, State, and County criminal, E-Verify, and educational background checks are performed on all employees and any personnel who have access to government information. Additionally, professional references are utilized to vet the quality and experience of such personnel. Background checks are repeated annually.

The security and confidentiality of our clients' data is covered in New Hire Orientation, documented in a mandatory confidentiality agreement signed by all employees, contractors, and interns, and is continually reinforced by our internal security policies. Security is discussed with staff during project meetings and through companywide communications.
4. Describe and explain your security policies and procedures related to use of Contractors/subcontractors.

Whenever contractors/subcontractors are employed for a specific task, we create development environments for each, to which only restricted access is granted on a need-to-have basis. Such development environments are segregated in terms of network, firewall and VPN access from all other production virtual or physical servers. Random data is generally used to simulate the production environment for testing purposes.
5. List any certifications that you have that demonstrate that adequate security controls are in place to properly store, manage and process government information (for example, ISO or SSAE certifications). Will these certifications be in place for the duration of the contract? Will you provide the state with most recent and future audit reports related to these certifications?

The hosting facility at Cavern Technologies is SSAE 16 Type II compliant and SAS 70 certified. These compliance measures and certifications will be in place for the duration of the contract. To that end, an Independent Service Auditor's Report on the Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls document can be provided upon request.

6. Describe the policies, procedures and practices you have in place to provide for the physical security of your data centers and other sites where government information will be hosted, accessed or maintained.

The computing cluster is located in a private suite inside of a SSAE 16 Type II certified data center in a man-made cave outside of Kansas City. Access to the data center itself is monitored by closed circuit cameras, controlled by Advanced Biometrics and only allowed to authorized Elearning Experts personnel. Access to our private suite is restricted with biometric scans and only granted to authorized Elearning Experts personnel and data center maintenance personnel.
7. Will government information be encrypted at rest? Will government information be encrypted when transmitted? Will government information be encrypted during data backups?

Production data is never at rest and hence does not lend itself to encryption at rest, although access to data is strictly controlled via the aforementioned physical security protocols. All data in transmission between the data center and external hosts is encrypted with SSL. Local backups are not encrypted as they reside in a secure data center. Remote/offsite disaster recovery backups are block level encrypted, meaning that when the disaster recovery host(s) are offline (at rest) the backup data is in an encrypted state. Further security enhancements are possible as part of a customized deployment.
8. Describe safeguards that are in place to prevent unauthorized use, reuse, distribution, transmission, manipulation, copying, modification, access or disclosure of government information.

Access to the servers where data resides is only allowed to senior staff and employees with an immediate access need, and then only under direct supervision. Beyond that, access to the backend environment is not allowed as a matter of policy to anyone, be it lower level staff members or third party contractors. All maintenance and diagnostics are performed with the use of tools that interact with data in a controlled and secured manner. If it becomes necessary to interact with government data on the backend servers in a way other than by using approved tools, escalation to senior personnel or executive level staff would be required. All access to servers is performed through VPN by using encrypted keys for authentication.

9. What controls are in place to detect security breaches? Do you log transactions and network activity? How long do you maintain these audit logs?

Network monitoring tools and notifications exist to detect security breaches. Firewall logs and unapproved network activity are logged and kept for a minimum of 30 days.

The Totara application also supports a number of security features, including the ability to allow/deny specific IP addresses and blocks. Antivirus scanning of files uploaded into the application is configured on the learning management system instance.
10. How will government information be managed after contract termination? Will government information provided to the Contractor be deleted or destroyed? When will this occur?

Contract termination policy includes removal of all data for a client from the application execution environment (including application, database, and storage servers) within a month of termination. Client data existing in local backup snapshots is purged after a 3 month period starting at the point of data removal from the application execution environment.

Remote/offsite disaster recovery backups are destroyed within one month of termination.

11. Describe your incident response policies and practices.

Incident Response Outline

Discovery of incident
Report of incident to CEO, COO, and CTO
Investigation of incident
Resolution of incident
Documentation of incident

Security incidents affecting clients are reported to affected clients.

12. Identify any third party which will host or have access to government information.

No third party will host or have access to government information on any facility owned and operated by Elearning Experts.