Information Security Policy
User Security
- Authentication: User data in our system is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on.
- Passwords: User application passwords are stored internally hashed and are accessible on a need-to-know basis.
- Data Encryption: Certain sensitive user data, such as credit card details and account passwords, are stored and transmitted in encrypted format and processed through a third-party entity (PayPal).
- Privacy: It is the policy of the Contractors Institute to never sell student information or any collected information with student identities attached.
- Data Residency: All Contractors Institute data is backed up to geographically disparate data centers on a regular basis.
Physical Security
All Contractors Institute information systems and infrastructure that are locally installed are located in locked and monitored areas that are regularly checked for intrusion attempts.
- Power: Internal servers have redundant internal and external power supplies.
- Uptime: Continuous uptime monitoring, with immediate escalation to our ISP in the event of a failure.
- Backup Frequency: Backups occur weekly at multiple geographically disparate sites.
Network Security
- Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subjected to functional and security testing prior to deployment to active production systems.
- Firewalls: Contractors Institute network security includes an external gateway with an active firewall attached.
- Access Control: Secure VPN, 2FA (two-factor authentication), and role-based access are enforced for systems management by authorized engineering staff.
- Logging and Auditing: Central logging systems capture and archive all internal systems access, including any failed authentication attempts.
Vulnerability Management
- Patching: The latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.
Organizational & Administrative Security
- Employee Screening: We perform background screening on all employees, to the extent possible within our technological capabilities.
- Training: We provide ongoing security and technology use training for employees.
- Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know, least-privilege basis.