Information Security

Information Security Policy

User Security

  • Authentication: User data in our system is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. 

  • Passwords: User application passwords are stored internally in hashed form and are accessible on a need-to-know basis.

  • Data Encryption: Certain sensitive user data, such as credit card details and account passwords, are stored and transmitted in encrypted format and processed through a third-party entity (PayPal).

  • Privacy: It is the policy of the Contractors Institute to never sell student information or any collected information with student identities attached. 

  • Data Residency: All Contractors Institute data is backed up via geographically disparate data centers on a regular basis.

Physical Security

All Contractors Institute information systems and infrastructure that are locally installed are located in locked and monitored areas that are regularly checked for intrusion attempts. 

  • Power: Internal servers have redundant internal and external power supplies. 

  • Uptime: Continuous uptime monitoring, with immediate escalation to our ISP in the event of a failure. 

  • Backup Frequency: Backups occur weekly at multiple geographically disparate sites.

Network Security

  • Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.

  • Firewalls: Contractors Institute network security includes an external gateway with an active firewall attached.

  • Access Control: Secure VPN, 2FA (two-factor authentication), and role-based access are enforced for systems management by authorized engineering staff.

  • Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.

Vulnerability Management

  • Patching: Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.

Organizational & Administrative Security

  • Employee Screening: We perform background screening on all employees, to the extent possible within our technological capabilities.

  • Training: We provide ongoing security and technology use training for employees.

  • Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.

Handling of Security Breaches

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulations, as well as any industry rules or standards that we adhere to.

Your Responsibilities

Keeping your data secure also depends on you maintaining the security of your account by using sufficiently complicated passwords and storing them safely.

 
