Service Overview

As a provider of technology solutions to schools, Coursemojo’s commitment to data privacy and security is essential to our organization. This overview of Coursemojo’s Information Security Program describes physical, technical and administrative safeguards Coursemojo implements to protect student data in our care.

Service Hosting

Coursemojo leverages Amazon Web Services (AWS) as its cloud hosting provider. Within AWS, Coursemojo utilizes Virtual Private Clouds (VPCs), which provide an isolated cloud environment within the AWS infrastructure. External network traffic to a VPC is managed via gateway and firewall rules, which are maintained in source code control to ensure that the configuration remains in compliance with Coursemojo security policy. In addition, the production VPCs and the development VPCs are isolated from each other and maintained in separate AWS accounts.

Information Security Programs

Coursemojo maintains a comprehensive information security program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the NIST SP 800-53 Rev. 5 family of information security controls. These provide a robust framework of best practices from which an organization can build its security policies and protocols based on identified risks, compliance requirements, and business needs. They cover critical practice areas, including access control, configuration management, incident response, security training, and other information security domains.

Policy Execution

Adherence to the internal Coursemojo information security policy is an obligation of every Coursemojo employee. Coursemojo conducts a series of internal monitoring procedures to verify compliance with internal information security policies, and all Coursemojo employees undergo criminal background checks. In addition, any third-party contractors who come into contact with systems that may contain student data are contractually bound to maintain security and privacy of the data.

Access control

Coursemojo’s access control principles dictate that all student data we store on behalf of customers is only accessible to district-authorized users and to a limited set of internal Coursemojo users who may only access the data for purposes authorized by the district. Districts maintain control over their internal users and may grant or revoke access.

In limited circumstances and strictly for the purposes of supporting school districts and maintaining the functionality of systems, certain Coursemojo users may access Coursemojo systems with student data. All such access to student data by Coursemojo technicians or customer support requires both authentication and authorization to view the information.

Encryption

Data encryption is an important element of our protection of all data at rest and in transit, and is reviewed and updated as appropriate annually, based on the latest standards and guidelines published by OWASP and NIST.

• In transit: Coursemojo encrypts all student data in transit over public connections, using Transport Layer Security (TLS), commonly known as SSL, using industry-standard protocols, ciphers, algorithms, and key sizes.
• At rest: Coursemojo encrypts student data at rest using the industry-standard AES-256 encryption algorithm.

Building security controls into applications

Coursemojo applications are also developed to minimize security vulnerabilities and ensure industry-standard application security controls are in place.

As part of the development process, Coursemojo has a set of application security standards that all applications handling student data are required to follow, including:

• Student data is secured using industry standard encryption when in transit between end-users and Coursemojo systems.
• Applications are built with password brute-force attack prevention.
• User sessions expire after a fixed period of time.

We also conduct manual and automated static code analysis as well as dynamic application security testing to preemptively identify vulnerabilities published by industry leaders such as OWASP (Open Web Application Security Project)

Risk assessments

Coursemojo periodically conducts risk assessments, aimed at identifying and prioritizing security vulnerabilities, and coordinates remediation of the vulnerabilities. Coursemojo engages AWS inspection monitors to continually look for vulnerabilities and advise on remediation of vulnerabilities and incident response.

Penetration testing

Coursemojo conducts quarterly penetration testing.  The purpose of this testing is to test for application security vulnerabilities in the production environment, involving a combination of automated and manual testing.

Vulnerability management

Coursemojo ensures that its systems are free of known vulnerabilities in several ways. Every production server runs vulnerability detection software that compares the installed software against a global database of known vulnerabilities. Secondly, we employ real time network monitoring that reports on any potentially malicious traffic. Lastly we continually test our applications against common malicious internet traffic. Violations in any of these areas will alert one of our operations teams, who are available around the clock.

Endpoint security

Access to production systems at Coursemojo is restricted to a limited set of internal Coursemojo users to support technical infrastructure, troubleshoot customer issues, or other purposes authorized by the district. In addition, Coursemojo requires multi-factor (MFA) authentication methods for access to all production systems. MFA involves a combination of something only the user knows and something only the user can access. For example, MFA for administrative access could involve entering a password as well as entering a one-time passcode sent via text message to the administrator’s mobile phone. The use of MFA reduces the possibility that an unauthorized individual could use a compromised password to access a system.

Infrastructure security

Network filtering technologies are used to ensure that production environments with student data are properly segmented from the rest of the network. Production environments only have limited external access to enable customers to use our web interfaces and other services. In addition, Coursemojo uses firewalls to ensure that development servers have no access to production environments.

Other measures that Coursemojo takes to secure its operational environment include system monitoring to detect anomalous activity that could indicate potential attacks and breaches.

Security training

At Coursemojo, we believe that protecting student data is the responsibility of all employees. We implemented an ongoing information security awareness training program that all employees participate in.

Monitoring

Intrusion detection and prevention systems (IDS/IPS) are in place to analyze the network device logs, monitor the network and report anomalous activity for appropriate resolution.

Incident response

Coursemojo maintains a comprehensive Security Incident Response Policy Plan, which sets out roles, responsibilities and procedures for reporting, investigation, containment, remediation and notification of security incidents. Coursemojo works with reputable firms for incident response and digital forensics support.

Coursemojo’s products are built to facilitate district compliance with applicable data privacy laws, including FERPA and state laws related to the collection, access and review and disclosure of student data. Coursemojo’s Customer Privacy Policy describes the types of information collected and maintained on behalf of our school district customers and limitations on use and sharing of that data.

In the course of customer security assessment, the following documentation can be provided by Coursemojo upon customers’ request:

• Penetration Testing Report
• Risk Assessment Report