Data Protection and Resiliency in Cerego

Policies and Procedures

Q: Is a senior official or officer within Cerego directly responsible for the oversight and implementation of the security policies?

A: Yes


Q: Does Cerego employ procedures to ensure compliance with privacy laws and regulatory requirements related to maintaining security, confidentiality, and protection of third-party personal information (e.g., information pertaining to customers’ employees, customers, and/or producers)?

A: Yes


Q: Can Cerego submit documents proving it maintains liability insurance and preferably cyber risk insurance?

A: Yes


Q: Does Cerego publish and enforce security policy document(s)?

A: Yes


Q: Does Cerego communicate these procedures to subcontractors who may have access to customer data?

A: Yes


Q: Does Cerego monitor these procedures?

A: Yes



Disaster Recovery and Business Continuity

     General

Q: Does Cerego have a Disaster Recovery and/or Business Continuity Plan?

A: Cerego performs daily backups of our databases, which are stored off-site, and maintains a redundant database for immediate failover.


Q: Does Cerego test its recovery plans?

A: Cerego performs automatic testing of our database failover and recovery procedures.


Q: What type of testing does Cerego conduct? (e.g., Paper walk-through, simulation drills)

A: Manual testing is performed every several months.


Q: Does Cerego test the recovery procedures for efficacy?

A: Cerego has data integrity checks to make sure data is self-consistent.


Q: How long does Cerego estimate it takes to restore products or services should a serious business interruption occur? (e.g., Interruption that lasts more than one business day).

A: Cerego database failures are restored immediately through an automated failover, otherwise we can restore from a backup that is at most one day old. Database restoration should take no longer than a few hours.


Q: How does Cerego define “uptime” and “downtime”? (e.g., is the system down if more than 5% of users are affected? Is the system “down” if it is so slow users cannot function regardless of whether they can log in?)

A: Application specific: “downtime” is any period during which critical application functionality (student study, instructor analytics, etc.) is unavailable across the user base.


Q: Does Cerego have prearranged recovery locations?

A: Cerego stores all data off-site in highly secured cloud-based services.


Q: Does Cerego own its own data center?

A: No


Q: Where are the data center(s) located?

A: Cerego uses only AWS data centers on US soil.


Q: What is Cerego’s approach to scalability?

A: Cerego uses AWS auto-scaling groups across all of our stack.


Q: How does Cerego handle load balancing?

A: All Cerego endpoints are behind an Elastic Load Balancer.


Q: How does Cerego ensure access to backup and redundant power?

A: Cerego uses multiple AWS availability zones.


Q: What tools does Cerego use for API monitoring?

A: We use CloudWatch and Datadog to monitor uptime and notify on-call engineers. You can find the status of our platform at status.cerego.com.


Q: What platform is Cerego hosted on?

A: Cerego runs 100% on AWS.


     Data Security

Q: Who has access to user data?

A: Only authorized employees.


Q: How does Cerego prevent clients from accessing each other's data?

A: Cerego has a rigorous permission subsystem that protects clients from having their data accessed by other users.


Q: Does Cerego employ mechanisms that facilitate secure data exchange such as SSL, TLS, SFTP, VPN, etc?

A: Cerego mandates TLSv1.2+ for all web-based access, and key-only SSH, enforced two-factor authentication, and IP restriction for server maintenance.


Q: Does Cerego employ a “Default Deny” for all data except where a customer explicitly grants access?

A: Yes



Identity and Access Management

     General

Q: How and where does Cerego store user IDs and Passwords? How does Cerego secure the information and what type of encryption is used? (e.g. Active Directory)

A: Cerego only stores bcrypt hashes of passwords; raw passwords are never stored.


     Authentication

Q: What user authentication methods does the hosted service support?

A: Cerego uses OAuth2 for API and SSO access; email/password for front-end access.


Q: Does Cerego support authentication methods such as Federation (SAML compliant) or single sign-on?

A: OAuth2, LTI, and SAML are supported for single sign-on.


Q: Does the hosting service provide authentication mechanisms?

A: Yes


Q: Can Cerego’s system be configured to require strong passwords?

A: Yes, clients can require that passwords contain at least 1 uppercase letter, 1 lowercase letter, 1 symbol and 1 number, and be at least 12 characters long.


Q: Can customers (partner organizations) dictate password criteria as needed to ensure compliance with applicable security standards?

A: Yes, within existing options.
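The strong-password option described above, as an added example that is not Cerego's code: a configurable validator whose defaults mirror the stated criteria (12 characters, uppercase, lowercase, number, symbol) and which reports every unmet criterion at once rather than stopping at the first. The set of characters counted as a "symbol" is an assumption, since the page does not define it.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Complexity criteria a client can enable. Defaults mirror the strict
    option described on the page; a client may relax them within these options."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True


# Assumption: "symbol" means printable ASCII punctuation (the page does not define it).
SYMBOLS = frozenset(string.punctuation)


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    Every rule is evaluated so the user can be shown all failures in one round trip."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"at least {policy.min_length} characters required")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("at least one uppercase letter required")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("at least one lowercase letter required")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("at least one number required")
    if policy.require_symbol and not any(c in SYMBOLS for c in password):
        violations.append("at least one symbol required")
    return violations


def is_acceptable(password: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """Convenience wrapper for the sign-up / password-change path."""
    return not check_password(password, policy)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["Tr0ub4dor&3x!", "password", "Short1!", "longenoughbutlowercase1!"]:
        print(repr(pw), check_password(pw) or "OK")
```

The same function serves a relaxed client policy, for example `PasswordPolicy(min_length=8, require_symbol=False)`, so the enforcement code stays in one place while the criteria vary per client.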


Q: Does Cerego encrypt all passwords during network transit?

A: Yes. Cerego encrypts all requests with TLSv1.2+.


Q: Are passwords encrypted in storage?

A: Yes. Cerego hashes all passwords with bcrypt, a Blowfish-based password hashing algorithm.


     Authorization

Q: How does Cerego maintain authorization controls?

A: Cerego sessions expire every 2 weeks.


Q: Can Cerego configure authorization process controls to automatically disable user accounts or access privileges after a defined period of non-use?

A: Yes


Q: Does Cerego’s system offer the ability to restrict access within the application based on roles assigned to authorized users?

A: Yes


     Accounting

Q: Can Cerego’s security controls detect and report unauthorized access attempts?

A: Yes


Q: Are all attempted and successful logins logged, including date/time, userid, source network address, and maintained for at least one year?

A: Yes


Q: Can Cerego’s system provide easy-to-read security reports that identify users and their access levels for periodic review?

A: Yes



Incident Response

Q: Are security incidents monitored and tracked until resolved?

A: Yes


Q: Does Cerego have a breach response plan that includes notifying customers if sensitive data is unknowingly or accidentally released?

A: Yes


Q: Is incident information and common vulnerabilities or threats shared with data hosting customers?

A: Under NDA, when appropriate.


Q: Will a third party ever have access to the service provider’s hardware or systems that store a partner organization’s Restricted Data?

A: No


Q: Are Cerego’s database and web server access and error logs regularly reviewed for anomalies that could indicate a compromise?

A: Yes


Q: What process does Cerego have in place to identify security breaches on vendor-managed systems (e.g., file integrity checks)?

A: We make extensive use of AWS security audit services.


Q: In case of a security breach or unexpected exposure of Restricted Data, what are the Cerego incident response procedures?

A: Cerego will work together with the partner organization to message and handle the response.


Q: What is Cerego’s process for disclosing any data requests, such as subpoenas or warrants, from a third party?

A: See our Terms of Service for more information.


Q: Has Cerego ever experienced a breach of customer data?

A: No



Network Infrastructure

Q: Which intrusion prevention/detection systems does Cerego employ?

A: Application and network anomaly detection; monitoring of security policy violations and of application/networked service availability; logging of account login success and failure events.



Application Security

Q: What software development life-cycle methodologies does Cerego use to develop its software (e.g., TSP-Secure, SAMM, Microsoft SDL, OWASP, NIST SP800-64 rev 2)?

A: Application specific; we also follow OWASP recommended best practices for session management.


Q: Are security components identified during each phase of the software development life-cycle?

A: Yes


Q: Does the service provider have change management policies in place?

A: Yes


Q: Are customers notified of changes?

A: Yes, application specific.


Q: Does Cerego regularly perform source code audits?

A: Yes


Q: Are source code audits performed by someone other than the person or team that wrote the code?

A: Yes



Firewall

Q: Does Cerego employ firewall services to protect the network?

A: Yes


Q: Is Cerego’s firewall installed on a dedicated system and kept up to date?

A: Yes


Q: Does Cerego allow non-standard (>1024) IP ports to pass through the firewall?

A: No


Q: Does Cerego regularly scan and verify all the allowable services provided by the firewall server?

A: Yes


Q: Does Cerego use firewall-reporting tools to analyze the firewall log?

A: Yes


Q: Does Cerego periodically document and verify security policies on the firewall?

A: Yes


Q: Does Cerego protect internal IP address range(s)? (e.g., use NAT/RFC 1918)

A: Yes



Malware Controls

Q: Does Cerego scan all emails for malware?

A: Yes


Q: Is there an explicit policy requiring anti-malware software on networked computers?

A: Yes


Q: Does Cerego have centralized administration of malware control, such as distribution of signature updates, reporting, policy enforcement, and vendor management?

A: Yes


Q: Are additional measures in place to protect against malware?

A: Yes


Q: Does the malware checking software run in the background with established frequency of scanning, etc.?

A: Yes


Q: Does Cerego allow installation of personal and non-corporate software or hardware on network computers?

A: Yes


Q: Does Cerego employ Application Whitelisting to ensure non-approved programs such as malware cannot execute on managed workstations?

A: Yes