Q: Is a senior official or officer within Cerego directly responsible for the oversight and implementation of the security policies?
Q: Does Cerego employ procedures to ensure compliance with privacy laws and regulatory requirements related to maintaining security, confidentiality, and protection of third-party personal information (e.g., information pertaining to customers’ employees, customers, and/or producers)?
Q: Can Cerego submit documents proving it maintains liability insurance and preferably cyber risk insurance?
Q: Does Cerego publish and enforce security policy document(s)?
Q: Does Cerego communicate these procedures to subcontractors who may have access to customer data?
Q: Does Cerego monitor these procedures?
Q: Does Cerego have a Disaster Recovery and/or Business Continuity Plan?
A: Cerego performs daily backups of our databases, which are stored off-site, and maintains a redundant database for immediate failover.
Q: Does Cerego test its recovery plans?
A: Cerego performs automatic testing of our database failover and recovery procedures.
Q: What type of testing does Cerego conduct? (e.g., Paper walk-through, simulation drills)
A: Manual testing is performed every few months.
Q: Does Cerego test the recovery procedures for efficacy?
A: Cerego has data integrity checks to make sure data is self-consistent.
Q: How long does Cerego estimate it takes to restore products or services should a serious business interruption occur? (e.g., Interruption that lasts more than one business day).
A: Cerego database failures are recovered immediately through automated failover; otherwise we can restore from a backup that is at most one day old. Database restoration should take no longer than a few hours.
Q: How does Cerego define “uptime” and “downtime”? (e.g., is the system down if more than 5% of users are affected? Is the system “down” if it is so slow users cannot function regardless of whether they can log in?)
A: Application specific: "downtime" is any period during which critical application functionality (student study, instructor analytics, etc.) is unavailable across the user base.
Q: Does Cerego have prearranged recovery locations?
A: Cerego stores all data off-site in highly secured cloud-based services.
Q: Does Cerego own its own data center?
Q: Where are the data center(s) located?
A: Cerego uses only AWS data centers on US soil.
Q: What is Cerego’s approach to scalability?
A: Cerego uses AWS auto-scaling groups across all of our stack.
Q: How does Cerego handle load balancing?
A: All Cerego endpoints are behind an Elastic Load Balancer.
Q: How does Cerego ensure access to backup and redundant power?
A: Cerego uses multiple AWS availability zones.
Q: What tools does Cerego use for API monitoring?
A: We use CloudWatch and Datadog to monitor uptime and notify on-call engineers. You can find the status of our platform at status.cerego.com.
Q: What platform is Cerego hosted on?
A: Cerego runs 100% on AWS.
Q: Who has access to user data?
A: Only authorized employees.
Q: How does Cerego prevent clients from accessing each other's data?
A: Cerego has a rigorous permission subsystem that protects clients from having their data accessed by other users.
Q: Does Cerego employ mechanisms that facilitate secure data exchange such as SSL, TLS, SFTP, VPN, etc?
A: Cerego mandates TLSv1.2+ for all web-based access, and key-only SSH, enforced two-factor authentication, and IP restriction for server maintenance.
Q: Does Cerego employ a “Default Deny” for all data except where a customer explicitly grants access?
Q: How and where does Cerego store user IDs and Passwords? How does Cerego secure the information and what type of encryption is used? (e.g. Active Directory)
A: Cerego stores only bcrypt hashes of passwords; raw passwords are never stored.
Q: What user authentication methods does the hosted service support?
A: Cerego uses OAuth2 for API and SSO access; email/password for front-end access.
Q: Does Cerego support authentication methods such as Federation (SAML compliant) or single sign-on?
A: OAuth2, LTI, and SAML are supported for single sign-on.
Q: Does the hosting service provide authentication mechanisms?
Q: Can Cerego’s system be configured to require strong passwords?
A: Yes. Clients can require that passwords contain at least 1 uppercase letter, 1 lowercase letter, 1 symbol, and 1 number, and be at least 12 characters long.
Q: Can customers (partner organizations) dictate password criteria as needed to ensure compliance with applicable security standards?
A: Yes, within existing options.
Q: Does Cerego encrypt all passwords during network transit?
A: Yes. Cerego encrypts all requests with TLSv1.2+.
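The TLS 1.2+ floor stated here, and in the answer on secure data exchange above, is a configuration choice rather than a product feature. The following is an added example (not Cerego's own code or configuration) of how a service written in Python would enforce that floor on both the client and server side with the standard `ssl` module, plus two helpers a reviewer can use to audit a context without opening a connection. The certificate and key paths in `make_server_context` are placeholders supplied by the caller.

```python
"""TLS 1.2-or-newer contexts with Python's ssl module (added example, not Cerego's configuration).

make_client_context() is what a service would use for outbound HTTPS calls;
make_server_context() is the server-side equivalent. context_audit() reports
the settings a reviewer would check, and accepts_tls() answers "would this
context negotiate protocol version X?" from the configured range alone.
"""
import ssl


def make_client_context() -> ssl.SSLContext:
    """Verify peer certificates and hostnames; refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION        # TLS-level compression enables CRIME
    return ctx


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server side: same floor, so TLS 1.0/1.1 clients fail the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.load_cert_chain(certfile, keyfile)      # paths are assumed, supplied by the caller
    return ctx


def _bounds(ctx: ssl.SSLContext):
    """Resolve the MINIMUM/MAXIMUM_SUPPORTED sentinels to concrete versions.

    The sentinels are small integers that do not compare numerically as
    versions, so they must be mapped before range checks."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo, hi


def accepts_tls(ctx: ssl.SSLContext, version_name: str) -> bool:
    """True if the configured range admits the named version, e.g. "TLSv1_1"."""
    lo, hi = _bounds(ctx)
    return lo <= ssl.TLSVersion[version_name] <= hi


def context_audit(ctx: ssl.SSLContext) -> dict:
    """The settings worth checking in a TLS configuration review."""
    lo, _ = _bounds(ctx)
    return {
        "min_version": lo.name,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


if __name__ == "__main__":
    print(context_audit(make_client_context()))
```

Setting `minimum_version` explicitly is the point: it documents the floor in code and survives interpreter or OpenSSL upgrades that might change the default, and `accepts_tls` gives a unit-testable check that TLS 1.0 and 1.1 are actually out of range.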
Q: Are passwords encrypted in storage?
A: Yes. Cerego stores passwords as bcrypt hashes (a salted, adaptive hash derived from the Blowfish cipher) rather than as recoverable encrypted values.
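The two answers above on password hashing, together with the configurable strong-password option described earlier, are the pieces of a registration and login flow. The following is an added example, not Cerego's code, of how such a flow fits together: a configurable policy whose defaults match the option the questionnaire describes (12+ characters, at least one uppercase letter, lowercase letter, digit and symbol), a hash record that stores a random salt and a slow hash but never the password, and a login that verifies in constant time. Because bcrypt needs a third-party package, the example swaps in `hashlib.scrypt` from the standard library; the cost parameters, record format, `register`/`login` names and the dummy record used for unknown users are all assumptions of this example.

```python
"""Password policy check and at-rest password storage (added example, not Cerego's code).

The policy defaults mirror the questionnaire's strong-password option and are
adjustable per organization. Hashing uses hashlib.scrypt from the standard
library as a stand-in for bcrypt, which the page names; the flow is the same:
random salt, slow salted hash, store salt and hash, never the password.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Configurable password rules; defaults match the questionnaire's option."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def violations(self, password: str) -> List[str]:
        """Return every rule the candidate password fails (empty list means accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        # A "symbol" here is any character that is neither alphanumeric nor whitespace.
        if self.require_symbol and not any(not c.isalnum() and not c.isspace() for c in password):
            problems.append("no symbol")
        return problems


# scrypt cost (assumed values; n=2**14, r=8, p=1 is a common interactive-login setting)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted slow hash and return a self-describing record for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed dummy record, verified against for unknown usernames so that the
# response time does not reveal whether an account exists.
DUMMY_RECORD = hash_password("dummy", salt=b"\x00" * SALT_BYTES)


def register(store: Dict[str, str], username: str, password: str,
             policy: PasswordPolicy = PasswordPolicy()) -> None:
    """Reject policy violations; otherwise store only the hash record."""
    problems = policy.violations(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    store[username] = hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """Verify against the stored record; always run the hash, even for unknown users."""
    record = store.get(username, DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in store
```

The record carries its own algorithm and cost parameters, so the cost can be raised later and old records re-hashed on next login without a migration; `hmac.compare_digest` keeps the comparison constant time, and `login` hashes even for unknown usernames so that timing does not leak account existence.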
Q: How does Cerego maintain authorization controls?
A: Cerego sessions expire after 2 weeks.
Q: Can Cerego configure authorization process controls to automatically disable user accounts or access privileges after a defined period of non-use?
Q: Does Cerego’s system offer the ability to restrict access within the application based on roles assigned to authorized users?
Q: Can Cerego’s security controls detect and report unauthorized access attempts?
Q: Are all attempted and successful logins logged, including date/time, userid, source network address, and maintained for at least one year?
Q: Can Cerego’s system provide easy-to-read security reports that identify users and their access levels for periodic review?
Q: Are security incidents monitored and tracked until resolved?
Q: Does Cerego have a breach response plan that includes notifying customers if sensitive data is unknowingly or accidentally released?
Q: Is incident information and common vulnerabilities or threats shared with data hosting customers?
A: Under NDA, when appropriate.
Q: Will a third party ever have access to the service provider’s hardware or systems that store a partner organization’s Restricted Data?
Q: Are Cerego’s database and web server access and error logs regularly reviewed for anomalies that could indicate a compromise?
Q: What process does Cerego have in place to identify security breaches on vendor-managed systems (e.g., file integrity checks)?
A: We make extensive use of AWS security audit services.
Q: In case of a security breach or unexpected exposure of Restricted Data, what are the Cerego incident response procedures?
A: Cerego will work together with the partner organization to message and handle the response.
Q: What is Cerego’s process for disclosing any data requests, such as subpoenas or warrants, from a third party?
A: See our Terms of Service for more information.
Q: Has Cerego ever experienced a breach of customer data?
Q: Which intrusion prevention/detection systems does Cerego employ?
A: Application and network anomaly detection; monitoring of security policy violations and of application/network service availability; logging of account login success and failure events.
Q: What software development life-cycle methodologies does Cerego use to develop its software (e.g., TSP-Secure, SAMM, Microsoft SDL, OWASP, NIST SP800-64 rev 2)?
A: Application specific; we also follow OWASP recommended best practices for session management.
Q: Are security components identified during each phase of the software development life-cycle?
Q: Does the service provider have change management policies in place?
Q: Are customers notified of changes?
A: Yes; application specific.
Q: Does Cerego regularly perform source code audits?
Q: Are source code audits performed by someone other than the person or team that wrote the code?
Q: Does Cerego employ firewall services to protect the network?
Q: Is Cerego’s firewall installed on a dedicated system and is kept up-to-date?
Q: Does Cerego allow non-standard (>1024) IP ports to pass through the firewall?
Q: Does Cerego regularly scan and verify all the allowable services provided by the firewall server?
Q: Does Cerego use firewall-reporting tools to analyze the firewall log?
Q: Does Cerego periodically document and verify security policies on the firewall?
Q: Does Cerego protect internal IP address range(s)? (e.g., use NAT/RFC 1918)
Q: Does Cerego scan all emails for malware?
Q: Is there an explicit policy requiring anti-malware software on networked computers?
Q: Does Cerego have centralized administration of malware control, such as distribution of signature updates, reporting, policy enforcement, and vendor management?
Q: Are additional measures in place to protect against malware?
Q: Does the malware checking software run in the background with established frequency of scanning, etc.?
Q: Does Cerego allow installation of personal and non-corporate software or hardware on network computers?
Q: Does Cerego employ Application Whitelisting to ensure non-approved programs such as malware cannot execute on managed workstations?