
Security Overview: Keeping Data and Transactions Secure

The document discusses the security measures and policies that 360Alumni has in place to protect client and user data. It outlines 360Alumni's security policy, payment security practices, data classification policies, background checks, disaster recovery processes, network topology diagrams, development processes, regular security testing, and reliance on AWS and third party SOC reports. It then provides answers to frequently asked questions about what personal information is collected and stored, how it is used, privacy and password settings, data hosting, and monitoring processes.


Security Overview

Keeping Data and Transactions Secure

Security isn't just about protecting data, it's about protecting people. 360Alumni's executive and engineering teams have gone the extra mile to ensure that our clients' communities are actively maintained in a secure environment, providing their users with the confidence to share information and conduct transactions safely.

360Alumni takes this responsibility very seriously and follows industry best practices to ensure that every base is covered.
 
What It Is / Why It Matters

Security Policy
Our Security Policy covers data classification, access control, employee/contractor computers and mobile devices, 360Alumni servers, continuity planning, and more. It is reviewed and updated annually and is available upon request.

Payment Security
We are PCI compliant, so as payments are collected for certain activities on our platform, payment card information is handled and transactions are conducted securely. We do not store credit card information on our servers.

Data Classification Policy
Proper data classification is the foundation of an effective security policy.

Background Checks
Background checks are conducted on every employee with access to client data. This includes a limited number of engineers and certain members of the client support team.

Disaster Recovery Processes
In the unlikely event of a catastrophic failure, we are prepared to get our services back online with minimal downtime and no loss of data.

Network Topology Diagrams
Our Network Topology Diagram illustrates some of the physical and logical protections we have in place against attacks.

Documented Development Processes
Properly designed, developed, tested, and deployed software ensures a positive experience for our customers, even as we rapidly innovate and add features. All code is peer reviewed prior to being deployed to production.

Regular Security Testing
We regularly use third parties to perform independent security assessments of our sites on a page-by-page basis. Additional internal testing using Arachni, BurpSuite and OpenVAS is performed as well.

SOC-1, SOC-2, SOC-3 Reports
Our site relies on Amazon Web Services. We rely on their external auditors to ensure that Amazon's internal policies and procedures are being followed. The SOC reports are a complete examination of the security at Amazon Web Services, conducted quarterly by a third party.

We are happy to share copies of the latest reports or provide supporting documentation for any of the above upon request.

360Alumni Security Overview, page 1

360Alumni LLC | [email protected] | +1 (424) 888-0360
 
Q&A
What Personally Identifiable Information (PII) is collected and stored?
Our customers provide lists of member names. These records may contain home address, email address, date of birth and/or phone number(s), or other potentially PII fields. Their alumni can further enrich this data, providing additional contact information.

What does 360Alumni do with this data?
All alumni data collected and stored on 360Alumni is solely for the use and benefit of our customer and their alumni. 360Alumni only has limited access in order to perform maintenance and customer support.

What is the procedure if a business separation between 360Alumni and a client were to occur?
Per our terms of service, 360Alumni will provide and/or return any data which belongs to the client, if a written request is made within 30 days. After 30 days, the data will be removed from our systems. See https://www.360alumni.com/customer-terms-of-service-360alumni for more information.

Are your applications fully FERPA-compliant?
The Family Educational Rights and Privacy Act protects the privacy of student educational records. The U.S. Department of Education's Privacy Technical Assistance Center (PTAC) has provided guidelines for schools and third party service providers (such as 360Alumni) in Responsibilities of Third Party Service Providers. 360Alumni provides full transparency about how data provided to us is used, and assumes that any data provided to 360Alumni that is not designated for admin-only fields and/or set to a default visibility of "private" shall be made available to other authenticated members of the community with full access.

How are passwords stored?
Users can benefit from a streamlined authentication process by using our federated authentication system with their existing Facebook or LinkedIn accounts. If a user logs in with a traditional email and password, their password is hashed and stored in our database. We have a password reset mechanism, but are unable to directly recover passwords.
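The storage model described in this answer (only a hash is kept, a reset is possible, recovery is not), as an added Python illustration that is not 360Alumni's code; the answer does not say which hash is used, so PBKDF2-HMAC-SHA256, the iteration count and the token format here are assumptions:

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed work factor for this illustration; tune so one hash costs ~100 ms.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


class ResetTokens:
    """Password reset without recovery: a short-lived, single-use random token
    lets the user choose a new password; the old hash is never reversed."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        # Only the hash of each token is kept, so reading this store does not
        # yield a usable token.
        self._issued: Dict[str, Tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # delivered to the user out of band
        key = hashlib.sha256(token.encode()).hexdigest()
        self._issued[key] = (user, time.time() + self.ttl)
        return token

    def redeem(self, token: str, new_password: str) -> Optional[Tuple[str, str]]:
        """Return (user, new_hash) to store, or None if the token is unknown,
        already used, or expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._issued.pop(key, None)  # pop makes the token single-use
        if entry is None or time.time() > entry[1]:
            return None
        return entry[0], hash_password(new_password)
```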

Can members manage their privacy settings and easily hide their entire listing, or elements of their listing? Can this be the default "Hidden" for new users?
Contact information as part of a user's profile (e-mail, phone, address, social media links) as well as date of birth can be set to either Private (not displayed to the alumni community) or Public (displayed to registered users of the alumni community).

Where is your site/data hosted?
360Alumni uses Amazon Web Services, the world's leading hosting service, to house all user data. Our primary servers are based in the us-east-1 region (Ashburn, VA). AWS's physical security protocols are detailed at http://aws.amazon.com/security/

   

What processes do you have to monitor the site performance and protect from outages?
360Alumni performs 24x7 monitoring using internal and external tools to detect and respond to any increase in latency or errors in our web site, application, and database servers. A global team is in place to address any issues.

What methods do you use in the system to provide data security?
All web pages are served over an encrypted HTTPS connection between our servers and end users. 360Alumni's architecture is a standard 3-tier solution architecture behind a load balancer and firewalls. Access to all servers is controlled through IP whitelists and SSH keys. The application servers are separated from the database servers by firewall rules, and the database servers are only accessible from the application servers. There is no direct access to the database servers from outside IP addresses.

Are your credit card processing services PCI compliant?
Yes. We are PCI compliant and use Authorize.net and Heartland Payment Systems. No credit card data is stored or processed on our servers.

What is 360Alumni's approach to backups and disaster recovery?
In addition to regular backups above industry standards, we have multiple layers of physical and logical redundancy within Amazon Web Services. We have designed the system to be resilient to failures within an AWS region. Should a disaster occur at our main server site in VA, a mirrored server in another location will immediately resume service. For more information, see https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf

Does 360Alumni have appropriate Liability, Cybersecurity and Errors & Omissions coverage?
Yes. 360Alumni has General Liability, Cyber Liability, Errors & Omissions, Crime, Worker's Compensation and Umbrella coverage. Additional information can be provided upon request.

The above items are subject to change. Please see the latest customer terms of service and/or your contract for the latest information around 360Alumni's security policies.
