During the past several months there have been numerous changes to several Credentials services, all in the name of improving security. There has been a significant amount of positive feedback on these enhancements but at the same time, questions have been raised that need to be addressed. The majority of the questions revolve around the “What? Why? & How?” of our security policies. I intend to address those questions in a very broad sense in this article but stay tuned, as there will be further insight in future installments.
The simple answer to what we are securing is everything. We pull all sorts of information from your student information systems on a daily basis and all of that information must be kept secure. We collect identifiers that relate to name, location, contact information and payment data.
So why would a telephone number or address be treated like a Social Security or Credit Card number? They are certainly less important but that information is part of who you are and can be compiled into a profile that can be used to impersonate you. Criminals will typically use data from multiple breaches to compile an individual’s profile. For example a criminal could use payment information from the recent Target hack and check names against home addresses from the Office of Personnel Management breach. That alone is enough to begin making fraudulent charges against your current credit cards or even open new accounts. Add those bits of data to the United Airlines breach of where you recently traveled to. Perhaps you have a password that uses your last vacation destination as part of the name? Or maybe that’s a security question you have on file with the bank? Your profile is built a little bit more every time more data is added from another breach. Suddenly those unimportant pieces of information pile up and seem pretty valuable. That is the stance we take at Credentials; every piece of information is valuable to someone so we keep it secure.
We have a few basic principles on how we keep this information protected. First, if we don’t need it any more we don’t keep it. This is the easiest concept to understand and implement. We regularly re-evaluate what data we’re keeping, why we’re keeping it, and how long we should keep it. Ideally it’s only as long as it takes to process and deliver the product. If there is nothing worthwhile in our systems to steal, there is less risk to us, our client institutions and the students and alumni we serve. Second, when data is being moved around we encrypt it. Several of the big upgrades this year revolved around upgrading encryption ciphers for HTTPS and SSH. Both are securely designed protocols, but require upkeep to continue enhancing their encryption standards over time as new threats are discovered. In order to stay ahead of those threats we have to continue upgrading our own standards. Third, we upgrade software and systems on a regular basis. Several of the updates this year involved making big changes to some core software and systems that halted services for a small number of customers. Cutting off access to our services is never an intended consequence of upgrades but we feel it is better to keep moving forward and devoting resources to bring customers up to our levels of security rather than risk everyone’s data by maintaining minimal levels. Plan on seeing more of these upgrades coming on a very regular basis. Four, watch what is happening. Who accessed the data? When did they access it and for what purpose? We restrict who can talk to our systems and why they can talk to us. We put up alarms and alerts to notify security personnel when something even looks suspicious. ToD and eSS firewall restrictions put in place this year were a large inconvenience but were necessary to make sure data was more secure and to make these security policies more consistent with Credentials’ policies. Again, we want to decrease risk by maintaining high standards.
Finally, and most importantly, we verify everything. Not just running a few reports and scans or having some employees fill out some forms and check a few boxes. We understand that the data sent to us is important and you can’t just take our word for how well we secure or systems. At Credentials, we voluntarily submit our company to an annual Payment Card Industry Data Security Standards (PCI DSS) external audit. We believe self-assessment is not enough when it comes to trusting us with your data. Every year Crowe Horwath QSAs come into our offices to interview personnel, document systems, examine protocols, and review policy and procedures for compliance. We have successfully completed and passed the PCI audit for the past 6 years and are currently in the process of doing so again this year with our newly acquired platforms eScrip-Safe Network and Transcripts on Demand ordering system included in the process. Most of the changes I’ve mentioned have been made to those systems in order to bring them in line with the security of the Credentials platforms.
Security is paramount at Credentials, it’s part of our culture. Protecting your data is paramount to us. Our passion for security help keep your school’s records and student data secure, while also being critical to us staying in business.