STAR Autism Support Security Details

STAR Autism Support (SAS) is committed to keeping your information secure. To prevent unauthorized access or disclosure, we have put in place physical, electronic and managerial procedures to safeguard and secure the information we collect online. See the information below:

User Data and Information

Users are required to provide an email address and password as login credentials for accessing the system. No other information is required. The information provided by users is protected by the security measures listed below. Additionally, should any unauthorized disclosure of the user’s information occur, SAS will take the actions detailed in the Unauthorized disclosure section below.

Student Data and Information

No personally identifiable student information or data is required. Student ID numbers can be automatically or manually assigned, depending on the needs of the implementing district/organization. Any additional information provided about students is at the district's or organization's discretion and subject to their specific policies and procedures. Any information or data relating to students that is provided is protected by the security measures listed below. Additionally, should any unauthorized disclosure of student information occur, SAS will take the actions detailed in the Unauthorized disclosure section below.

Security Measures in Place

Data Management and Protection

All data in transit is encrypted via SSL (with preference for TLS 1.2). The application does not allow non-SSL connections, so all data will be encrypted in transit.

There are a limited number of SAS-managed system administrator accounts. Authentication is performed via HTTPS. Passwords are stored only after applying a hash with a salt. The hash is currently being calculated with SHA2. Authorization is done via specific user roles. Any administrative actions are only accessible to a system administrator role. All administrator access is limited to authorized employees of SAS.

Vulnerability Assessment

Vulnerabilities are reviewed and assessed at least monthly by the programming team. Patches are submitted monthly or immediately when a critical vulnerability is identified.

Amazon

The Links application is hosted within Amazon’s AWS Cloud. General Cloud security best practices are followed. Each tier of the application has limited ingress; that is, the web servers only allow ingress via the Load Balancer, and the database has network ingress limited to the web servers.

Any permissions to AWS resources are controlled via IAM roles, following the principle of least privilege. Changes to AWS infrastructure are all auditable via AWS CloudTrail.

In limited circumstances (e.g. deployments) it may be necessary for an administrator to access a web server. Any direct access to the servers themselves is logged. Ingress to the server is allowed only for the duration of the login session.

Data Auditing

Any modifications or deletions of user or student data within the Links application create audit entries detailing what change was made and what user made it. Data can be analyzed or retrieved if deemed necessary, for either recovery or security purposes.

Unauthorized disclosures and SAS procedures pertaining thereto

Within 24 hours of the SAS IT team identifying a breach, the appropriate account manager and the impacted customer(s) are notified. Action is immediately taken to ensure the breach has been closed. An action plan is then generated with input from the customer as to next steps and resolution. Depending on the breach and customer needs, this can include communication with users and/or parents.

User Responsibilities

It is your responsibility to know and comply with your organization's, district's or state's policies regarding student information. SAS is not liable for any user disclosure within the system that violates district policies or protocols.