Information SecurityDisaster PreparednessSecure BackupCloud ComputingData ClassificationIT Resource MonitoringAcceptable UseAuthentication ManagementResponsible MarketingEqual Opportunity

Information Security

CCRA continues to invest in the latest technology to ensure confidential and sensitive information are both respected and protected.

Our security policies cover network and computer systems and applications, operational processes and procedures and physical locations.

We follow the guiding principles recommended by the SANS Institute Information Security Research resource center, which are as follows:

  • All users and entities are authenticated.
  • Principle of “least access” is appropriately applied.
  • Risk exposure is balanced with the cost of risk mitigation.
  • Security measures are proactively implemented.
  • We will promote information classification, awareness and governance.
  • We will use comprehensive architectural planning to ensure that all elements of the information security program are defined and planned.
  • We will carefully balance the business need to quickly offer new products and services against the security risks it might pose to our customers or damage to our company brand or reputation.
  • We will invest in information security at or above industry benchmarks for our business.
  • We will adopt security industry standards where appropriate.
  • We will evolve the practice of information security with our external and internal customers (Best practice sharing on standards, solutions architecture, technology, processes and policies)

Disaster Preparedness

Our servers are all located in a Savvis data center. Savvis Data Centers offer world-class facilities for Power Management, Heating/Ventilation/Air Conditioning (HVAC), Fire Suppression, Seismic Engineering, Physical Security, Tier 1 Internet connectivity and access to our Intelligent IP and IP MPLS network. Our servers which power your services are protected with redundant power, internet, switches, cooling, fire suppression, security devices and remote hands gold support.

In addition, we have all of our servers and data securely replicated to a cloud based backup for easy and fast recovery in the event of any server loss.

This security enables us to spend less time concerned with infrastructure, and more time spent working on additional features, automation and innovation for our clients.

Secure Backup

  1. Top-notch data security and data integrity, and a unique pass phrase recovery system based on the best open standards (AES-256, HMAC-SHA-256, RSA-3072, TLS/SSL, PBKDF2, FIPS 197, NIST 800-38A). All file data is stored encrypted on disk and is doubly-encrypted while in transit. We cannot access your encryption key/data under any circumstances. We have sophisticated measures to continually guard against and repair silent data corruption.
  2. Single solution for remote and local backups, allowing you to simplify setup and monitoring and deliver a better customer experience. Now a single product can be used to instantly backup and restore data locally and remotely.
  3. High-speed fully automated block-level incremental backup engine, supporting unlimited versioning, compression, Exchange 2003/2007 & SQL Server, open and locked files, very large files ( > 4GB), network mapped drives, and visual/manual editing of arbitrarily complex policies.
  4. Easy to use, centralized provisioning, management, notification, and monitoring features. Instant email notification of errors/warnings, lack of backup, and unexpected disk usage changes.
  5. Best in class backend infrastructure, layered on redundant storage with additional software-based forward error correction (above and beyond redundant storage), end-to-end data integrity checks (software and hardware), and proactive, automated file-integrity scanning for absolutely zero data loss.
  6. Reverse-delta incremental backup strategy ensures that the most recent backup is always a full backup, while the transmitted incremental and stored historical deltas are still small. This allows for faster restores and also means that once the full backup is uploaded the first time (or preloaded via USB disk), only incremental backups are needed from that time forward (in contrast to forward-delta systems like tape backups where you have to periodically perform a full backup).

    Our cloud based backup solution strives to minimize recovery time (Near-Zero Recovery Time Objective) and provide 5-minute recovery point granularity. It is scalable and allows recovery of backups to any location or virtual machine, even with dissimilar hardware from the backup source. It also allows granular object-level recovery for both files and application level objects such as emails.

Cloud Computing

We utilize the full efficiency and agility of cloud computing by virtualizing, pooling and automating all data center resources—servers, storage, networking, security and availability—and tying everything together with policy-based provisioning and automated operations management. The result is a software-defined data center where:

  • Capacity expands and contracts as needed.
  • Applications can be provisioned on-demand.
  • Every application is assured of the right levels of performance, compliance and security.
  • IT can shift resources and budget away from infrastructure management and maintenance, toward creating innovations that give your company an edge.

Data Classification

Purpose

To provide the basis for protecting the confidentiality of data at CCRA by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.

Scope

This standard applies to all data or information that is created, collected, stored or processed by CCRA, in electronic or non-electronic formats.

Policy

All data at CCRA shall be assigned one of the following classifications. Collections of diverse information should be classified as to the most secure classification level of an individual information component with the aggregated information.

  1. Restricted: Data in any format collected, developed, maintained or managed by or on behalf of the university, or within the scope of university activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, driver licenses, employee records and export controlled technical data.
  2. Sensitive : Data whose loss or unauthorized disclosure would impair the functions of CCRA, cause significant financial or reputational loss or lead to likely legal liability. Examples include, but are not limited to, confidential client information, financial information, strategy documents and information used to secure CCRA's physical or information environment.
  3. Open : Data that does not fall into any of the other information classifications. This data may be made generally available without specific information owner’s designee or delegate approval. Examples include, but are not limited to, advertisements, job opening announcements, company marketing materials, regulations and policies, staff publication titles and press releases.


Responsibilities

  1. Data owners are responsible for appropriately classifying data.
  2. Data custodians are responsible for labeling data with the appropriate classification and applying required and suggested safeguards.
  3. Data users are responsible for complying with data use requirements.
  4. Data users are responsible for immediately referring requests for Restricted or Sensitive information to the President and CTO.

IT Resource Monitoring

Procedure for Monitoring of IT Resources

CCRA may monitor IT resources and retrieve communications and other records of specific users of CCRA IT resources, including individual login session and the content of individual communications, without notice. The criteria and steps required for approval of such monitoring or retrieval without notice are set forth in this policy. A request for such monitoring or retrieval of records and documents must be provided to the CTO (or designee) with the necessary approvals. Approvals must be obtained from the President and CEO (or designee) who supervises the unit requesting such access. If the records are being monitored or retrieved for the purposes of reviewing or investigating employee conduct, the approval of Human Resources is also required.

Prior approval is not required to monitor CCRA IT resources or retrieve communications and other records in the following situations:

The communications and/or records have been made accessible to the public, as by posting to a webpage.

A person’s authorization to access or use any CCRA IT resources ends, for example upon termination of employment or appointment.

The monitoring or retrieval is in response to an emergency. An emergency occurs when there is an imminent threat to life or property and there is not sufficient time available to obtain approval. In such a situation, monitoring or retrieval may be conducted without prior approval, with notification to the appropriate leadership as soon as possible. The scope of access should be reasonable in relation to the emergency situation involved.

Approval may be granted to monitor communications or retrieve records when any one or more of the following situations apply:

It reasonably appears necessary or appropriate to do so to protect the integrity, security or functionality of CCRA or other computing resources.

It reasonably appears necessary or appropriate to do so to comply with legal or contractual requirements or to protect CCRA from liability or disruption. Examples of situations in which access and retrieval are authorized under this paragraph include but are not limited to responses to public records requests, subpoenas, court orders, and discovery requests.

There is reasonable cause to believe that the user has violated or is violating the Acceptable Use Policy or that the user has violated, or is violating, any other CCRA rule, regulation, policy, or collective bargaining agreement, or any other law or regulation and the access is reasonable in relation to the believed violation.

It is part of any investigation or review of an already asserted, threatened or potential complaint or grievance or of a credible allegation of a violation of the law, including without limitation local, state or federal law, or foreign law as applicable, CCRA rule, regulation or policy, or the subject of a law enforcement review or investigation, and the scope of access to the account or activity is reasonable in relation to the complaint, grievance or allegation. An account appears to be engaged in unusual or unusually excessive activity.

CCRA has a legitimate need to access an account or activity and the access is reasonable in relation to the need.

The results of any such general or individual monitoring, including but not limited to the contents and records of individual communications, may be released pursuant to a public records request. In addition, CCRA, in its discretion, may disclose the results of any such general or individual monitoring for any legitimate purpose to appropriate CCRA staff or law enforcement agencies and may use those results in appropriate external and internal disciplinary and other proceedings.

Acceptable Use

Acceptable Use of Information Technology Resources

This represents a summary of CCRA’s Acceptable Use Policy. Users are required to comply with the entire policy. Approval requirements are detailed in the full policy.

CCRA's Information Technology (IT) resources are to be used for CCRA-related business purposes. Some examples of IT resources are computers, software, networks, and electronic devices. This policy applies to all users of CCRA's IT resources, whether affiliated with the CCRA or not, and to all users of those resources, whether in HQ or from remote locations. Users are responsible for following the CCRA's Acceptable Use Policy.

General Rules

  1. Users of CCRA's IT resources must comply with all applicable legal requirements.
  2. Users are responsible for any activity originating from their accounts. Users shall not share their accounts and passwords.
  3. Users shall not use IT resources to gain unauthorized access to anything.
  4. Disruptive use of CCRA's IT resources is not permitted.
  5. Occasional personal use of CCRA's IT resources by employees is permitted when it does not consume a significant amount of those resources, is otherwise in compliance with this policy, and meets with the approval of the supervisor.
  6. CCRA may monitor the activity and accounts of any users of CCRA's IT resources.
  7. Communications made concerning CCRA business are generally subject to state Public Records Law and retention requirements.
  8. Users must not augment CCRA's network infrastructure without prior approval.


Additional requirements apply to the collection, use, storage, and maintenance of Restricted Data.

Consequences of Violations

Users who violate this policy may be subject to penalties and disciplinary action, including expulsion, dismissal, or revocation of user access.

Authentication Management

Authentication mechanisms such as passwords are the primary means of protecting access to computer systems and data. It is essential that these authenticators be strongly constructed and used in a manner that prevents their compromise.

Scope:

This policy applies to all passwords and other authentication methods used at CCRA.

Policy:

  1. Access to all CCRA data and systems not intended for unrestricted public access requires authentication.
  2. Passwords and other authenticators must be constructed to have a resistance to attack commensurate with the level of system or data access granted to the account.
  3. Systems must be designed and configured to protect passwords during storage and transmission.
  4. No one may require another to share the password to an individually assigned CCRA account, for example as a condition of employment or in order to provide technical support.


Responsibilities:

  1. All employees of CCRA are responsible for any activity that occurs as a result of the use of authentication methods issued to them.
  2. All employees of CCRA are responsible for protecting the password or authentication method associated with an individually assigned CCRA account. Passwords may not be shared or disclosed to anyone else.
  3. All employees of CCRA are responsible for reporting any suspicious use of assigned authentication mechanisms. Anyone that reasonably believes his or her password to be known by anyone else must change it immediately. Lost or stolen authentication devices are to be reported immediately.
  4. Information Security Managers are responsible for verifying that information systems under their control, and those intended for acquisition or development by their unit, comply with this policy.
  5. The Chief Technology Officer is responsible for implementing systems and specifications to facilitate unit compliance with this policy.

Responsible Marketing

CCRA adheres to all applicable laws when it comes to marketing and your privacy. We do not share your information with third parties and we always take it seriously when you opt-out of a communication.

Equal Opportunity

We assure equal opportunity of employment for all applicants and employees of CCRA without regard to race, color, religion, national origin, gender, disability, age, marital status or sexual preference.