Cybersecurity Policy

Overview

Skill Struck’s mission of promoting equity in computer science education relies on the security and efficiency of our systems. We want our partner schools and their administrators, teachers, and students to know that Skill Struck is a trustworthy guardian of sensitive data.

This document details our information and cyber security program. Principles of an effective security program include being threat-driven, using automation to scale, and balancing the investment between prevention and response. We regularly adjust our security practices to align with the NIST Cybersecurity Framework.

Our program has three focus areas: product security, infrastructure security, and IT security. The following sections describe each focus area and the set of security activities we practice within each.

Product security

The goal of Skill Struck’s product security efforts is to clarify the security and privacy impact of new features as they are being created to let Skill Struck engineering continuously improve the Skill Struck product safely.

Secure Software Development Lifecycle

We have an application security review process that applies to all new development projects. It includes threat modeling and code review. Security design reviews occur for any major change. We have a secure code review process that identifies high-risk code for manual review by our software engineers. We use automation in our software development build pipeline that analyzes code for potential vulnerabilities through unit tests.

Our engineer portal includes application security training material with secure coding guidelines specific to our technology stack, which all new engineering hires review.

We have an active bug-finding program that includes a team reviewing the Skill Struck platform daily to ensure that all reported bugs are fixed in a timely manner. We’re responsive to security inquiries sent to support@skillstruck.com.

Security Features

Skill Struck does not give log file information or student usage information to third parties, except (i) those service providers engaged to support and assist in administering Skill Struck’s Site, or (ii) in a sanitized form disassociated from IP address or other personal data, or (iii) as authorized or directed by the school. Skill Struck stores, transmits, and displays student data only via secure and FERPA-compliant methods. Only selected members of the Skill Struck staff have access to student data, and are required to be FERPA certified and must log in to the platform using 2-factor authentication. 

Skill Struck protects against password brute forcing by rate-limiting login attempts. After 5 failed login attempts, then the following guesses require ReCAPTCHA each time. Skill Struck salts and hashes passwords using SHA256, a high-cost hashing function recommended by NIST. Skill Struck requires two-factor authentication for administrator, teacher, and student account access.

We use Content Security Policy (CSP) to detect and prevent unauthorized Javascript from running in the context of our applications.

Infrastructure security

Our infrastructure security efforts focus on accelerating the pace of our development teams by providing the underlying tools, systems, processes, and knowledge resources to build secure and privacy-protecting systems.

All of Skill Struck’s infrastructure runs in the cloud. Our primary cloud provider, AWS, conforms to security standards including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171. See https://aws.amazon.com/compliance/ for more details.

Change Management

We have a change management process for our infrastructure that includes source code control, peer code review, logging, and alerts for unusual behavior. All production changes are deployed with an automated system that detects reliability issues and reverts problematic deploys. Our automation allows us to safely and reliably deploy code to production dozens of times per day.

Availability and Disaster Recovery

Our availability is 99.9% or higher.

We have established a set of practices and tools to defend against automated Denial of Service (DoS) attacks against Skill Struck’s infrastructure. Skill Struck uses Cloudfront to defend against these attacks.

Since our service is based entirely in the cloud, our disaster recovery plan is based on best practices from AWS for maintaining resiliency in the case of disaster. We use multiple AWS availability zones to safeguard against single data-center issues.

Skill Struck generates data backups regularly and stores them securely with our cloud provider. All backups stored offsite are encrypted and deleted securely when they become obsolete - in no case longer than 60 days. Skill Struck’s production systems are housed in a tier-1 hosting facility that is monitored 24 hours a day, 7 days a week. Access to these systems requires prior written approval from Skill Struck management and all access is logged and monitored. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, Skill Struck cannot guarantee its absolute security.

Data Encryption in Storage and Transit

We encrypt all Personally Identifiable Information (PII) in transit outside of our private network and at rest in our private network. All data is encrypted via SSL in transit and by rest by Amazon Web Services. We use industry-standard cryptography (AES-256) and access control keys that are regularly audited and rotated. Read more about our security encryption with AWS by referring to their Encryption Reference Guide.

Data Isolation

Skill Struck uses logical separation to process data in a multi-tenant environment. The code controls are tested before every production deployment. Data processing occurs in containerized environments with limited access to external resources. Services use ephemeral credentials for services to access data stores. All data is stored in the USA.

Network Isolation

Skill Struck limits external access to network services by running them inside of a Virtual Private Cloud (VPC) and blocking all unnecessary ports from external traffic. Access to our production network is limited to necessary personnel, logged, and secured using multiple-factor authentication. We use a bastion SSH host to gate all system-level access to production infrastructure.

Logging

Skill Struck maintains a centralized log for product and infrastructure events and metrics. Tightly access-controlled and integrity protected log backups are persisted to access-controlled archival stores on S3. All system-level actions performed in production environments with elevated permissions (sudo) are logged.

Threat Detection

We have monitoring, alerting, and response processes for suspicious activity occurring in our infrastructure.

Secret Storage

No secret data (passphrases, API keys, QR Codes for 2-factor, etc) are sent using tools like Gmail, Dropbox or Slack. We have purpose-built tools for storing and transferring this data in accordance with our security requirements.

Patching

We regularly update our operating systems images, container images, language runtimes, and language libraries to the latest known supported versions.

IT security

Policies and Standards

Our information security policy is documented in our Employee Portal. We have a Skill Struck Data Classification standard that describes the different types of data that our employees work with and how that data should be handled.

Device Policies

Our device policy describes best practices for device configuration and software usage for Skill Struck devices. It mandates full disk encryption for all devices that have access to sensitive data, the use of screen locks after a period of inactivity, and remote wipe capabilities. It also describes our permitted software and software update practices.

Account Policies

Our account policies state that all passwords should be securely stored and generated with a password manager, and mandates the use of 2FA for sensitive accounts. It also defines the OAuth authorization policies for accounts with sensitive data access (e.g. GSuite) and the techniques to avoid phishing.

Accounts are activated when an employee joins and deactivated when an employee leaves, using automated processes where possible.

Security Training

We create a culture of security for all Skill Struck employees through activities like security awareness training, which is completed during onboarding. Our security program that details each of these components is documented in our Employee Portal. All new hires must read the information security policy and undergo information security training, and existing employees have regular refresher training.

Third-Party Software

We have a third-party software security review process that must be completed before using new services at our organization on official, company-owned devices. The level of verification varies based on the risk profile of the service in question.

Background Checks

All Skill Struck employees undergo criminal background checks and sign agreements barring any use of confidential information outside of the scope of their work with the company.

Cyber Insurance

We have cyber liability insurance with coverage of 1 million US dollars. We also cater our cyber insurance coverage to specific schools and districts as needed.

Other Security Practices

External Security Assessment

We conduct an annual external security assessment of our applications. We make the reports associated with these assessments available for our users, upon request.

Cyber Incident Management and Response Plan

In the event that Skill Struck management discovers that student data or personal information has been accessed or obtained by an unauthorized individual, Skill Struck shall provide notification to the school’s representatives within a reasonable amount of time of the incident, not to exceed 48 hours. Immediately following the discovery of the breach, Skill Struck’s security team will address and resolve the security deficiency accordingly. Such notification will be provided via email and a phone call to the school’s authorized student data privacy representative, and will include the following: