Security and Operations Policy
Updated Aug 2023
Introduction
Information and data are foundational for the Open Learning Initiative’s (OLI), and are essential to almost all of our work. Our information includes: course content; learning models; user information; learner-interaction data; aggregated course analytics; software; computer systems; publications; website; and many other forms. Whatever form the information takes, or whatever means by which it is shared or stored, it must be appropriately protected.
OLI will protect its information assets in ways that are both appropriate and effective, as well as satisfactory to interested parties inside OLI, Carnegie Mellon University, our partners institutions/organizations. This will help enable OLI to fulfill its responsibilities and to enable our staff to continue their mission and to provide service to our clients.
Our ability to protect our information assets will enable us to maintain and improve our reputation and ensure that we meet our research, academic, and professional goals. In addition, it will ensure that we do not lose opportunities for partnership or our ability to service our partners, instructors, or students.
As a part of Carnegie Mellon University, OLI is supported and subject to governance by the University’s Information Security Office (ISO). We work to align our work with ISO’s broader policies, practices and recommendations: https://www.cmu.edu/iso/index.html
Objective
Our objective is to protect OLI’s customers, users, operations and professional standing from security issues. We maintain a level of security that is appropriate and aligned with industry standards. We leverage the collective security and access procedures of our cloud-hosted partners to protect confidential or sensitive data from loss or compromised security breaches. At the same time, we must ensure users can access data as required for them to work effectively.
It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios.
Security issues can include confidentiality (people obtaining or disclosing information inappropriately), integrity (information being altered or erroneously validated, whether deliberate or accidental) and availability (information not being available when it is required). A wide definition of security will be used to include all types of incident that pose a threat to the effective use of information. This includes performance, consistency, reliability, accuracy and timeliness.
Principles
We will:
● Use all reasonable, appropriate, practical and effective security measures to protect our partners’ important processes and assets.
● Continually review our use of security measures so that we can improve the way in which we protect our organization and its relationships.
● Protect and manage our information assets to enable us to meet our contractual, legislative, privacy and ethical responsibilities.
Framework and Practices
OLI’s security approach aligns with the Payment Card I Data Security Standards (PCI DSS) as part of our broader institutional PCI compliance[1]. We are guided in these efforts the CIS Critical Security Controls framework, operationalized by use of the CIS Workbench[2].
The OLI platform undergoes regular security scans and audits at three levels. Our internal platform team performs scans using CIS workbench quarterly and remediates as appropriate. Our ISO team supports compliance audits, including use of per-server CrowdStrike agents; the ISO team also coordinates external review. This external PEN test is done quarterly, currently by SecurityMetrics as part of ou rPCI DSS compliance.
Roles and Permissions
All staff, past and present, permanent, honorary, and temporary of OLI have an obligation to protect our information assets, systems, and infrastructure. They will, at all times, act in a responsible, professional, and security-aware way, maintaining an awareness of and conformance to this Policy.
Everyone will respect the information assets of our clients and third parties whether or not such protection is required contractually, legally or ethically.
All members of OLI are responsible for identifying security shortfalls in our existing security practices and/or improvements that could be made. These should be reported to a direct supervisor and/or the Director of OLI.
All members who have supervisory responsibility are required to actively promote best practice amongst their supervised staff.
Defined Roles and Permissions
OLI’s security roles and their permissions are as follows:
OLI shall provide all employees and contracted third parties with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.
- All organization staff and contractors shall be granted access to the data and applications required for their job roles.
- Each user shall be identified by a unique user ID assigned by Carnegie Mellon University so that individuals can be held accountable for their actions.
- The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts.
- Records of user access may be used to provide evidence for security incident investigations.
- Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.
- All organization staff and contractors shall access sensitive data and systems only if there is an operational need to do so and they have approval from management.
- Sensitive systems shall be logically isolated in order to restrict access to authorized personnel only.
When an employee is hired they are given access to their appropriate level. Any access needed beyond the pre-designated scope is reviewed by OLI’s Lead Architect and is ultimately assessed and granted/denied by the Director. When an employee is terminated, their access is removed immediately.
Hosting Partners
OLI works with world-class hosting partners.
- Amazon: OLI hosts data and multiple applications on Amazon's AWS system.
- FreshDesk: OLI conducts customer support using FreshDesk’s ticketing system.
- Agile CRM: OLI hosts data in this marketing-operations application
- Carnegie Mellon University: CMU provides several technologies employed by OLI: email; Box and G-Suite storage; credit-card processing
All physical server security is handled by these partners. These companies have strict security and access procedures.
https://aws.amazon.com/compliance/data-center/perimeter-layer/
https://www.agilecrm.com/privacy-policy
https://www.cmu.edu/iso/governance/policies/index.html
In addition, OLI hosts a Wordpress content system, whose security is governed by the CMU policies listed in the link above.
Data Privacy
OLI staff uses and manages different types of data which require different levels of security.
Types of Data
The types of data used and managed by OLI are:
- Personally Identifiable Information (PII): OLI works to minimize the amount of PII that is collected from users; Current practice collects (at most), First Name, Last Name and Email address; these are set by the user or provided via LTI.
- Other personal data: This might include email contents, classwork documents, etc. OLI policy is to not collect or store personal data. If future learning activities require personal data, this policy will be updated to reflect these specific data.
- Public: Includes openly licensed content and attributions, already-released marketing
material, commonly known information, etc. There are no requirements for public information.
- Operational: Includes data for basic business operations, communications with vendors, employees, etc. (non-confidential). The majority of data falls into this category, including learning data, enrollment data and integration information.
- Critical: Any information deemed critical to the organization’s operations (often this data is operational or confidential as well). It is extremely important to identify critical data for security and backup purposes.
- Confidential: Any information deemed proprietary to the organization or Carnegie Mellon University. Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by management. The responsibility to implement access restrictions lies with the Lead Architect and Director.
Data Security
Data security is maintained by the Roles and Permissions used within OLI and with security best practices on the OLI Platform. Together with our hosting partners we continually improve on our security best practices. Our hosting partners monitor and patch system-level security problems. Our development staff monitor and patch application-level security problems.
LTI Credentials
OLI receives basic information such as students’ names and email addresses from institutional customer’s Learning Management Systems (LMSs). LTI credentials used to create a single sign-on experience for users, and the credentials are delivered in a secure environment.
Learning Data Practices
OLI adheres to transparent, responsible and ethical practices around data ownership, sharing and use. OLI is also committed to compliance with institutional, state and federal policies regarding appropriate handling and use of learner data.
Learning data is captured to support the proper functioning of the courseware and learning science research. OLI seeks to advance learning science by yielding insights about learning and how to improve learning efficacy using data collected through courseware as well as related learner data from institutions.
Specific data captured by OLI courseware include:
- De-identified usage information
- Personally identifiable information (PII) including name, email, usage and OLI-assessment results to facilitate a variety of personalized functions within the courseware (e.g. teaching interactions, gradebook population, etc).
- OLI maintains records of course data (student names, emails, in-course scores, etc.) in order to assist with any data discrepancies or questions at any point from our institutional partners. As this data may also be transferred by an instructor to their LMS, campus policies regarding data storage and timelines required to retain/download grades at a specific institution may apply and are outside of the scope of this policy.
- We delete data at the request of the user, using practices in compliance with GDPR requirements.
OLI’s understanding is that any and all data created by students through their use of OLI's systems during the course of the engagement are owned by the students. Because they are the creators of these data, US law automatically vests copyright in the students. Use of a system or technology in the creation of data does not interfere with this grant of rights, in the same way that Microsoft does not hold copyright in the documents an individual creates in Word or the presentations a person creates in Powerpoint. Neither OLI nor their institutional partners can make an ownership claim on data created by students simply because they use our systems to create them.
Where appropriate, we seek consent from students and faculty to use learning data for research and analytical purposes. Implemented with process oversight from Carnegie Mellon University’s Institutional Review Board (IRB), this approach uses an opt-in/opt-out form to confirm user consent for authorized researchers and research communities to use their de-identified data in research studies. Students may opt in or opt out repeatedly, allowing them to change their minds about participation at any point.
Data Retention
OLI maintains two weeks’ worth of nightly database backups.
Testing and Reporting
Security Testing
Security testing, also known as a vulnerability assessment, a security audit, or penetration testing, is an important part of maintaining the organization’s network security. We perform regular internal security audits and work with our hosting partners to continually assess security needs and practices. We rely on our partnership with AWS to support OLI via their disaster recovery plan, stateful packet inspection (SPI) firewall, and intrusion detection systems. In addition to AWS tools, we also utilize New Relic for real time monitoring. All application code is reviewed for security purposes before it is deployed.
Communication of Incidents
OLI has a defined Incident Management Policy which includes procedures and communication strategies for urgent incidents, as well as defined processes for off hours support and monitoring. In the event of a breach, the Lead Architect will notify the Director. Scale, scope and impact of the breach will be reviewed and a coordinated rapid response will be initiated to include communication with affected customers.
Security Policy Review
The organization’s security policies are reviewed at least annually. Additionally, the policies are reviewed when there is an information security incident or a material change to the organization’s security policies. As part of this evaluation the organization reviews:
- Any applicable regulations for changes that affect the organization’s compliance or the effectiveness of any deployed security controls.
- If the organization’s deployed security controls are still capable of performing their intended functions.
- If technology or other changes have an effect on the organization’s security strategy.
- If any changes need to be made to accommodate future IT security needs.
Open Learning Initiative | 5000 Forbes Ave. Pittsburgh, PA 15213 | oli.cmu.edu