In the spirit of National Data Privacy Day – established in the United States in 2014 and recognized each year on January 28 – we are sharing the top 5 critical practices and protocols we use to protect client and student data:
SOC Certification
ISTS is SOC 2 Type 2 compliant as defined by the American Institute of Certified Public Accountants (AICPA). In addition, our datacenter partner Flexential is SAS-70 (SOC-1 & SOC-2) certified and adheres to SSAE 16/ISAE 3402 and ISO 27002.
Always-On Data Encryption
ISTS encrypts all data, both in motion and at rest. Data in motion is protected with TLS 1.2 as the cryptographic protocol. All data at rest is encrypted with the Advanced Encryption Standard using a 256-bit key (AES-256). Transmission of non-public data between devices and the internet is secured via approved strong encryption protocols.
Application Security
We execute daily vulnerability scans and retain a firm to perform semi-annual network penetration testing to ensure that no data can leak between clients. Furthermore, ISTS applies secure design principles following OWASP guidance.
Physical Security
All data ISTS collects is stored in a certified Flexential facility and is logically separated between clients. These datacenters utilize biometric fingerprint readers, card/PIN access, combination-lock cabinets, and 24/7/365 monitored video surveillance. Physical access to systems requires three-factor authentication. Access to any privileged system by ISTS personnel from outside the direct ISTS network requires two-factor authentication.
Employee Compliance
ISTS does not store or permit storage of data on mobile devices including laptops, PDAs and USB storage. As a condition of employment, each ISTS employee must read and sign ISTS’ written confidentiality and security policies – which cover remote access, clean desk and other data-protecting policies – as well as complete security training annually.