Coursedog


Security FAQs

Table of Contents

Overview
Privacy, Security & Data Residency
Storage & Transfer of Data
Vendor Responsibilities, Data Governance, Disaster Recovery Plan
Management of System Access and Security
Data Protection, Integrity & Authorization
Breach Notification & Data Handling Following Contract Termination

Overview

This article captures answers to commonly asked questions pertaining to security. 


Privacy, Security & Data Residency

How do you protect privacy? 

  • Coursedog takes privacy seriously for all of our institutions. 

  • We ensure compliance with data access laws, and our product team tracks these laws as they evolve so that requirements are always met ahead of compliance deadlines.

  • We use best-in-class technology (AWS, MongoDB and others) in conjunction with encryption to process and store data securely at rest and during transfer.

  • For the tools outlined in this bid, we are not accessing information relevant to PCI or personal-information-level data, as curriculum and catalog processes involve course and program information.

  • For instructor information and logins, we encrypt this information as outlined below.

  • We have the ability to set up data purge cycles if needed to adhere to data retention policies, and we have backups and Disaster Recovery processes in place to recover data in the event they are ever needed.


What laws and standards do you regularly track?

PCI, CASL, FOIPPA, FERPA, PII and many others. 


Storage & Transfer of Data

Is there storage or transfer of data involved?

Yes. All Coursedog products involve the transfer and storage of data. What is transferred and stored varies by product, but it is typically course, program, section, and event information.


Will a third party (e.g. vendor or service provider) have access to the information?


Is the data encrypted in storage? Please list Encryption algorithms used.

  • All Coursedog data is encrypted at rest with AES-256, an industry-standard encryption algorithm.

  • See Coursedog Security Overview for more information.


Is the data encrypted in transit? Please list Encryption algorithms/standards used.

  • Yes, all Coursedog data is encrypted in transit using TLS 1.2, a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet.

  • Coursedog uses HTTPS to encrypt traffic between the web server and the user’s browser. We do not serve any resources over insecure HTTP.

  • Coursedog uses HSTS (HTTP Strict Transport Security) to ensure that browsers will only allow opening a secure connection to our servers. This protects against protocol downgrade and cookie hijacking attacks.

  • Coursedog supports almost all University-supported authentication techniques and prefers Shibboleth/CAS single sign on. We support Azure AD and have many clients using Coursedog in conjunction with it.

  • See our Security Overview for more information.
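
A way for a customer to check the transport claims above from the outside, as an added example that is not Coursedog's code: it audits a Strict-Transport-Security header and, in `fetch_tls_and_headers`, refuses connections below TLS 1.2. The 180-day `MIN_MAX_AGE` floor and the sample headers are assumptions constructed for illustration.

```python
# Added example, not Coursedog code: audit the HSTS policy on an HTTPS response.
import http.client
import ssl

MIN_MAX_AGE = 15552000  # 180 days; an assumed policy floor, not a Coursedog value


def parse_hsts(value):
    """Split one Strict-Transport-Security value into directives (RFC 6797, 6.1)."""
    directives, errors = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # quoted-string form of the value
        if name in directives:
            errors.append(f"directive repeated: {name}")
        else:
            directives[name] = arg if sep else None
    return directives, errors


def audit_hsts(headers):
    """Return findings for a list of (name, value) response headers; [] means pass."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        findings.append("multiple HSTS headers; browsers process only the first")
    directives, errors = parse_hsts(values[0])
    findings.extend(errors)
    max_age = directives.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        findings.append("max-age missing or not an integer; header is ignored")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells the browser to drop the HSTS policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below the {MIN_MAX_AGE}s floor")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent; subdomains are not covered")
    return findings


def fetch_tls_and_headers(host, timeout=10):
    """Live check: refuse anything below TLS 1.2, return (protocol, headers)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.connect()
        protocol = conn.sock.version()  # negotiated protocol name from the TLS socket
        conn.request("HEAD", "/")
        return protocol, conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server)
SAMPLES = {
    "good": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "short": [("strict-transport-security", 'max-age="300"; includeSubDomains')],
    "reset": [("Strict-Transport-Security", "max-age=0; includeSubDomains")],
    "dup": [("Strict-Transport-Security", "max-age=31536000; max-age=0")],
    "none": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_hsts(hdrs) or "pass")
```

To run it against a live host, pass the headers returned by `fetch_tls_and_headers` to `audit_hsts`.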


Will user passwords be stored within the system? If “Yes”, will the passwords be hashed?

  • Coursedog supports and recommends Single Sign On (SAML/CAS), but we also offer email/password for authentication.

  • If a customer uses email/password, these are stored encrypted.


What hashing algorithm is used for hashing of the passwords?

  • Our database is encrypted with AES-256, an industry-standard encryption algorithm.

  • Coursedog encrypts all user information before we store credentials in our database.

  • Coursedog uses randomly generated session tokens to identify users, which are sent over HTTPS in every request so we can ensure that data is only accessible by users with the correct privileges. We implement session timeouts consistent with industry best practices.

  • The Coursedog database and backups are managed by MongoDB, a reputable industry leader. Only our servers are IP whitelisted to access the database, and the connection between our server and database is encrypted. Coursedog takes advantage of MongoDB's expertise in creating a strong security profile.


Vendor Responsibilities, Data Governance, Disaster Recovery Plan

Are any other third parties involved in storing and processing the data?


Does your environment provide for single-tenant capabilities? If not, describe how your product or environment separates data from different customers (e.g., logically, physically, single tenancy, multi-tenancy).

  • Yes. Coursedog is hosted and each client has their own dedicated instance.

  • Databases are hosted separately via MongoDB Atlas, which itself is in an AWS VPC.

  • We also utilize a multi-tenant database architecture, so each client is on their own database. The application and databases are hosted in an AWS VPC in the US. See AWS security details.


What controls are in place to protect customer information?

  • Coursedog is a schedule and curriculum planning tool and therefore does not store any sensitive data (e.g. FERPA, PII, credit cards, etc.).

  • The data stored is limited to sections, courses, programs, rooms, terms, etc. in order to build a schedule. See the integration specs for your SIS for more information.

  • Coursedog follows industry best practices such as PCI and FERPA when storing data.

  • All of our infrastructure is hosted in an industry-leading cloud solution (AWS SOC Audit report).

  • Our database is encrypted at rest with AES-256, an industry-standard encryption algorithm.

  • We encrypt all user information before we store credentials in our database.

  • Coursedog uses randomly generated session tokens to identify users, which are sent over HTTPS in every request so we can ensure that data is only accessible by users with the correct privileges.

  • We implement session timeouts consistent with industry best practices.

  • Our database and database backups are managed by MongoDB, a reputable industry leader.

  • Only our servers are IP whitelisted to access the database, and the connection between our server and database is encrypted.

  • Coursedog takes advantage of MongoDB's expertise in creating a strong security profile.



What security audits have been performed and do customers have access to them?

Coursedog has completed the HECVAT and SecurityScorecard audits which can be found on our Security Overview page.


Does Coursedog have a mirrored site for a Disaster Recovery situation?

  • Yes. Coursedog typically hosts client data in the Amazon Web Services East DC and we have the ability to host it in other AWS DCs if desired (see here).

  • Further, AWS has best-in-class disaster recovery capabilities that, in the event of a server outage, automatically provision another server and can replicate data off-site in unforeseen events to other data centers for recovery and back-up purposes.


What is Coursedog’s Data Backup (frequency, types of backups, etc.)?

  • Coursedog database (DB) clusters are backed up every 8 hours, and Coursedog performs test recoveries monthly.

  • Learn more about our Data Backup Policy.


What is Coursedog’s Disaster Recovery Procedure (DRP)? 

Overview

  • Coursedog uses Amazon Web Services for our infrastructure, which has robust disaster recovery protocols. For more information, see their Disaster Recovery (DR) overview, which details their approach to active and passive DR.

  • The DR plan is tested at least once per year. Coursedog will notify schools at least 5 business days prior to testing of the DR plan if it will impact normal service.

  • The principal objective of our Disaster Recovery Procedure (DRP) is to develop, test, and document a well-structured and easily understood plan which will help Coursedog recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts Business Continuity.

  • The DRP will rely principally on key members of management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery.

Procedure Breakdown

Our procedure includes: 

  • Key personnel contact info and a calling tree.

    • Whoever discovers the incident calls members of the calling tree: Infrastructure Team Lead → Infrastructure Tech Lead → CTO

    • CTO is responsible for activating the DRP for disasters identified in this procedure.

  • A procedure overview: 

    • Procedure Updating

    • Procedure Documentation Storage

    • Backup Strategy

  • Triggering events that would lead to activation of our DRP:

    • Loss of Coursedog Web App service.

    • Loss of Coursedog Catalog App service.

    • Loss of Coursedog Events App service.

    • Total loss of data in Database Cluster.

    • Partial loss of data in Database Cluster.

  • Disaster recovery team responsibilities: 

    • Coordinate activities with the Disaster Recovery Team, first responders, etc.

    • Establish facilities for an emergency level of service within 1 business hour.

    • Restore key services within 2 business hours after the incident.

    • Recover to business as usual within 2 to 12 hours after the incident.

  • Forms

    • Disaster Recovery Event Recording Form

      • All key events that occur during the disaster recovery phase must be recorded.

      • An event log should be started at the commencement of the emergency, maintained, and completed by the disaster recovery team leader.

    • Disaster Recovery Activity Report

      • On completion of the disaster recovery response, the disaster recovery team leader should prepare a report on the activities undertaken. 

      • The report will include:

        • A description of the emergency or incident.

        • Those people that were notified of the emergency (including dates).

        • Actions taken and outcomes.

        • An assessment of the impact on normal business operations.

        • Lessons learned.

    • Monitoring Business Recovery Task Progress Form

      • The progress of recovery tasks must be closely monitored during this period of time.

  • Communications: 

    • It is very important during the disaster recovery that all affected people and clients are kept properly informed. The information given to all parties must be accurate and timely. In particular, an estimate of the timing to return to business-as-usual should be announced with care.

    • Internal communication should be carried out through the most convenient means (messaging apps, video calls, phone calls, email, etc.), depending on the involved parties.

    • External communication to affected clients should be carried out by e-mail within 30 minutes of discovering the outage.

    • Notice to clients must include the start time of the outage, duration, or anticipated duration of the outage.

    • Impacted clients should be provided with regular updates during the incident, at least every 6 hours.

    • Clients will also be informed once the incident is resolved.

    • In the event of a breach of privacy or data involving Client Information, Coursedog will promptly notify the University in writing as soon as practicable with the following details:

      • The specific nature of the affected Client Information

      • The date and time the breach occurred, if known

      • The cause of the breach

      • The responsible parties

      • Measures taken to address the breach and minimize potential harm

      • Steps taken to prevent similar breaches from happening in the future.

  • Returning Recovered Business Operations

    • This process should be formalized in order to ensure that all parties understand the change in overall responsibility and the transition to business-as-usual.

    • Once normal business operations have been restored, it will be necessary to return the responsibility for specific operations to the appropriate business unit leader.


What is Coursedog’s Business Continuity Plan (BCP)?

  • We monitor and log our uptime, and set our SLA at 99.5% uptime.

  • Coursedog maintained at least 99.9% uptime for the production application in 2023.

  • You can view and subscribe to our status uptime page to receive notifications of any alerts. Coursedog will use the status page to post updates in the event of an outage.

  • In a typical disaster recovery scenario, Coursedog can achieve swift recovery times thanks to our utilization of Terraform and MongoDB Atlas Cloud.

  • The restoration of our infrastructure, managed via Terraform, can be completed within a span of 1 to 1.5 hours. Terraform allows us to codify our infrastructure, enabling us to efficiently build it up in any new site within this timeframe.

  • Simultaneously, our database recovery through MongoDB Atlas can be achieved within 45 minutes. We are able to restore data from the last point of restoration, ensuring data consistency and integrity.

  • Coursedog uses automation tools to notify an on-call senior engineer of incidents in the infrastructure. If an incident is detected, the on-call engineer assesses the impact and fixes the issue directly, creates work items for other engineers, or follows our Disaster Recovery Procedure (captured above) and Incident Response Policy.

  • These effective recovery procedures enable Coursedog to recover from a potential disaster scenario promptly, thus minimizing downtime and maintaining business continuity.


What is Coursedog’s management approach to production and non-production (e.g. DevOps approach)?

  • A dedicated production and staging/test account are included in the license fee for the duration of the partnership.

  • All initial integration and configuration will take place within the staging/test environment to be thoroughly tested before being pushed to production.

  • There is no additional cost for maintaining the staging environment throughout the duration of the partnership.


How does Coursedog support physical security pertaining to the data center such as physical access and security measures, alarm system, control of authorized access to buildings and rooms, CCTV, etc.?

  • Coursedog uses a best-in-class infrastructure provider, Amazon Web Services, for hosting.

  • AWS has industry-leading physical security protocols and policies in place to limit access to data centers. This includes access controls, alarms, CCTV and much more. See the AWS controls overview to learn more.


What other provisions are in place for ongoing integrity and availability of client data?


Management of System Access and Security

Does Coursedog support varied types of system access administrator roles?

  • Yes. Coursedog has the ability to create, manage, and remove permission sets.

  • For each permission set, you can determine exactly what is possible for users to do, from aggregate actions to field-level controls. Once these are created, users can be assigned to them.

  • Institutions may have multiple administrator roles that have a variety of types of access in this setup.


Does Coursedog support role-based access (RBAC), attribute-based access control (ABAC) or policy-based control (PBAC)? 

  • As mentioned above for administrators, Coursedog gives you the ability to create, manage, and remove permissions for all varieties of roles following RBAC.

  • Products come pre-loaded with a set of roles, but you can create custom roles as well – and set different permissions for each role.

  • Permissions can be set on a product-wide level, with additional role-based permissions available on the field-level. 


Does the system support the definition of security groups which can be assigned to users?

  • You can use role settings, as outlined in the previous two questions, to achieve this.

  • In other words: For each permission set you can determine exactly what is possible for users to do, from aggregate actions to field-level controls.

  • Once roles are created, you can assign users the applicable role.

Does Coursedog automatically lock the session or log-out an account after a period of inactivity?

  • A user is automatically logged out after 24 hours of inactivity.

  • See here for more information. 


Does the system support row and column based security? Can different users be provided with access to a subset of information thus providing an ability to, for example, separate data by departments?

  • Yes. Coursedog provides an advanced, self-service roles management panel to easily configure Users and Roles and their capabilities.

  • Additionally, we offer configuration on a field-level basis which can be time period specific for determining read/write access. This allows critical fields to be protected and only editable by Super Admins.

  • For example, you can also provide edit access for departments to ONLY the courses associated with their department, and read-only access to all other departments. This enables our tools to support the concept of row and column based security. 


Does your system support integration with Shibboleth or other SAML2 implementations? Do you support SSO using Azure Active Directory?

  • Coursedog supports federated authentication to our platform through the SAML 2.0 or CAS protocols. 

  • Many of our clients leverage Active Directory and are able to easily manage this in conjunction with the use of Coursedog.

  • Coursedog can also sync roles and users from external Identity Management Systems (IDM). 

    • The sync occurs in real time and only at the point of login.

    • The user is created and assigned roles based on “attributes” that are sent to Coursedog at the point of authentication. 



Does your solution support data masking for confidential information (e.g., SIN)?

Yes. The answer captured above for “What controls are in place to protect customer information” applies here. Additionally: 

  • All of our infrastructure is hosted in an industry-leading cloud solution (AWS SOC Audit report).

  • All data transfers are encrypted in transit over HTTPS (TLS 1.2).

  • Coursedog uses HSTS to ensure browser security.


Data Protection, Integrity & Authorization

Is Coursedog vulnerable to cross-site scripting attacks?

  • No. Where possible, defenses against attacks are incorporated directly into the design. For example, use of MongoDB maintains a separation of the data in the query from the query itself, making an SQL injection type attack fundamentally impossible.

  • Our use of a REST API is beneficial because session state information is not stored on the server, mitigating state-based attacks.

  • Coursedog’s web-based design helps our solutions be fundamentally more secure, as does our dedication to ensuring our arch solution (infrastructure or web) is highly secure.

  • Coursedog never requires clients to install custom software to access our products. By running in the browser sandbox, our software by default runs with extremely limited privileges unlike an installed executable.

  • Modern browser sandboxes have been tried and tested for many years and are used by millions of people to protect their computers from malicious actors while on the web.

  • In a web browser sandbox, Coursedog cannot access confidential local files or install viruses or keyloggers on Customer’s machines, even if the system were compromised.

  • This design isolates the Coursedog system from the rest of our Customers’ networks.

  • We audit our infrastructure regularly, ensuring deployments are up-to-date and are indeed required to run.

  • Coursedog uses industry-best tools to monitor our infrastructure and is notified of anomalies and attacks.

  • Coursedog has over 15 metrics in place to detect DDoS attacks, attempts to fish for data, penetration testers, slowdowns in response times, etc.

  • The Coursedog backend engineering team also follows AWS best practices for server-level penetration testing.



Can you describe measures taken to eliminate SQL injection vulnerabilities?

As noted above, our use of MongoDB maintains a separation of the data in the query from the query itself, making an SQL injection type attack fundamentally impossible.
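
The separation described above holds as long as request values reach the driver as plain scalars; a JSON body can carry an object where a string was expected, and MongoDB reads `$`-prefixed keys in such an object as operators. The following is an added example, not Coursedog's code, of an input check that enforces scalar values before a filter is built; the field names in `ALLOWED_FIELDS` and the sample bodies are hypothetical and constructed for illustration.

```python
# Added example, not Coursedog code: keep request data out of MongoDB query structure.
import json

# Hypothetical schema: the fields a search endpoint accepts and their scalar types
ALLOWED_FIELDS = {"courseCode": str, "term": str, "credits": int}


class RejectedInput(ValueError):
    """Raised when a request body would change the shape of the query."""


def find_operator_keys(value, path=""):
    """Recursively list keys MongoDB would read as operators or dotted paths."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).startswith("$") or "." in str(key):
                hits.append(here)
            hits.extend(find_operator_keys(child, here))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_operator_keys(child, f"{path}[{i}]"))
    return hits


def build_filter(raw_body):
    """Turn a JSON request body into a filter whose values are all scalars."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise RejectedInput("body must be a JSON object")
    query = {}
    for field, value in body.items():
        expected = ALLOWED_FIELDS.get(field)
        if expected is None:
            raise RejectedInput(f"unknown field: {field}")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, expected):
            raise RejectedInput(
                f"{field} must be {expected.__name__}, got {type(value).__name__}"
            )
        query[field] = {"$eq": value}  # the only operator is one the server chose
    return query


# Constructed request bodies (not taken from any real traffic)
OK_BODY = '{"courseCode": "BIO101", "term": "2024FA"}'
SHAPED_BODY = '{"courseCode": {"$ne": ""}, "term": "2024FA"}'

if __name__ == "__main__":
    print(build_filter(OK_BODY))
    print("operator keys in second body:", find_operator_keys(json.loads(SHAPED_BODY)))
    try:
        build_filter(SHAPED_BODY)
    except RejectedInput as exc:
        print("rejected:", exc)
```

`find_operator_keys` is useful on its own for logging what a rejected body contained.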


Are audit logs – that include login, logout, actions performed, timestamp, and source IP address – available to customers? 

Yes. Coursedog provides user audit logs that include the user, date, time, action performed, and a description. IP address is stored and available upon request.


Can you provide more information regarding Coursedog’s ability to log security/authorization changes and security events? 

  • Coursedog logs at the network, infrastructure, integration, authentication, and application levels.

  • Integration, authentication, and user activity logs can be found in our Admin Dashboard. Access to the Admin Dashboard is limited to Coursedog users with administrator permissions (RBAC) and the internal Coursedog team. The tool allows you to manage the following items:

    • Logging between Coursedog and the SIS

    • Filterable and searchable

    • Detailed and exportable

    • Configure push notifications

    • User activity (user, date, time, action performed, and a description)

    • Single Sign On (SSO) Settings - Coursedog recommends you use single sign on (SSO) to leverage institutional authentication policies (e.g. MFA) for all admin access to Coursedog.

  • All changes made to course, program, and section data are recorded and visible in an activity log within the application.

  • Coursedog follows industry best practices for network monitoring and logging. See here for more information on our infrastructure and application architecture. 


Breach Notification & Data Handling Following Contract Termination

What is Coursedog’s incident response process?

Please see our incident response policy here


When will clients be informed about a security breach?

  • If a data breach occurs, Coursedog will promptly notify the University in writing as soon as practicable.

  • That communication will include the following information:

    • The nature of Client Information that was breached.

    • When the breach occurred, if known.

    • How the breach occurred.

    • Who was responsible for the breach.

    • What steps Coursedog has taken to mitigate the breach.

    • What measures Coursedog has taken to prevent further breaches.


Have you had a data breach within the past 18 months and if so, was any client data exposed?  

No. As of the time this article was drafted, we have never had a data breach.


Can you describe the nature of your most severe data breach and how it influenced improvements of your information security?

N/A. We have never had a data breach.


What are the options and processes for extracting / migrating client data into a different system upon contract termination?  Are there any additional costs?

  • Clients retain all rights and ownership over their data.

  • Coursedog stores all customer data in its own private database, so it can be easily exported in the application or removed upon request.

  • Coursedog provides open APIs as well as export (CSV) functionality to export data for clients at the end of the partnership.

  • Once the client confirms the data has been extracted, we purge the data from our servers. There are no additional costs to this process. 


How do you ensure that a client's data is fully and securely destroyed at the end of the contract?

  • Coursedog stores all customer data in a virtual private database using MongoDB.

  • We can and will provide all customer data at the end of the contract.

  • Upon termination, all data will be destroyed using MongoDB best practices, which involve dropping the database and clearing customer S3 buckets of all client data.


Is Crypto-shredding part of the process of securely destroying client data after migration?

Coursedog does not typically use crypto-shredding as part of client data destruction following a migration. That said, we can support this if a client requests it.

