Information security at Amplify
As a provider of technology solutions to schools, Amplify’s commitment to data privacy and security is essential to our organization. This overview of Amplify’s Information Security Program describes physical, technical and administrative safeguards Amplify implements to protect student personal information in our care. While it is not possible to completely secure against all digital threats, we believe that by following the industry best practices described below, we provide appropriate protections for student personal information in our care.
Amplify Education, Inc. (Amplify) is a privately held company founded in 2000 as Wireless Generation. Amplify’s products include assessment and intervention, curriculum and instruction, professional development services and consulting services for K-12 education.
Amplify leverages Amazon Web Services (AWS) as its cloud hosting provider. Within AWS, Amplify utilizes Virtual Private Clouds (VPCs), which provide an isolated cloud environment within the AWS infrastructure. External network traffic to a VPC is managed via gateway and firewall rules, which are maintained in source code control to ensure that the configuration remains in compliance with the Amplify Security policies. In addition, the production VPCs and the development VPCs are isolated from each other and maintained in separate AWS accounts.
Policies & standards
Information security program
Amplify maintains a comprehensive information security program based on the internationally recognized industry security standard ISO27002. The ISO27002 standard provides a robust framework of security controls from which an organization can build its security protocols based on identified risks, compliance requirements, and business needs. The ISO27002 standard covers access control, change management, training, and other information security domains.
Amplify’s Information Security Task Force, administered by a senior member of the executive team, has primary responsibility for the development, maintenance, and implementation of the Amplify information security program. The Information Security Task Force is responsible for all information risk management activities within the company and is composed of technology, business and legal leaders from the organization.
Adherence to the internal Amplify information security policy is an obligation of every Amplify employee. Amplify conducts a series of internal monitoring procedures to verify compliance with internal information security policies, and all Amplify employees undergo annual criminal background checks. In addition, any third-party contractors who come into contact with systems that may contain student personal information are contractually bound to maintain security of the data.
Data access controls
Amplify’s access control principles dictate that all student personal information we store on behalf of customers is only accessible to district-authorized users and to a limited set of internal Amplify users who may only access the data for purposes authorized by the district. Districts maintain control over their internal users and may grant or revoke access.
In limited circumstances and strictly for the purposes of supporting school districts and maintaining the functionality of systems, certain Amplify users may access Amplify systems with student personal information. All such access to student personal information by Amplify technicians or customer support requires both authentication and authorization to view the information.
- In transit: Amplify encrypts all student personal information in transit over public connections using Transport Layer Security (TLS), commonly known as SSL, with industry-standard ciphers, algorithms, and key sizes.
- At rest: Amplify encrypts student personal information at rest using the industry-standard AES-256 encryption algorithm.
Application security by design
Building the right roles into applications
Permissions within Amplify applications are designed on the principle that school districts control access to all student data. To facilitate this, Amplify applications are designed so that roles and permissions flow from the district to the individual user. For example, applications that offer schools a way to collect and report on assessment results have a web interface that requires district administrators to authorize individuals to view student personal information.
Security controls within applications are used to ensure that the desired privacy protections are technically enforced within the system. For example, if a principal is supposed to see only the data related to his or her school, Amplify ensures that, throughout the design and development process, our products restrict that principal from seeing records for any students outside his or her school.
To make sure Amplify applications properly enforce permissions and roles, our development teams conduct reviews early in the design process to ensure roles and permissions are an essential component of the design of new applications.
Building security controls into applications
Amplify applications are also developed to minimize security vulnerabilities and ensure industry-standard application security controls are in place.
As part of the development process, Amplify has a set of application security standards that all applications handling student personal information are required to follow, including but not limited to:
- Student personal information is secured using industry standard encryption when in transit between end-users and Amplify systems.
- Applications are built with password brute-force attack prevention.
- Sessions expire after a fixed period of time.
We also conduct deeper technical reviews of code for security vulnerabilities that can be exploited to gain unauthorized access to data, including common web and mobile vulnerabilities published by industry leaders such as OWASP (Open Web Application Security Project).
Amplify periodically engages a security consulting firm to conduct risk assessments, aimed at identifying and prioritizing security vulnerabilities. The Information Security Task Force coordinates remediation of the vulnerabilities. The security consulting firm also provides ongoing advice on current risks and advises on remediation of vulnerabilities and incident response.
Amplify periodically engages third-party firms to conduct security assessments of our technical systems to check for security vulnerabilities. The purpose of this testing is to see whether there are any technical vulnerabilities that eluded our normal processes for detecting vulnerabilities in our systems. We select third-party firms on the basis of their experience and reputation in the industry. Third-party testing involves a combination of automated and manual testing to check for vulnerabilities in our systems. These tests are conducted annually, at a minimum.
Amplify ensures that its systems are free of known vulnerabilities in several ways. First, every production server runs vulnerability detection software that compares the installed software against a global database of known vulnerabilities. Second, we employ real-time network monitoring that reports on any potentially malicious traffic. In addition, a third-party security firm continually reviews all of our system logs for potential security breaches. Lastly, we continually test our applications against common malicious internet traffic. Violations in any of these areas will alert one of our operations teams, who are available around the clock.
Access to production systems at Amplify is restricted to a limited set of internal Amplify users to support technical infrastructure, troubleshoot customer issues, or other purposes authorized by the district. In addition, Amplify is completing implementation of two-factor authentication methods for access to all production systems. Two-factor authentication involves a combination of something only the user knows and something only the user can access. For example, two-factor authentication for administrative access could involve entering a password as well as entering a one-time passcode sent via text message to the administrator’s mobile phone. The use of two-factor authentication reduces the possibility that an unauthorized individual could use a compromised password to access a system.
Network filtering technologies are used to ensure that production environments with student personal information are properly segmented from the rest of the network. Production environments only have limited external access to enable customers to use our web interfaces and other services. In addition, Amplify uses firewalls to ensure that development servers have no access to production environments.
Other measures that Amplify takes to secure its operational environment include system monitoring to detect anomalous activity that could indicate potential attacks and breaches.
At Amplify, we believe that protecting student personal information is the responsibility of all employees. We implemented a comprehensive information security training program that all employees undergo upon initial hire, with an annual refresh training. We also provide information security training for specific departments based on role.
Amplify implemented intrusion detection and prevention systems (IDS/IPS) to monitor the network and report anomalous activity for appropriate resolution.
Amplify maintains a comprehensive Security Incident Response Policy Plan, which sets out roles, responsibilities and procedures for reporting, investigation, containment, remediation and notification of security incidents.
In addition to penetration testing and other proactive security testing and monitoring outlined above, Amplify is undergoing a Type 2 SOC 2 examination. In the spring of 2017, Amplify successfully completed the Type 1 SOC 2 examination of controls relevant to security. The Type 1 SOC 2 examination is formally known as a Report on Controls at a Service Organization Relevant to Security. The examination was conducted by Schellman & Company, LLC, and their report states that Amplify’s systems meet the criteria for the security principle and opines on management’s description of the organization’s system and the suitability of the design of controls to protect against unauthorized access, use, or modification.
Amplify is currently undergoing a Type 2 SOC 2 examination for the 2017/18 period. Type 2 reports opine on the operating effectiveness of controls over the review period. This means that our auditors will confirm whether we have continued to follow security controls we have established over the period of time of the review. Following the completion of the Type 2 SOC 2 examination, Amplify plans to perform the examination on an annual basis.
SOC 2: Amplify successfully completed the Type 1 SOC 2 examination of controls relevant to security and is undergoing a Type 2 SOC 2 examination (for more information, see above, under “Audits”).
In the course of customer security assessment, the following documentation can be provided by Amplify upon customers’ request:
- Penetration Testing Report
- SOC 2 Type 1 Report
- “Personal Information” means any student information defined as personally identifiable information under FERPA or as personal information under the Children’s Online Privacy Protection Act (“COPPA”). This includes the student’s name, address, email, social security number and other information that, alone or in combination, would allow a reasonable person in the school community to identify the student with reasonable certainty.
- “School district” means a local educational agency, school network, independent school or other school system.