Security Overview

Commitment to Security and Privacy

AERDF is committed to preserving the trust of researchers, teachers, parents and students. AERDF has developed a comprehensive security and privacy program that carefully considers data protection across the tools and services provided to researchers and developers. 

A centralized set of tools, via aerdf.cloud, has been made available to AERDF researchers and developers to support various activities, including collecting and managing data, analyzing data, and building applications. The following is a summary (not an exhaustive list) of the security policies and controls implemented in aerdf.cloud. Additional details on these policies and controls can be provided upon request. Please reach out to help@aerdf.cloud with any questions or concerns.

Architecture

Box, Inc. 

Box is a Cloud Content Management Platform for storing and managing valuable information. AERDF has subscribed to the Enterprise Plus tier of Box, which provides the richest set of security tools to manage users and access. In addition to granular security customization, the plan includes Box Shield, Box Governance, Box Sign, Box Relay, Box Platform, Box Zones, Box GxP, the Box Content API and Reporting APIs, and other enhanced services. Box covers multiple compliance and regulatory needs, including SOC 2, GDPR, HIPAA, ITAR, PCI DSS, FedRAMP, StateRAMP, and more. 

AERDF-hosted 

The rest of the aerdf.cloud tools are self-hosted, using Amazon Web Services (AWS). These include identity and access management, virtual private networks, collaboration tools for developing content, software, and documentation, and online services for interacting with research partners. 

Security Controls

SOC 2 Type 2 Audit

AERDF can provide a completed SOC 2 Type 2 report upon request.

Access controls

AERDF has in place policies, procedures, and controls designed to:

  1. Limit access to information systems to properly authorized persons.

  2. Prevent personnel and others who should not have access from obtaining access.

  3. Remove access in a timely manner in the event of a change in responsibilities or employment status.

  4. Ensure only those with an actual need-to-know will have access to any sensitive research data.

  5. Ensure that access granted to any sensitive data is based on least-privilege principles.

  6. Require user identifiers to be unique and to readily identify the personnel to whom they are assigned; no shared or group User IDs are used for access to any sensitive data.

  7. Conduct periodic access reviews to ensure personnel with access to data still require it.

Password requirements

AERDF-owned systems require passwords to have a minimum of 15 characters, and at least one of each of the following: uppercase letter, lowercase letter, number, and a special character. Accounts are locked for a period of time after 6 failed sign-in attempts.

Multi-factor authentication (MFA)

MFA is enforced for access to Box, and for any user accounts with administrative access to systems.

Single sign-on (SSO)

SSO capability is provided across all applications.

Malware scanning

All files transmitted via self-hosted applications or Box are scanned for malware.

Data encryption

Box uses FIPS 140-2 validated cryptography, and every file is encrypted using AES 256-bit encryption at rest and in transit. All self-hosted applications are protected with encryption keys, and files in transit are proxied over HTTPS and protected with TLS. In addition, applications that sit behind additional network firewalls use 256-bit AES encryption.

Intrusion detection

Box Shield is configured to quickly deliver alerts on logins from suspicious locations, anomalous activities, and abnormal access patterns. 

Patch management and system updates

Operating system level vulnerabilities are remediated in a timely manner. Production servers are scanned to test patch compliance on a routine basis. 

Logging and monitoring

All access to data is logged and mechanisms are in place for retaining activity logs. 

Penetration Testing

The systems and networks are tested annually by independent third-party red teams.

Personnel security 

System administrators

System administrators of aerdf.cloud must comply with the following: background checks upon hire, annual security awareness training, and annual review and acknowledgment of each of AERDF’s Information Security policies.

AERDF Staff

AERDF Staff working directly with R&D Programs are required to complete security awareness training and CITI training covering Human Subjects Research (HSR) and Social-Behavioral-Educational (SBE) research.

Security Policies

Incident response plan

AERDF is prepared to respond to cybersecurity incidents to protect its systems and data, and to prevent disruption of services. AERDF’s Incident Response SOP provides the required controls for reporting and handling an incident, as well as for incident prevention, detection, and risk assessment.

Business continuity plan (BCP)

All self-hosted systems are backed up daily, and recovery processes are in place and tested regularly.

Change management

AERDF maintains policies and procedures for managing changes to production systems, applications, and databases. A process exists for AERDF to perform security assessments of changes into production.

Vendor management

AERDF has policies and procedures for engaging with third-party vendors, including elements for managing vendors, due diligence, risk assessments and contract management.

Data Management Policies and Practices

AERDF has policies and practices outlined for managing AERDF-research data.

Information classification

AERDF has defined classification labels to identify sensitive information and policies and procedures for handling and labeling sensitive information.

Version control

Teams can leverage Box to keep track of data versions, and software development tools (e.g., GitLab) to manage code development across a team of contributors.

Automated reporting

Scanning is implemented to monitor for and detect violations of data security and privacy policies.

Data retention and disposal

AERDF has policies and procedures for ensuring proper disposal of any identifiable data after the retention period has expired. In addition, AERDF has a built-in Box procedure for ensuring data goes through the proper approval channels prior to disclosure.