CollegeNET - Security

Security & Data Protection

CollegeNET is a pioneer in Software as a Service (SaaS) technology holding several patents related to web-based commerce. We adhere to the highest standards of security for protecting our customers’ data and privacy. These standards cover all three areas of Internet security and data privacy: (1) secure transmission of data over the Internet, including financial transactions, (2) protection of networks and systems from external attack, and (3) user privacy.

Data Transmission
Every step of processing an online transaction, from the submission of data by the user to the final data download to your institution, has been designed with security in mind. All personal information collected by CollegeNET and transmitted over the Internet uses Secure Sockets Layer (SSL) to protect against unauthorized access from third parties, loss and fraud. The SSL protocol delivers server authentication, data encryption and message integrity. It is layered beneath application protocols (HTTP, HTTPS, SMTP, Telnet, FTP, etc.) and layered above the connection protocol TCP/IP, allowing SSL to operate independently of the Internet application protocols. Information thus arrives from the customer to the CollegeNET server privately and unaltered.

Financial Transaction Security – PCI-DSS Compliance
CollegeNET is in compliance with the strict requirements of the Payment Card Industry Data Security Standard (PCI-DSS). We are SOC 2 compliant and undergo yearly audits by Coalfire and quarterly external network scans by Ambiron Trustwave. CollegeNET is classified as both a Level One Service Provider and a Level Three Merchant for auditing purposes.

Network and System Protection
CollegeNET's secure systems are configured to prevent intrusions and protect from abuse in day-to-day use by a combination of the features described below.

We strictly and continuously monitor access to our servers. Administrative access is restricted to a few approved static IP addresses on our secured local network. All administrative access must be made through encrypted Secure Shell (SSH) or Remote Desktop (RDP).

Although administrative credentials are not allowed to cross the network unencrypted, the network is also fully switched to prevent sniffing of network traffic. Our firewalls are Cisco ASAs in redundant configurations. The ASA firewall is one of the strongest in the industry. In addition to the ASAs, some of the machines in our network use firewalling software, configured to respond automatically to unwanted probing.

Every staff member is required to use a strong password for each machine they access. Staff accounts are randomly checked and run through many of the same password cracking utilities used by attackers.

All CollegeNET servers are audited regularly for vulnerabilities. We update our scanning utilities with the latest security exploits. Although our servers are firewalled, they are configured, by default, not to trust each other. This helps to contain and minimize the impact of any attack. All services not in use are shut off, and the remaining services are updated and secured before a machine is brought live on our network.

Multiple Intrusion Detection Systems (IDS) monitor our network in real time. The IDS locally and remotely monitor the logs, file systems, network traffic and services running on each machine. The IDS are monitored remotely and will automatically page the on-call Systems Administrator if a failure of the IDS occurs.

At least one Systems Administrator is on call 24 hours a day, 7 days a week. The system pager will contact the on-call Systems Administrator if any system or security issue arises.

CollegeNET servers use a combination of Linux and Windows operating systems. These operating systems were selected based on their reliability, scalability, efficiency and security. All software and operating systems are updated with the latest patches and updates before they go live, and are kept up-to-date while online.

The routers, firewalls and switches are top-of-the-line Juniper, Cisco and Brocade equipment in redundant configurations. CollegeNET maintains diverse physical connections to multiple upstream ISPs. We own our own portable network block to facilitate load balancing and rapid disaster recovery.

Automated network backups are performed on a regularly scheduled basis with encrypted archives stored at an off-site facility for quick restoration in case of the need for disaster recovery. In addition to the backups, our servers use RAID technology to greatly increase the reliability of the information while on disk.

User Data Privacy
CollegeNET has a strict policy never to give, sell, rent or trade any personally identifiable information to third parties for marketing or other purposes. See our Privacy Statement.