Stock-Trak Inc. Data Privacy and Security Plan
- Outline how you will implement applicable data security and privacy contract requirements over the life of the Contract.
- Stock-Trak’s data is stored in a secure SOC 2 Type 2, professionally managed hosting facility. Student PII is automatically deleted after 1 year of user inactivity. Stock-Trak has appointed specific personnel who are responsible for ensuring compliance with its data privacy and security agreements as well as striving to adhere to national data privacy and security standards. Stock-Trak’s management team has allocated the necessary resources to ensure these objectives are carried out and achieved on an ongoing basis.
- Specify the administrative, operational and technical safeguards and practices that you have in place to protect PII.
- Stock-Trak has implemented procedures to ensure minimal student PII is collected. Data is protected via a firewall and also encrypted in transit and at rest. All its staff are trained in data security and privacy procedures and have signed confidentiality agreements in place. Stock-Trak regularly undergoes security audits conducted by independent 3rd parties and then follows up to remediate any vulnerabilities that may be discovered.
- Address the training received by your employees and any subcontractors engaged in the provision of services under the Contract on the federal and state laws that govern the confidentiality of PII.
- We require that all employees complete a security awareness training program as well as attend ad-hoc training sessions covering specific, security related topics.
- Outline contracting processes that ensure that your employees and any subcontractors are bound by written agreement to the requirements of the Contract, at a minimum.
- All employees are required to sign confidentiality agreements as well as an acknowledgement that they have completed the security training. Stock-Trak also has agreements in place with any 3rd party contractors that may have access to PII.
- Specify how you will manage any data security and privacy incidents that implicate PII and describe any specific plans you have in place to identify breaches and/or unauthorized disclosures, and to meet your obligations to report incidents to the EA.
- Stock-Trak has created a formal incident response plan to provide a well-defined, organized approach for handling security breaches.
- Describe how data will be transitioned to the EA when no longer needed by you to meet your contractual obligations, if applicable.
- PII is deleted after 1 year of inactivity or within 30 days upon written request by an EA.
- Describe your secure destruction practices and how certification will be provided to the EA.
- PII is deleted after 1 year of inactivity. Stock-Trak will provide written certification that PII has been deleted upon request from an EA.
- Outline how your data security and privacy program/practices align with the EA’s applicable policies.
- PII data is protected within a secure SOC 2 Type 2 facility. All PII data is encrypted and only accessible to authorized personnel who are properly trained and under confidentiality agreements. Stock-Trak does not share or disclose PII data to 3rd parties and deletes PII data after 12 months of inactivity or upon written request from an EA. Stock-Trak has a team responsible for data security and privacy and also conducts security audits on a regular basis to ensure that appropriate standards are being adhered to.
- Outline how your data security and privacy program/practices materially align with the NIST CSF v1.1 using the Framework chart below.

| Function | Category | Contractor Response |
| --- | --- | --- |
| IDENTIFY (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | Stock-Trak utilizes the services of a fully managed hosting service provider. Servers and databases are located in a SOC 2 Type 2 facility, which undergoes regular security audits. All servers are behind a firewall and incoming traffic must also pass through Imperva’s DDoS protective firewall. Only authorized staff have access to PII data, via a secure VPN connection (requires multi-factor authentication and secure passwords). All PII is encrypted at rest and in transit. All staff and contractors who have access to PII are under signed confidentiality agreements and are trained to adhere to industry standard security policies and procedures. Servers are fully monitored, and operating systems are patched regularly as required. All data is backed up daily, offsite. |
| | Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | Stock-Trak establishes organizational goals, objectives, and priorities on a regular basis. A team is in place to manage all aspects of maintaining industry standards for data privacy and security. The team can be reached by sending an email to privacy@stocktrak.com. The team also utilizes 3rd party cyber security specialists on an ad-hoc basis if needed. |
| | Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | Stock-Trak has measures in place (including policies and procedures) to protect PII from loss, misuse and unauthorized access, disclosure, alteration, and destruction. We have security policies in place that all employees must adhere to, along with clearly defined information systems roles both internally and with our external contractors. |
| | Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | Stock-Trak engages with a Cyber Security firm on a regular basis to perform an internal audit, and remediates identified vulnerabilities based on a risk assessment. We receive communication from various sources on threats and vulnerabilities, and we remediate vulnerabilities based on the determined level of risk to the business. All new data privacy agreements are vetted with senior management prior to being executed. |
| | Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | Stock-Trak engages with a Cyber Security firm for a regular audit to determine vulnerabilities. We assess the risks associated with the vulnerabilities to determine our risk tolerance levels and remediate issues accordingly. |
| | Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. | Stock-Trak’s senior leadership is aware of all supply chain risks and has contractual agreements with all external vendors. Suppliers and third-party partners are reassessed regularly to confirm they are meeting their contractual obligations. |
| PROTECT (PR) | Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | Stock-Trak’s data center requires badge access to limit entry to those who require access for their job function. Visitors must be identified and escorted into the facility. Remote access requires two-factor authentication and is limited to those who require it. Those restricted staff members have access to the database via a secure VPN connection. Processes are in place to grant and remove access for designated staff and contractors. |
| | Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | All Stock-Trak employees are required to complete an initial and ongoing data privacy and security training program before handling personal information. All employees have unique login credentials to access personal information through a secure VPN connection (which includes MFA), and access is limited to those employees who require it in the normal course of business. Members of the executive team, IT team, and Development team are part of the Incident Response Team and are aware of the necessary actions to take in the event of a cyber security breach. |
| | Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | Stock-Trak’s database is hosted within TierPoint’s facilities, and both data at rest and data in transit are encrypted. These secure servers are patched and secured with managed endpoints. Processes are in place to automatically delete PII after 1 year of user inactivity. All data access requires unique login credentials. The IT specialist maintains an up-to-date inventory of hardware and software assets, monitors capacity, and investigates alerts generated by the system. |
| | Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | Stock-Trak secures access to its data center by requiring badge access, and guests and visitors are required to be identified and escorted on premise. The IT Specialist ensures that hard drives and other retired storage assets are destroyed, to prevent data recovery from these assets by unauthorized individuals. We have processes in place to destroy PII after 1 year of user inactivity. Stock-Trak keeps a backup of its firewall appliance configuration. We have a firewall appliance that scans all incoming traffic. We perform testing on our staging sites prior to migration into production, and automatic backups are done daily by our hosting service provider. Both Stock-Trak and its managed hosting service provider (currently TierPoint) engage with Cyber Security firms to perform security audits on a regular basis, and the results of the security tests are shared with appropriate stakeholders. The Incident Response team will test recovery plans and review results annually, to ensure that the plan meets organization requirements. When employees and nonemployees leave the organization, HR provides notification to disable network and e-mail accounts. |
| | Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. | Stock-Trak’s IT specialist ensures that all system components are regularly maintained and observed for quality control. Other standard maintenance (such as operating system patches and upgrades) is performed by our hosting service provider whenever required. |
| | Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | The technical security solutions are managed both by Stock-Trak’s IT and security personnel and by its professionally managed hosting service provider (currently TierPoint). TierPoint is responsible for maintaining the firewall, conducting the daily backups, monitoring the servers, applying regular patches and updates, etc. The system also uses an Imperva firewall to protect against DDoS attacks and filter out non-human traffic. |
| DETECT (DE) | Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood. | Stock-Trak’s IT specialists review logs and monitor network traffic, and are alerted in the event of abnormal traffic patterns and other network anomalies. The IT specialist and Development team investigate alerts, escalating events as appropriate to senior management, who may invoke the incident response plan. We can see real-time connections to our resources, and incidents are investigated based on the sensitivity of the data involved. We have thresholds set to alert the team of incidents, and guidelines on when to escalate issues accordingly. |
| | Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | All key network components are monitored 24/7/365. Monitoring is performed by Stock-Trak’s professionally managed hosting service provider within a secure SOC 2 Type 2 datacenter facility. The Imperva firewall and DDoS protection are an added layer of monitoring and security. Thresholds are established which generate automatic alerts. Logs are checked regularly for anomalies. |
| | Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. | Stock-Trak has a dedicated IT specialist who is responsible for the identification of anomalous activity. We perform penetration tests through a Cyber Security firm to assess the company’s ability to detect attacks. Senior management is responsible for selecting remediation actions to be performed. The incident response plan includes steps for escalating incidents to the Incident Response team, which determines the appropriate stakeholders and when to communicate details of the incident to affected parties. We incorporate back into our security practices all lessons learned from testing and documented incidents. |
| RESPOND (RS) | Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents. | Stock-Trak has an Incident Response Plan in place to be enacted in the event of a cybersecurity breach. Stock-Trak has a close working relationship with its managed hosting service provider as well as a 3rd party specializing in security and data privacy. |
| | Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies). | Stock-Trak maintains an incident response plan, which outlines the roles and responsibilities of key team members and external parties. The incident response plan details steps to escalate incidents depending on their severity. It includes a list of contact information for all individuals that we have contractual agreements with, should a breach occur. |
| | Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities. | Stock-Trak has designated employees (including management) responsible for analysis. The IT Specialist receives alerts and determines if an event or incident must be investigated. If escalation is not required, the alert is closed. Events and incidents are investigated and triaged based on the sensitivity of the data and assets involved. The executive team will engage a Cyber Security firm for incidents requiring forensic investigation. |
| | Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. | The members of the incident response team maintain an incident response plan that includes the steps necessary to contain and mitigate incidents. Stock-Trak already greatly mitigates risk by allowing its customer user base to register accounts without requiring any personal information. |
| | Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. | Stock-Trak’s Incident Response Team will meet to discuss all lessons learned after an incident and update the incident response plan based on the outcome of the security related incident and the associated response activities. |
| RECOVER (RC) | Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents. | Stock-Trak has a well-defined plan in place, outlining key roles and responsibilities in the event of a cybersecurity breach. Our environment is hosted with TierPoint, where we perform daily offsite backups. In the event of a disaster, TierPoint will bring up our environment in one of their secondary data centers, where we can restore data from the last daily backup. |
| | Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. | Stock-Trak’s incident response team will discuss all lessons learned after an incident response. The team will review the Incident Response plan on an annual basis to ensure any necessary changes are incorporated. |
| | Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). | Stock-Trak’s Incident Response Team is responsible for coordinating and managing the communication to all external and internal parties during an incident. In addition, the members of the Incident Response Team will determine next steps for repairing reputational damage and communicate with external stakeholders. Throughout the response and recovery process, the development team and/or the contracted Cyber Security firm will provide timely updates to the team. |