Information Security Policy

Protection of Client Information

Staff will not disclose names or email addresses of users of a Niche Academy academy to anyone who is not an administrator or a supervisor of a specific academy. This applies to both written and spoken communications.

Niche Academy staff, including contractors, will not disclose names or email addresses of Niche Academy users to any administrator or supervisor of a Niche Academy academy outside the scope of their own academies.

Staff will not discuss or disclose any confidential information that may be stored in Niche Academy to anyone other than an authorized administrator of the academy where that information is stored. This may include personally identifiable information such as names and health conditions.

It is the policy of Niche Academy that each user of the Niche Academy platform should have their own account except in cases where group access is authorized for specific tutorials.

When Niche Academy terminates an employment relationship with an employee, privileged access to Niche Academy for that employee is also immediately terminated.

Any changes to administrative access to a Niche Academy academy must be explicitly authorized by an existing administrator of that academy. Whenever a new administrative user is added, all existing administrators of that academy are notified of the change.

Users have the right to make changes to their own name, email, and password.

Users may request that they be completely removed from the system.


Security Architecture

All workstation machines used by Niche Academy staff to administer Niche Academy must run anti-virus software. Avast and Sophos are the recommended solutions.

Employees are required to regularly keep their workstations up to date with the most recent releases of the operating systems and browsers they use.

All servers used for Niche Academy’s cloud-based platform are updated to the latest patch levels at least twice a year.

All direct operating-system-level access to Niche Academy’s cloud servers is done over a secure shell connection secured with private-key authentication. Only specifically authorized IP addresses are allowed to make that connection. Only explicitly authorized employees are provided with the private key required to make that connection.

Separate servers are used for testing and production. Multiple layers of separation are employed. Routine code development is performed on individual employee workstations. The first level of testing is done with committed code deployed to a “nightly” test server. Code branches that are deemed to be ready for pre-release testing are deployed to a “release” test server that mirrors our production environment. Only after all testing has been successfully completed on the release server is the code committed to our master branch and deployed to our production server.


Configuration

All user communication with the Niche Academy application and the Niche Academy website is over a secured (SSL) connection.

All passwords are stored in hashed form using the MD5 hash algorithm. Further, all generated passwords used for new accounts are unique.


Product Design

If specific security vulnerabilities are identified in our application or in the systems supporting our service, it is the policy of Niche Academy to address those issues immediately in a “Hotfix” deployment.

It is the policy of Niche Academy to regularly run a security analysis of the Niche Academy application and take action upon the results. This includes static analysis of the code and dynamic analysis of the live application.


Access Control

Employees are not allowed to share passwords or accounts on the systems used in the creation and maintenance of the Niche Academy platform, including the AWS Console, our TeamCity build server, QuickBooks, HubSpot, and GitHub. The only exception is for rare cases in which licensing is for the company and more than one employee has a need to access the system. This would include, for example, developers who are aware of the credentials used by an API for interaction between the Niche Academy platform and a third-party platform.

Employees are granted the least amount of access absolutely required to perform their tasks. Developers, as a rule, don’t have commit access to the master branch on GitHub. Commits to master are only performed by one of the owners after thorough testing of a release branch.

When Niche Academy terminates an employment relationship with an employee, that employee’s access to Niche Academy systems is immediately revoked.


Monitoring

A senior member of Niche Academy staff will perform an annual audit of Niche Academy systems to verify that there are no unauthorized or obsolete accounts. This includes systems used for the following purposes:

  • CRM
  • Build Management
  • Accounting
  • Database and Application Server allowed IPs
  • Code Repository
  • Google Suite
  • Internal Chat


The annual audit also includes a review of the data currently stored on our systems and whether the current security policies are adequate to the sensitivity of those systems.

Niche Academy logs all attempts to access application system servers with a secure shell, both failed and successful. These logs indicate the account used in the attempt, the time of the attempt, and the source IP for the attempt. These logs are reviewed forensically whenever there is an indication of suspicious activity.

Niche Academy requires all employees to take basic security training.


Physical Security

Employees are required to lock their workstations whenever they will be away from them for more than a few minutes. This applies whether in the office or away from it.

The last person out of the building at the end of the day needs to lock the building.

Employees who have a key to the building are responsible for safeguarding it.

Lost or stolen keys must be reported immediately.

Part of the responsibility of having a key is making sure that you never leave anyone in the building at the end of the day who does not have one.

Employees who carry a company computer with them away from the office are responsible for the physical security of that machine. Any suspected loss or compromise of a company machine must be reported immediately.

Employees are required to use disk encryption to secure data in local storage.


Contingency

Niche Academy takes regular snapshots of our application database using the AWS RDS service.

Niche Academy tags all release branches of our code base that are deployed to production in order to provide an emergency recovery mechanism.


Incident Response

In the event of a security breach, it is the policy of Niche Academy to notify all affected and potentially affected customers within 24 hours of becoming aware of the incident. An exception to this policy is allowed if law enforcement determines that disclosing the breach would impede investigation.

In the event of an outage, Niche Academy will notify customers within one hour of first becoming aware of the incident.

Third-party investigators will be engaged in the event that a security breach goes beyond the ability of Niche Academy staff to handle on their own, or if Niche Academy management determines that third-party involvement would be important to restoring the confidence of customers.