VR Study Trips' security requirements below. These security requirements were passed June 2020.
1. Does your product have role-based access controls that segregate the work actions, privileges, and access to protected data of all system users (e.g. student, administrator, teacher, etc.)? Yes
2. Can your product remove a user’s privileges without having to delete their account and reset their password without knowing the password? Yes
3. Do all company system administrator accounts with elevated access to protected data meet all of the following password requirements? If all system administrators use Multi-Factor Authentication (MFA), answer yes.
a. passwords contain at least 12 characters
b. passwords contain at least 1 number, 1 uppercase letter, and 1 special character
c. passwords cannot be the same as the previous 5 account passwords
d. can not contain any common dictionary words
e. maximum invalid password attempts cannot exceed 5
Yes
4.Does your product automatically lock a company system administrator’s account after five or fewer consecutive failed attempts? If all system administrators use Multi-Factor Authentication (MFA), answer yes. Yes
5. Are passwords and data transmitted through web browsers encrypted in transit using TLS 1.2 protocol or greater? Yes
6. Are all user account passwords salted and hashed when stored at rest? Yes
7. If your product requires files to be installed on user computers, has it been successfully tested to operate in an environment where common anti-malware scanning technologies are implemented to remove malicious software? n/a
8. Does your product automatically create backups of transactional data that can be restored with no more than 1 day of data loss? Yes
9.Does your product have a mechanism to synchronize time between all networked resources in your application environment with an NTP server or other time protocol? Yes
10. Does your product persistently track each user’s session activity, except using IP session tracking, to ensure that users are uniquely identified for the variable duration of their use of your product? Yes
11. Is your product's computer source code systematically examined during the development process to find common security vulnerabilities? Yes
12. Are all the major system components of your product scanned for common vulnerabilities before releasing it to production for customer use (e.g. web server, database server, etc.)? Yes
1. Do you plan to transmit, collect, use, require or request Personally Identifiable Information (PII)? Yes
2. Is your organization currently ISO 27001 Certified? No
3. Do you have a set of internally published policies approved by your management that defines your approach to information security that are regularly reviewed? Yes
4. Do you manage information security through assigned segregated roles and responsibilities (e.g. Chief Information Security Officer, Network Administrator, Incident Handler, etc.)? Yes
5. Does your organization provide a secure connection for teleworking employees with privileged access to protected District data (e.g. VPN)? n/a
6. Are administrators, who are responsible for maintaining equipment that house protected District data, subject to a pre-employment background check? Yes
7. Are employees, who will access or disclose protected District data, required to complete information privacy and security training annually? Yes
8. Are you capable of complying with data destruction methods for physical media upon request from school districts? Yes
9. Is there a process for the timely revocation and granting of access rights for all user roles in your product? Yes
10. Are administrator system user accounts regularly reviewed for removing unnecessary or unauthorized elevated access rights? Yes
11. Are accountability, authentication, and authorization methods in place to restrict access to utility programs that are capable of overriding your product's system and application controls? Yes
12. Does your product restrict users to a single application session that times out after 30 minutes of inactivity? Yes
13. Do you have role-based controls to restrict access to your product's source code? Yes
14. Does your product encrypt protected District data "at rest" on storage media using no less than 128-bit AES (e.g. files, laptops, servers, etc.)? Yes
15. Is protected District data encrypted in transit between your application and your database server using no less than 128-bit AES? Yes
16. Do you have a system for securely generating, distributing, storing, revoking, logging, and auditing encryption keys? Yes
17. Are offices, rooms, and facilities (that protect District data) physically secured with a minimum mortise lock, and are the keys securely managed? Yes
18. Do you have a documented policy to limit the unauthorized removal of District data from your organization's premises? Yes
19. Does your organization have formal procedures in place to identify, approve, and record significant changes to systems that process protected information? Yes
20. Can your product automatically log authentication attempts, application events, security events, database events, and administrator commands issued by users with root system privileges? Yes
21. Do you have anti-malware software installed and updated regularly on servers hosting District data? Yes
22. Does your product automatically create and time-stamp audit records when changes occur in the following?
a. User access
b. User privileges
c. Database schema objects
Yes
23. Does your product have the ability to export audit and transactional records in a human readable file format for review and analysis? Yes
24. Are audit logs retained for at least 90 days on storage media? Yes
25. Are servers or equipment that house protected District data on a regular security patch schedule? Yes
26. Does your organization restrict the use of unsecure and deprecated network connection protocols and services? (e.g. Telnet, WEP, SSL, SMB v1, etc.) Yes
27. Is your product's application environment segregated from the Internet through the use of a stateful firewall to ensure that access to District data is protected? Yes
28. Do you regularly monitor sub-contractors who may be responsible for maintaining your product or have access to protected District data to ensure that they comply with District information security requirements and regulatory requirements? Yes
29. Does your organization have formal procedures for monitoring, detecting, analyzing, and reporting of information security events and incidents? Yes Compliance
30. Does your product implement technical controls to ensure that the allowed number of LAUSD users do not exceed the maximum number of licenses permitted? Yes