Faculty Success is a Software as a Service (SaaS) provider, and the security of our service is of the utmost importance. We understand that you, as our client, may wish to verify certain aspects of our security, to ensure we are living up to our own high standards. However, we are also providing service to hundreds of colleges and universities, and we cannot allow unsanctioned security or penetration testing to affect other clients' use of our service.
This article outlines Faculty Success requirements and recommendations for clients who wish to perform their own security audit of our service.
Your IT policies may require that certain scans be run to audit vendor security as part of a due diligence process. These scans may be one-time, or could be run on a recurring basis.
If Faculty Success determines that a security scan is causing a detriment to the system, we may temporarily block all requests from the source until we are able to contact the Faculty Success Administrator. This block may impact other users on the campus that originate from the same source, such as a campus proxy server.
- Simple network or port scans (TCP/UDP)
You may run simple, non-intrusive network or port scans on Beta and Production systems at any time. For more information about your Beta environment, see the Beta Environment article.
- Encryption Analysis (SSL/TLS)
You may analyze the security of our SSL/TLS encryption configuration on Beta and Production systems at any time.
- Web and/or Web Service Scans (HTTP/HTTPS)
You may scan our servers for vulnerabilities over HTTP/HTTPS within the restrictions listed below.
- Notify your Success Consultant of the anticipated schedule for all intensive scans, and the single source IP address from which the scans will originate.
- You must submit to your Success Consultant the single source IP address from which all scans will originate.
- Schedule intensive scans outside Faculty Success core business hours of 7:00 AM - 7:00 PM US/Central.
- Limit scans to URLs within your own organization; for example, a client named "YourU" should limit scans to http://server.digitalmeasures.com/login/youru*.
- Run scans against our test system at beta.digitalmeasures.com.
- Limit the scan rate to no more than 120 requests per minute.
- Run authenticated user scans using a dummy or sample account to ensure that real user data is not affected.
- Configure the scanning tool to use an identifiable HTTP "User-Agent" string, and notify your Success Consultant of this value. An ideal User-Agent string includes your campus's name, the security scanning tool in use, and the date of the scan; for example, "YourU SAINT testing 2015-01-11".
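As an added illustration, not Faculty Success's own tooling, the following pre-flight check tests a planned intensive scan against the requirements listed above before the scan is submitted for approval. It assumes a client short name of "YourU", uses constructed sample plans, and assumes the per-organization URL scope rule applies on the beta host as well as the production host.

```python
from dataclasses import dataclass
from datetime import datetime, time
from urllib.parse import urlparse

# Limits taken from the article
MAX_REQUESTS_PER_MINUTE = 120
CORE_HOURS = (time(7, 0), time(19, 0))  # 7:00 AM - 7:00 PM US/Central
TEST_HOST = "beta.digitalmeasures.com"
# Assumption: the per-organization path scope (/login/<client>*) applies on both hosts
SCOPED_HOSTS = {TEST_HOST, "server.digitalmeasures.com"}

@dataclass
class ScanPlan:
    client: str              # short client name used in the URL scope, e.g. "YourU"
    tool: str                # scanning tool name expected in the User-Agent
    start_central: datetime  # planned start, given in US/Central local time
    requests_per_minute: int
    user_agent: str
    source_ips: set
    urls: list

def check_scan_plan(plan: ScanPlan) -> list:
    """Return the requirements a planned intensive scan violates (empty = compliant)."""
    problems = []
    if len(plan.source_ips) != 1:
        problems.append("all scans must originate from a single source IP address")
    prefix = f"/login/{plan.client.lower()}"
    for url in plan.urls:
        parts = urlparse(url)
        if parts.hostname not in SCOPED_HOSTS or not parts.path.lower().startswith(prefix):
            problems.append(f"outside {plan.client}'s URL scope: {url}")
        elif parts.hostname != TEST_HOST:
            problems.append(f"not the test system {TEST_HOST}: {url}")
    if plan.requests_per_minute > MAX_REQUESTS_PER_MINUTE:
        problems.append(f"{plan.requests_per_minute} requests/min exceeds {MAX_REQUESTS_PER_MINUTE}")
    if CORE_HOURS[0] <= plan.start_central.time() < CORE_HOURS[1]:  # start only; keep the whole run outside
        problems.append("start falls inside core business hours (7:00-19:00 US/Central)")
    ua = plan.user_agent.lower()
    scan_date = plan.start_central.strftime("%Y-%m-%d")
    if not (plan.client.lower() in ua and plan.tool.lower() in ua and scan_date in plan.user_agent):
        problems.append("User-Agent should name the campus, the tool and the scan date")
    return problems

# Constructed sample plans for a hypothetical client "YourU" (not real scans)
COMPLIANT_PLAN = ScanPlan("YourU", "SAINT", datetime(2015, 1, 11, 22, 0), 100,
    "YourU SAINT testing 2015-01-11", {"192.0.2.10"}, ["https://beta.digitalmeasures.com/login/youru/"])
NONCOMPLIANT_PLAN = ScanPlan("YourU", "SAINT", datetime(2015, 1, 12, 10, 30), 600, "Mozilla/5.0",
    {"192.0.2.10", "192.0.2.11"}, ["https://beta.digitalmeasures.com/login/otheru/",
                                  "https://server.digitalmeasures.com/login/youru/"])
```

Run `check_scan_plan` on your own plan before contacting your Success Consultant; an empty list means every listed requirement is met, while each entry names one point to fix.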
Other Scans or System Analysis
If your needs include a type of scan or system analysis not categorized above, you will need to submit further details to Faculty Success prior to commencing. Please contact your Success Consultant directly with specific information on the purpose of the scan, the software tool(s) that you will use, the scope of anticipated impact, as well as your preferred schedule for the test.
Faculty Success reserves the right to restrict the types, target systems, and timing of scans at our sole discretion. If Faculty Success detects that a security scan is causing a detriment to the system, we may temporarily block all requests from the source until we are able to contact your campus's Faculty Success Administrator. It is important to note that such a block may prevent other users on your campus who connect from the same source from accessing the system.
Faculty Success will provide approval of a requested scan in the form of an email from your Success Consultant addressed to the requesting party and the campus's Faculty Success Administrator. Correspondence will include a formal approval statement, confirmation of the test schedule, and a re-statement of the potential loss of system use. We will grant approval for requests that meet all of the criteria stated above.