Cumulo Learning™ Details: Security Structure

  • Access is granted via a user name and a password. On July 1 this will be strengthened by eliminating the option of having login credentials emailed on request. From that point, logins will need to be reset after navigating through a "Captcha" screen and answering a security question that the end user created upon their first login. In addition, site access for all H51 Software products will be managed from a central database, separate from the product database itself.
  • The next line of defense against unauthorized access to school, family, and student data is a filter that requires a session variable to authenticate. Session variables are created upon logging in and reside only on the server. If the session variables are not found, the access attempt is redirected to the login page.
  • Work is ongoing to stay ahead of the malicious attacks known as SQL injection, in which attempts are made to gain access to the database itself. It should be noted that absolutely no user or school financial data is kept on our servers.
  • We are also in the process of encrypting all dynamic URLs that appear in web browsers to further thwart attempts to glean data from the site.
  • Our application runs on a dedicated, isolated platform on Windows Server 2008 R2/IIS 7.5 and is kept up to date on all security patches. We do not send error messages to the end user; instead, we send a custom error page. Details of the error are sent to our engineers so that work can begin on the fix.
  • All user-supplied data is validated on the server side to avoid malicious data submissions.
  • Most data changes are logged by recording a time stamp and the UID of the person making the change.
  • Cumulo Learning adheres to the letter and intent of FERPA, which states in part:
    Schools may disclose, without consent, "directory" . However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

    None of this information is disclosed via unsecured web access and some of it is disclosed to logged-on users. The notification of involved parties is left to the schools.
  • Users have one login that grants access to any schools that they are enrolled in, that they work in, or that they have students enrolled in. If a user has accounts in multiple schools, a screen will come up asking them to select the school that they wish to access.
  • User accounts time out after 20 minutes of inactivity and after 2 hours regardless of activity.
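
The session filter and the two timeouts described in the list above, written out as an added example; it is not H51 Software's code. The `/login` path and the `SessionStore` and `gate` names are assumptions, and the clock is passed in as seconds so the expiry rules can be checked.

```python
import secrets

IDLE_LIMIT = 20 * 60          # 20 minutes of inactivity (from the page)
ABSOLUTE_LIMIT = 2 * 60 * 60  # 2 hours regardless of activity (from the page)
LOGIN_PAGE = "/login"         # assumed path, not taken from the page


class SessionStore:
    """Server-side session table; the browser only ever holds the opaque ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, uid, now):
        """Called after a successful login; returns the new session ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"uid": uid, "created": now, "last_seen": now}
        return sid

    def check(self, sid, now):
        """Return the UID for a live session, or None if missing or expired."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        idle = now - record["last_seen"]
        age = now - record["created"]
        if idle >= IDLE_LIMIT or age >= ABSOLUTE_LIMIT:
            # Delete on expiry so a stale ID cannot be revived later.
            del self._sessions[sid]
            return None
        record["last_seen"] = now  # activity resets only the idle clock
        return record["uid"]


def gate(store, sid, path, now):
    """Filter run before every protected page: serve it or send to login."""
    uid = store.check(sid, now) if sid else None
    if uid is None:
        return ("redirect", LOGIN_PAGE, None)
    return ("serve", path, uid)
```

Activity refreshes only `last_seen`, never `created`, which is what makes the 2-hour limit hold for a user who never goes idle.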
