Updated on September 8, 2020
Sibme website is hosted and customer data resides on Amazon AWS infrastructure, which (i) has highly secure data centers with state-of-the art electronic surveillance and multi-factor access control systems, (ii) is staffed 24×7 by trained security guards, and (iiii) its access is authorized strictly on a least privileged basis. AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In addition, AWS undergoes annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems. Access to Sibme data portal management with AWS is limited to only a few key employees and is protected by a two-factor authentication mechanism for access, requiring authorized team members to first log in using their email address and password, then enter a six-digit access code that refreshes every 30 seconds from a linked mobile device. All private data exchanged with Sibme is always transmitted over SSL. Here are some useful links relating to their own security and continuity plans:
AWS Cloud Security: https://aws.amazon.com/security/
AWS Compliance: https://aws.amazon.com/compliance/
Authentication for users happens at app.sibme.com/users/login using email and password authentication, via sign-in via Google, or SSO via an organization’s authentication process (i.e. Microsoft Azure/AD, Canvas, etc.). All requests made through Sibme in a browser are done via TLS/SSL. Sibme keeps a robust set of logs for auditing purposes
Sibme is LTI Compliant and we follow the LTI standard when integrating with customer’s LMS’. For more information on LTI Compliance and LTI integrations, please visit the IMS Global Learning Tools Interoperability® page.
Sibme requires its Vendors, such as Amazon AWS to achieve key compliance controls and objectives as well as establish controls to support operations and compliance. More information on AWS System and Organization Controls (SOC) can be found on their site.
Sibme maintains Payment Card Industry Data Security Standard (“PCI”) compliance in connection with processing user credit card charges. As required by the PCI compliance standard, Sibme quarterly undergoes extensive third party security and penetration tests to ensure our payment site is secure. Please view our PCI Compliance certificate from SecurityMetrics.
The U.S. Family Educational Rights and Privacy Act (“FERPA”) is designed to protect student identity and academic information from unauthorized disclosure to third parties. Sibme complies with all relevant provisions as follows:
Sibme is compliant with U.S. Children’s Online Privacy Protection Act (“COPPA”) requirements regarding the capture and use of images of children under the age of 13. Key elements include:
Sibme is designed to comply with applicable software accessibility requirements of Section 508 of the U.S. Rehabilitation Act. The system is designed to work with native accessibility tools within Windows and Mac operating systems as well as the enhanced functions included in modern web browsers. For details related to our Section 508 compliance, please see our Voluntary Product Assessment Template (VPAT). Sibme is also designed to comply with the Web Content Accessibility Guidelines (WCAG) version 2.1, levels A and AA. For more about WCAG 2.1 compliance, see Web Content Accessibility Guidelines (WCAG) Overview.
If you have additional questions regarding Sibme’s security or privacy, please contact us at Sibme Support at any time.
Sibme has a Data Breach Notification Policy, which describes a process to quick and efficient recovery from security incidents, respond in a systematic manner to incidents and carry out the steps necessary to handle an incident, and minimize disruption to critical computing services or loss or theft of sensitive or mission critical information. Sibme will determine whether the compromised system is a low risk or a high risk data and whether the system affected is considered a high critically system. “High Critically System” is when it meets either of the following criteria: (i) stores, transmits, or provides access to High Risk Data (as defined below) or (2) loss of access could have a significant impact on Sibme as a whole and the overall institution risk from downtime is high. “High Risk Data” is defined when either of the following conditions apply: (A) the data is governed by laws or regulations that requires Sibme to report to the government and/or provide notice to individuals if the data is breached, or (B) the unauthorized use, access, or alteration of the data could have a significant adverse impact on Sibme or an individual community member. For example, social security numbers and national identification numbers, driver’s license numbers, passport and visa numbers, operating system passwords, application passwords, and API keys, central authentication credentials, financial information, health information, special categories of data under GDPR.
Sibme will risk classify the data by taking into account the (i) inherent attributes of the data; (ii) source of the data; (iii) regulation or policy governing the data; and (iv) relationship of the data to previously disclosed data. The classification of specific data is subject to change as the attributes of that data change (e.g. its elements, content, uses, importance, method of transmission, or regulatory context).