Our System Policy

The purpose of this policy is to maintain a comprehensive level of security to protect data and information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure the secure and reliable operation of Genesis Information Systems.

  • This policy applies to all employees of Genesis Educational Services. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

Only authorized Genesis employees are granted access to Genesis systems. System access control is achieved via unique user IDs and MFA (multi-factor authentication), which together provide individual accountability.

  1. All employees must be screened prior to hire.

  2. Employees are required to attend information security awareness training.

  3. Policies in place require HR to immediately notify IT of terminations and transfers.

  4. All Genesis employee system actions will be logged and stored indefinitely.

  5. Genesis does not allow ANY 3rd party vendor ASP/hosted system access.

  6. Procedures for access to mission-critical systems and sensitive data include user authorization and authentication protected by MFA (multi-factor authentication).

Internet Security

  • Internet accessible systems are tested for vulnerabilities prior to being placed in production.

  • Only services that are required by a specific business need and that have been assessed for their impact on security are enabled.

  • All essential protocols are securely configured, and non-essential protocols are disabled.

  • Firewall(s) are configured to ensure source(s), destination(s), and protocol(s) are as specific as possible.

  • No internal systems containing client information or in the same network are exposed directly to the internet.

  • Customer data is restricted based on the principle of least privilege (PoLP). Role-based access controls (RBAC) are strictly enforced.

Internal System Security

  • Applications on internal web servers run in non-privileged mode.

  • Server performance metrics (CPU, disk, memory, hardware, etc.) are monitored.

  • The Genesis cloud network (hosted in AWS) is protected by an application firewall with DDoS protection, anti-virus, and intrusion detection/prevention systems (IDS/IPS) that monitor and mitigate threats.

  • AWS CloudTrail and AWS CloudWatch log security-relevant events and are audited regularly.

Secure Development Practices

  • All application code undergoes internal security reviews and vulnerability assessments before deployment.

  • Testing for web applications includes checking for session management weaknesses, cross-site scripting, SQL injection and other common vulnerabilities.

Encryption

  • Public/private keys are used for the encryption of sensitive information during transmission.

  • Encryption keys are securely controlled.

  • TLS v1.2 or greater is required for data transferred over public networks.

  • Passwords are stored as salted hashes, never in plaintext or reversibly encrypted form.

  • Full disk encryption is used for locally stored materials (e.g. on laptops, workstations, etc.).

Disaster and Incident Recovery

  • Systems are backed up regularly and stored securely in multiple, geographically separate locations.

  • A formal incident response plan is in place, ensuring timely identification, containment, and recovery from security incidents.

  • A disaster recovery plan is in place, ensuring minimal disruption in case of an outage or security breach.

The Genesis Cloud and Data Backup Service is hosted in an Amazon Web Services (AWS) us-east data center, which maintains strict access controls. Specific controls in place include those listed below. Additional information can be found at: https://aws.amazon.com/compliance/data-center/controls/

  • AWS Identity and Access Management (IAM)

  • AWS Key Management Services (KMS)

Compliance with security frameworks such as CIS, ISO, SOC, PCI-DSS, and NIST is supported.

This policy is reviewed and updated periodically to address emerging security threats and changes in regulatory requirements.