Information and data are foundational for the REAL Chem Courseware, and are essential to almost all of our work. Our information includes: course content; learning models; user information; learner-interaction data; aggregated course analytics; software; computer systems; publications; website; and many other forms. Whatever form the information takes, or whatever means by which it is shared or stored, it must be appropriately protected.
OLI will protect its information assets in ways that are both appropriate and effective, as well as satisfactory to interested parties inside OLI, Carnegie Mellon University, and our partner institutions and organizations. This will enable OLI to fulfill its responsibilities, enable our staff to continue their mission, and allow us to provide service to our clients.
Our ability to protect our information assets will enable us to maintain and improve our reputation and ensure that we meet our research, academic, and professional goals. In addition, it will ensure that we do not lose opportunities for partnership or our ability to service our partners, instructors, or students.
As a part of Carnegie Mellon University, OLI is supported by, and subject to governance by, the University’s Information Security Office (ISO). We align our work with ISO’s broader policies, practices and recommendations: https://www.cmu.edu/iso/index.html
Our objective is to protect REAL Chem courseware customers, users, operations and professional standing from security issues. We maintain a level of security that is appropriate and aligned with industry standards. We leverage the collective security and access procedures of our cloud-hosted partners to protect confidential or sensitive data from loss or security breaches. At the same time, we must ensure users can access data as required for them to work effectively.
It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios.
Security issues can include confidentiality (people obtaining or disclosing information inappropriately), integrity (information being altered or erroneously validated, whether deliberately or accidentally) and availability (information not being available when it is required). A wide definition of security will be used to include all types of incidents that pose a threat to the effective use of information. This includes performance, consistency, reliability, accuracy and timeliness.
We will:
OLI’s security approach aligns with the Payment Card Industry Data Security Standard (PCI DSS) as part of our broader institutional PCI compliance. We are guided in these efforts by the CIS Critical Security Controls framework, operationalized through use of the CIS Workbench.
The OLI platform undergoes regular security scans and audits at three levels. Our internal platform team performs scans using the CIS Workbench quarterly and remediates as appropriate. Our ISO team supports compliance audits, including the use of per-server CrowdStrike agents; the ISO team also coordinates external review. This external penetration test is performed quarterly, currently by SecurityMetrics as part of our PCI DSS compliance.
All staff, past and present, permanent, honorary, and temporary of OLI have an obligation to protect our information assets, systems, and infrastructure. They will, at all times, act in a responsible, professional, and security-aware way, maintaining an awareness of and conformance to this Policy.
Everyone will respect the information assets of our clients and third parties whether or not such protection is required contractually, legally or ethically.
All members of OLI are responsible for identifying security shortfalls in our existing security practices and/or improvements that could be made. These should be reported to a direct supervisor and/or the Director of OLI.
All members who have supervisory responsibility are required to actively promote best practice amongst their supervised staff.
OLI’s security roles and their permissions are as follows:
When an employee is hired they are given access to their appropriate level. Any access needed beyond the pre-designated scope is reviewed by OLI’s Lead Architect and is ultimately assessed and granted/denied by the Director. When an employee is terminated, their access is removed immediately.
OLI works with world-class hosting partners.
All physical server security is handled by these partners. These companies have strict security and access procedures.
https://aws.amazon.com/compliance/data-center/perimeter-layer/
https://support.freshdesk.com/support/solutions/articles/196893-data-storage-and-data-security-in-freshdesk-
https://www.agilecrm.com/privacy-policy
https://www.cmu.edu/iso/governance/policies/index.html
In addition, OLI hosts a WordPress content system, whose security is governed by the CMU policies linked above.
REAL Chem staff use and manage different types of data, which require different levels of security.
The types of data used and managed by OLI are:
Data security is maintained by the Roles and Permissions used within OLI and with security best practices on the OLI Platform. Together with our hosting partners we continually improve on our security best practices. Our hosting partners monitor and patch system-level security problems. Our development staff monitor and patch application-level security problems.
OLI receives basic information such as students’ names and email addresses from institutional customers’ Learning Management Systems (LMSs). LTI credentials are used to create a single sign-on experience for users, and the credentials are delivered in a secure environment.
REAL Chem adheres to transparent, responsible and ethical practices around data ownership, sharing and use. OLI is also committed to compliance with institutional, state and federal policies regarding appropriate handling and use of learner data.
Learning data is captured to support the proper functioning of the courseware and learning science research. OLI seeks to advance learning science by yielding insights about learning and how to improve learning efficacy using data collected through courseware as well as related learner data from institutions.
Specific data captured by OLI courseware include:
We delete data at the request of the user, using practices in compliance with GDPR requirements.
OLI’s understanding is that any and all data created by students through their use of OLI’s systems during the course of the engagement are owned by the students. Because they are the creators of these data, US law automatically vests copyright in the students. Use of a system or technology in the creation of data does not interfere with this grant of rights, in the same way that Microsoft does not hold copyright in the documents an individual creates in Word or the presentations a person creates in PowerPoint. Neither OLI nor its institutional partners can make an ownership claim on data created by students simply because the students use our systems to create them.
Where appropriate, we seek consent from students and faculty to use learning data for research and analytical purposes. Implemented with process oversight from Carnegie Mellon University’s Institutional Review Board (IRB), this approach uses an opt-in/opt-out form to confirm user consent for authorized researchers and research communities to use their de-identified data in research studies. Students may opt in or opt out repeatedly, allowing them to change their minds about participation at any point.
OLI maintains two weeks’ worth of nightly database backups.
Security testing, also known as a vulnerability assessment, a security audit, or penetration testing, is an important part of maintaining the organization’s network security. We perform regular internal security audits and work with our hosting partners to continually assess security needs and practices. We rely on our partnership with AWS to support OLI via their disaster recovery plan, stateful packet inspection (SPI) firewall, and intrusion detection systems. In addition to AWS tools, we also use New Relic for real-time monitoring. All application code is reviewed for security purposes before it is deployed.
Communication of Incidents
OLI has a defined Incident Management Policy which includes procedures and communication strategies for urgent incidents, as well as defined processes for off hours support and monitoring. In the event of a breach, the Lead Architect will notify the Director. Scale, scope and impact of the breach will be reviewed and a coordinated rapid response will be initiated to include communication with affected customers.
The organization’s security policies are reviewed at least annually. Additionally, the policies are reviewed when there is an information security incident or a material change to the organization’s security policies. As part of this evaluation the organization reviews:
Open Learning Initiative | 5000 Forbes Ave. Pittsburgh, PA 15213 | oli.cmu.edu