Skip to main content

General Security Controls

Updated

The LeaderU platform features an easy-to-use interface allowing users to access content and resources to help with their learning objectives. FranklinCovey's LeaderU has applied industry best practices, security frameworks, and privacy policies to protect user data. For additional information please see our Privacy page in the footer of the LeaderU website found here: https://www.leaderu.us/privacy

PERSONNEL SECURITY

  • New employees must pass a criminal background check.
  •  Least privilege access control is used for all application, OS, database, and network permissions. User access privileges are audited on a quarterly basis. 
  • Access to a system is removed within twenty-four hours of employees leaving the company. 
  • New employees must sign off on an acceptable user security policy. 
  • Employees undergo security training annually. 
  • Users of LeaderU and our clients can request access to be deleted and data to be destroyed at any time via support@leaderu.us

DISASTER RECOVERY AND BUSINESS CONTINUITY

  • Comprehensive disaster recovery and business continuity plan tested annually. 
  • Snapshots and onsite/offsite backups of all critical systems. 
  • Backups are tested for validity. 
  • Backups are encrypted before sending offsite. 
  • The disaster recovery plan is in place in case of large-scale interruption to the current infrastructure. 
  • Data center takes advantage of multiple internet connection paths ensuring uptime. 
  • Power to the data center uses both UPS systems and backup generators to ensure power availability.

SECURITY POLICIES/RISK ASSESSMENT

  • Full security policy covering 22 topics. 
  • Risk assessment is formally reviewed annually. 
  • Applications developed around OWASP standards and static code analysis are performed regularly. 
  • Development, staging, and production are segregated, and only approved code progresses through the SDLC. 
  • Vulnerability scans run on systems and any outstanding issues are included in the development cycle.

OPERATIONAL SECURITY

  • Customer data is used only for the performance of contractual services. 
  • Data is encrypted at rest and in motion. 
  • System admins are only able to connect to the data center from approved locations that have been whitelisted. 
  • All media used within the data center is disposed of securely. 
  • All critical security patches are put in place within seventy-two hours of notification. 
  • Non-critical patches are done every month. 
  • Antivirus software is used to detect and remove malicious software. 
  • Audit logs are aggregated by a SEIM product, and alerts are created for anomalies. 
  • User accounts are not shared and assigned to individual users. 
  • User passwords are hashed and salted at rest and encrypted in motion using an industry leader in PII protection. 
  • Firewalls are in place around the perimeter of the data center, and individual servers use firewall rules to only allow authorized protocols originating from authorized sources. 
  • Firewalls and servers are hardened to industry standards, removing unnecessary protocols.
  • IDS/IPS system in place to detect malicious traffic before it enters the network. 
  • All systems are monitored, and alerts are generated based on availability and response time. 
  • Networks are segmented physically based on traffic type. Default passwords are changed on all systems before going into production. 

If your company requests a security assessment, please note that FranklinCovey will submit a self-assessment via a link. There is a 10-business-day turnaround, and the request requires an MNDA in place. If additional questions are requested, please notify your client partner.

Related articles

Powered by Zendesk