Technical, Security, and Compliance Overview

Liaison is committed to maintaining the highest technical, security, and compliance standards as outlined below. 

General Security Practices

Network Security 

Liaison understands that network security is key to data protection. The following active monitoring practices and independent security audits help protect against any external network threats:

  • Secure Isolated Network
  • Network Firewalls
  • DDoS Attack Prevention
  • Intrusion Detection
  • Security Event Management
  • Internal and External Network Scanning

Family Educational Rights and Privacy Act (FERPA) Compliance

Liaison performs all services in compliance with all applicable laws and regulations, including the Family Educational Rights and Privacy Act (20 USC §1232g) (FERPA). FERPA is a federal law in the United States that protects the privacy of students' personally identifiable information (PII). Under FERPA, Liaison is considered to be a third-party vendor. 

To help education stakeholders learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data, the US Department of Education established the Privacy Technical Assistance Center (PTAC). PTAC maintains a website that outlines the responsibilities of third-party service providers under FERPA. You can visit PTAC's site to learn more about the practices to which Liaison adheres.  

Voluntary Product Accessibility Templates (VPATs)

Voluntary Product Accessibility Templates (VPATs) are documents that indicate Liaison International's product conformance with Section 508 of the Rehabilitation Act of 1973. In order to meet the highest standards in delivery, Liaison partners with third-party auditing firms with expertise in 508 analysis. These organizations continuously monitor and audit our compliance status, which allows our technical team to address any deficiencies.

User Settings and Permissions 

Liaison ensures that each user has a unique username and follows industry-standard best practices for password creation. WebAdMIT administrators can control user settings and access to specific programs, such as:

  • Controlling who has access to certain permissions and groups
  • Configuring interviews and assignments as private reviews
  • Controlling access to programs, panels, permissions, and settings

Data Security

Data Center

Liaison houses its systems in a state-of-the-art data center. Additionally, we partner with cloud services such as Amazon Web Services and Google Cloud. Some of the benefits of using these data centers and cloud services include:

  • 24/7 network, equipment, and data monitoring
  • Proactive fault identification, reporting, and problem resolution
  • Card and biometric security systems
  • Physical and electronic security
  • Uninterrupted Power Supplies (UPS) and backup generators equipped on site
  • N+1 or greater redundancy for all essential systems and networking devices to reduce single points of failure
  • SOC 1 and SOC 2*
  • PCI certified compliance data center*
  • SAS70 Type II / SSAE16 certified

*Supporting documentation is available upon request with a signed non-disclosure agreement. Please reach out to your Liaison point-of-contact for more information. 

Personally Identifiable Information (PII) and Data Encryption

Personally Identifiable Information (PII) refers to information that can be used to identify or track an individual. Liaison uses industry-standard best practices (i.e. technical, physical, and administrative safeguards) to protect sensitive personal information from unlawful use and unauthorized disclosure. These best practices mean that: 

  • Data is fully encrypted on a secure network
  • Data is transferred over SHA-256 and RSA 2048
  • Data is encrypted in transit and at rest
  • Encryption keys are stored in secure off-site locations
  • Integrated third-party products must comply with Liaison's PII security policy and PII compliance program

To learn more about PII and the types of information that fall into that category, visit https://en.wikipedia.org/wiki/Personally_identifiable_information

Data Privacy 

Liaison adheres to stringent data privacy guidelines that focus on data collection that is relevant, lawful, and not excessive. This data is retained for no longer than is necessary to fulfill its intended purpose and is stored in a secure environment. To maintain both the integrity and privacy of this data, we take the following precautions:

  • Access to sensitive data is monitored and restricted to authorized personnel
  • Procedures are in place for reporting privacy breaches and data misuse
  • Data is stored and deleted in a secure manner

Data Breach Incident Response Plan

Liaison maintains an Incident Response Plan that not only provides a well-defined, organized approach for handling any potential threat to computers, but also details the appropriate action to be taken when the source of the intrusion or incident at a third party is traced back to the organization. The plan identifies and describes the roles and responsibilities of the Incident Response Team, which is responsible for putting the plan into action.

Data Movement

Liaison's WebAdMIT API allows developers to automate admissions tasks. For example, institutions can use our Export API to extract applicant data from WebAdMIT for analysis, processing, or other integration with on-campus systems. For more information, visit our Integration Help Center.

Payment Card Industry Compliance

Liaison has in place the required security controls to be PCI-DSS compliant. We are scanned and audited regularly to meet strict security standards.* Additionally, Liaison utilizes the latest updates and standards of Transport Layer Security (TLS). We do not store credit card information and we encrypt data in transit using SHA-256 and RSA 2048.

*Supporting documentation is available upon request with a signed non-disclosure agreement. Please reach out to your Liaison point-of-contact for more information. 

GDPR

Protection of data is a primary focus for Liaison and its partners. We understand that our partners and users trust our tools and services to protect their privacy, and this is a responsibility we administer with attention and care.

The European Union has recently granted new data rights to European residents under the General Data Protection Regulation (GDPR). While the majority of its provisions are already supported by our existing processes, agreements, and policies, we will be making a few changes to ensure we adhere to these new provisions.

What will be changing in the Liaison products?

We will be providing more clarity for our users around the data we collect, how it is used, and with whom it is shared. To do this, we will be updating our Terms & Conditions and our Privacy Policy.

We will ask our users to accept these policies and the various ways we process their data in support of our services.

How will Liaison support our partners and clients in response to the new regulation?

Liaison’s tools and services exist to collect data from our users and, with the consent of these users, transmit it to our partners, schools, and programs. If we receive a request from a user to take action on their data under the rights afforded to them by the GDPR, we will coordinate a response to the request with the appropriate partners.

As is required under the new regulation, we have processes and procedures in place that will allow us to effectively access, rectify, or erase data as deemed appropriate.

Where can I learn more about GDPR?

The European Commission's website serves as a primary source of information about the GDPR.

Internal Processes

Information Security Policy

Liaison's Information Security Policy provides details on general security, personnel security, physical security, encryption, communications and operations, systems development and maintenance, business continuity/disaster recovery, and additional controls.

Information Systems Use Policy

Liaison's Information Systems Use Policy ensures appropriate protection of Liaison’s networks, computers, servers, and the information transmitted over both local and external networks by providing rules and instructions set forth in policies, standards, guidelines, and procedures. Liaison’s Ethics and Acceptable Use policy outlines the appropriate use of information systems at Liaison. These systems provide users with access to information system resources and communications networks, all within an environment of openness, trust, and integrity. Liaison is committed to protecting itself and its staff from unethical, illegal, or damaging actions performed by individuals using these systems. 

This policy and all supporting policies apply to all Liaison network users, including but not limited to: full-time employees, part-time employees, temporary employees, visitors, contractors, and consultants. This includes individuals affiliated with third parties who access Liaison’s computer networks. Any use of Liaison’s computer network resources is governed by this policy. 

Patch Management Policy and Procedure

Liaison's Patch Management Policy and Procedure provides the processes and guidelines necessary to:

  1. Maintain the integrity of network systems and data by applying the latest operating system and application security updates/patches in a timely manner
  2. Establish a baseline methodology and timeframe for patching and confirming patch management compliance

Desktops, laptops, servers, applications, and network devices represent access points to sensitive and confidential company data, as well as access to technology resources and services. Ensuring updates and patches are distributed and implemented in a timely manner is essential to maintain system stability and mitigate malware, exploitation, and security threats.

The processes addressed in this policy affect all company-managed systems, including desktops, laptops, servers, network devices, and applications that connect to the company network.

Service Level Standards

Uptime Metrics

Liaison employs its best efforts to meet or exceed the following service level standards:

  1. Availability:  Liaison shall maintain 99.5% System availability on a monthly basis, not including scheduled downtime, maintenance, and force majeure.
  2. Scheduled Maintenance:  Liaison will:
    • Notify the Institution of upcoming scheduled maintenance periods at least 24 hours in advance of the maintenance period
    • Generally perform scheduled maintenance outside of business hours (Monday-Friday, 9AM-6PM ET)
    • Generally limit scheduled maintenance to less than 12 hours per month
  3. Unscheduled Outages/Disruption of Availability:  Liaison shall promptly notify the Institution of any unscheduled outages or disruptions to availability. Notification will include identification of the severity of the outage, communication protocol (e.g., who will provide updates and how often), contact name for unscheduled communications/updates, and estimated time for resolution, if known. 

 
