Recently I was asked by a large university to send them a copy of our HECVAT.
"What the heck is a HECVAT?" I thought.
Little did I know at the time that the HECVAT would be the next step on our journey to making Mazévo safer and more secure for our customers.
It turns out that HECVAT stands for Higher Education Community Vendor Assessment Tool. It was created by an organization called REN-ISAC in association with Internet2 and Educause. In their words, the HECVAT "attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use."
While the assessment was created for higher education institutions, the questions and the underlying security principles they point to are applicable to any organization.
It contains all the questions about security and privacy that we have been fielding from customers and prospective customers on an ad hoc basis since we began.
When we started Mazévo, not only did we want to create a room scheduling system that is innovative, but we also wanted to create something of the highest quality that delights customers. While privacy and security are not often the most exciting topics (for most people anyway), you can't have a reliable, high-quality product unless security is prioritized from the beginning.
When building a cloud-based software application such as Mazévo, system security and availability can't be underestimated, especially if you want to do it right. Some of the top challenges with security are:
- It's mostly invisible. Security is not some shiny new feature that you can point to and see what it is doing. It is something that is happening behind the scenes that most users are minimally aware of.
- It is always changing. Just when you think you have everything figured out, a new threat is identified that must be accounted for. Nothing stays the same for long, which leads to the last point.
- It's a journey rather than a destination. This means you can never sit back and say "We did it. We don't have to think about security any more." You always have to work to keep up with the changing tech landscape and stay one step ahead of evolving threats.
The HECVAT highlights the major areas of security that are of concern to software providers like Mazévo that use the cloud to deliver their services. These areas include the obvious and the not so obvious. I want to share with you what those areas are and what we are doing to address each one. While this is not a comprehensive list, it should give you a better idea of how we protect your information.
Cloud Service Provider Security - We use Microsoft Azure as our cloud provider at Mazévo. Azure is the backbone of our system, since this is where the system runs and where the data is housed. We choose a top-tier cloud vendor for the best possible dependability and security available. As with other top cloud providers, Azure performs yearly audits and produces reports (i.e. a SOC 2 report) that verify it is following standards and practices that ensure services remain secure and available.
Just having a top cloud provider is not enough though. What we do on our end is also important for keeping Mazévo secure and available.
Application Security - Mazévo allows you to control how others in your organization access your scheduling information. This is done through your Mazévo user account security levels. For more information, see our Guide to User Security in Mazévo. These accounts are locked with secure, encrypted passwords. Mazévo can also leverage Single Sign-On (SSO) if your organization uses it. SSO enables your users to log in quickly, conveniently, and securely using a single password that works across multiple systems at your organization.
Confidential Information in Mazévo - Mazévo is not designed to store sensitive data such as credit card or personal financial account information, driver's license or social security numbers, or employment, financial or health information.
Employee Access to Customer Data - From time to time we may need to access a customer's data in order to help them configure their system or to solve a problem. Only authorized Mazévo employees are allowed to access customer data in this capacity.
Separating Customer Data - Mazévo is built using a multi-tenant architecture. This means that one instance of the software is shared among multiple customers. Mazévo is designed to prevent one customer from ever accidentally or maliciously accessing another customer's data.
Tracking & Logging What Users are Doing in Mazévo - Logging is one way to ensure that, if something goes wrong, you have a record of what happened and can pinpoint the problem. It is also useful for keeping a record of any changes that users make to scheduling information in the system. Mazévo keeps a detailed history of every change ever made to an event or data element in the system.
Plans for Business Continuity and Disaster Recovery - To minimize the risk posed by emergencies such as natural disasters and power outages, all of Mazévo's critical systems are hosted with cloud providers in multiple regions of the US. This will allow them to recover quickly if disaster strikes. While this helps, it is still important to be prepared if an emergency strikes. A business continuity plan and disaster recovery plan provide the steps needed to overcome a disruption in the event of an emergency.
Secure Data Backups - All data in Mazévo is backed up regularly and can be restored quickly as necessary.
Firewalls and Intrusion Monitoring - Mazévo uses sophisticated monitoring and protections to prevent unauthorized access to all systems. This includes a high-grade web application firewall and tightly controlled network-level firewalling.
At Mazévo our primary security focus is to safeguard our customers' and users' data. We also value being as transparent as possible in how we protect your data which is why we created this security overview. As we continue to grow we will continue to invest in security resources to protect our customers' data. Please reach out if you have questions about any security topics related to Mazévo products and services.