Cumulo Learning™ Details: Security Structure
- Access is granted via a user name and a password. On July 1 this will be shored up further by eliminating the option of having
login credentials emailed on request. From that point, logins will need to be reset after passing a CAPTCHA screen and
answering a security question that the end user created upon their first login. In addition, all H51 Software site access for all of
our products will be managed from a central database, separate from the product database itself.
- The next line of defense against unauthorized access to school, family, and student data is a filter that requires a session
variable to authenticate. Session variables are created upon login and reside only on the server. If the session variables are not
found, the access attempt is redirected back to the login page.
- Work is ongoing to stay ahead of the malicious attacks known as SQL injection, in which attempts are made to gain
access to the database itself. It should be noted that absolutely no user or school financial data is kept on our servers.
- We are also in the process of encrypting all dynamic URLs that appear in web browsers to further thwart attempts to glean data from
- Our application runs on a dedicated, isolated platform on Windows Server 2008 R2 / IIS 7.5 and is kept up to date on all security
patches. We do not send raw error messages to the end user; instead we serve a custom error page. Details of the error are sent to our
engineers so that work on a fix can begin.
- All user-supplied data is validated on the server side to avoid malicious data submissions.
- Most data changes are logged by recording a timestamp and the UID of the person making the change.
- Cumulo Learning adheres to the letter and intent of FERPA, which states in part:
Schools may disclose, without consent, "directory" …. However, schools must tell parents and eligible
students about directory information and allow parents and eligible students a reasonable amount of time to request that the school
not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under
FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left
to the discretion of each school.
None of this information is disclosed via unsecured web access, and some of it is disclosed to logged-on users. Notification of the
involved parties is left to the schools.
- Users have one login that grants access to any schools that they are enrolled in, that they work in, or that they have students
enrolled in. If a user has accounts in multiple schools, a screen will come up asking them to select the school that they wish to
- User accounts time out after 20 minutes of inactivity and after 2 hours regardless of activity.
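The page does not name the language its application is written in, so the following is a generic Python illustration, added here and not Cumulo Learning's own code, of the two points above about SQL injection and server-side validation: a string-concatenated lookup beside its parameterized form, with a server-side validator applied before the query. The in-memory SQLite table, its column names and the sample rows are constructed assumptions.

```python
"""Parameterized queries plus server-side validation against SQL injection.

Added illustration, not Cumulo Learning's code. The `students` table, its
columns and the rows below are constructed sample data.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (uid TEXT PRIMARY KEY, name TEXT, school TEXT)")
    con.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [("s100", "Ada", "Hillcrest"), ("s101", "Grace", "Hillcrest"), ("s102", "Linus", "Riverside")],
    )
    return con


def lookup_unsafe(con: sqlite3.Connection, uid: str) -> list:
    """Vulnerable form: the user-supplied value is spliced into the SQL text,
    so the database parses it as part of the statement."""
    sql = f"SELECT uid, name FROM students WHERE uid = '{uid}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, uid: str) -> list:
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data, never parsed as SQL."""
    return con.execute("SELECT uid, name FROM students WHERE uid = ?", (uid,)).fetchall()


# Assumed UID shape for the validator: short alphanumeric identifier.
UID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_uid(value) -> str:
    """Server-side check: reject anything that does not look like a UID,
    regardless of what the browser-side form allowed."""
    if not isinstance(value, str) or UID_PATTERN.fullmatch(value) is None:
        raise ValueError("invalid uid")
    return value


def student_by_uid(con: sqlite3.Connection, raw) -> list:
    """Validate first, then query with a bound parameter (defense in depth)."""
    return lookup_safe(con, validate_uid(raw))


if __name__ == "__main__":
    db = make_db()
    print(student_by_uid(db, "s100"))
```

Validation and parameterization are independent layers: the parameterized query alone already neutralizes the classic quote-based payload, and the validator additionally rejects it before any SQL is built, which is the behaviour a server-side check should have even when the query layer is correct.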
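As an added example, not Cumulo Learning's code, the following Python models the session-variable filter described earlier together with the timeouts in the last item: a server-side session store, a 20-minute idle limit and a 2-hour absolute limit, with a missing or expired session sending the request back to the login page. The store layout, the clock helper and the fixed start time are assumptions for illustration.

```python
"""Server-side session filter with idle and absolute timeouts.

Added illustration, not Cumulo Learning's code. The 20-minute idle and
2-hour absolute limits are the values the page states; the session store,
the request shape and the constructed start time T0 are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

IDLE_LIMIT = timedelta(minutes=20)    # 20 minutes of inactivity
ABSOLUTE_LIMIT = timedelta(hours=2)   # 2 hours regardless of activity

# Constructed reference time for the example; real code uses the current time.
T0 = datetime(2024, 1, 1, 8, 0, 0)


def t(minutes: int) -> datetime:
    """Helper: a point in time `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Session:
    user_id: str
    created_at: datetime   # fixed at login; drives the absolute limit
    last_seen: datetime    # updated on each valid request; drives the idle limit


# Session variables live only on the server; the client holds just an opaque id.
SESSIONS: Dict[str, Session] = {}


def login(session_id: str, user_id: str, now: datetime) -> None:
    """Create the server-side session variables at login time."""
    SESSIONS[session_id] = Session(user_id, created_at=now, last_seen=now)


def authenticate(session_id: Optional[str], now: datetime) -> Optional[str]:
    """Return the user id for a valid session, or None when the request
    must be driven back to the login page. Expired sessions are deleted so
    that a later request cannot revive them."""
    if session_id is None:
        return None
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    if now - sess.last_seen > IDLE_LIMIT or now - sess.created_at > ABSOLUTE_LIMIT:
        del SESSIONS[session_id]
        return None
    sess.last_seen = now   # activity resets the idle clock, never the absolute one
    return sess.user_id


def handle_request(session_id: Optional[str], now: datetime) -> str:
    """The filter in front of every protected page."""
    user = authenticate(session_id, now)
    if user is None:
        return "302 redirect to /login"
    return f"200 protected page for {user}"


if __name__ == "__main__":
    login("sid-demo", "user42", t(0))
    print(handle_request("sid-demo", t(5)))
    print(handle_request("sid-demo", t(200)))
```

The absolute limit is checked against the login time, not the last request, so a user who stays continuously active is still logged out at the two-hour mark; checking only the idle clock would let a session live indefinitely.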