Anthology has a robust product security program that is aligned to NIST standards, is certified to the ISO 27001 standard for information security management systems, and maintains a data privacy information management system certified to ISO 27701. As a cloud service provider entrusted with the security of our clients’ data, we have incorporated the ISO 27017 and ISO 27018 controls into our compliance framework.
Anthology's security program implements a global approach to our operations through a secure controls framework, utilizing a comprehensive set of high standards that align with the evolving landscape of global and regional security standards. Several of Anthology’s products complete annual SOC 2 Type 2 examinations and/or hold additional regional certifications and authorizations. We actively maintain responses to the Higher Education Community Vendor Assessment Toolkit (HECVAT) for our clients, enabling transparency and trust in our data privacy practices. We are committed to continuous improvement and frequently engage in independent, third-party assessments of our practices to raise the bar on our compliance program and on the security features and robustness of Anthology products.
Built with security in mind
Anthology is committed to providing our clients with secure applications. Anthology develops our products according to a set of security engineering guidelines derived from many organizations such as the Open Web Application Security Project (OWASP), including specific countermeasures for OWASP Top Ten vulnerabilities. Anthology incorporates these security practices in all phases of the software development lifecycle (SDLC).
Anthology follows best practice guidance from many organizations to help strengthen the security of our products and programs, including:
- National Institute of Standards and Technology (NIST)
- SANS Institute
- Open Web Application Security Project (OWASP)
- Center for Internet Security (CIS)
Secure coding and the OWASP top 10 vulnerabilities
Anthology products are developed according to a set of development guidelines that are derived from OWASP, including specific countermeasures for OWASP Top Ten vulnerabilities.
Anthology performs internal security testing at the code-level (static analysis) and application-level (dynamic analysis) for selected products in support of our compliance objectives. Furthermore, in line with best practices, Anthology obtains security penetration testing from third-party security vendors.
Vulnerability Management Commitment and Disclosure Policy
Anthology's vulnerability management program is governed by this public-facing Vulnerability Management Commitment and Disclosure Policy. No software is perfect - in the event a security vulnerability is identified in a released product, Anthology's Security Team is ready to respond.
Anthology is committed to resolving security vulnerabilities carefully in accordance with the risk of the vulnerability. Such resolutions may lead to the release of a Security Advisory and/or any needed product update for our clients. In order to protect our clients and their data, we request that vulnerabilities be responsibly and confidentially reported to us so that we may investigate and respond.
Anthology’s products are complex. They run on diverse hardware and software configurations and are connected to many third-party applications. All software modifications—big or small—require thorough analysis, as well as development and implementation across multiple product lines and versions. The software must also undergo localization, accessibility, and testing appropriate to its scope, complexity, and severity. Given the critical importance of our products to our clients, Anthology must ensure that they run correctly not only in our testing facilities, but also in customer environments. Accordingly, Anthology cannot commit to product updates on specific timelines, but we are committed to working expeditiously.
Malicious parties often exploit software vulnerabilities by reverse engineering published security advisories and product updates. It is important for clients to update software promptly and use our severity rating system as a guide to appropriately schedule upgrades.
Testing for security vulnerabilities
If customers determine that additional vulnerability testing is required, they should conduct all such testing against their non-production instances of our products to minimize the risk to data and services. Testing against instances that could impact other customers, and disruptive testing such as denial-of-service attacks, social engineering attacks against Anthology staff, and physical attacks on Anthology offices, are not permitted.
Use best efforts to avoid (a) accessing, retaining, or otherwise processing personal information, (b) impacting end users' experience or the stability and reliability of production systems, and (c) destroying or manipulating any data in the systems.
Do not use exploits unless (and only to the extent) necessary to confirm the vulnerability. Exploits must not be used to exfiltrate data, establish persistent command-line access, or gain lateral access to other systems.
How to report a vulnerability
Anthology appreciates and values the contributions of our customers and of security researchers in improving the security of our products and service offerings. We encourage the responsible disclosure of any vulnerabilities that may be found in our solutions via our Vulnerability Disclosure Program.
Anthology security commitment
To all vulnerability reporters/researchers who follow this Policy and provide contact information, Anthology will do the following:
- Acknowledge receipt of your report;
- Investigate in a timely manner, confirming where possible the potential vulnerability;
- Provide a plan and timeframe for addressing the vulnerability if appropriate; and
- Notify the vulnerability reporter when the vulnerability has been resolved.