Last updated: 1 June 2020

This Statement of Security Practices describes the data protection policies and processes that CITI Program follows for the provision of its products and services. See also CITI Program’s Terms of Service, Privacy and Cookie Policy, Copyright Policy, and Accessibility Policy, which together constitute our agreements with and commitments to organizational and individual customers.

CITI Program values the trust that its customers place in us. We take seriously our responsibility to protect customers’ information; and we strive for transparency around our information security practices. This document describes those efforts.

Overall Approach

We implement a spectrum of physical, technical, and administrative security safeguards for data we collect, use, and disclose about individual customers and the organizations with which they may be affiliated. We regularly assess our security practices, and continuously monitor the infrastructure that delivers our products and services for threats, vulnerabilities, and possible attacks.

Physical Security

CITI Program’s servers and supporting technical infrastructure are hosted in the highest level of secured data centers (Tier-4 rated). These hosting facilities provide full 24/7 physical security with respect to personnel access and protection of equipment capacity, including connectivity, electrical, and environmental-control infrastructure redundancies. All our core infrastructure and data storage are in the United States.

CITI Program personnel work (and house their personal workstation/computing devices) in environments that generally provide appropriate physical and technical security. Such security is continually reviewed.

Technical Security

Access Control

Access to CITI Program’s core infrastructure is only permitted through secure connectivity (e.g., VPN) and, where deemed appropriate, requires multi-factor authentication. Our password policy for such systems includes risk-mediated requirements for length, complexity, expiration, reuse, and lockout/timeout. Less stringent controls are required for all customer (learner and subscriber organization administrator) accounts. Institutions using Single Sign On determine their own password requirements.

CITI Program grants access to its core infrastructure and data on a need-to-know/need-to-use basis using least-privilege rules, reviews infrastructure and data access permissions continually, and revokes access immediately after employee or contractor termination. All contractors with access to CITI Program data are required to execute agreements that ensure compliance with CITI Program’s security program and applicable laws.

Encryption

CITI Program’s systems encrypt data in transit using secure cryptographic protocols. Where appropriate given the sensitivity, some data is also encrypted at rest. Additional application-level encryption is also applied for storage or transfer when appropriate to the sensitivity of the data at issue.

Logging and Monitoring

CITI Program’s systems record transaction information to log repositories for troubleshooting, security reviews, and ongoing analysis. Logs are preserved in accordance with industry standards and, where applicable, legal-regulatory requirements.

On request, we will provide customers with reasonable assistance and access to log copies or summaries in the event of a security incident affecting their account or the accounts of affiliated individuals whom they sponsor. Note that for some enquiries related to purely internal institutional matters (e.g., suspected learner cheating) there may be a fee for research and provision of logs.

Administrative Security

General Compliance

CITI Program’s infrastructure, and the policies and standard operating procedures governing its use, are designed for compliance with generally accepted industry standards and applicable legal-regulatory requirements.

Security Policies and Procedures

CITI Program maintains, regularly reviews, and as necessary updates its information security policies and associated standard operating procedures. CITI Program’s information security policies and procedures are based on, among other sources, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Human Resources Management

CITI Program conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws). We require employees, contractors, and other affiliates of third-party partners to sign non-disclosure agreements appropriate to their level of access. Persons with access to sensitive CITI Program data must acknowledge information security policies and procedures, and complete periodic (re)training on these as appropriate to their job-specific responsibilities.

Asset Management

CITI Program’s asset management includes identification, classification, retention, and, as necessary, secure disposal of information and information-holding assets. Company-issued devices are equipped with appropriate encryption and antivirus software, among other protections.

Code Development and Change Management

CITI Program’s systems and programming teams employ secure coding techniques and best practices, including a focus on priority vulnerabilities and countermeasures such as the OWASP Top Ten.

Development/testing and production environments are separated. Code changes are peer- and end-user tested and logged for quality, performance, audit, and forensic purposes prior to deployment into production.

Risk and Vulnerability Management

CITI Program risk and vulnerability management efforts include, but are not limited to, classification of data by type and infrastructure for storage and transfer, to assure appropriate security protections; identification and remediation of identified security vulnerabilities on servers, clients (workstations), network equipment, and applications; and periodic review of all practices. All environments, including development, test, and production instances, are periodically assessed for vulnerabilities by our own personnel, and where appropriate by trusted third parties. Critical patches are applied to servers and workstations on a priority basis and as appropriate for all other (non-critical) types of patches.

Incident Management

CITI Program’s security policies and procedures include incident management, which cover initial response, investigation, customer notification (see next), public communication, and remediation.

Breach Notification

Despite best efforts no method of transmission over the Internet and no method of electronic storage can be perfectly secure. We cannot guarantee absolute security. However, if CITI Program learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are designed to be consistent with our obligations under applicable country, (U.S.) state, and federal laws and regulations, as well as industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their accounts and to providing customers all information necessary for them to meet their own organizational and legal-regulatory reporting obligations.

Business Continuity

CITI Program’s server and other infrastructure design includes hosting environments at dispersed datacenter locations, in order to ensure business continuity. Transitions between these environments are tested.

CITI Program’s databases are continuously copied to backups, which are stored at different U.S. locations. Backup data are encrypted as appropriate to the sensitivity and the medium, and stored in secure environments to assure their confidentiality and integrity; and they are tested periodically to ensure availability of the data they contain.

Customers’ Security Responsibilities

Keeping data secure also requires that subscribing organizations and individual learners follow appropriate information security practices as well. These steps can include, but are not limited to: using sufficiently complex passwords for accounts and storing them safely, changing them as appropriate; not sharing account credentials with other persons; and reporting to us immediately if there is a reasonable basis to believe any account or its associated information has been compromised.

Each organization and learner must also ensure that there are sufficiently robust security protections on their own systems, such as by keeping server and personal computer / workstation software current (operating system and web browser updates, for example); installing anti-virus and other protective software; and keeping devices physically secure. Organizations with which learners are affiliated typically have information security resources to assist or provide advice about these measures, and those should be leveraged when appropriate.

Contact Us

We welcome your comments or questions. You may contact us at:

Privacy Concerns: privacy@citiprogram.org
Security Concerns: security@citiprogram.org
Telephone: 888.529.5929 (U.S.) or +1.305.907.3351 (outside U.S.)

Postal Address:
CITI Program, a division of BRANY
101 NE 3rd Avenue, Suite 320
Fort Lauderdale, FL 33301


Other Legal