When it comes to managing financial aid and institutional scholarships, you need a solution that checks all the boxes, providing you with the automation and capabilities needed to manage the most complex financial aid scenarios. But in addition to the right functionality, it’s important to understand how well (or not!) your solutions provider handles security and privacy of your systems and your data. As cybersecurity risks continue to grow, it’s imperative that you feel confident that your financial aid solutions provider is taking every step necessary to mitigate risk and protect your institution from vulnerabilities.
At Regent Education, we take our role in mitigating cybersecurity risks and protecting our customers’ systems and data very seriously. We are committed to delivering solutions that provide you with peace of mind, taking into account the confidentiality and integrity of your data, the availability of our solutions, and the specific privacy policies and compliance requirements of our customers. Our dedicated security team addresses potential issues quickly and provides 24/7 system monitoring and alerting to stay ahead of any potential issues that may arise.
SOC I and SOC II Compliance
Regent Education solutions are both SOC I, Type 2 and SOC II, Type 2 compliant. But what, exactly, does that mean? First and foremost, SOC I and SOC II address different aspects of security and privacy. SOC I compliance focuses on financial controls while SOC II compliance focuses on availability, security, processing integrity, confidentiality, and privacy. SOC II compliance is important for all SaaS providers because it focuses on security controls, a big concern for organizations and institutions looking to implement SaaS-based solutions. SOC I compliance focuses on transaction and security processing controls which are essential for revenue software.
Many organizations focus their compliance efforts on SOC I or SOC II, but few have earned both. Being compliant with both SOC I and SOC II ensures that our solutions cover all the bases when it comes to controls related to security and transactions.
Our holistic financial aid solutions are 100% cloud-based, and they have been since 2019. We adhere to defined service commitments and system requirements covering everything from policies and procedures for the acceptable use of assets, code of conduct, and confidentiality/NDA agreements to user access, data center utilization, and data protection. In addition, Regent’s policies and procedures provide guidance for establishing effective internal controls to facilitate both the availability of our solutions to support critical activities and the implementation of appropriate technologies and controls over our suite of solutions. We also maintain a Security Operations Plan, which is a group of policies and procedures that support our Information Security Policy and provide guidelines for appropriate conduct by Regent users.
Access and Communication
With Regent Education, it’s easy to stay in touch with our experts and get quick resolution to any issues that may arise. Our customer web portal makes it easy to access system information, including uptime statistics and ticket status. Here, customers can open new support tickets and report system issues, enabling our team to quickly and efficiently address concerns as they arise. Customers can also see any server disruptions and the status of their tickets so they always know where they are in the queue. The portal also gives customers access to a Knowledge Base filled with helpful tips and tricks as well as training on our solutions.
Keeping all data protected and secure is a top concern for Regent Education. We’ve defined clear policies that guide information owners when classifying, collecting, using, retaining, and disclosing information. And because all data in our systems is provided either by the Department of Education or directly from the client, we classify it as confidential or restricted given that it may include personally identifiable information (PII).
Regent has implemented a formal, ongoing risk assessment process to identify and manage risks that could affect our ability to provide secure, reliable services for our customers. Our cross-functional Security Committee is proactive, providing ongoing training and education for our internal team. They also identify significant risks in their respective areas of responsibility, monitoring the effects of changes such as acquisitions, reorganizations, new or renovated information systems, and new personnel, and developing and implementing initiatives to mitigate potential sources of risk.
The security team manages risks through their treatment process and reports them to the Security Committee on a quarterly basis, giving all levels of management a clear understanding.
Regent performs monitoring activities to assess the quality of the overall control environment over time and takes corrective actions to address deviations from our company policy and procedures. We use a risk-based approach to ensure that enterprise-wide risks are prioritized and addressed through the development of policies, procedures, and controls. In addition, we use anti-malware protection on all servers as well as the laptops of Regent employees to ensure our systems are properly protected.
Backup and Recovery
Regent has a formal policy in place for the backup and restoration of the critical production system, network, and configuration data. We’ve designed our backup strategy to minimize data loss in the event of a hardware or software failure. We back up systems, applications, and network files regularly, and have an established, documented schedule for all other required backups.
Regent’s Chief Product Officer is responsible for the oversight of network security as well as the day-to-day administration of the firewall, anti-malware, servers, and user administration. All network security events, including administrator activities, are logged and reviewed on an as-needed basis.
In addition, all medium- and high-rated suspicious and malicious incidents are subject to a security assessment by our Security Operations team. Once they receive an alert and classify it as an incident, they create an incident response ticket in the dedicated Regent Security Management incident response portal and begin an investigation.
We take suspicious and malicious incidents very seriously and aim to resolve them as quickly and efficiently as possible. We have a defined incident escalation process and notification mechanisms in place, and all crucial security violations are communicated to executive management once confirmed. From there, executive management notifies senior management, compliance personnel, and customers (if needed). We also prepare a root cause analysis for high-severity incidents so that we can update policies, procedures, and systems to reflect the incident and resolution to the problem. Our senior management compliance personnel review all of these resolution events as well.
Earlier this year, Regent Education received TX-RAMP provisional certification for its solutions. And while this certification only applies to institutions within the state of Texas, it demonstrates our ability and willingness to help our customers manage security and risk and to comply with a wide range of certifications and policies, beyond just the basics that many solutions meet. If your institution has questions about certifications or policies specific to your state or institution, please reach out. We’re happy to explore how we can help.