Liszt Information Security Policy
Effective Date: 2025-10-03
Last Updated: 2025-10-03
1. Purpose
The purpose of this policy is to define the information security practices for Liszt to ensure confidentiality, integrity, and availability of institutional and student data, with alignment to FERPA and industry best practices.
2. Scope
This policy applies to all systems, applications, and data associated with Liszt, including hosted infrastructure, managed databases, and integrations with institutional services.
3. Roles and Responsibilities
Developer/Administrator: Responsible for implementing, monitoring, and maintaining security controls.
Institutional Partners: May define additional requirements that Liszt will support.
4. Security Practices
Access Control
Administrative access is limited to the developer via SSH key authentication and least-privilege accounts.
No shared credentials are used.
System Hardening
Servers use secure baseline configurations with SELinux enforcing and host-level firewalls.
Only required services and ports are enabled.
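A policy statement like "SSH key authentication and least-privilege accounts" is only as good as the running sshd_config, so here is an added audit check (example code written for this page, not tooling from Liszt or the policy) that verifies the Access Control and System Hardening statements above against an sshd_config file. The sample config is constructed for the example; the expectation that PermitRootLogin and KbdInteractiveAuthentication are set to no is this example's reading of "least-privilege accounts", not wording from the policy. The parser follows the rule from sshd_config(5) that the first value obtained for a keyword wins and that everything after a Match line is conditional, which is where hand audits usually go wrong.

```python
import re

# Constructed sample sshd_config for this example (not a real server config).
SAMPLE_SSHD_CONFIG = """\
# Hardened baseline assumed by this example
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication no
AllowUsers deploy
# sshd ignores this later duplicate: the FIRST value for a keyword wins
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed weak config used to show what a finding looks like.
WEAK_SSHD_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin yes
"""

# Expected global values. PermitRootLogin/KbdInteractiveAuthentication = no
# are this example's interpretation of "least-privilege accounts" (assumption).
POLICY = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
}


def parse_sshd_global(text):
    """Return the effective global directives of an sshd_config as a dict.

    Per sshd_config(5): keywords are case-insensitive, the first obtained
    value for each keyword is used (later duplicates are ignored), and
    directives after a Match line apply only to that block, so global
    parsing stops there. Values may be separated by whitespace or '='.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)      # first value wins
    return effective


def match_blocks(text):
    """Return the Match lines present; each one can override a global setting."""
    return [
        ln.strip() for ln in text.splitlines()
        if ln.strip().lower().startswith("match")
    ]


def audit_sshd(text, policy=POLICY):
    """Return (keyword, expected, actual) findings; an empty list means compliant.

    A keyword that is not set explicitly is reported as '<default>' and
    counted as a finding, because the policy should not rely on OpenSSH
    defaults that may change between versions.
    """
    effective = parse_sshd_global(text)
    findings = []
    for key, want in policy.items():
        got = effective.get(key, "<default>")
        if got.lower() != want:
            findings.append((key, want, got))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("weak", WEAK_SSHD_CONFIG)):
        print(f"{name}: findings={audit_sshd(cfg)}")
        for m in match_blocks(cfg):
            print(f"  caveat: '{m}' may override global settings for matched users")
```

Run it against `/etc/ssh/sshd_config` (and any files pulled in by Include) on each server; a non-empty findings list means the host does not match the policy's access-control statement. The Match caveat is worth keeping in any real audit: a global `PasswordAuthentication no` is not a guarantee if a Match block re-enables passwords for some user or address, so inspect each reported Match block by hand.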
Encryption
TLS is enforced for all data in transit.
Databases use provider-managed encryption for data at rest.
Patch Management
Security patches and OS updates are applied promptly through the distribution package manager.
Vulnerabilities affecting the OS and application dependencies are tracked through vendor and upstream security advisories.
Backups and Recovery
Databases are backed up daily using managed provider backups.
Application servers can be redeployed quickly in case of failure.
Data Privacy
Liszt collects only minimal information (name, institutional email, student ID number, scheduling data).
Highly sensitive data (Social Security numbers, financial data, health information) is never collected.
All practices align with FERPA requirements.
Monitoring and Logging
System and application logs are retained for monitoring and troubleshooting.
Alerts and provider monitoring tools are used to detect anomalies.
5. Review Cycle
This policy will be reviewed annually and updated as needed to reflect evolving security requirements and institutional needs.