Cyber Magazine September 2022 | Page 123

2U
of traditional security focuses more on networking devices and networking nuances. Layer seven, or application security, is a totally different animal, because you're dealing with elements at a data level – not at a network level. So to me, application security is the cornerstone of my entire programme here. We've put a lot of work into it, but it really encompasses movements on both sides of the equation.”

This means that Andreu and his team have to address security at the core. “In other words, we need to make sure that our software engineers are coding with certain models in their minds, which are protective mechanisms at a code level,” says Andreu. “And then we have the other side, which is where we add elements like web application firewalls and content inspection at the actual delivery points – right on ingress and egress.

“And so to me, I see application security as an entire ecosystem within itself. Data security is really paramount to us because our objective is always to provide the safest possible environment for our learners – and our users and our instructors trust us with their data – so protecting data at rest is one extremely critical dynamic.” So there is data at rest, and then there is data in transit, and these all fall within Andreu's remit as CISO.

“Now, there are some obvious challenges with the space given that we can't control what a student has on their machine,” says Andreu, “and I can't control how they operate from their personal machine. So, given these challenging environments, there are multiple protective elements we have put in place in order to maintain the safest possible learning environment for our customers.”

Risk and Compliance

Since Andreu joined 2U, they've built an enterprise risk management committee, the responsibility of which is to understand the identified areas of risk that 2U brings to the table. The committee then makes decisions in terms of priorities in addressing those risks, implementing mitigating controls within certain areas and calculating how much budget they're going to put into those decisions.

“That committee is really at the heart of our risk management,” he says. “As a company, from a compliance perspective, we are mandated by a number of partnerships to have several assessments and compliance requirements. So, for instance, we are required to have SOC 2 (Type 2) within certain business units, we pursue the UK Cyber Essentials certification, we also are required to have PCI compliance, all the way to externally validated compliance and so on. From a compliance perspective then, we're pretty broad in terms of the requirements that we have to meet.”