Security & Compliance
At Stratus, we take information security very seriously. The certifications and standards we follow are dictated by several factors:
- Federal Requirements
- State Requirements
- Customer Requirements
- Strategic Partner Requirements
Believing that we should meet the highest level of compliance standards, Stratus complies with and/or has certified to the following:
1. The Payment Card Industry Data Security Standard (PCI DSS)
Stratus is currently a PCI DSS v3.2 Level 1 Service Provider. Our primary business is payment processing, which requires us to conform with PCI DSS.
2. ISO/IEC 27001:2013 Information Security Management
ISO/IEC 27001:2013 is the international standard for information security management. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data is protected, and achieve preferred supplier status, which helps win new business.
3. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was created to protect the privacy of an individual’s identifiable health information. It is enforced by the Office for Civil Rights. Some of the components of HIPAA include the national standards for the security of electronic protected records and breach notification rules.
As with PCI, HIPAA is in scope for us because we serve the healthcare industry and work with third parties that require us to conform to HIPAA standards.
4. Federal Information Security Management Act of 2002 (FISMA, NIST SP800-53 Rev 4)
FISMA is a set of standards to protect information within federal agencies as well as contractors that work on behalf of the federal government. This is an important requirement for us because numerous companies we serve do work on behalf of the US government regarding student loans.
5. Financial Services Modernization Act of 1996 (GLBA Safeguards Rule – Gramm-Leach-Bliley Act)
GLBA covers a wide variety of companies within the financial industry, but it usually deals with safeguarding a customer's nonpublic personal information. Specifically, it requires financial institutions to explain their information sharing practices and how they safeguard consumers' sensitive personal information.