This article contains information about the SIRAS program with regard to technical systems architecture, security and privacy standards.
Product Information and Software Architecture
SIRAS is a Software as a Service providing educators across California with a comprehensive suite of tools for developing IEPs, 504s, and SST Plans.
J2EE Java Enterprise Edition 11
JavaServer Faces / PrimeFaces UI component library
Red Hat JBoss Application Server
Platform agnostic
Deployed to Microsoft SQL Server
Ubuntu Linux
Hosting Infrastructure
100% Microsoft Azure cloud hosted on virtual machines and blob storage
List of environments:
- Dev/test
- Demo
- 3 server groups: VCOE, Kern, Main, each with:
  - SQL Database server
  - Training webserver
  - Production webservers
  - load balancer
  - blob storage for uploaded attachments
- Central SFTP for data transfer
SOC-2 and HIPAA Compliance
SIRAS passed, with no issues, an independent audit for security vulnerabilities undertaken by Ventura County Office of Education.
SIRAS recently demonstrated HIPAA compliance for California State Special Schools.
Program Data Privacy and Confidentiality:
- Student data is only accessible to authenticated user accounts, within strictly assigned scope at the individual, school or district level.
- Individual forms are accessible to be shared externally via encoded secure links.
Data Security
- SSL encryption required
- All points of logical access to system resources are strictly controlled and behind VPN.
- 100% of server resources are on Azure secured behind 2FA
- SQL database backups are stored in private Azure Cloud storage
- The data at rest is encrypted via BitLocker.
Availability:
- Full database backups taken hourly to geo-replicated storage
- Redundant web servers via load balancer
Processing Integrity:
- Automated processes monitored via logs
- Webserver processes monitored via logs
- User updates logged via database
SDLC - Development Lifecycle/Process
Testing is done in development and training environments.
Single dedicated developer with 15 years at SIRAS Systems.
Test-driven development model
The Maven build tool for Java provides secure, checksum-verified access to linked libraries.
Agile methodology: iterative design with frequent deployment
Web-based ticketing system for bug and feature tracking
Subversion source control
Data Modification Auditing within application
Access logs for changes made to student and user data are recorded with User, Date, Field ID, From and To values.
Updates made to forms are recorded with user and date.
Created On, Last Modified, Last Modified By and Last Validated are recorded for most database entities.
Last Login, Login Attempts, IP Address, User Agent are recorded for User logins.
Secure link access is similarly recorded.
Data Security and Redundancy
All data encrypted at rest within Azure behind secure VPN.
Database backups taken hourly and stored on geo-replicated blob with a simple restore plan.
Uploaded files are also geo-replicated on blob storage.
User-enabling Feature Design
Customizable search query builder
Custom statistical reports, lists, and more
Save custom query or field set
User preferences for UI
Accessibility standards are built into the PrimeFaces UI
Roadmap
The SIRAS tech stack scales massively and easily: it only requires adding more resources to SQL and additional webservers.
The Java ecosystem has proven extremely useful, with a huge number of open source libraries available to tap into whenever necessary.
SIRAS has no plans or need to change its technical architecture for the foreseeable future, other than minor updates of the existing libraries.