1. Purpose
This Information Security Policy establishes guidelines to protect the confidentiality, integrity, and availability of information within the organization. We are committed to safeguarding our data assets while complying with all applicable legal, regulatory, and contractual requirements. This policy aims to ensure the protection of customer data, mitigate risks, and maintain business continuity.
2. Scope
This policy applies to all employees, contractors, and third-party service providers who access the organization’s information systems, including hardware, software, networks, and communication channels.
3. Commitment to Data Security
Our organization is deeply committed to ensuring the security and privacy of data across all platforms. This includes meeting relevant compliance standards such as GDPR, SOC 2, and other regulatory frameworks, as well as pursuing ISO 27001 certification to further strengthen our information security management system (ISMS).
We acknowledge our responsibilities as a data processor and remain dedicated to continually improving our security practices to protect customer data and enhance trust.
4. Information Classification and Handling
- Classification: Information is classified based on sensitivity (e.g., Public, Internal Use, Confidential, Restricted).
- Handling: All employees and contractors must handle data according to its classification. Confidential and restricted data must be encrypted and accessible only to authorized personnel.
5. Access Control
- Authentication: All users must authenticate with unique credentials. Access will be granted based on the principle of least privilege, ensuring users only have access to the information necessary for their roles.
- Two-Factor Authentication: For administrative operations, two-factor authentication is mandatory to secure access.
- Access Rights Review: User access rights will be periodically reviewed to ensure appropriateness.
6. Data Protection and Encryption
- Encryption: All sensitive data, including personally identifiable information (PII) and financial data, is encrypted both at rest and in transit using AES-256 encryption or other industry-standard encryption protocols.
- Backup and Redundancy: Automated backups are taken daily and securely encrypted. Backups are retained for up to 7 days to ensure data recovery in the event of a disaster.
7. Network and Host Security
- Cloud Hosting Security: Our platform is hosted on Amazon AWS, leveraging secure data centers with military-grade perimeter protection, professional security staff, video surveillance, and state-of-the-art intrusion detection systems.
- Network Security: We utilize Distributed Denial of Service (DDoS) protection and Man-in-the-Middle (MITM) attack prevention mechanisms to safeguard against unauthorized network intrusions.
- Host Security: Secure SSH keys and restricted IP access are required for server access. Critical operations are logged to a centralized server for review.
8. Application Security
- Secure Access: All application servers utilize HTTPS with industry-standard encryption to secure user connections.
- Vulnerability Protection: We employ safeguards against common vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
- Application Hardening: Regular vulnerability assessments are conducted to ensure that our applications remain secure against evolving threats.
9. Monitoring and Incident Response
- Continuous Monitoring: We utilize both internal and external monitoring tools to track system performance and detect anomalies that could indicate security breaches. Alerts are immediately sent to the security team for rapid response.
- Incident Reporting: Any suspected security incidents should be immediately reported to the security team. An incident response plan is in place to investigate, contain, and remediate security incidents promptly.
10. Physical Security
- Access Control: Physical access to critical systems and data storage areas is restricted to authorized personnel only. All facilities are protected by security measures, including perimeter security, access controls, and video surveillance.
11. Compliance and Legal Requirements
We comply with all relevant legal, regulatory, and contractual obligations related to data protection and privacy, including:
- General Data Protection Regulation (GDPR)
- SOC 2
- ISO 27001 (in progress)
- EU-U.S. Privacy Shield for data transfers from the EU to the U.S.
12. Third-Party Risk Management
- Vendor Access: Any third-party vendor with access to sensitive data must comply with this policy and undergo a security assessment before access is granted.
- Contracts and Security Clauses: All third-party contracts include clauses outlining security requirements, including breach notification procedures and access control measures.
13. Security Awareness and Training
- Employee Training: All employees must receive regular security training to recognize and mitigate potential threats, such as phishing attacks and social engineering.
- Security Culture: We foster a security-conscious culture, ensuring that data security is embedded in all aspects of our operations and team processes.
14. Disclosure and Vulnerability Reporting
If you identify any potential vulnerabilities or security concerns, please report them immediately to [email protected]. We take all reports seriously and will investigate the issues promptly.
15. Policy Review and Updates
This Information Security Policy will be reviewed annually and updated as necessary to address emerging security threats, changes in technology, or shifts in regulatory requirements. All updates will be communicated to relevant parties.
16. Enforcement
Violations of this policy may result in disciplinary actions, including termination, legal action, or other penalties, depending on the severity of the infraction.
17. Approval and Acknowledgment
By signing below, employees acknowledge that they have read, understood, and agree to comply with the terms of this Information Security Policy.
Signature: ____________________________
Name: ______________________________
Date: _______________________________