Data Security Policy

Data Security Policy

Alignment with Common Cybersecurity Frameworks

The Art of Education University (“AOEU”) is guided by the NIST Cybersecurity Framework v1.1 (“NIST CSF”) and the Center for Internet Security Controls v8 (“CIS Top 20”).

In terms of NIST’s implementation tiers, AOEU is currently best described as:

  • Risk Management Process: Tier 2, Risk Informed
  • Integrated Risk Management Program: Tier 3, Repeatable
  • External Participation: Tier 3, Repeatable

System Security

All enterprise and end-user systems are secured in accordance with the guidance from the NIST CSF and the CIS Top 20. Our enterprise systems are 100% compliant with these guidelines; our end-user (staff) systems are compliant with 85% (CIS) and 71% (NIST) of the controls in each of those frameworks. Our compliance with both frameworks is improving rapidly as we implement a formal and comprehensive information security program, phase one of which will achieve full compliance of these two frameworks by the end of the 2022 calendar year.

Mobile Device Management

All mobile devices are centrally managed, continuously configured by policy, fully encrypted, and can be erased remotely if lost or stolen.

Encryption

All end-user workstations are encrypted. All enterprise systems encrypt data at rest and in transit using 256-bit encryption.

Vulnerability Scans

Network, enterprise systems, and end-user devices are regularly monitored for vulnerabilities.

Access Control Management and Monitoring

All access is controlled by strong passphrases in accordance with NIST guidelines (NIST Special Publication 800-63B). Access to resources is based on role and aligns with the principle of least privilege. Accounts are deprovisioned when no longer in use.

Software Inventory, License Management and Patch Management

All end-user software is inventoried. Operating systems and applications are kept up-to-date via centralized management software.

Personally Identifiable Information (PII)

Our FLEX and PRO products collect the following PII from teachers or administrators using the system. No student data is collected in either system.

  • First and Last Name
  • Date of Birth
  • Email Address
  • Password (created for use on AOEU systems)
  • Address including street address, city, state, and country

AOEU utilizes a subcontractor to perform database administration, report creation, and data security. All AOEU employees and subcontractors with access to PII undergo annual FERPA training and certification. Subcontractors are bound by FERPA and by contract to protect all customer data and handle it securely.

In the case of a breach or suspected breach that would impact customer data, AOEU will proactively contact all potentially affected parties.

At the end of the contract, all PII and account data will be deleted by AOEU.

Location of Enterprise Data

All enterprise data resides in the cloud, hosted by best-in-class Software-as-a-Service providers and hosting providers, stored in the United States, and is compliant with FERPA requirements.

Backup, Recovery and Disaster Recovery (DR)

Enterprise systems and end-user systems are automatically backed up on regular schedules. Restoration is tested regularly. Both live data and backup copies are fully encrypted at rest and in transit.

FERPA Compliance

While FLEX and PRO do not store any student data, all AOEU employees and contractors who have access to any user data undergo annual FERPA certification.

Date of most recent review: September 19, 2022