(Drafted March 2026. Pending Governing Board Approval)
Policies & Standards
All information security and cybersecurity policies and standards supporting the Information Security & Cybersecurity Program Policy. “Touches” refers to the CIS Critical Security Controls (v8), Implementation Group 1, unless noted otherwise.
- Information Security & Cybersecurity Program Policy
  High‑level governance, frameworks (CIS v8 IG1, NIST CSF), roles, review cycle.
  Touches: Controls 1–3, 4, 5, 7, 11, 14, 15, 17.
- Asset & Configuration Management Standard
  Inventory of cloud systems and credentials used to access them; baseline configuration of those systems. No tracking of individual devices or hardware.
  Touches: Control 1 (hardware assets), Control 2 (software assets), Control 4 (secure configuration).
- Identity, Account, and Access Management Policy
  Account lifecycle, roles, least‑privilege, MFA for admins, periodic access reviews.
  Touches: Control 5 (Account Management) and Control 6 (Access Control Management).
- Data Protection & Privacy Policy
  Data classification (at a simple level), storage/handling rules, encryption “where feasible,” retention and disposal.
  Touches: Control 3 (Data Protection); intersects with Control 11 (Data Recovery) and Control 15 (Service Provider Management).
- Vulnerability & Patch Management Standard
  How you keep OS/applications updated, how you respond to “high” or “critical” vulnerabilities, basic cadence.
  Touches: Control 7 (Continuous Vulnerability Management) and parts of Control 4.
- Logging & Monitoring Standard
  What logs you keep (e.g., cloud admin actions, sign‑ins, endpoint alerts) and minimal retention; who reviews them and when.
  Touches: Control 8 (Audit Log Management); supports Control 17.
- Email, Web, and Endpoint Protection Standard
  Spam/malware filtering, attachment/URL defenses, basic web protections (e.g., student content filters if applicable), antivirus/EDR expectations.
  Touches: Control 9 (Email and Web Browser Protections), Control 10 (Malware Defenses).
- Backup & Recovery Standard
  What gets backed up, how often, where, how long you keep it, and a requirement to periodically test restoration.
  Touches: Control 11 (Data Recovery); supports Control 3 (Data Protection).
- Service Provider / Vendor Security Policy
  Minimal security language you expect in contracts, due‑diligence questions, how you track critical vendors.
  Touches: Control 15 (Service Provider Management).
- Security Awareness & Training Policy
  Who must take training, how often, and core topics (phishing, passwords, device care, student data handling).
  Touches: Control 14 (Security Awareness and Skills Training).
- Incident Response Plan
  Roles, phases (detect, triage, contain, eradicate, recover), communications, when to notify law enforcement, parents, regulators/authorizers.
  Touches: Control 17 (Incident Response Management); uses information from Controls 8, 11, 14.