(Drafted March 2026. Pending Governing Board Approval)

Information Security & Cybersecurity Program Policy

1. Purpose

Colearn Academy establishes this Information Security & Cybersecurity Program Policy to protect student, staff, and institutional information and to support the reliable operation of instructional and administrative systems. This policy defines the overall approach, roles, and expectations for managing cybersecurity risk at Colearn Academy.

2. Scope

This policy applies to all employees, contractors, vendors, volunteers, and any other individuals or entities that access Colearn Academy information systems or handle Colearn Academy data, regardless of physical location or state of operation.

Operating context: Colearn Academy is a virtual school with no physical building and no school-owned hardware. Devices used for school purposes are owned by families or students.

3. Governance and Roles

3.1 Information Security Lead

Colearn Academy designates the Director of Technology and Systems as the Information Security Lead. The Information Security Lead is responsible for coordinating cybersecurity activities, overseeing implementation of this and related policies, and serving as a primary point of contact with authorizers and applicable agencies on cybersecurity matters.

3.2 Reporting

The Information Security Lead will provide at least one annual update to school leadership and the governing board summarizing: (a) results of cybersecurity assessments, (b) key risks and gaps relative to baseline controls, and (c) progress on the cybersecurity roadmap and planned next steps.

3.3 Frameworks and Standards

Colearn Academy uses widely recognized cybersecurity frameworks appropriate for K–12 environments, including the CIS Critical Security Controls (with emphasis on Implementation Group 1) and the NIST Cybersecurity Framework core functions (Identify, Protect, Detect, Respond, Recover), as references for organizing and prioritizing safeguards. Specific technologies and vendors are selected based on risk, feasibility, and available resources.

3.4 Governance Alignment

Colearn Academy will coordinate with its authorizers and applicable state requirements in each jurisdiction. In South Carolina, the School is currently authorized by the Limestone Charter Association and will join the Charter Institute at Erskine (Erskine Charter) in the next school year. In Arizona, Colearn Academy operates as its own district. Public information on the South Carolina authorizers can be found at:

4. Cybersecurity Roadmap

Colearn Academy will maintain a written cybersecurity roadmap that identifies prioritized initiatives for improving security over a multi‑year period. The roadmap will be based on assessment results and will be reviewed at least annually and updated as needed.

5. Policy Relationships

This overarching policy is supported by topic‑specific policies and standards, including but not limited to: Asset & Configuration Management, Identity & Access Management, Data Protection & Privacy, Vulnerability & Patch Management, Logging & Monitoring, Email/Web/Endpoint Protection, Backup & Recovery, Service Provider Management, Security Awareness & Training, and Incident Response.

6. Review

This policy will be reviewed at least annually by the Information Security Lead and updated as necessary to reflect changes in risk, technology, or regulatory requirements.
