This document describes technical and organizational measures and security controls implemented by Achieve3000 to protect the data Customers entrust to us as part of the Achieve3000 Services.
Within this document, the following definitions apply:
- “Customer” – any subscriber to the Achieve3000 service.
- “Achieve3000 Service” – educational products and services Achieve3000 offers to Customers.
- “Service Data” – data we gather and use in delivering Services to Students and Administrators through subscribing schools, school districts, and other educational institutions. May also be referred to as Customer Data, Student Data, or District Data.
- “Personnel” – Achieve3000 employees and authorized individual contractors/vendors.
Organization of Information Security
To outline Achieve3000’s information security structure.
1. Achieve3000 employs full-time, dedicated, trained/certified security Personnel responsible for information security.
2. Achieve3000 has a set of information security policies, approved by management and disseminated to all Personnel.
3. All Achieve3000 Personnel have signed legally reviewed confidentiality agreements.
4. Achieve3000 Personnel are given training in information security on a regular basis.
To protect the physical assets that contain Service Data.
1. Achieve3000 Services operate from industry certified third-party data centers with a defined and protected physical perimeter, strong physical controls including access control mechanisms, controlled delivery and loading areas, surveillance, and security guards.
2. Each data center is audited and is ISO-27001 and SOC-2 certified.
3. Only authorized Personnel have access to the data center premises housing Service Data and access is controlled through a security registration process requiring a government issued photo ID.
4. Power and telecommunications cabling carrying Service Data or supporting information services at the production data centers are protected from interception, interference and damage.
5. The production data centers and their equipment are physically protected against natural disasters, unauthorized entry, malicious attacks, and accidents.
6. Equipment at the production data center is protected from power failures and other disruptions caused by failures in supporting utilities, and is appropriately maintained.
To ensure systems containing Service Data are used only by authorized, authenticated users.
1. Access to Achieve3000 systems is granted only to Achieve3000 Personnel and/or to authorized employees of Achieve3000’s subcontractors; access is strictly limited as required for those persons to fulfill their function.
2. All users access Achieve3000 systems with a unique identifier.
3. Achieve3000 has established a password policy that prohibits sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered.
4. Achieve3000 has a comprehensive process to deactivate system/Services access when Personnel leave Achieve3000 or a job function within Achieve3000.
5. All access or attempted access to systems is logged and monitored.
To ensure Personnel entitled to use systems gain access only to the Service Data that they are authorized to access.
1. Access to Service Data is limited to authorized Personnel only.
2. Personnel training covers access rights and general guidelines on the definition and use of Service Data.
To ensure Service Data is not read, copied, altered, or deleted by unauthorized parties in transit or at rest.
1. Customer access to Achieve3000 Service websites is protected by the most current version of Transport Layer Security (TLS).
2. Achieve3000 uses Strong Encryption (minimum of 256-bit encryption) of Service Data for both internal and external data transmissions.
3. Service Data are stored in encrypted file systems with the encryption keys stored and maintained in separate secured systems.
4. Upon request of the Customer, Achieve3000 will destroy Service Data within a reasonable time frame.
Confidentiality and Integrity
To ensure Service Data remains confidential throughout processing and remains intact, complete and current during processing activities.
1. Achieve3000 has a formal background check process and carries out background checks on all new Personnel.
2. Achieve3000 has a central, secured repository of product source code, which is accessible only to authorized Personnel.
3. Achieve3000 conducts security testing that includes code review, penetration testing, and static code analysis on a periodic basis to identify flaws.
4. All changes to software on the Achieve3000 Service are via a controlled, approved release mechanism within a formal change management process.
5. All encryption and other cryptographic functionality used within the Achieve3000 Service uses industry standard encryption and cryptographic measures aligned with the standards promulgated in FIPS 140-2.
6. Each data center from which Achieve3000 Services are delivered is designed with multi-tier network infrastructure and equipped with network perimeter protection (i.e. redundant firewalls), intrusion detection systems and endpoint-protection systems (anti-malware and anti-virus).
To ensure Service Data is protected from accidental destruction or loss, and there is timely access, restoration or availability to Service Data in the event of a Service incident.
1. Achieve3000 uses a high level of redundancy when storing Service Data within the production data center.
2. Achieve3000 maintains a Disaster Recovery site in a geographically separate data center.
3. Each data center has multiple power sources and backup power generators to safeguard power availability to the data center.
4. Each data center has multiple access points to the Internet to safeguard connectivity.
5. Each data center is monitored 24x7x365 for power, network, environment and technical issues.
6. Achieve3000 maintains a robust Disaster Recovery program that includes well-defined and updated plans and regular testing and retrospectives.
7. Achieve3000 Services are protected against Denial of Service attacks with the use of multi-layer DDoS protection and mitigation services.
To ensure Service Data is processed separately for each Customer.
1. Achieve3000 uses logical separation within its multi-tenant architecture to enforce data segregation between the Service Data of Customers.
2. In each step of processing, Service Data received from a Customer is assigned a unique identifier so data of that Customer is always logically separated from the data of each other Customer.
3. Customers only have access to their own Service Data through the use of secure mechanisms.
In the event of any security breach of Service Data, the effect of the breach is minimized and the Customer is promptly informed.
1. Achieve3000 maintains an up-to-date incident response plan that includes responsibilities and how information security events are assessed and classified as incidents.
2. In the event of a security breach, Achieve3000 will notify Customers without undue delay after becoming aware of the security breach.
To ensure Achieve3000 regularly tests, assesses and evaluates the effectiveness of the technical and organizational measures.
1. Achieve3000 conducts regular internal and external audits of its security practices.
2. Achieve3000 ensures that Personnel are aware of and comply with the technical and organizational measures set forth in this document.
3. Achieve3000 conducts at least semi-annual penetration tests of the Achieve3000 service using both internal tools and external security services.