Runestone Academy Ltd

WRITTEN INFORMATION SECURITY PLAN

LAST UPDATED: [09/16/2020]

 

I. OBJECTIVE:

 

The objective of Runestone Academy Ltd (“Runestone Academy”) in the development and implementation of this comprehensive written information security program (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of data developed by Runestone Interactive, data provided by Runestone Interactive customers and data collected by Runestone Interactive from the users of its services (collectively the “Data”). The WISP sets forth our procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting Data.

 

II. PURPOSE: 

 

The purpose of the WISP is to better: (a) ensure the security and confidentiality of Data; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of such Data; and (c) protect against unauthorized access to or use of such Data.

 

III. SCOPE:  

 

In formulating and implementing the WISP, Runestone Interactive has addressed and incorporated the following protocols:

 

a.         identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Data; 

 

b.         assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of Data; 

 

c.         evaluated the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;  and

 

d.         implemented regular monitoring of the effectiveness of those safeguards.

 

IV. DATA SECURITY COORDINATOR:  

 

Runestone Interactive has designated Bradley Miller to implement, supervise and maintain the WISP. This designated employee (the “Data Security Coordinator”) will be responsible for the following: 

 

a.              Implementation of the WISP including all provisions outlined in Section VII: Daily Operational Protocol; 

 

b.              Training of all employees; 

 

c.              Regular testing of the WISP’s safeguards; 

 

d.              Evaluating the ability of any of our third party service providers to implement and maintain appropriate security measures for the Data to which we have permitted them access, and requiring such third party service providers by contract to implement and maintain appropriate security measures;

 

e.              Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing Data; and

 

f.               Conducting an annual training session for all managers, employees and independent contractors who have access to Data on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with our requirements for ensuring the protection of Data. 

 

V. INTERNAL RISK MITIGATION POLICIES:  

 

To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Data, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory:

 

a.         We will only collect Data of clients, customers or employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state or local regulations.

 

b.         Access to records containing Data shall be limited to those employees whose duties, relevant to their job description, have a legitimate need to access said records, and only for this legitimate job-related purpose.

 

c.         Written and electronic records containing Data shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements. 

 

d.         A copy of the WISP is to be distributed to each current employee and to each new employee on the beginning date of their employment. It shall be the employee’s responsibility to acknowledge in writing, by signing the attached sheet, that he/she has received a copy of the WISP and will abide by its provisions. Employees are encouraged and invited to advise the Data Security Coordinator of any activities or operations which appear to pose risks to the security of Data. If the Data Security Coordinator is involved with these risks, employees are encouraged and invited to advise any other manager, supervisor or business owner.

 

e.         All employment contracts, where applicable, will be amended to require all employees to comply with the provisions of the WISP and to prohibit any nonconforming use of Data as defined by the WISP.

 

f.          Terminated employees must return all records containing Data, in any form, in their possession at the time of termination. This includes all Data stored on any portable device and on any device owned directly by the terminated employee.

 

g.         A terminated employee’s physical and electronic access to records containing Data shall be restricted at the time of termination.  This shall include remote electronic access to personal records, voicemail, internet, and email access.  All keys, keycards, access devices, badges, company IDs, business cards, and the like shall be surrendered at the time of termination.

 

h.         Disciplinary action will be applicable to violations of the WISP, up to and including termination, irrespective of whether Data was actually accessed or used without authorization.

 

i.          All security measures shall be reviewed at least annually to ensure that the policies contained in the WISP are adequate to meet all applicable federal and state regulations.  

 

j.          Should our business practices change in a way that impacts the collection, storage, and/or transportation of records containing Data, the WISP will be reviewed to ensure that the policies contained in the WISP are adequate to meet all applicable federal and state regulations.

 

k.         The Data Security Coordinator or his/her designee shall be responsible for all reviews and modifications of the WISP and shall fully consult with and apprise management of all reviews, including any recommendations for improved security arising from the review.

 

l.          The Data Security Coordinator or his/her designee shall ensure that access to Data is restricted to approved and active user accounts.

 

m.        Current employees’ user IDs and passwords shall conform to accepted security standards. All passwords shall be changed at least annually, and more often as needed.

 

VI. EXTERNAL RISK MITIGATION POLICIES:

 

a.         Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes Data.

 

b.         Data shall not be removed from the business premises in electronic or written form absent legitimate business need and use of reasonable security measures, as described in this policy.

 

c.         All system security software including, anti-virus, anti-malware, and internet security shall be reasonably up-to-date and installed on any computer that stores or processes Data.

 

d.         There shall be secure user authentication protocols in place that:

 

1.         Control user IDs and other identifiers;

 

2.        Assign passwords in a manner that conforms to accepted security standards, or apply unique identifier technologies; and

 

3.         Control passwords to ensure that password information is secure.

 

VII. DAILY OPERATIONAL PROTOCOL

 

This section of our WISP outlines our daily efforts to minimize security risks to any computer system that processes or stores Data, to ensure that physical files containing Data are reasonably secured, and to develop daily employee practices designed to minimize access and security risks to the Data of our clients, customers and employees.

 

The Daily Operational Protocol shall be reviewed and modified as deemed necessary at a meeting of the Data Security Coordinator and personnel responsible and/or authorized for the security of Data. Any modifications to the Daily Operational Protocol shall be published in an updated version of the WISP.  At the time of publication, a copy of the WISP shall be distributed to all current employees and to new hires on their date of employment.

 

a.         Recordkeeping Protocol:  We will only collect Data of clients and customers and employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal and state and local laws.

 

1.         Within 30 days of the publication of the WISP or any update, the Data Security Coordinator or his/her designee shall perform an audit of all relevant company records to determine which records contain Data, assign those files to the appropriate secured storage location, and redact, expunge or otherwise eliminate all unnecessary Data in a manner consistent with the WISP.

 

2.         Any Data stored shall be disposed of when no longer needed for business purposes or required by law for storage.  Disposal methods must be consistent with those prescribed by the WISP.

 

3.         Any paper files containing Data of clients or employees shall be stored in a locked filing cabinet.  Only department heads and the Data Security Coordinator will be assigned keys to filing cabinets and only those individuals are allowed access to the paper files.  Individual files may be assigned to employees on an as-needed basis by the department supervisor.

 

4.         All employees are prohibited from keeping unsecured paper files containing Data in their work area when they are not present (e.g. lunch breaks).

 

5.         At the end of the day, all files containing Data are to be returned to the locked filing cabinet by department heads or the Data Security Coordinator.

 

6.         Electronic records containing Data shall not be stored or transported on any portable electronic device, sent or transmitted electronically to any portable device, or sent or transported electronically to any computer, portable or not, without being encrypted. The only exception shall be where there is no reasonable risk of unauthorized access to the Data or it is technologically not feasible to encrypt the data as and where transmitted.

 

7.         If necessary for the functioning of individual departments, the department head, in consultation with the Data Security Coordinator, may develop departmental rules that ensure reasonable restrictions upon access and handling of files containing Data and must comply with all WISP standards.  Departmental rules are to be published as an addendum to the WISP.

 

b.         Access Control Protocol:  

 

1.         All our computers shall restrict user access to those employees having an authorized and unique login ID assigned by the Data Security Coordinator.

 

2.         All computers that have been inactive for 5 or more minutes shall require the user to log in again.

 

3.         After 5 unsuccessful login attempts by any user ID, that user ID will be blocked from accessing any computer or file stored on any computer until access privileges are reestablished by the Data Security Coordinator or his/her designee.

 

4.         Access to electronically stored records containing Data shall be electronically limited to those employees having an authorized and unique login ID assigned by the Data Security Coordinator.

 

5.         Where practical, all visitors who are expected to access areas other than common retail space or are granted access to office space containing Data should be required to sign-in with a Photo ID at a designated reception area where they will be assigned a visitor’s ID or guest badge unless escorted at all times.  Visitors are required to wear said visitor ID in a plainly visible location on their body, unless escorted at all times.

 

6.         Where practical, all visitors are restricted from areas where files containing Data are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing Data are stored.

 

7.         All computers with an internet connection, and any computer that stores or processes Data, must have a reasonably up-to-date version of software providing virus, anti-spyware and anti-malware protection installed and active at all times.

 

8.         An inventory of all company computers and handhelds authorized for Data storage shall be maintained by the company, and shall be made known only to the Data Security Coordinator and other managers on a “need to know” basis.
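The three technical rules of the Access Control Protocol (unique login IDs, re-login after 5 minutes of inactivity, and a lockout after 5 failed attempts that only the Data Security Coordinator or designee can clear) are easy to state and easy to implement incorrectly. The following is an added example written for this edition, not Runestone code: a small access controller that enforces those thresholds exactly as the protocol words them, stores only a salted PBKDF2 hash rather than the password itself (consistent with VI.d.3), and uses a constant-time comparison. The class and method names, the `bmiller` account and the timestamps are constructed for the demonstration.

```python
"""Access-control checks modelled on VII.b.1-3 of the WISP.

Added illustrative example; not Runestone's own implementation. The thresholds
are the policy's; every account name, password and timestamp below is
constructed test data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5              # VII.b.3: block after 5 bad attempts
IDLE_TIMEOUT = timedelta(minutes=5)  # VII.b.2: re-login after 5 idle minutes
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None  # None means no live session


class AccessController:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def provision(self, user_id: str, password: str) -> None:
        """Coordinator assigns IDs; they must be unique (VII.b.1)."""
        if user_id in self._accounts:
            raise ValueError("user ID already assigned")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, self._derive(password, salt))

    def login(self, user_id: str, password: str, now: datetime) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None or acct.locked:
            # Unknown and locked IDs get the same answer as a wrong password,
            # so the response does not reveal which IDs exist.
            return False
        if hmac.compare_digest(self._derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            acct.last_activity = now
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # stays locked until reinstate() (VII.b.3)
        return False

    def touch(self, user_id: str, now: datetime) -> bool:
        """Record activity. Returns False and ends the session if the
        idle limit has passed, so the user has to log in again (VII.b.2)."""
        acct = self._accounts[user_id]
        if acct.last_activity is None:
            return False
        if now - acct.last_activity > IDLE_TIMEOUT:
            acct.last_activity = None
            return False
        acct.last_activity = now
        return True

    def is_locked(self, user_id: str) -> bool:
        return self._accounts[user_id].locked

    def reinstate(self, user_id: str) -> None:
        """Only the Coordinator or designee clears a lockout; there is
        deliberately no timed auto-unlock, matching VII.b.3."""
        acct = self._accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0


def demo() -> Dict[str, bool]:
    """Walk one account through the policy; returns the observed outcomes."""
    ac = AccessController()
    t0 = datetime(2020, 9, 16, 9, 0, 0)
    ac.provision("bmiller", "correct horse battery staple")
    out = {}
    out["good"] = ac.login("bmiller", "correct horse battery staple", t0)
    out["idle_ok"] = ac.touch("bmiller", t0 + timedelta(minutes=4, seconds=59))
    out["idle_expired"] = ac.touch("bmiller", t0 + timedelta(minutes=10, seconds=30))
    for i in range(MAX_FAILED_ATTEMPTS):
        ac.login("bmiller", f"wrong{i}", t0 + timedelta(minutes=11, seconds=i))
    out["locked"] = ac.is_locked("bmiller")
    out["right_pw_while_locked"] = ac.login(
        "bmiller", "correct horse battery staple", t0 + timedelta(minutes=12))
    ac.reinstate("bmiller")
    out["after_reinstate"] = ac.login(
        "bmiller", "correct horse battery staple", t0 + timedelta(minutes=13))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points a practitioner should keep in mind when deploying rule VII.b.3 as written: because the lockout is keyed on the user ID and has no automatic expiry, anyone who knows a valid ID can lock that user out with five deliberate failures, so failed-attempt events should be logged and reviewed, and the reinstatement step above is the only path back in. The idle check is applied on the next action after the limit, which is what a screen-lock or session timer does in practice; the 5-minute clock is the policy's, not a recommendation of this example.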

 

c.         Third Party Service Provider Protocol: Any service provider or individual that receives, stores, maintains, processes, or otherwise is permitted access to any file containing Data (“Third Party Service Provider”) shall be required to meet the standards set forth in this WISP. Each contract with a Third Party Service Provider shall be reviewed by the Data Security Coordinator.

 

VIII. Breach of Data Security Protocol: Should any employee become aware of a security breach at any of our facilities, or that any unencrypted Data has been lost or stolen or accessed without authorization, or that encrypted Data together with the access code or security key has been acquired by an unauthorized person or for an unauthorized purpose, the following protocol is to be followed: employees are to notify the Data Security Coordinator or their department head immediately of any known or suspected security breach or unauthorized use of Data.

In the event of a breach, we will notify all affected parties (schools) in a timely manner and act to close the breach as quickly as possible.