Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Security Lead
This policy defines how access to Aina Design Corp systems and district project data is requested, granted, reviewed, and revoked — ensuring that only authorized individuals can access student and organizational data, and only to the extent their role requires.
This policy applies to all users of Aina Design Corp platforms, including:
•
Internal staff (employees and contractors)
•
District and school administrators
•
Teachers and school staff
•
Students (where platform access is granted)
•
System-to-system (API) integrations
3. Access Roles and Permissions
All platform access is governed by role-based access control (RBAC). The defined roles are:
User management, configuration, all data
View all schools in their district, manage district staff
View all classes at their school, manage school staff
View/manage students in assigned classes
View/upload own work, view assigned content
Approved partner or auditor access
No individual shall have access beyond what their assigned role requires. Exceptions require written authorization from the Security Lead.
•
All accounts are provisioned through a documented, approved request.
•
District and school administrators are provisioned only after confirmation from the authorized district point of contact.
•
Student accounts are provisioned through school-authorized batch processes or teacher invitation only.
4.2 Authentication Requirements
•
All administrative accounts require multi-factor authentication (MFA).
•
Passwords must meet minimum complexity requirements (12+ characters, mixed case, numbers, symbols).
•
Single Sign-On (SSO) via district identity providers is supported and preferred where available.
Shared or group accounts are prohibited for any role with access to student data. Every individual must have a uniquely identified account.
All administrative and privileged accounts reviewed for continued need
Account deactivated within 24 hours of role change or departure
All district-project-specific access revoked upon project completion
Full review of all access roles and permissions
Reviews are documented and stored as audit evidence.
Privileged (administrative) access to production systems:
•
Is granted only to authorized engineers with a documented business need
•
Requires approval from the Security Lead
•
Is logged comprehensively — all actions are attributed to the individual
•
Is reviewed quarterly and revoked when no longer required
Upon separation from Aina Design Corp or termination of a district relationship:
1.
All accounts are disabled within 24 hours.
2.
API keys and tokens associated with the individual or integration are rotated.
3.
Access review is documented and stored.
8. District Partner Access Controls
District partners define their own access expectations through the Project Data Governance Plan. Aina Design Corp implements those expectations as platform controls. Changes to district access rules require written authorization from the district data governance contact.
This policy is reviewed annually. Access control configurations are reviewed quarterly.
Security Lead: _________________________
Data Governance Lead: _________________________
Date Approved: _________________________