SECURITY
Effective February 20, 2026
·
Review February 20, 2027
·
Security Lead
Access Control Policy
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Security Lead
1. Purpose
This policy defines how access to Aina Design Corp systems and district project data is requested, granted, reviewed, and revoked — ensuring that only authorized individuals can access student and organizational data, and only to the extent their role requires.
2. Scope
This policy applies to all users of Aina Design Corp platforms, including:
Internal staff (employees and contractors)
District and school administrators
Teachers and school staff
Students (where platform access is granted)
System-to-system (API) integrations
3. Access Roles and Permissions
All platform access is governed by role-based access control (RBAC). The defined roles are:
Role
Access Scope
Example Actions
Platform Admin
Full system
User management, configuration, all data
District Admin
District-wide data
View all schools in their district, manage district staff
School Admin
School-specific data
View all classes at their school, manage school staff
Teacher
Class-level data
View/manage students in assigned classes
Student
Own data only
View/upload own work, view assigned content
Read-Only Reviewer
Scoped view access
Approved partner or auditor access
No individual shall have access beyond what their assigned role requires. Exceptions require written authorization from the Security Lead.
4. Account Provisioning
4.1 New Accounts
All accounts are provisioned through a documented, approved request.
District and school administrators are provisioned only after confirmation from the authorized district point of contact.
Student accounts are provisioned through school-authorized batch processes or teacher invitation only.
4.2 Authentication Requirements
All administrative accounts require multi-factor authentication (MFA).
Passwords must meet minimum complexity requirements (12+ characters, mixed case, numbers, symbols).
Single Sign-On (SSO) via district identity providers is supported and preferred where available.
4.3 Shared Accounts
Shared or group accounts are prohibited for any role with access to student data. Every individual must have a uniquely identified account.
5. Access Reviews
Frequency
Scope
Quarterly
All administrative and privileged accounts reviewed for continued need
At offboarding
Account deactivated within 24 hours of role change or departure
At project close
All district-project-specific access revoked upon project completion
Annually
Full review of all access roles and permissions
Reviews are documented and stored as audit evidence.
6. Privileged Access
Privileged (administrative) access to production systems:
Is granted only to authorized engineers with a documented business need
Requires approval from the Security Lead
Is logged comprehensively — all actions are attributed to the individual
Is reviewed quarterly and revoked when no longer required
7. Offboarding
Upon separation from Aina Design Corp or termination of a district relationship:
1.
All accounts are disabled within 24 hours.
2.
API keys and tokens associated with the individual or integration are rotated.
3.
Access review is documented and stored.
8. District Partner Access Controls
District partners define their own access expectations through the Project Data Governance Plan. Aina Design Corp implements those expectations as platform controls. Changes to district access rules require written authorization from the district data governance contact.
9. Review Cadence
This policy is reviewed annually. Access control configurations are reviewed quarterly.
10. Sign-Off
Security Lead: _________________________
Data Governance Lead: _________________________
Date Approved: _________________________