Information Security Policy
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Security Lead
This policy establishes the foundational security requirements that govern how Aina Design Corp protects the confidentiality, integrity, and availability of information assets — including student data — across all platforms it operates on behalf of district partners.
•
All Aina Design Corp employees, contractors, and volunteers
•
All systems, applications, and infrastructure operated by Aina Design Corp
•
All district partner data processed or stored on Aina Design Corp platforms
•
Third-party service providers acting on behalf of Aina Design Corp
Security and privacy controls must be incorporated into system design from the beginning of any project — not added after the fact. Every new feature or service must undergo a privacy and security review before deployment.
Access to systems and data is granted on a need-to-know, least-privilege basis. No individual or system should have access beyond what is necessary to perform their assigned function.
Aina Design Corp employs multiple, overlapping security controls — including access controls, encryption, logging, and monitoring — so that no single control failure results in a breach.
All access to sensitive systems and student data is logged and attributable to an individual identity. Shared or anonymous accounts are prohibited for administrative functions.
3.5 Continuous Improvement
Security posture is reviewed and improved on a regular cadence. Security incidents, near-misses, and audit findings are all inputs to the improvement process.
4. Core Security Requirements
Multi-factor authentication (MFA) required for all administrative access
Data encrypted in transit (TLS 1.2+) and at rest
Quarterly review of all user accounts and permissions
Critical patches applied within 14 days of release
Third-party vendors assessed for security posture before onboarding
All security events reported and investigated within 24 hours
5. Roles and Responsibilities
Security Lead
Owns this policy, manages risk, and leads incident response. Ensures all platforms are maintained to security baseline standards.
Data Governance Lead
Ensures district project data flows comply with this policy. Maintains data inventory and classification records.
Engineering Team
Implements security controls in code and infrastructure. Participates in code reviews with security as a criterion.
All Staff
Complete annual security training. Report suspected incidents immediately. Never share credentials or bypass security controls.
6. Compliance and Alignment
This policy is aligned with:
•
SOC 2 Trust Service Criteria (Security, Availability, Confidentiality)
•
ISO/IEC 27001:2022 Information Security Management
•
FERPA (Family Educational Rights and Privacy Act) — student data handled as an authorized School Official
•
Hawaii State DOE data governance expectations
Violations of this policy may result in disciplinary action up to and including termination or contract cancellation. Violations involving student data may also result in notification obligations to affected districts and, where required by law, to affected families.
This policy is reviewed annually by the Security Lead and approved by organizational leadership. Material changes are communicated to all staff and relevant district partners within 30 days.
Security Lead: _________________________
Executive Sponsor: _________________________
Date Approved: _________________________