SECURITY
Effective February 20, 2026
·
Review February 20, 2027
·
Security Lead
Information Security Policy
Organization: Aina Design Corp
Applies To: hawaii.mokunet.us · kuleana.ainadesign.org · huikoeaina.ainadesign.org · ainadesign.org
Version: 1.0
Effective Date: February 20, 2026
Next Review: February 20, 2027
Policy Owner: Security Lead
1. Purpose
This policy establishes the foundational security requirements that govern how Aina Design Corp protects the confidentiality, integrity, and availability of information assets — including student data — across all platforms it operates on behalf of district partners.
2. Scope
This policy applies to:
All Aina Design Corp employees, contractors, and volunteers
All systems, applications, and infrastructure operated by Aina Design Corp
All district partner data processed or stored on Aina Design Corp platforms
Third-party service providers acting on behalf of Aina Design Corp
3. Policy Statements
3.1 Security by Design
Security and privacy controls must be incorporated into system design from the beginning of any project — not added after the fact. Every new feature or service must undergo a privacy and security review before deployment.
3.2 Least Privilege
Access to systems and data is granted on a need-to-know, least-privilege basis. No individual or system should have access beyond what is necessary to perform their assigned function.
3.3 Defense in Depth
Aina Design Corp employs multiple, overlapping security controls — including access controls, encryption, logging, and monitoring — so that no single control failure results in a breach.
3.4 Accountability
All access to sensitive systems and student data is logged and attributable to an individual identity. Shared or anonymous accounts are prohibited for administrative functions.
3.5 Continuous Improvement
Security posture is reviewed and improved on a regular cadence. Security incidents, near-misses, and audit findings are all inputs to the improvement process.
4. Core Security Requirements
Area
Requirement
Authentication
Multi-factor authentication (MFA) required for all administrative access
Encryption
Data encrypted in transit (TLS 1.2+) and at rest
Access Reviews
Quarterly review of all user accounts and permissions
Patch Management
Critical patches applied within 14 days of release
Vendor Assessment
Third-party vendors assessed for security posture before onboarding
Incident Response
All security events reported and investigated within 24 hours
5. Roles and Responsibilities
Security Lead
Owns this policy, manages risk, and leads incident response. Ensures all platforms are maintained to security baseline standards.
Data Governance Lead
Ensures district project data flows comply with this policy. Maintains data inventory and classification records.
Engineering Team
Implements security controls in code and infrastructure. Participates in code reviews with security as a criterion.
All Staff
Complete annual security training. Report suspected incidents immediately. Never share credentials or bypass security controls.
6. Compliance and Alignment
This policy is aligned with:
SOC 2 Trust Service Criteria (Security, Availability, Confidentiality)
ISO/IEC 27001:2022 Information Security Management
FERPA (Family Educational Rights and Privacy Act) — student data handled as an authorized School Official
Hawaii State DOE data governance expectations
7. Violations
Violations of this policy may result in disciplinary action up to and including termination or contract cancellation. Violations involving student data may also result in notification obligations to affected districts and, where required by law, to affected families.
8. Review Cadence
This policy is reviewed annually by the Security Lead and approved by organizational leadership. Material changes are communicated to all staff and relevant district partners within 30 days.
9. Sign-Off
Security Lead: _________________________
Executive Sponsor: _________________________
Date Approved: _________________________