Schedule of Disposition. Data shall be disposed of by the following date:
    As soon as commercially practicable.
    By [ ]

4. Signature
Authorized Representative of LEA                Date: 05/03/2023

5. Verification of Disposition of Data
Authorized Representative of Provider           Date:

DocuSign Envelope ID: 64017897-96C3-4D18-9C71-6E6A7BE5FDE0
xxxxxxx@xxxxxxxxxxxxxxx.xxx
Xxxxx Xxxxxxxxxx, Executive Vice President, CFO

EXHIBIT “F”

The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems, chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider.

Cybersecurity Frameworks

    MAINTAINING ORGANIZATION/GROUP | FRAMEWORK(S)
    National Institute of Standards and Technology (NIST) | NIST Cybersecurity Framework Version 1.1
    National Institute of Standards and Technology (NIST) | NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171
X   International Standards Organization (ISO) | Information technology — Security techniques — Information security management systems (ISO 27000 series)
    Secure Controls Framework Council, LLC | Security Controls Framework (SCF)
X   Center for Internet Security (CIS) | CIS Critical Security Controls (CSC, CIS Top 20)
    Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) | Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR)

Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks.
This Exhibit “G”, Supplemental SDPC State Terms for Texas (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between [ NORTH EAST ISD ] (the “Local Education Agency” or “LEA”) and [ Imagine Learning LLC ] (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:
Appears in 1 contract
Samples: Student Data Privacy Agreement
The Provider uses the following technical and organizational measures to protect Student Data:

Management controls

• The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information.
• The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services.
• The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology.
• The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked.
• New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement.
• Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract.
• The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team.
• The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly.
• The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents.
• The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices.
• The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access.
• The Provider uses appropriate measures to ensure that Student Data held in hardcopy is kept securely, e.g., in locked rooms or filing cabinets. Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system, i.e., access is limited to those individuals for whom it is necessary to have access in order to perform their job role.
• The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data.
• The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., users must enter a user id and password before they are permitted access to such systems).
• The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA.
• The Provider employs appropriate measures to prevent individuals from accessing Student Data unless they hold a specific access authorization.
• The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or the purpose for which they are given access to Provider’s systems (i.e., the Provider implements measures to ensure least privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly.
• The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data, for example, procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers.
• Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data.
• The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action.
• All employees must use multi-factor authentication for remote access to IT assets within the corporate network.
• The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats.
• The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission.
• The Provider encrypts Student Data while in transit over the internet.
• The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data.
• The Provider ensures that all requests from the LEA with respect to Student Data are processed strictly in compliance with the LEA’s instructions through the use of clear and unambiguous contract terms; comprehensive statements of work; appropriately designed policies and processes; and training.
• The Provider protects Student Data in its possession against unintentional destruction or loss by implementing appropriate management, operations, and technical controls such as firewalls, monitoring, and backup procedures. Example measures that may also be taken include mirroring of storage media, uninterruptible power supply (UPS), remote storage, and disaster recovery plans.
This Exhibit “G”, Supplemental SDPC State Terms for Illinois (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between [NAME OF SCHOOL] (the “Local Education Agency” or “LEA”) and Blackboard Inc. (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:
Schedule of Disposition. Data shall be disposed of by the following date:
    As soon as commercially practicable.
    By [ ]

4. Signature
Authorized Representative of LEA                Date: 06/07/2021

5. Verification of Disposition of Data
Authorized Representative of Provider           Date: 06/07/2021

Last Updated 2021-03-15 - New Illinois Exhibit G. IL-NDPA v1.0a, Page 16 of 23.

The Education Security and Privacy Exchange (“Edspex”) works in partnership with the Student Data Privacy Consortium and industry leaders to maintain a list of known and credible cybersecurity frameworks which can protect digital learning ecosystems, chosen based on a set of guiding cybersecurity principles* (“Cybersecurity Frameworks”) that may be utilized by Provider.

Cybersecurity Frameworks

    MAINTAINING ORGANIZATION/GROUP | FRAMEWORK(S)
✔   National Institute of Standards and Technology (NIST) | NIST Cybersecurity Framework Version 1.1
    National Institute of Standards and Technology (NIST) | NIST SP 800-53, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (CSF), Special Publication 800-171
X   International Standards Organization (ISO) | Information technology — Security techniques — Information security management systems (ISO 27000 series)
    Secure Controls Framework Council, LLC | Security Controls Framework (SCF)
X   Center for Internet Security (CIS) | CIS Critical Security Controls (CSC, CIS Top 20)
    Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) | Cybersecurity Maturity Model Certification (CMMC, ~FAR/DFAR)

Please visit xxxx://xxx.xxxxxx.xxx for further details about the noted frameworks.
EXHIBIT “G” - Supplemental SDPC (Student Data Privacy Consortium) State Terms for Illinois

This Exhibit “G”, Supplemental SDPC State Terms for Illinois (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between Lincolnshire-Prairie View School District 103 (the “Local Education Agency” or “LEA”) and Generation Genius, Inc. (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:
This Exhibit “G”, Supplemental SDPC State Terms for Texas Illinois (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between [ NORTH EAST ISD ] Xxxxxx Community School District 2 (the “Local Education Agency” or “LEA”) and [ Imagine Learning LLC ] Blackboard Inc. (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:
This Exhibit “G”, Supplemental SDPC State Terms for Texas (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between [ NORTH EAST ISD ] (the “Local Education Agency” or “LEA”) and [ Imagine Learning LLC ] (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows:
The Provider uses the following technical and organizational measures to protect Student Data:
Management controls
The Provider maintains a comprehensive information security program with an appropriate governance structure (including a dedicated Information Security team) and written security policies to oversee and manage risks related to the confidentiality, availability and integrity of Personal Information. The Provider aligns its information security program and measures with industry best practices, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) 800 frameworks. These controls are distilled and incorporated into an internal compliance framework that is applicable to all products and services. The Provider uses internal resources and third-party contractors to perform audits and vulnerability assessments and provide guidance on best practices for select systems containing Student Data. System assessments and network audits are performed regularly. Issues identified during audits are prioritized and remediated as part of ongoing security monitoring using a risk management methodology.
The Provider’s employees receive security and data privacy training when they start and regularly thereafter. Awareness campaigns are used to raise awareness about information security risks and our information security policies and procedures. Select staff, such as developers, receive additional security training tailored to their job role. Completion of training is tracked. New employees undergo background checks prior to onboarding, where permitted by applicable law, and sign a confidentiality agreement.
Employees are required to comply with internal policies on the acceptable use of corporate IT assets. These policies address requirements on clean desk and secure workspaces, protecting system resources and electronic communications, protecting information, and general use of technology assets. The Provider’s employees are made aware that non-compliance with these policies can lead to disciplinary action, up to and including termination of employment/contract.
The Provider maintains a vendor risk management program to manage the security and integrity of its supply chain. The procurement process for third-party service providers that have access to confidential information (including Student Data) includes a vendor security and privacy assessment review and a contract review by the Legal team.
The Provider has a documented security incident response process for responding to, documenting, and mitigating security incidents and notifying its clients, authorities or other parties as required. The process is tested regularly.
The Provider employs appropriate physical safeguards to prevent unauthorized persons from gaining access to the premises where Student Data is collected, processed and used. Such premises may only be entered by the Provider and/or its agents. The Provider and its service providers implement physical security controls for the data centers used to store Student Data. These controls are commensurate with industry best practices and local regulations, which include 24x7x365 video monitoring, guards, secured ingress/egress, badged access, sign-in/sign-out logs, restricted access, and other best practices. The Provider uses appropriate measures to secure buildings, such as using access cards or fobs for employee access. The Provider uses appropriate measures to ensure that Student Data held in hardcopy are kept securely, e.g., in locked rooms or filing cabinets.
Generally, steps are taken to ensure that access to hardcopy Student Data is limited in the same way it would be on an electronic IT system, i.e., access is limited to those individuals for whom it is necessary to have access in order to perform their job role.
• The Provider uses appropriate measures to prevent unauthorized parties from accessing or using its systems containing Student Data.
• The Provider requires authentication and authorization to gain access to systems that process Student Data (i.e., users must enter a user id and password before they are permitted access to such systems).
• The Provider has procedures in place to permit only authorized persons to access Student Data internally or externally by using authentication procedures (e.g., by means of appropriate passwords), except as otherwise enabled by the LEA.
• The Provider employs appropriate measures to prevent individuals from accessing Student Data unless they hold a specific access authorization.
• The Provider only permits access to Student Data which the employee (or agent) needs for his/her job role or for the purpose for which they are given access to the Provider’s systems (i.e., the Provider implements measures to ensure least-privilege access to systems that process Student Data). System administration and privileged access is controlled and enforced on a need-to-know basis and is reviewed regularly.
• The Provider has in place appropriate procedures for controlling the allocation and revocation of access rights to Student Data, for example, procedures for revoking employee access to systems that process Student Data when they leave their job or change role. Unnecessary and default user accounts and passwords are disabled on servers.
• The Provider’s systems containing Student Data are protected by user identifiers, passwords and role-based access rights. Special access rights are produced for the purposes of technical maintenance which do not allow access to Student Data.
• The Provider implements methods to provide audit logging to establish accountability by monitoring network devices, servers, and applications. Where applicable, aberrant activity generates alerts for investigation and/or action.
• All employees must use multi-factor authentication for remote access to IT assets within the corporate network.
• The Provider takes appropriate administrative safeguards to protect its services against external attacks, including, for example, deploying firewalls and using services to provide 24x7x365 security monitoring of its data centers to protect and defend against external security threats.
• The Provider employs appropriate measures to protect the confidentiality, integrity and availability of Student Data during electronic transmission.
• The Provider encrypts Student Data while in transit over the internet.
• The Provider maintains logging and auditing systems to monitor activity related to the input of Student Data.
This Exhibit “G”, Supplemental SDPC State Terms for Texas (“Supplemental State Terms”), effective simultaneously with the attached Student Data Privacy Agreement (“DPA”) by and between [ NORTH EAST ISD ] (the “Local Education Agency” or “LEA”) and [ Imagine Learning LLC Canva Pty Ltd ] (the “Provider”), is incorporated in the attached DPA and amends the DPA (and all supplemental terms and conditions and policies applicable to the DPA) as follows: