Legacy Haven Academy Cybersecurity Policy for The Tutor System

Policy Number: LHA-DIA-002
Version: 1.0
Effective Date: October 1, 2025
Review Date: October 1, 2026
Last Updated: October 12, 2025
Functional Area Manager: Director of Information Activities

Purpose

This policy establishes the cybersecurity framework for The Tutor, an AI-powered educational robot designed to provide personalized learning at Legacy Haven Academy. The Tutor integrates augmented reality (AR) glasses, a connected stylus, and a tablet, utilizing passive monitoring techniques such as voice analysis, facial recognition, gesture tracking, and biometric feedback to tailor education to students' needs in alignment with the Academy’s EDGE teaching method. This policy ensures compliance with the Family Educational Rights and Privacy Act (FERPA) by protecting student personally identifiable information (PII), including data from assessments such as the VARK Questionnaire, the Myers-Briggs Type Indicator (MBTI), the Behavior Assessment System for Children (BASC-3), and critical thinking instruments. It addresses concerns from the Department of Child Services (DCS) and guardians through requirements for parental/guardian consent, human supervision during all interactions, transparent reporting, annual independent audits, and secure internal-only storage of student data. Guardians can review and amend records via a secure portal. This policy is structured in accordance with NIST Special Publication 800-53 Revision 5 to safeguard student data, well-being, and educational integrity.

Scope

This policy applies to all components of The Tutor system, including the robot, AR glasses, stylus, tablet, wearables, AI algorithms, and integrated tools across Academy facilities (e.g., STEAM Laboratory, Agriculture Department, Library, Courthouse, Social Hall, Chapel, Sports Complex, and Campus Clinics). It covers all users, including instructors, clinicians, administrators, guardians, and third-party auditors. The policy encompasses data collection, processing, storage, and reporting related to student learning styles, emotional needs, mastery evaluations, and critical thinking skills. All operations occur under the oversight of the Principal, Directors of Security and Information Activities, and campus clinicians, with human instructors supervising every Tutor session.

Definitions

  • FERPA: Family Educational Rights and Privacy Act, a federal law protecting the privacy of student education records.
  • PII: Personally Identifiable Information, including student names, assessment results (e.g., BASC-3, VARK), biometric data, and reports.
  • DCS: Department of Child Services, a stakeholder concerned with student safety and well-being.
  • EDGE Method: Explain, Demonstrate, Guide, Enable – The Tutor's structured teaching framework.
  • Passive Monitoring: Non-intrusive data collection via voice, facial recognition, gestures, and biometrics for real-time adaptations.
  • Internal-Only Server: Secure, on-premises storage monitored by security directors and audited annually by third parties.

Responsibilities

  • Principal: Oversees policy implementation, approves changes, and ensures FERPA compliance.
  • Directors of Security and Information Activities: Manage server security, conduct audits, and handle incident responses.
  • Instructors: Supervise Tutor sessions, verify consent, and report anomalies.
  • Clinicians: Access well-being data securely and provide interventions.
  • Guardians: Provide consent, review records via the portal, and report concerns.
  • Third-Party Auditors: Conduct annual independent audits of the internal server and controls.
  • All Users: Comply with training, report incidents, and adhere to rules of behavior.

Policy Statements

The following statements describe the implemented security and privacy controls, organized by NIST SP 800-53 control families. Each control is implemented as described to protect The Tutor system and ensure FERPA compliance.

Access Control (AC)

The Tutor restricts access to authorized users, ensuring FERPA-compliant protection of student data and maintaining guardian trust through role-based access and audit trails.

  • AC-1: Access Control Policy and Procedures – The Academy’s security team drafts and disseminates access control policies, reviewed annually during staff training sessions. Policies outline FERPA requirements, such as obtaining guardian consent before accessing student profiles (e.g., VARK results). Procedures are stored on the internal server, accessible only to the Principal and security directors via multi-factor authentication (MFA).
  • AC-2: Account Management – The Tutor’s account management system uses automated scripts to create, modify, and deactivate accounts for instructors, clinicians, and administrators. Accounts are linked to roles (e.g., instructors access reports only), with inactivity triggers set to lock accounts after 30 days. AI monitors login patterns, flagging anomalies (e.g., off-hours access) and notifying security directors via email alerts.
  • AC-3: Access Enforcement – Logical access to The Tutor’s components (e.g., tablet data, AR projections) is enforced using role-based access control (RBAC). Guardians provide signed FERPA consent forms, scanned and stored digitally, before any data collection (e.g., biometric feedback). Access requests are validated through a centralized Identity and Access Management (IAM) system.
  • AC-4: Information Flow Enforcement – Data flows between The Tutor’s AI, AR glasses, and tablet are restricted using network segmentation and data loss prevention (DLP) tools. For example, BASC-3 emotional data is encrypted and only flows to clinicians’ secure endpoints, with flows logged and audited weekly to prevent unauthorized sharing.
  • AC-5: Separation of Duties – The Tutor assigns distinct roles: instructors view reports, clinicians access well-being data, and administrators approve changes. No single user can both collect and modify data (e.g., MBTI results), enforced by RBAC policies in the IAM system, with violations triggering alerts to the Principal.
  • AC-6: Least Privilege – The Tutor’s AI operates with read-only access to student data for monitoring, with write access restricted to system updates approved by administrators. Guardians are notified via the secure portal of any privilege escalations, ensuring transparency for DCS oversight.
  • AC-7: Unsuccessful Logon Attempts – The Tutor’s login interface limits unsuccessful attempts to three, locking accounts for 15 minutes. Failed attempts are logged with IP addresses and timestamps, with email alerts sent to security directors for investigation, ensuring no unauthorized access to student profiles.
  • AC-8: System Use Notification – Before accessing The Tutor’s tablet or AR glasses, users see a splash screen displaying a FERPA-compliant notice, including guardian consent requirements and privacy warnings. Users must acknowledge the notice, and each acknowledgement is logged for audit purposes.
  • AC-9: Previous Logon Notification – Upon login, The Tutor displays the last successful login time, IP, and device details on the tablet interface. This is implemented via a secure session management module, alerting users to potential unauthorized access for immediate reporting.
  • AC-10: Concurrent Session Control – The Tutor restricts users to one active session at a time, enforced by session tokens in the IAM system. Attempts to open multiple sessions are blocked, with logs sent to security directors to prevent shared account risks.
  • AC-11: Device Lock – AR glasses and tablets lock after 5 minutes of inactivity, requiring biometric re-authentication (e.g., fingerprint). Locks are enforced by device management software, with unlock attempts logged for FERPA audits.
  • AC-12: Session Termination – Sessions terminate after 15 minutes of inactivity or if The Tutor detects a user leaving a supervised area (via GPS). Termination is handled by the session management module, with logs stored securely for review.
  • AC-14: Permitted Actions Without Identification – No actions on The Tutor are permitted without authentication. All interactions, including data queries, require user identification via MFA, enforced by the IAM system to protect student PII.
  • AC-16: Security and Privacy Attributes – Student data (e.g., critical thinking scores) is tagged with FERPA classification attributes using metadata in the database. These tags are checked during data access to ensure compliance, with violations logged.
  • AC-17: Remote Access – Remote maintenance access to The Tutor is allowed only via a VPN with MFA, restricted to non-student interaction hours. Access is logged and monitored in real time, with no remote access permitted during active sessions to protect student data.
  • AC-18: Wireless Access – The Tutor’s wireless connections (e.g., campus mobility) use WPA3 encryption and MAC filtering. Access points are configured to isolate The Tutor’s traffic, with logs reviewed daily to ensure secure operation in facilities like the STEAM lab.
  • AC-19: Access Control for Mobile Devices – Wearables and tablets are enrolled in a mobile device management (MDM) system, enforcing encryption and remote wipe capabilities. Only Academy-approved devices connect to The Tutor, with configurations audited monthly.
  • AC-20: Use of External Systems – External tools like MBTI are governed by FERPA-compliant data processing agreements, prohibiting data export. Agreements are reviewed annually by legal counsel, with data flows monitored via DLP tools.
  • AC-21: Information Sharing – Guardians access student reports via a secure portal, where they can approve sharing with clinicians or instructors. Sharing is logged, and guardians receive notifications of access requests, ensuring FERPA transparency.
  • AC-22: Publicly Accessible Content – Public content, like general lesson demos, is stripped of PII using automated filtering scripts before display on The Tutor’s AR glasses, ensuring no student data is exposed.
  • AC-23: Data Mining Protection – Data mining on The Tutor is restricted to authorized analytics for educational purposes, with algorithms configured to anonymize outputs. Unauthorized mining attempts are blocked by DLP tools and logged.
  • AC-24: Access Control Decisions – Access decisions are logged with justifications (e.g., role-based need) in the IAM system. Guardians can review decisions via the portal, ensuring accountability for DCS.
  • AC-25: Reference Monitor – The Tutor’s reference monitor enforces access rules, blocking unprivileged users from modifying AI models or student data, implemented via kernel-level security checks.
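As an added illustration (not code from the Academy or The Tutor system), the following Python models the AC-7, AC-10, AC-11 and AC-12 statements above as one small access controller with an audit trail, so the interaction of the lockout, single-session and idle rules can be checked end to end. The credential store, user names, IP address and the `minute()` clock helper are constructed assumptions standing in for the IAM and MFA back end.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds stated in AC-7, AC-10, AC-11 and AC-12.
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_PERIOD = timedelta(minutes=15)
DEVICE_LOCK_IDLE = timedelta(minutes=5)
SESSION_IDLE_LIMIT = timedelta(minutes=15)
POLICY_EPOCH = datetime(2025, 10, 1, 9, 0, 0)  # constructed reference instant for replayable scenarios


def minute(n: int) -> datetime:
    return POLICY_EPOCH + timedelta(minutes=n)


@dataclass
class AuditEvent:
    time: datetime       # AC-7: timestamp and source IP are recorded for every attempt
    user: str
    event: str
    source_ip: str
    alert: bool = False  # True when security directors are to be notified


@dataclass
class Session:
    user: str
    token: str
    last_activity: datetime
    device_locked: bool = False


class AccessController:
    """In-memory model of the login and session rules; the real IAM/MFA back end is out of scope."""

    def __init__(self, credentials: dict):
        self._credentials = credentials  # constructed sample: user -> secret, standing in for MFA
        self._failed: dict = {}          # user -> consecutive failed attempts
        self._locked_until: dict = {}    # user -> lock expiry
        self._sessions: dict = {}        # user -> Session (AC-10: at most one per user)
        self.audit: list = []

    def _log(self, now, user, event, ip, alert=False):
        self.audit.append(AuditEvent(now, user, event, ip, alert))

    def login(self, user: str, secret: str, source_ip: str, now: datetime) -> Optional[str]:
        """Return a session token, or None on refusal; only the audit log records the reason."""
        locked_until = self._locked_until.get(user)
        if locked_until is not None and now < locked_until:
            self._log(now, user, "LOGIN_REJECTED_LOCKED", source_ip)
            return None
        if not secrets.compare_digest(self._credentials.get(user, ""), secret):
            self._failed[user] = self._failed.get(user, 0) + 1
            self._log(now, user, "LOGIN_FAILED", source_ip)
            if self._failed[user] >= MAX_FAILED_ATTEMPTS:  # AC-7: third failure locks for 15 minutes
                self._locked_until[user] = now + LOCKOUT_PERIOD
                self._failed[user] = 0
                self._log(now, user, "ACCOUNT_LOCKED", source_ip, alert=True)
            return None
        if user in self._sessions:  # AC-10: a second session is refused, the first is not replaced
            self._log(now, user, "CONCURRENT_SESSION_BLOCKED", source_ip, alert=True)
            return None
        self._failed[user] = 0
        token = secrets.token_hex(16)
        self._sessions[user] = Session(user, token, now)
        self._log(now, user, "LOGIN_OK", source_ip)
        return token

    def _find(self, token: str) -> Optional[Session]:
        return next((s for s in self._sessions.values() if secrets.compare_digest(s.token, token)), None)

    def activity(self, token: str, source_ip: str, now: datetime) -> str:
        """Apply the AC-11/AC-12 idle rules before an action; returns the resulting session state."""
        s = self._find(token)
        if s is None:
            return "no_session"
        idle = now - s.last_activity
        if idle >= SESSION_IDLE_LIMIT:  # AC-12: 15 minutes idle terminates the session outright
            del self._sessions[s.user]
            self._log(now, s.user, "SESSION_TERMINATED_IDLE", source_ip)
            return "terminated"
        if idle >= DEVICE_LOCK_IDLE and not s.device_locked:  # AC-11: 5 minutes idle locks the device
            s.device_locked = True
            self._log(now, s.user, "DEVICE_LOCKED_IDLE", source_ip)
        if s.device_locked:
            return "device_locked"  # biometric re-authentication required before any action
        s.last_activity = now
        return "active"

    def biometric_unlock(self, token: str, biometric_ok: bool, source_ip: str, now: datetime) -> bool:
        s = self._find(token)
        if s is None or not s.device_locked:
            return False
        self._log(now, s.user, "DEVICE_UNLOCK_OK" if biometric_ok else "DEVICE_UNLOCK_FAILED", source_ip)
        if biometric_ok:
            s.device_locked = False
            s.last_activity = now
        return biometric_ok
```

Note that a locked device does not refresh `last_activity`, so a user who never re-authenticates still hits the 15-minute termination rule.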

Awareness and Training (AT)

Awareness and training programs educate Academy staff, instructors, and guardians on The Tutor's security features, FERPA obligations, and child safety protocols.

  • AT-1: Policy and Procedures – Policies are developed by the security team and disseminated via annual workshops, with digital copies on the internal server. Procedures outline FERPA-compliant data handling and are updated yearly.
  • AT-2: Literacy Training and Awareness – All users attend mandatory training sessions using The Tutor’s AR glasses for simulations on phishing, insider threats, and suspicious interactions (e.g., unauthorized gesture tracking). Training includes FERPA-specific modules on consent, delivered quarterly.
  • AT-3: Role-Based Training – Clinicians are trained on accessing BASC-3 data securely, instructors on supervising The Tutor, and administrators on oversight, using role-specific modules delivered via e-learning platforms. Training is refreshed biannually.
  • AT-4: Incident Response Training – Staff practice reporting incidents (e.g., unauthorized AR projections) using mock scenarios on The Tutor’s tablet. DCS/guardian notification protocols are emphasized, with training conducted annually.
  • AT-5: Contacts with Groups and Associations – Training records are maintained in a secure database, accessible for FERPA audits. The security team collaborates with educational privacy groups to align training with best practices.
  • AT-6: Training Feedback – Post-training surveys are collected via the tablet, with feedback analyzed to refine The Tutor’s AI responses (e.g., adjusting prompts for clarity). Feedback is stored securely for review.

Audit and Accountability (AU)

Audit mechanisms log all The Tutor activities to ensure accountability, with FERPA-required access to records for guardians.

  • AU-1: Policy and Procedures – Audit policies are documented and reviewed annually, stored on the internal server. Procedures outline logging of all Tutor interactions, aligned with FERPA record-keeping requirements.
  • AU-2: Event Logging – Events like VARK assessments or biometric scans are logged with user IDs, timestamps, and data types using a centralized logging system. Logs are configured to capture FERPA-relevant actions.
  • AU-3: Content of Audit Records – Audit records include detailed metadata (e.g., user, time, action) for events like facial recognition scans, stored in a tamper-proof database for reconstruction during audits.
  • AU-4: Audit Log Storage Capacity – Logs are stored on the internal server with capacity for 7 years of data, per FERPA. Automated scripts alert administrators if storage exceeds 80% capacity.
  • AU-5: Response to Audit Logging Process Failures – Audit failures trigger immediate alerts to security directors via email and SMS, with The Tutor’s monitoring paused until resolved. Failover logging to tablets ensures continuity.
  • AU-6: Audit Record Review, Analysis, and Reporting – Logs are reviewed weekly using AI analytics to detect anomalies (e.g., unusual biometric patterns). Reports are generated for department heads, excluding PII unless guardians have consented to its inclusion.
  • AU-7: Audit Record Reduction and Report Generation – Logs are reduced using automated tools to filter non-essential data, generating monthly FERPA-compliant reports for oversight, accessible via the secure portal.
  • AU-8: Time Stamps – Logs use NIST-traceable time stamps synchronized via Network Time Protocol (NTP), ensuring accurate event sequencing for audits.
  • AU-9: Protection of Audit Information – Audit data is encrypted at rest (AES-256) and in transit (TLS 1.3), with access restricted to administrators via MFA, protecting against unauthorized modifications.
  • AU-10: Non-Repudiation – Logs are digitally signed using PKI certificates to ensure authenticity, preventing denial of actions like data access by instructors.
  • AU-11: Audit Record Retention – Logs are retained for 7 years on encrypted offsite backups, accessible only for FERPA audits or guardian requests via the secure portal.
  • AU-12: Audit Record Generation – The Tutor generates logs for all interactions (e.g., EDGE method sessions) using a logging agent integrated into its AI, with logs centralized for review.
  • AU-13: Monitoring for Information Disclosure – DLP tools monitor for unauthorized disclosure of audit data, with real-time alerts to security directors if sensitive data is accessed.
  • AU-14: Session Audit – User sessions are audited with start/end times and actions logged, linked to individual identities via MFA, ensuring traceability.
  • AU-15: Alternate Audit Capability – During network failures, tablets store logs locally, syncing to the server when connectivity is restored, ensuring no loss of audit data.
  • AU-16: Cross-Organizational Audit – Logs are integrated into a centralized repository for Academy-wide analysis, with FERPA filters to prevent unauthorized PII sharing.
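The following Python, added here and not part of the Academy's system, shows how the AU-3, AU-8, AU-9/AU-10 and AU-6/AU-7 statements fit together: a hash-chained audit log whose records are signed and re-verified, plus a reduced report that strips PII unless the guardian has consented. The signing key, field names and sample records are constructed, and an HMAC stands in for the PKI signatures the policy specifies so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demonstration key. AU-10 calls for PKI signatures; an HMAC stands in here so the
# example runs with the standard library only. The chain and verification logic are the same.
SIGNING_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64
PII_FIELDS = {"student_id", "student_name", "biometric_sample"}  # AU-6: stripped unless consented


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so the same record always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(digest: str) -> str:
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, hash-chained log: each record commits to its predecessor (AU-3, AU-9, AU-10)."""

    def __init__(self):
        self.records = []
        self._prev_hash = GENESIS

    def append(self, user: str, action: str, data_type: str,
               details: Optional[dict] = None, when: Optional[datetime] = None) -> str:
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.records),
            "time": when.astimezone(timezone.utc).isoformat(),  # AU-8: UTC, ISO 8601
            "user": user,
            "action": action,
            "data_type": data_type,
            "details": details or {},
            "prev_hash": self._prev_hash,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.records.append({**body, "hash": digest, "sig": _sign(digest)})
        self._prev_hash = digest
        return digest

    def verify(self):
        """Return (True, None) if intact, else (False, index) of the first record that fails.
        Catches edited fields, forged signatures, and deleted or reordered records."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
            if body.get("seq") != i or body.get("prev_hash") != prev:
                return False, i
            digest = hashlib.sha256(_canonical(body)).hexdigest()
            if digest != rec.get("hash") or not hmac.compare_digest(_sign(digest), rec.get("sig", "")):
                return False, i
            prev = digest
        return True, None

    def report(self, consented_students=frozenset()):
        """AU-6/AU-7: reduced report for department heads; PII kept only where the guardian consented."""
        out = []
        for rec in self.records:
            details = dict(rec["details"])
            if details.get("student_id") not in consented_students:
                for field in PII_FIELDS:
                    details.pop(field, None)
            out.append({"time": rec["time"], "user": rec["user"], "action": rec["action"],
                        "data_type": rec["data_type"], "details": details})
        return out
```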

Assessment, Authorization, and Monitoring (CA)

Ongoing assessments ensure The Tutor's controls remain effective, with FERPA privacy impact assessments.

  • CA-1: Policy and Procedures – Assessment policies are documented and reviewed annually, stored on the internal server, and include FERPA-specific procedures for PII assessments.
  • CA-2: Control Assessments – Semi-annual assessments are conducted using NIST 800-53A checklists, focusing on AI data processing. External auditors verify findings, with results shared with guardians upon request.
  • CA-3: System Interconnections – Interconnections to campus clinics are authorized via FERPA-compliant agreements, with data flows encrypted and logged to ensure secure clinician access.
  • CA-7: Continuous Monitoring – Real-time monitoring tools track The Tutor’s performance, alerting administrators to non-compliant data handling (e.g., unconsented monitoring) via dashboards.
  • CA-8: Penetration Testing – Annual penetration tests simulate attacks on biometric systems, conducted by certified testers. Results are anonymized and shared with guardians to ensure transparency.
  • CA-9: Internal System Connections – Internal connections (e.g., to STEAM lab systems) are audited quarterly to verify FERPA compliance, with logs reviewed by security directors.

Configuration Management (CM)

Configurations for The Tutor are baselined to maintain integrity and FERPA-aligned data handling.

  • CM-1: Policy and Procedures – Configuration management policies are documented and enforced.
  • CM-2: Baseline Configuration – Baseline configurations for The Tutor’s AI, AR glasses, and tablet are maintained and updated quarterly using configuration management tools, with baselines stored securely.
  • CM-3: Configuration Change Control – Changes to The Tutor, such as EDGE method updates, are controlled and documented with approval workflows.
  • CM-4: Security Impact Analysis – Security impact analyses, including FERPA risks, are performed before changes using risk assessment tools, evaluating effects on PII like biometric data, with results reviewed by administrators.
  • CM-5: Access Restrictions for Change – Access restrictions for changes are enforced, requiring human supervisor approval verified via digital signatures in the change management system.
  • CM-6: Configuration Settings – Configuration settings for components like facial recognition are enforced via automated tools, audited monthly to ensure compliance with Academy standards.
  • CM-7: Least Functionality – The system is configured to provide only essential capabilities, excluding non-FERPA features, enforced by endpoint security tools.
  • CM-8: System Component Inventory – An inventory of system components is maintained and updated daily via automated discovery tools.
  • CM-9: Configuration Management Plan – A configuration management plan aligns with Academy standards and is reviewed annually.
  • CM-10: Software Usage Restrictions – Software usage is restricted to approved educational tools, enforced by application whitelisting on tablets and AR glasses.
  • CM-11: User-Installed Software – User-installed software on tablets is managed and scanned, with violations alerting administrators.
  • CM-12: Information Location – Information location, like student profiles, is tracked for FERPA compliance, using metadata tags.
  • CM-14: Signed Components – Signed components ensure authenticity for AI updates, with verification logs stored.

Contingency Planning (CP)

Contingency planning ensures continuity of operations while protecting student data per FERPA.

  • CP-1: Policy and Procedures – Contingency planning policies are documented.
  • CP-2: Contingency Plan – A contingency plan for The Tutor includes data recovery and failover to manual instruction, tested quarterly with guardian notifications for disruptions.
  • CP-3: Contingency Training – Contingency training is provided annually using The Tutor’s tablet for simulations.
  • CP-4: Contingency Plan Testing – The plan is tested quarterly, simulating disruptions in facilities.
  • CP-6: Alternate Storage Site – Alternate storage sites for student records are secured off-campus with daily synchronization.
  • CP-7: Alternate Processing Site – Alternate processing sites enable The Tutor relocation during outages, tested annually.
  • CP-8: Telecommunications Services – Telecommunications services are prioritized for contingency operations, ensuring clinician alerts.
  • CP-9: System Backup – System backups are conducted daily with encryption.
  • CP-10: System Recovery and Reconstitution – System recovery and reconstitution prioritize FERPA data integrity.
  • CP-11: Alternate Communications Protocols – Alternate communications use secure channels for guardian notifications.
  • CP-12: Safe Mode – Safe mode operations disable monitoring during emergencies.
  • CP-13: Alternative Security Mechanisms – Alternative security mechanisms activate for biometric failures.

Identification and Authentication (IA)

Identification and authentication controls verify user identities to protect FERPA-covered records.

  • IA-1: Policy and Procedures – Identification and authentication policies are documented.
  • IA-2: Identification and Authentication (Organizational Users) – Organizational users are identified and authenticated via MFA.
  • IA-3: Device Identification and Authentication – Device identities are authenticated with certificates.
  • IA-4: Identifier Management – Identifiers are managed uniquely per student profile.
  • IA-5: Authenticator Management – Authenticators are managed with rotation policies.
  • IA-6: Authenticator Feedback – Feedback of authentication information is obscured.
  • IA-7: Cryptographic Module Authentication – Cryptographic mechanisms are used for authentication.
  • IA-8: Identification and Authentication (Non-Organizational Users) – Non-organizational users are authenticated with temporary credentials.
  • IA-9: Service Identification and Authentication – Service identification and authentication use PKI.
  • IA-10: Adaptive Identification and Authentication – Adaptive authentication adjusts based on risk.
  • IA-11: Re-Authentication – Re-authentication is required for sensitive actions.
  • IA-12: Identity Proofing – Identity proofing includes FERPA consent verification.
  • IA-13: Out-of-Band Authentication – Out-of-band authentication is used for critical actions.

Incident Response (IR)

Incident response capabilities handle security incidents with FERPA notification requirements.

  • IR-1: Policy and Procedures – Incident response policies are documented.
  • IR-2: Incident Response Training – Training includes FERPA breach simulations.
  • IR-3: Incident Response Testing – Capability testing occurs biannually.
  • IR-4: Incident Handling – Incidents are handled with containment and guardian alerts.
  • IR-5: Incident Monitoring – Monitoring for incidents uses AI to detect anomalies.
  • IR-6: Incident Reporting – Incident information is reported per FERPA.
  • IR-7: Incident Response Assistance – Support resources include a dedicated team.
  • IR-8: Incident Response Plan – An incident response plan covers The Tutor-specific events.
  • IR-9: Incident Response Coordination – Coordination with external parties like DCS is established.
  • IR-10: Information Spillage Response – Information spillage is managed with sanitization.

Maintenance (MA)

Maintenance controls ensure system reliability without compromising FERPA data.

  • MA-1: Policy and Procedures – Maintenance policies are documented.
  • MA-2: Controlled Maintenance – System maintenance is performed in supervised downtime.
  • MA-3: Maintenance Tools – Tools are inspected for malware.
  • MA-4: Non-Local Maintenance – Non-local maintenance is monitored with video logging.
  • MA-5: Maintenance Personnel – Personnel are screened per FERPA.
  • MA-6: Timely Maintenance – Timely maintenance addresses vulnerabilities.
  • MA-7: Field Maintenance – Field maintenance is logged.
  • MA-8: Predictive Maintenance – Predictive maintenance uses AI to forecast issues.

Media Protection (MP)

Media protection controls safeguard information media.

  • MP-1: Policy and Procedures – Media protection policies are documented.
  • MP-2: Media Access – Access to media is restricted.
  • MP-3: Media Marking – Media is marked with distribution limitations.
  • MP-4: Media Storage – Media storage is controlled.
  • MP-5: Media Transport – Media is protected during transport.
  • MP-6: Media Sanitization – Media is sanitized prior to disposal.
  • MP-7: Media Use – Media use is controlled.
  • MP-8: Media Downgrading – Portable storage devices are prohibited when not required.

Physical and Environmental Protection (PE)

Physical and environmental protection controls safeguard facilities.

  • PE-1: Policy and Procedures – Physical and environmental protection policies are documented.
  • PE-2: Physical Access Authorizations – Physical access is limited.
  • PE-3: Physical Access Control – Access is authorized, monitored, and controlled.
  • PE-5: Access Control for Output Devices – Access to output devices is controlled.
  • PE-6: Monitoring Physical Access – Physical access is monitored.
  • PE-7: Visitor Control – Visitor access is managed.
  • PE-8: Access Records – Access records are maintained.
  • PE-10: Emergency Shutoff – Emergency shutoff capabilities are provided.
  • PE-11: Emergency Power – Emergency power is provided.
  • PE-12: Emergency Lighting – Emergency lighting is provided.
  • PE-13: Fire Protection – Fire protection is provided.
  • PE-14: Environmental Controls – Temperature and humidity are monitored and controlled.
  • PE-15: Water Damage Protection – Protection against water damage is provided.
  • PE-16: Delivery and Removal – Delivery and removal of system components are controlled.
  • PE-17: Alternate Work Site – Alternate work sites are employed.
  • PE-18: Location of System Assets – Asset location is managed.
  • PE-19: Information Leakage – Electromagnetic shielding is employed.
  • PE-20: Asset Monitoring and Tracking – Asset placement and protection are managed.
  • PE-21: Electromagnetic Pulse Protection – Electromagnetic pulse protection is employed.
  • PE-22: Component Authenticity – Component authenticity is provided.
  • PE-23: Facility Location – Facility access is managed.

Planning (PL)

Planning controls for security and privacy are implemented.

  • PL-1: Policy and Procedures – Planning policies are documented.
  • PL-2: System Security and Privacy Plans – Security and privacy plans are developed and maintained.
  • PL-4: Rules of Behavior – Rules of behavior are planned.
  • PL-5: Privacy Impact Assessment – Privacy impact assessments are developed.
  • PL-8: Security and Privacy Architectures – Security and privacy architectures are developed.
  • PL-9: Central Management – Review and approval processes are centralized.
  • PL-10: Baseline Selection – Baseline tailoring guidance is developed.
  • PL-11: System of Records Notices – System of records notices are managed.

Program Management (PM)

Program management controls for enterprise-wide security and privacy are implemented.

  • PM-1: Information Security Program Leadership Role – A senior information security officer is appointed.
  • PM-2: Information Security Program Plan – An information security program plan is established.
  • PM-3: Information Security and Privacy Resources – Information security resources are managed.
  • PM-4: Plan of Action and Milestones Process – A plan of action and milestones process is developed.
  • PM-5: System Inventory – An inventory of systems is maintained.
  • PM-6: Information Security and Privacy Measures of Performance – Measures of performance are developed.
  • PM-7: Enterprise Architecture – Enterprise architecture with security and privacy components is implemented.
  • PM-8: Critical Infrastructure Plan – Critical infrastructure is identified.
  • PM-9: Risk Management Strategy – A risk management strategy is developed.
  • PM-10: Authorization Process – An authorization process is established.
  • PM-11: Mission or Business Process Definition – Mission and business processes are defined.
  • PM-12: Insider Threat Program – Insider threat programs are implemented.
  • PM-13: Security and Privacy Workforce – Security and privacy workforce development is implemented.
  • PM-14: Testing, Training, and Monitoring – Testing, training, and monitoring processes are managed.
  • PM-15: Security and Privacy Groups and Associations – Security and privacy groups and roles are established.
  • PM-16: Threat Awareness Program – Threat awareness programs are implemented.
  • PM-17: Protecting Controlled Unclassified Information on Non-Federal Systems – Information at rest is protected.
  • PM-18: Privacy Program Plan – Privacy program plans are managed.
  • PM-19: Privacy Program Leadership Role – Security and privacy representation is managed.
  • PM-20: Capacity Planning – Capacity planning is managed.
  • PM-21: Accounting of Disclosures – Enterprise software usage is implemented.
  • PM-22: Information Life Cycle – Information life cycle is managed.
  • PM-23: Data Governance Body – Data governance bodies are implemented.
  • PM-24: Data Integrity Board – Data integrity boards are established.
  • PM-25: Minimization of PII Used in Testing, Training, and Research – PII is minimized in testing, training, and research.
  • PM-26: Complaint Management – Complaint processes are managed.
  • PM-27: Privacy Reporting – Privacy reports are produced.
  • PM-28: Risk Framing – Risk framing is conducted.
  • PM-29: Risk Management Roles – Risk management roles are defined.
  • PM-30: Supply Chain Risk Management Strategy – Supply chain risk management strategies are developed.
  • PM-31: Continuous Monitoring Strategy – Continuous monitoring strategies are developed.
  • PM-32: Purposing – Purposing activities are conducted.

Personnel Security (PS)

Personnel security controls manage risks from personnel.

  • PS-1: Policy and Procedures – Personnel security policies are documented.
  • PS-2: Position Risk Designation – Risk designations are assigned to positions.
  • PS-3: Personnel Screening – Personnel are screened prior to authorization.
  • PS-4: Termination – Access is terminated upon personnel termination.
  • PS-5: Personnel Transfer – Personnel transfer processes are managed.
  • PS-6: Access Agreements – Access agreements are enforced.
  • PS-7: Third-Party Personnel Security – Third-party personnel security is managed.
  • PS-8: Personnel Sanctions – Personnel sanctions are applied.
  • PS-9: Personnel Risk Assessments – Personnel risk assessments are managed.

PII Processing and Transparency (PT)

Controls for processing and transparency of PII are implemented.

  • PT-1: Policy and Procedures – PII processing and transparency policies are documented.
  • PT-2: Authority to Process PII – Authority to process PII is defined.
  • PT-3: PII Processing Purposes – Purposes for PII processing are defined.
  • PT-4: PII Processing Consent – Consent for PII processing is obtained.
  • PT-5: Privacy Notice – Privacy notices are provided.
  • PT-6: System of Records Notices – System of records notices are managed.
  • PT-7: Specific Categories of PII – Specific categories of PII are managed.
  • PT-8: Privacy Program Dissemination – Privacy program plans are disseminated and implemented.
  • PT-9: PII Processing Agreements – PII processing agreements are managed.

Risk Assessment (RA)

Risk assessment controls identify and manage risks.

  • RA-1: Policy and Procedures – Risk assessment policies are documented.
  • RA-2: Security Categorization – Security categorization is conducted.
  • RA-3: Risk Assessment – Risk assessments are conducted.
  • RA-5: Vulnerability Monitoring and Scanning – Vulnerability monitoring is conducted.
  • RA-6: Technical Surveillance Countermeasures Survey – Technical surveillance countermeasures surveys are performed.
  • RA-7: Risk Response – Risk response planning is conducted.
  • RA-8: Privacy Impact Assessments – Critical infrastructure is assessed.
  • RA-9: Criticality Analysis – Criticality analysis is conducted.
  • RA-10: Integrated Risk Management – Integrated risk assessments are conducted.

System and Services Acquisition (SA)

System and services acquisition controls ensure security in acquisitions.

  • SA-1: Policy and Procedures – System and services acquisition policies are documented.
  • SA-2: Allocation of Resources – Resources for security are allocated.
  • SA-3: System Development Life Cycle – System development life cycle processes are employed.
  • SA-4: Acquisition Process – Acquisitions are managed.
  • SA-5: System Documentation – Documentation for systems is required.
  • SA-6: Software Usage Restrictions – Software usage restrictions are managed.
  • SA-7: User-Installed Software Policy – User-installed software compliance is required.
  • SA-8: Security and Privacy Engineering Principles – Security engineering principles are employed.
  • SA-9: External System Services – External system services are reviewed.
  • SA-10: Developer Configuration Management – Developer configuration management is required.
  • SA-11: Developer Testing and Evaluation – Developer security and privacy testing is required.
  • SA-12: Supply Chain Risk Management – Supply chain risks are managed.
  • SA-13: Trustworthiness – Trustworthiness requirements are established.
  • SA-14: Criticality Analysis – Criticality of functions is defined.
  • SA-15: Development Process, Standards, and Tools – Development process, standards, and tools are required.
  • SA-16: Developer-Provided Training – Developer training is required.
  • SA-17: Developer Security and Privacy Architecture and Design – Developer security architecture and design are required.
  • SA-18: Tamper Resistance and Detection – Tamper protection and anti-counterfeit measures are employed.
  • SA-19: Component Authenticity – Component authenticity measures are employed.
  • SA-20: Customized Development of Critical Components – Customized development of critical components is employed.
  • SA-21: Developer Screening – Developer screening is required.
  • SA-22: Unsupported System Components – Unsupported components are managed.
  • SA-23: Specialization – Specialization is employed.
  • SA-24: Operations Security – Operations security is employed.

System and Communications Protection (SC)

System and communications protection controls safeguard communications.

  • SC-1: Policy and Procedures. System and communications protection policies are documented.
  • SC-2: Separation of System and User Functionality. User functionality is separated from system management functionality.
  • SC-3: Security Function Isolation. Security function isolation is employed.
  • SC-4: Information in Shared System Resources. Protection against information leakage through shared resources is employed.
  • SC-5: Denial-of-Service Protection. Denial-of-service protection is employed.
  • SC-6: Resource Availability. Resource availability is managed.
  • SC-7: Boundary Protection. Boundary protection is employed.
  • SC-8: Transmission Confidentiality and Integrity. Cryptographic protection for communications is employed.
  • SC-9: Transmission Confidentiality. Protection against traffic analysis is employed.
  • SC-10: Network Disconnect. Network disconnect is managed.
  • SC-11: Trusted Path. Trusted communications paths are employed.
  • SC-12: Cryptographic Key Establishment and Management. Cryptographic key establishment and management are employed.
  • SC-13: Cryptographic Protection. Cryptographic protection is employed.
  • SC-17: Public Key Infrastructure Certificates. Public key infrastructure certificates are managed.
  • SC-18: Mobile Code. Mobile code is prohibited when appropriate.
  • SC-20: Secure Name/Address Resolution Service. Secure name/address resolution services are employed.
  • SC-21: Secure Name/Address Resolution Service (Authoritative Source). Authoritative name/address resolution services are secured.
  • SC-22: Architecture and Provisioning for Name/Address Resolution Service. Architecture and provisioning for name/address resolution are employed.
  • SC-23: Session Authenticity. Session authenticity is managed.
  • SC-24: Fail in Known State. System components fail to a known state.
  • SC-25: Thin Nodes. Thin nodes are employed.
  • SC-26: Decoys. Decoys are employed.
  • SC-27: Platform-Independent Applications. Platform-independent applications are employed.
  • SC-28: Protection of Information at Rest. Information at rest is protected.
  • SC-29: Heterogeneity. Heterogeneity is employed.
  • SC-30: Concealment and Misdirection. Concealment and misdirection techniques are employed.
  • SC-31: Covert Channel Analysis. Covert channel analysis is employed.
  • SC-32: System Partitioning. System components are separated.
  • SC-34: Non-Modifiable Executable Programs. Non-modifiable executable programs are employed.
  • SC-35: External Malicious Code Identification. External malicious code identification is employed.
  • SC-36: Distributed Processing and Storage. Distributed processing and storage are employed.
  • SC-37: Out-of-Band Channels. Out-of-band channels are employed.
  • SC-38: Operations Security. Operations security safeguards are employed.
  • SC-39: Process Isolation. Process isolation is employed.
  • SC-40: Wireless Link Protection. Wireless link protection is employed.
  • SC-41: Port and I/O Device Access. Port and I/O device access protection is employed.
  • SC-42: Sensor Capability and Data. Sensor capability and data are employed.
  • SC-43: Usage Restrictions. Usage restrictions are employed.
  • SC-44: Detonators. Detonators for unexpected files are employed.
  • SC-45: System Time Synchronization. System time synchronization is employed.
  • SC-46: Cross-Domain Policy Enforcement. Cross-domain policy enforcement is performed.
  • SC-47: Alternate Communications Paths. Alternate communications paths are employed.
  • SC-48: Sensor Relocation. Sensor relocation is employed.
  • SC-49: Hardware-Based Protection. Hardware direct memory access is prohibited.
  • SC-50: Software-Enforced Separation. Software-enforced separation is employed.
  • SC-51: Hardware Separation Mechanisms. Hardware separation mechanisms are employed.

System and Information Integrity (SI)

System and information integrity controls protect against malicious code and errors.

  • SI-1: Policy and Procedures. System and information integrity policies are documented.
  • SI-2: Flaw Remediation. Flaws are remediated.
  • SI-3: Malicious Code Protection. Malicious code protection is employed.
  • SI-4: System Monitoring. The system is monitored.
  • SI-5: Security Alerts, Advisories, and Directives. Security alerts, advisories, and directives are provided.
  • SI-6: Security and Privacy Function Verification. Security and privacy functions are verified.
  • SI-7: Software, Firmware, and Information Integrity. Unauthorized changes to software, firmware, and information are detected.
  • SI-8: Spam Protection. Spam protection is employed.
  • SI-10: Information Input Validation. Information input validation is employed.
  • SI-11: Error Handling. Errors are handled and reported.
  • SI-12: Information Management and Retention. Information management and retention are employed.
  • SI-13: Predictable Failure Prevention. Predictable failure prevention is employed.
  • SI-14: Non-Persistence. Non-persistence is employed.
  • SI-15: Information Fragmentation. Information fragmentation is employed.
  • SI-16: Memory Protection. Memory protection is employed.
  • SI-17: Fail-Safe Procedures. Fail-safe procedures are employed.
  • SI-18: PII Integrity Checking. PII integrity checking is employed.
  • SI-19: De-Identification. De-identification techniques are employed.
  • SI-20: Tainting. Tainting is employed.
  • SI-21: Information Diversity. Information diversity is employed.
  • SI-22: Information Redundancy. Alternative sources for information are employed.
  • SI-23: Information Refresh. Information refresh is employed.

Supply Chain Risk Management (SR)

Supply chain risk management controls mitigate risks from suppliers.

  • SR-1: Policy and Procedures. Supply chain risk management policies are documented.
  • SR-2: Supply Chain Risk Management Plan. A supply chain risk management plan is developed and implemented.
  • SR-3: Supply Chain Controls and Processes. Supply chain controls with suppliers are established.
  • SR-4: Provenance. Provenance tracking is employed.
  • SR-5: Acquisition Strategies, Tools, and Methods. Acquisition strategies, tools, and methods are employed.
  • SR-6: Supplier Assessments and Reviews. Supplier assessments and reviews are employed.
  • SR-7: Supply Chain Operations Security. Supply chain operations security is performed.
  • SR-8: Notification Agreements. Notification agreements with suppliers are established.
  • SR-9: Tamper Resistance and Detection. Tamper resistance and detection are employed.
  • SR-10: Inspection of Systems or Components. Inspections of systems or components are performed.
  • SR-11: Component Authenticity. Component authenticity measures are employed.
  • SR-12: Component Disposal. Component disposal is managed.
  • SR-13: Criticality Analysis of Supply Chain. Supplier criticalities are assessed.

Enforcement and Compliance

Violations of this policy may result in disciplinary action, up to and including termination, and may be reported to DCS or other authorities if they impact student well-being. Compliance is monitored through annual audits, continuous monitoring, and incident reporting. The policy is reviewed annually or upon significant changes to The Tutor system or regulations.

Appendix A: References

National Institute of Standards and Technology. (2020). Security and privacy controls for information systems and organizations (NIST Special Publication 800-53, Rev. 5). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-53r5

U.S. Department of Education. (n.d.). Family Educational Rights and Privacy Act (FERPA). https://studentprivacy.ed.gov/ferpa

McCartin, S. (2024, October 29). AI and the law: What educators need to know. Edutopia. https://www.edutopia.org/article/laws-ai-education/

Consortium for School Networking. (n.d.). CoSN's NIST Cybersecurity Framework resources alignment for K-12. https://www.cosn.org/edtech-topics/cybersecurity/cosns-nist-cybersecurity-framework-resources-alignment-for-k-12/

Hurix Digital. (n.d.). Data privacy in education – FERPA & GDPR alert! https://www.hurix.com/blogs/data-privacy-in-education-through-ferpa-and-gdpr-adherence/