Legacy Haven Academy Security Policy

1. Introduction and Purpose

Legacy Haven Academy, a non-profit grades 5-12 educational institution in Mohave County, Arizona, serves orphans and homeless children, prioritizing their safety and well-being. This security policy establishes a private security force and cybersecurity framework to protect students, staff, property, and data from all threats, including physical violence, bullying, external intrusions, and cyber risks. The policy ensures compliance with federal (e.g., FERPA, 20 U.S.C. §1232g), state (Arizona Revised Statutes, ARS), and local (Mohave County) regulations as of September 27, 2025, including 2025 updates (e.g., SB1618). It integrates a shift schedule with fatigue management, comprehensive training standards, and NIST SP 800-53 Rev. 5 cybersecurity controls to safeguard student personally identifiable information (PII), such as assessment data, biometric feedback, and educational records. The policy prioritizes child safety through de-escalation, human supervision, parental/guardian consent, and secure data storage, addressing Department of Child Services (DCS) concerns. Compliance is mandatory, with violations risking fines, license revocation, disciplinary action, or legal penalties. Annual reviews and updates are required, overseen by the Security Director, Director of Information Activities, and legal counsel. This policy is system-agnostic, applying to all Academy systems and data processing environments.

2. Legal and Cybersecurity Compliance

The security force and data systems must comply with federal, state, and local laws, including ARS, Arizona Administrative Code (AAC), Arizona Department of Public Safety (DPS) regulations, Arizona Department of Education (ADE) School Safety Program (SSP) FY25 Guidance, FERPA, and NIST SP 800-53 Rev. 5. As a non-profit serving vulnerable youth, additional safeguards align with child welfare and data privacy requirements.

2.1 Agency Licensing and Setup

• Obtain a Security Guard Agency License from DPS Security Guard and Private Investigator (SGPI) Unit (ARS §32-2613; AAC R13-6-202). Valid for 4 years (SB1618).
• Submit application with fingerprints, photos, ID, and proof of qualifying party (QP) with 3 years experience (ARS §32-2422.A.10).
• Pre-approve agency name with DPS before Arizona Corporation Commission registration (AAC R13-6-102).
• Post $2,500 surety bond (ARS §32-2423.B; SB1618).
• Provide liability insurance ($100,000/$300,000) and workers’ compensation (ARS §32-2613.C.2-3; AAC R13-6-202.A.2-3).
• Designate resident manager (21+ years); maintain DPS employee list.
• Align with ADE SSP for grants (2023-2026 cycle; eligible as non-profit).
• Notify DPS of changes within 10 days (ARS §32-2614).
• Implement NIST SP 800-53 controls for data systems, with policies stored on internal-only servers, accessible via multi-factor authentication (MFA) (AC-1, CM-1).

2.2 Individual Guard Licensing and Registration

• Obtain Security Guard Registration (unarmed) or Armed Registration (ARS §32-2624). Valid for 4 years.
• Submit fingerprints, photo, ID, training verification; provisional for veterans (ARS §32-2624).
• Renew within 60 days; no work during lapses (AAC R13-6-302).
• Revoked certificates: 1-year wait (ARS §32-2607).
• Identify School Safety Officers (SSOs) in emergency plans (ADE SSP).
• Ensure guards accessing data systems complete cybersecurity training and have role-based accounts (AT-3, AC-2).

2.3 Background Checks and Eligibility

• Fingerprint-based DPS/FBI checks for all personnel, including those accessing data systems (ARS §32-2623; AAC R13-6-102; PS-3).
• Disqualifiers: Felonies; misdemeanors (violence, weapons, dishonesty, etc.) within 5 years; domestic violence (ARS §32-2612, §13-3101; 18 U.S.C. §922(g)).
• Dishonorable discharge for armed guards (ARS §32-2622).
• Mandatory DCS Central Registry check for child abuse/neglect; Adult Protective Services (APS) check (ARS §41-1959).
• Drug screening; professional appearance (calm demeanor for youth).
• Personnel risk assessments for those handling PII, with access agreements signed (PS-6, PS-9).

2.4 Armed Security Specifics

• Employer-authorized; DPS-approved uniform/badge (ARS §32-2624).
• Report incidents immediately to law enforcement and security directors.
• Coordinate with local PD/Mohave County Sheriff's Office (2025 Mohave County school safety initiatives); grants for retired officers.
• Shotgun/additional weapons require 8-hour training.
• Ensure armed guards accessing data systems follow role-based access controls (RBAC) and log all interactions (AC-3, AU-2).

2.5 School Safety and Cybersecurity Compliance

• Develop/update comprehensive Emergency Operations Plan (EOP) annually; assess every 5 years (ARS HB2074; ADE SSP FY25).
• Integrate into threat assessment teams, bullying protocols (ARS HB2022).
• SSP grants: Submit annual reports; prioritize SSOs (ADE FY25).
• Train on pupil health/safety post-incident (ARS §15-341).
• Align with Mohave County Sheriff's Office for joint operations (ARS §11-441).
• Child-focused practices: Guards trained to recognize distress in orphans/homeless youth, avoiding escalation.
• Implement NIST SP 800-53 controls for data systems:
  • Access Control (AC): Role-based access (AC-3), MFA (IA-2), session termination after 15 minutes inactivity (AC-12), parental/guardian consent for PII collection (PT-4).
  • Audit and Accountability (AU): Log all interactions (AU-2), retain for 7 years (AU-11), encrypt logs (AU-9).
  • Incident Response (IR): FERPA-compliant incident reporting, parental/guardian/DCS notifications (IR-6, IR-9).
  • Data Protection: Internal-only server with AES-256 encryption, DLP tools, no external system use without agreements (AC-20, SC-28).
  • Audits: Annual third-party audits of data systems (CA-2, AU-6).

2.6 Use of Force and Authority

• Non-deadly force for defense/property (ARS §13-404); deadly force only for imminent threat to life (ARS §13-405).
• Detain for law enforcement (ARS §13-3884; felonies only).
• Document/report all uses; prioritize de-escalation, especially with vulnerable students.
• FERPA health/safety exceptions for disclosures during threats (20 U.S.C. §1232g); log disclosures (AU-10).

2.7 Insurance, Bonds, and Liability

• Agency: $2,500 bond; liability/workers’ comp (ARS §32-2613).
• Guards: Covered under agency policies; recommend individual liability.
• Indemnification clauses in contracts (ARS §12-821).
• Cybersecurity insurance for data breaches involving PII (PM-3).

2.8 Employment and Labor Laws

• FLSA: Minimum wage ($14.35 AZ 2025), overtime (1.5x after 40 hours).
• AZ Paid Sick Time: 40 hours/year.
• Anti-discrimination (ARS §41-1461); ADA accommodations.
• OSHA (29 U.S.C. §651): Safe workplace; annual training (29 CFR 1910.38); PPE (29 CFR 1910.132).

2.9 Federal Requirements

• FERPA (20 U.S.C. §1232g): Guards and system users as “school officials” access PII under MOU; maintain logs, limit re-disclosure (PT-8).
• CISA School Safety: Voluntary risk assessment guidelines (RA-3).
• Gun-Free Schools Act (20 U.S.C. §7151): Coordinate armed guard policies with school board.
• NIST SP 800-53 Rev. 5: Implement controls for data systems (e.g., AC, AU, IR, SC, SI) to protect PII.

2.10 Mohave County Specifics

• No unique ordinances; defer to DPS.
• Coordinate with Mohave County Sheriff's Office for merit system (ARS §11-441); align with 2025 Mohave County school safety/traffic initiatives.
• Ensure data systems’ wireless access uses WPA3 encryption, audited daily (AC-18).

2.11 Reporting and Record-Keeping

• Maintain training/incident records (5 years); employee lists for DPS.
• Annual SSP reports if grant-funded.
• FERPA logs (permanent); data system audit logs (7 years, AU-11).
• Notify DPS of physical security violations within 72 hours (SB1618); report cybersecurity incidents per IR-6.
• Parental/guardian notifications for data access or breaches, logged for transparency (IR-9, PT-5).

3. Shift Structure and Fatigue Management

The security force consists of 6 primary groups (A-F) and 1 reserve group (G), each with 5 personnel, providing 24-hour coverage. Each group works 8 consecutive hours (4 hours patrol + 4 hours QRF, back-to-back), prioritizing child safety from physical, emotional, and cyber threats. Patrol duties involve active guarding/perimeter checks and monitoring data system components (e.g., devices, servers). QRF duties include standby with full 4-hour training, including rigorous drills (e.g., physical conditioning, tactical simulations) at times, to ensure readiness and prevent lethargy in case of activation. The reserve group (G) rotates in to give each primary group a Sunday off in a 7-week cycle, enhancing fatigue management and recovery.

3.1 Daily Schedule (Week 1, Day 1 Example, Monday)

Time Slot         Patrol Group    QRF Group (Training During Shift)
00:00 - 04:00     A               B
04:00 - 08:00     B               A
08:00 - 12:00     C               D
12:00 - 16:00     D               C
16:00 - 20:00     E               F
20:00 - 24:00     F               E

3.2 Group Duties (Week 1, Day 1)

• Group A: Patrol 00:00-04:00, QRF 04:00-08:00 (8 hours duty, 16 hours off).
• Group B: QRF 00:00-04:00, Patrol 04:00-08:00 (8 hours duty, 16 hours off).
• And similarly for C-F.
• Group G (Reserve): On standby, training, or covering absences; no regular shift unless rotating in.

3.3 7-Week Rotation with Sunday Off

Each primary group (A-F) receives a full Sunday off (00:00-24:00) once every 7 weeks, with the reserve group (G) covering both patrol and QRF duties for the off group. The rotation maintains the 6-day cycle for shift times (Monday-Saturday) and adjusts for Sundays. Below is the Sunday rotation schedule over 7 weeks:

Week | Sunday Off | Patrol Group (Sunday)                | QRF Group (Sunday)
-----|------------|--------------------------------------|--------------------------------
1    | Group A    | G (00:00-04:00), B, C (08:00-12:00),| G (04:00-08:00), A, D (08:00-12:00),
    |            | D (12:00-16:00), E (16:00-20:00),   | C (12:00-16:00), F (16:00-20:00),
    |            | F (20:00-24:00)                     | E (20:00-24:00)
2    | Group B    | A (00:00-04:00), G, C (08:00-12:00),| A (04:00-08:00), G, D (08:00-12:00),
    |            | D (12:00-16:00), E (16:00-20:00),   | C (12:00-16:00), F (16:00-20:00),
    |            | F (20:00-24:00)                     | E (20:00-24:00)
3    | Group C    | A (00:00-04:00), B, G (08:00-12:00),| B (00:00-04:00), A, G (12:00-16:00),
    |            | D (12:00-16:00), E (16:00-20:00),   | C (08:00-12:00), F (16:00-20:00),
    |            | F (20:00-24:00)                     | E (20:00-24:00)
4    | Group D    | A (00:00-04:00), B, C (08:00-12:00),| B (00:00-04:00), A, C (12:00-16:00),
    |            | G (12:00-16:00), E (16:00-20:00),   | G (08:00-12:00), F (16:00-20:00),
    |            | F (20:00-24:00)                     | E (20:00-24:00)
5    | Group E    | A (00:00-04:00), B, C (08:00-12:00),| B (00:00-04:00), A, D (08:00-12:00),
    |            | D (12:00-16:00), G (16:00-20:00),   | C (12:00-16:00), G (20:00-24:00),
    |            | F (20:00-24:00)                     | E (16:00-20:00)
6    | Group F    | A (00:00-04:00), B, C (08:00-12:00),| B (00:00-04:00), A, D (08:00-12:00),
    |            | D (12:00-16:00), E (16:00-20:00),   | C (12:00-16:00), E (20:00-24:00),
    |            | G (20:00-24:00)                     | G (16:00-20:00)
7    | Group G    | A (00:00-04:00), B, C (08:00-12:00),| B (00:00-04:00), A, D (08:00-12:00),
    |            | D (12:00-16:00), E (16:00-20:00),   | C (12:00-16:00), F (16:00-20:00),
    |            | F (20:00-24:00)                     | E (20:00-24:00)

• Cycle Details: Each group gets a Sunday off every 7 weeks (e.g., Group A off in Week 1, Group B in Week 2, etc.). On Sundays, Group G covers the absent group’s shifts, maintaining 24-hour coverage. Monday-Saturday follows the 6-day rotation. After Week 7, the cycle repeats.
• Rationale: The 7-week cycle ensures equitable rest, with Group G also receiving a Sunday off to maintain fairness. This supports rigorous QRF training and fatigue management.

3.4 Fatigue Management

• Rest: 16 hours off daily for 7-9 hours sleep; full Sunday off every 7 weeks for extended recovery.
• Rotation: 6-day cycle (Monday-Saturday) prevents fixed night shifts; 7-week Sunday rotation enhances rest.
• QRF Training: Full 4 hours per shift, incorporating rigorous drills (e.g., physical conditioning, tactical simulations) at times to maintain high readiness and prevent lethargy, ensuring immediate response capability if activated. Drills balanced with scenario planning to manage exertion.
• Monitoring: Alertness assessments at shift start (e.g., cognitive tasks); 5-10 minute micro-breaks during patrol shifts to offset QRF intensity.
• Reserves: Group G covers absences and Sunday rotations; additional rest days every 6-12 days (non-Sunday) to mitigate fatigue from rigorous training.
• Support: Nutrition/hydration access; sleep hygiene education for guards.
• Cybersecurity Monitoring: Guards monitor data system components for tampering or unauthorized access, with alerts logged and reported (SI-4, IR-5).

4. Training Standards

All personnel must complete Arizona-required training (unarmed: 8 hours pre-assignment, 40 hours on-job; armed: additional 16 hours initial, 8 hours annual) plus advanced tactical, rapid-response, and cybersecurity standards, adapted for a grades 5-12 non-profit serving orphans/homeless children. Training is annual, documented for 5 years (physical) and 7 years (cyber), and integrated into QRF shifts (full 4 hours, including rigorous drills at times). Standards ensure proficiency (70% pass for DPS exams, 80% for critical measures, “T” rating for rapid-response evaluations, defined as: 80% critical measures, 85% leader measures, demonstrating competence in tactical, de-escalation, and cybersecurity tasks). Conducted by DPS-registered instructors (1:10 for advanced combatives) with safety protocols (first aid kit, stretcher, first aider, no horseplay, taped scabbards for edged-weapon training). Conditions: Dynamic school environment, hybrid threats (active shooter, bullying, external, cyber), all weather/terrain, possible communication disruptions. Equipment: Combat gear, PPE (vests, gas masks), first aid (tourniquets, dressings, gauze), communications, authorized firearms (armed guards), data system components (e.g., devices, servers).

4.1 Legal and Policy Knowledge

• Legal Powers and Authority (Unarmed/Armed/Rapid-Response, 2 hours): ARS Title 13 Ch. 4 (justification, deadly force), ARS §13-3884 (citizen’s arrest), ARS §32-2601 et seq., FERPA, OSHA, Gun-Free Schools Act. Emphasize limits with vulnerable youth and PII protection (PT-1).
• Use of Force Policies (Unarmed/Armed/Rapid-Response, 2 hours): Non-deadly force (ARS §13-404); deadly only for imminent threat (ARS §13-405). Document/report; prioritize de-escalation for student safety.
• Liability Issues (Rapid-Response, 1 hour): Civil/criminal liability, indemnification (ARS §12-821), school-specific protocols, data breach liability (PM-3).
• School Safety and Cybersecurity Regulations (Unarmed/Armed, 3 hours): ADE SSP FY25, ARS HB2074 (EOP), HB2022 (bullying), FERPA (20 U.S.C. §1232g) for PII under MOU, NIST SP 800-53 controls (AC, AU, IR).
• Incident/Unified Command (Rapid-Response, 2 hours): Coordinate with local PD/Mohave County Sheriff's Office, ICS, school EOP, and data system incident response (IR-9).

4.2 Communication and Crisis Negotiation

• Tactical Communications (Unarmed/Armed/Rapid-Response, 2 hours): Active listening, radio protocols, law enforcement coordination, calm demeanor for youth, secure communication for data systems (SC-8).
• Crisis Negotiation Theory (Rapid-Response, 4 hours): Principles, legal aspects, hostage/non-hostage scenarios, methods sensitive to orphans/homeless youth.
• Active Listening and Behavioral Indicators (Unarmed/Armed/Rapid-Response, 2 hours): Identify distress, emotional cues, suicide risks in students, aligned with assessment data handling (PT-7).
• Mental Health Crisis Intervention (Unarmed/Armed/Rapid-Response, 2 hours): De-escalation, suicide deployment, coordination with clinicians for vulnerable populations, secure data access (AC-5).
• Emergency Communication Procedures (Unarmed/Armed/Rapid-Response, 1 hour): Protocols for disruptions, school alerts, early warning devices, data system alternate communications (CP-11).

4.3 Physical Fitness and Combative Skills

• Physical Fitness (Rapid-Response, Annual): Standardized fitness qualification (endurance, strength, agility) for rapid school response, including protection of data system components.
• Unarmed Combative Fundamentals (Unarmed/Armed/Rapid-Response, 8 hours): Punching, striking, kicking, blocking; stances (attention, natural, fighting); balance, power via hips/abdomen. Adapted for non-lethal student restraint.
• Advanced Unarmed Techniques (Rapid-Response, 8 hours): Lunge punch, reverse punch, upper block to elbow strike, forearm block to strike, controlled restraint holds (non-lethal for school settings).
• Edged-Weapon Defense (Rapid-Response/Armed, 4 hours): Grips (hammer, reverse, saber); slash, thrust, parry; disarm techniques; target areas (throat, heart, abdomen, kidneys) for extreme threats only.
• Impact-Weapon Training (Rapid-Response, 4 hours): Grips (overhand/underhand); whirl, slash, thrust, butt stroke; stick-based drills for aggression, adapted for restraint.

4.4 Firearms and Weapons Handling

• Basic Firearms Training (Armed, 16 hours initial, 8 hours annual): Safe handling/storage (2 hours), law/legal issues (4 hours, ARS Title 13 Ch. 4), weapon care, mental conditioning, marksmanship (50 rounds, 70% qualification), threat recognition, written test (70% pass).
• Shotgun Training (Armed, 8 hours if applicable): Safe handling, marksmanship, tactical use in school settings.
• Precision Firearms Operations (Rapid-Response, 40 hours initial, 96 hours annual): Precision targeting, target-specific fire, controlled takedowns, minimizing risk to students.
• Intermediate Weapons (Rapid-Response/Armed, 4 hours): Batons, tasers, chemical agents; safe deployment near children and data system equipment.

4.5 Tactical Operations and Movement

• Patrol and Reconnaissance (Unarmed/Armed/Rapid-Response, 4 hours): Security patrols, observation posts, entry points, perimeter security; camouflage/concealment to avoid alarming students; monitor data system components for tampering (SC-35).
• Tactical Movement (Rapid-Response, 8 hours): Light, sliding footwork; hip thrust for power; coordinated movement in classrooms/hallways.
• Breach and Entry (Rapid-Response, 8 hours): Breach and hold, dynamic entry, controlled breaching, limited penetration, rapid deployment for active shooter/hostage rescue, prioritizing child evacuation.
• Hostage Rescue and Area Clearing (Rapid-Response, 8 hours): Room clearing, securing spaces, moving adjoining areas, post-engagement protocols, ensuring student and data safety (IR-4).
• Vehicle Threat Response (Rapid-Response, 4 hours): Tactics for vehicle-based threats, high-risk service near school.
• Defensive Emplacement (Rapid-Response, 4 hours): Barriers, defensive fires, CBRN defense, adapted for school lockdown, protecting data system servers (PE-3).

4.6 Emergency Response and School-Specific Protocols

• Emergency Procedures (Unarmed/Armed/Rapid-Response, 4 hours): Active shooter response, lockdown drills, evacuation, EOP integration (ARS HB2074), child-focused for orphans/homeless youth, data system safe mode activation (CP-12).
• Bullying/Harassment Prevention (Unarmed/Armed, 4 hours): Identify, intervene, report per ARS HB2022; coordinate with threat teams, sensitive to student vulnerabilities, using assessment data insights (PT-7).
• First Aid and Tactical Medical Support (Rapid-Response, 8 hours): Standardized competencies; tourniquets, dressings, gauze; medical response for children.
• OSHA Emergency Preparedness (Unarmed/Armed, 2 hours): 29 CFR 1910.38; hazmat/bloodborne pathogens; cybersecurity incident response for data systems (IR-2).

4.7 Equipment and Technology

• PPE and Tactical Gear (Rapid-Response/Armed, 2 hours): Gas masks, shields, vests (29 CFR 1910.132); maintenance, non-intimidating use around students.
• Surveillance Technology (Rapid-Response, 4 hours): Robots/drones for surveillance/communication in crises, minimizing student distress, monitoring data system components (SC-42).
• Vehicle Operations (Rapid-Response, 4 hours): Armored/communication vehicles for containment on school perimeter.
• Early Warning Devices (Rapid-Response, 2 hours): Setup, monitoring, integration with school and data systems (SI-5).
• Data System Cybersecurity (All Personnel, 2 hours): Protect devices and servers via MDM, WPA3 encryption, and anti-tampering measures (AC-19, SC-18, SA-18).

4.8 Planning and Assessment

• Threat Assessment and Planning (Rapid-Response, 4 hours): Identify protection needs (physical and cyber), assess capabilities, mitigate shortfalls, use intelligence for rapid response, prioritize student and data safety (RA-3).
• Rehearsals and Drills (Rapid-Response, 4 hours): Rehearse response tactics, breach, emergency procedures, data system incident response; evaluate response time, child-focused scenarios (IR-3).
• Performance Evaluation (Rapid-Response, 2 hours): Use measures of effectiveness/performance; 80% critical measures, 85% leader measures, “T” rating; include cybersecurity metrics (CA-7).

4.9 Mental and Psychological Conditioning

• Mental Conditioning for High-Stress Response (Rapid-Response/Armed, 2 hours): Confidence, fear control, focus under stress, adapted for student and data protection.
• Psychological Evaluations (Rapid-Response, Annual): Suitability for school incidents involving vulnerable youth and sensitive PII (PS-9).
• State of Mind Training (Rapid-Response, 2 hours): Rhythm, timing, relaxed muscles for speed/power, calm interactions with students.

4.10 Cybersecurity Awareness and Training

• Literacy Training and Awareness (All Personnel, 2 hours): Quarterly training on phishing, insider threats, and data handling using simulations (AT-2).
• Role-Based Cybersecurity Training (All Personnel, 2 hours): Biannual modules for instructors (system supervision), clinicians (assessment data access), and guards (device monitoring), delivered via e-learning (AT-3).
• Incident Response Training (All Personnel, 1 hour): Annual FERPA breach simulations, emphasizing parental/guardian/DCS notifications (IR-2).
• Feedback and Improvement (All Personnel, 1 hour): Post-training surveys to refine responses and training clarity (AT-6).

5. Implementation and Review

• Prioritization: All actions prioritize child safety, using de-escalation-focused approaches for orphans/homeless youth and secure handling of PII.
• Training: Annual, with QRF shift integration (full 4 hours, including rigorous drills at times to maintain readiness). Cybersecurity training quarterly/biannually. Records kept 5 years (physical) and 7 years (cyber, AU-11); DPS/ADE submissions.
• Audits: Annual by DPS/ADE (physical security) and third-party auditors (data systems, CA-2); updates per legal changes.
• Incident Response: Physical and cyber incidents reported per IR-6, with parental/guardian/DCS notifications for data breaches (IR-9, PT-5).
• Contact: Security Director and Director of Information Activities for oversight and questions.