Cyber Security Policy

Updated June 17, 2025

I. Overview

A. Mission and Commitment to Data Security and Privacy

Skill Struck's core mission of promoting equity in computer science education is fundamentally reliant on the security and efficiency of our systems. We are unwavering in our commitment to being a trustworthy guardian of sensitive data. Our paramount responsibility is to safeguard the personally identifiable information (PII) of our partner schools, their administrators, teachers, and most importantly, their students. This policy outlines the comprehensive measures we employ to uphold this commitment.

B. Alignment with NIST Cybersecurity Framework and Applicable State Requirements

This document details Skill Struck's information and cybersecurity program. Our practices are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 1.1, which many state education agencies use as the reference standard for educational data privacy and security policies, and they are adjusted as that guidance and the threat landscape evolve. This policy also addresses the requirements set forth by state educational authorities governing student data privacy, such as New York Education Law § 2-d and similar state-specific mandates.

C. Program Focus Areas

Our comprehensive cybersecurity program is structured around three interconnected focus areas, each critical to establishing and maintaining a secure environment:

  • Product Security: Ensuring the security and privacy of our software applications and services from design to deployment.
  • Infrastructure Security: Protecting the underlying technology, networks, and cloud environments that support our operations.
  • IT Security: Safeguarding internal systems, devices, and user access across the organization.
D. Commitment to Continuous Improvement and Industry Best Practices

Skill Struck is dedicated to continuous improvement, recognizing that the threat landscape is constantly evolving. We regularly review and refine our security practices to incorporate current industry standards and emerging best practices. As independent assurance of our controls, Skill Struck maintains SOC 2 Type II compliance. A Type II report is a third-party audit that verifies our systems and processes meet the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy over a sustained observation period, not merely at a single point in time. This provides our partners with an additional layer of confidence in our ability to protect their sensitive data.

II. Product Security

The goal of Skill Struck's product security efforts is to clarify the security and privacy impact of new features as they are being created, enabling Skill Struck engineering to continuously improve the Skill Struck product safely and securely.

A. Secure Software Development Lifecycle (SSDLC)

Skill Struck integrates security and privacy considerations throughout the entire software development lifecycle (SDLC) to minimize vulnerabilities and protect data from the outset.

  • Threat Modeling and Security Design Reviews: We have an application security review process that applies to all new development projects and major changes to existing systems. This process includes comprehensive threat modeling and security design reviews to identify potential risks and incorporate security controls early in the design phase.
  • Secure Code Review Process: All code undergoes a secure code review process that combines automated static and dynamic analysis tools, which catch common vulnerability classes, with manual peer review of each change; high-risk code segments receive additional review by experienced software engineers.
  • Application Security Training and Secure Coding Guidelines: All new engineering hires review dedicated application security training material, which includes secure coding guidelines specific to their technology stack. This training explicitly covers best practices for protecting Personally Identifiable Information (PII) and adherence to relevant federal laws (such as the Family Educational Rights and Privacy Act (FERPA)) and similar state-specific educational data privacy laws that govern the confidentiality of PII.
B. Bug Finding and Vulnerability Management Program

Skill Struck maintains an active and responsive program to identify and manage security vulnerabilities within its products.

  • Active Platform Review and Timely Bug Fixes: A dedicated team actively reviews the Skill Struck platform daily to ensure that reported bugs, which may include security vulnerabilities, are promptly identified, triaged, and fixed. We prioritize and address critical vulnerabilities with immediate action.
  • Responsiveness to Security Inquiries: We maintain clear channels for internal and external stakeholders to report security concerns or potential vulnerabilities, and we commit to a timely and transparent response process for all such inquiries.
C. Security Features for Data Protection

Our products incorporate robust technical features designed to protect PII and ensure the confidentiality, integrity, and availability of data.

  • Data Access Controls: Access to student data is strictly limited to selected members of Skill Struck staff who have a defined business need and are FERPA certified. Our platform implements 2-factor authentication (2FA) for all administrator, teacher, and student accounts, adding a critical layer of security to user access.
  • Password Security: We enforce strong password policies, store passwords only as salted hashes produced by a purpose-built, deliberately slow password hashing function (bcrypt, scrypt, Argon2id, or PBKDF2-HMAC-SHA256; a single unsalted SHA-256 digest is not adequate for this purpose, because it permits billions of offline guesses per second against a leaked database), and rate limit login attempts to blunt brute-force attacks. reCAPTCHA is required after five failed login attempts to deter automated credential guessing.
  • Content Security Policy (CSP) Implementation: A strict Content Security Policy (CSP) is deployed across our web applications to mitigate cross-site scripting (XSS) and other code injection attacks. The policy restricts script execution to approved sources, so that injected inline or third-party JavaScript is blocked by the browser rather than executed.
  • Data Handling and Storage Practices: All student data and PII are handled in a manner fully compliant with FERPA regulations and applicable state laws. Data is logically separated in a multi-tenant environment to ensure isolation. Processing occurs in containerized environments with ephemeral credentials for data store access, further enhancing security. All data is stored exclusively within secure facilities located in the United States of America.
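The password-storage and login-throttling controls described above, shown as an added example rather than Skill Struck's own code: passwords are stored as salted scrypt hashes from Python's standard library, verification is constant-time, and a per-account counter escalates to a CAPTCHA after five failures. The scrypt cost parameters, the hypothetical `LoginThrottle` lockout thresholds beyond the five-attempt CAPTCHA trigger, and the user names are assumptions.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters (assumption: OWASP's recommended floor for interactive
# logins; tune to your hardware). Memory use is 128 * N * r bytes, 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024

CAPTCHA_AFTER = 5        # from the policy: reCAPTCHA after five failed attempts
LOCK_AFTER = 10          # assumption: temporary lockout threshold
LOCK_SECONDS = 15 * 60   # assumption: lockout duration


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted scrypt hash, serialized with its parameters so they can be raised later."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# Checked for unknown users so a missing account takes as long as a wrong password.
_DUMMY_HASH = hash_password("dummy-password-for-timing")


class LoginThrottle:
    """Per-account failure counter: requires a CAPTCHA after CAPTCHA_AFTER failures,
    then locks the account for LOCK_SECONDS once LOCK_AFTER failures are reached."""

    def __init__(self, now=time.monotonic):
        self.now = now   # injectable clock (tests pass a fixed one)
        self.failures: dict[str, tuple[int, float]] = {}

    def state(self, user: str) -> str:
        count, last = self.failures.get(user, (0, 0.0))
        if count >= LOCK_AFTER and self.now() - last < LOCK_SECONDS:
            return "locked"
        if count >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record(self, user: str, success: bool) -> None:
        if success:
            self.failures.pop(user, None)
        else:
            count, _ = self.failures.get(user, (0, 0.0))
            self.failures[user] = (count + 1, self.now())


def attempt_login(users: dict, throttle: LoginThrottle, user: str,
                  password: str, captcha_ok: bool = False) -> str:
    """Returns 'success', 'invalid', 'captcha_required' or 'locked'."""
    state = throttle.state(user)
    if state == "locked":
        return "locked"
    if state == "captcha" and not captcha_ok:
        return "captcha_required"
    # Verify first (against a dummy hash for unknown users), then check membership,
    # so the response time does not reveal whether the account exists.
    ok = verify_password(password, users.get(user, _DUMMY_HASH)) and user in users
    throttle.record(user, ok)
    return "success" if ok else "invalid"
```

The stored string carries its own cost parameters, so they can be raised for new passwords without invalidating old ones; old hashes are simply recomputed at the higher cost on the user's next successful login.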
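The kind of policy that actually blocks injected scripts, together with a check for the directives that silently defeat one, as an added example that is not code from Skill Struck: `strict_policy` builds a nonce-based CSP, and `csp_findings` parses a header and flags script sources that allow injected code, a missing `object-src 'none'`, and a missing `base-uri`. The report endpoint path, the `frame-ancestors 'none'` choice, and the sample weak header are assumptions.

```python
import secrets

# Script sources that let an attacker-injected script run.
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def new_nonce() -> str:
    """Fresh per-response nonce: 128 bits of randomness, base64url encoded."""
    return secrets.token_urlsafe(16)


def strict_policy(nonce: str, report_path: str = "/csp-report") -> str:
    """Nonce-based policy: only <script nonce=...> tags (and what they load, via
    'strict-dynamic') may execute; plugins and <base> hijacking are closed off."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
        "frame-ancestors 'none'",       # assumption: the application is never framed
        f"report-uri {report_path}",    # assumption: endpoint that receives violation reports
    ])


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(header: str) -> list:
    """Human-readable weaknesses in a CSP header; an empty list means no finding."""
    policy = parse_csp(header)
    findings = []

    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src and no default-src: scripts from any origin may run")
    else:
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script)
        for src in script:
            # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present,
            # so it is only a finding when it actually takes effect.
            if src == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if src in UNSAFE_SCRIPT_SOURCES:
                findings.append(f"script-src allows {src}: injected script can execute")

    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be used to run code")

    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")

    return findings
```

Run `csp_findings` against the `Content-Security-Policy` header each deployment actually serves, not the one in the source tree; a CDN or reverse proxy that appends `'unsafe-inline'` for a legacy widget is a common way a strict policy degrades unnoticed.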
III. Infrastructure Security

Skill Struck's infrastructure security efforts are dedicated to protecting the underlying systems and networks that support our applications and store sensitive data. This includes robust controls for our cloud environment, change management, and ensuring high availability and disaster recovery capabilities.

A. Cloud Infrastructure Security

Skill Struck's services are hosted on Amazon Web Services (AWS), whose infrastructure holds a broad set of independent security certifications and attestations. Under the AWS shared responsibility model, AWS secures the physical facilities, hardware, and virtualization layer, while Skill Struck remains responsible for the secure configuration of the services it runs there; we follow AWS's published security best practices in meeting that responsibility.

B. Change Management Process

To maintain the integrity and stability of our production environment, Skill Struck employs a formal and rigorous change management process for all infrastructure modifications and code deployments.

  • Controlled Deployment: All code changes are subject to strict source code control, peer code review, and continuous integration/continuous deployment (CI/CD) pipelines.
  • Logging and Alerts: Comprehensive logging is enabled for all changes and deployments, with automated alerting mechanisms in place to flag any anomalies or potential security issues.
  • Automated Deployment with Reliability and Rollback: Our deployment processes are fully automated, incorporating reliability detection mechanisms to ensure stability. In the event of an unforeseen issue, robust rollback capabilities are in place to quickly revert to a stable state, minimizing potential impact.
C. Availability and Disaster Recovery

Skill Struck is committed to ensuring the continuous availability of our services and the rapid recovery of data in the event of a disruptive incident.

  • High Uptime Commitment: We strive for and maintain a high uptime for our services, leveraging resilient architecture and proactive monitoring.
  • DDoS Protection: We serve our applications through Amazon CloudFront, AWS's content delivery network, which is protected by AWS Shield Standard. This absorbs volumetric and protocol-level Distributed Denial of Service (DDoS) attacks at the edge, preserving the availability and performance of our applications under malicious traffic conditions.
  • Resiliency: Our disaster recovery plan follows AWS best practices and deploys services across multiple AWS Availability Zones, each a physically separate group of data centers with independent power, cooling, and networking. This provides fault tolerance and continuous operation if one or more zones fail. Availability Zones sit within a single AWS region, so this architecture protects against zone-level failures rather than the loss of an entire region.
  • Data Backups: Data backups are generated regularly and stored securely offsite. All backups are encrypted using industry-standard cryptography. Backups are subjected to secure deletion processes when they become obsolete, with data retention policies ensuring backups are not retained longer than 60 days, or as contractually agreed upon with the Educational Agency.
D. Data Encryption

Skill Struck employs robust encryption practices to protect Personally Identifiable Information (PII) both while it is being transmitted and while it is stored.

  • Encryption In Transit: All PII transmitted outside of Skill Struck's private network is encrypted using current versions of Transport Layer Security (TLS 1.2 or later). The legacy SSL protocols and TLS 1.0/1.1 are deprecated and are not relied upon.
  • Encryption At Rest: PII stored within Skill Struck's private network and cloud environments is encrypted at rest using AES-256.
  • Key Management: Encryption keys, and the access controls governing their use, are regularly audited, rotated, and managed securely to prevent unauthorized access to key material.
E. Network Isolation

Skill Struck implements strong network segmentation and access controls to minimize the attack surface and prevent unauthorized access to sensitive systems.

  • Virtual Private Cloud (VPC): Our services operate within a Virtual Private Cloud (VPC), providing a logically isolated network environment within AWS.
  • Port Blocking: Inbound network access is denied by default and opened only for the ports each service requires (in AWS, enforced through VPC security groups and network ACLs), limiting potential entry points into our network.
  • Multi-Factor Authentication (MFA) for Production Access: Access to our production network is strictly limited to authorized personnel with a defined business need, and all such access requires multi-factor authentication (MFA).
  • Bastion Host: Access to the production network is further secured through a bastion SSH host, which acts as a jump server, providing an additional layer of security and logging for administrative access.
F. Centralized Logging

Skill Struck maintains comprehensive, centralized logging to enable effective security monitoring, auditing, and incident investigation.

  • Event Logging: We capture and retain detailed logs for product events, infrastructure activities, and all access control attempts.
  • Integrity and Access Control: These logs are tightly access-controlled and integrity-protected to prevent tampering.
  • Archival: Log backups are securely archived for a defined retention period to support forensic analysis and compliance requirements. All elevated (privileged) system-level actions in production are logged.
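One way to make a log stream tamper-evident, shown as an added example and not as a description of Skill Struck's logging pipeline: each record carries an HMAC over its contents and the previous record's tag, so editing, deleting, or reordering any record breaks the chain, and comparing the final tag against a copy kept on a separate system detects truncation. The key, the sample bastion and sudo records, and the field names are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # tag that precedes the first record


def _tag(key: bytes, prev: str, body: dict) -> str:
    """HMAC-SHA256 over the previous tag and a canonical JSON form of the record."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev.encode("ascii") + b"\n" + payload, hashlib.sha256).hexdigest()


def chain_records(key: bytes, records: list) -> list:
    """Return copies of records with 'prev' and 'tag' fields linking each to its predecessor."""
    chained, prev = [], GENESIS
    for record in records:
        body = dict(record, prev=prev)
        tag = _tag(key, prev, body)
        chained.append(dict(body, tag=tag))
        prev = tag
    return chained


def verify_chain(key: bytes, chained: list, anchor: str) -> tuple:
    """(True, -1) if intact; otherwise (False, index of the first record that fails).
    anchor is the last tag as stored on a separate system; a mismatch after every
    record verifies means trailing records were removed."""
    prev = GENESIS
    for i, record in enumerate(chained):
        body = {k: v for k, v in record.items() if k != "tag"}
        if record.get("prev") != prev or not hmac.compare_digest(
                _tag(key, prev, body), record.get("tag", "")):
            return False, i
        prev = record["tag"]
    if not hmac.compare_digest(prev, anchor):
        return False, len(chained)
    return True, -1


# Constructed sample records of the kind the policy says are logged:
# bastion access and privileged actions.
SAMPLE_RECORDS = [
    {"ts": "2025-06-17T14:02:11Z", "host": "bastion", "actor": "alice",
     "event": "ssh_login", "mfa": True},
    {"ts": "2025-06-17T14:03:40Z", "host": "app-1", "actor": "alice",
     "event": "sudo", "cmd": "systemctl restart app"},
    {"ts": "2025-06-17T14:10:05Z", "host": "bastion", "actor": "mallory",
     "event": "ssh_login_failed"},
]
```

The HMAC key must live with the log collector, not on the hosts that emit records; an attacker with root on a production host can then forge new records but cannot rewrite history the collector has already sealed, and the off-host anchor is what turns a silently truncated file into a detectable finding.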
G. Threat Detection

Skill Struck proactively identifies and responds to potential security threats through continuous monitoring and analysis.

  • Monitoring and Alerting: We maintain sophisticated monitoring, alerting, and response processes designed to detect suspicious activity occurring in our infrastructure and applications in real-time.
  • Testing Detection Processes: To ensure the effectiveness of our detection mechanisms, Skill Struck regularly conducts various forms of testing, including but not limited to, penetration testing, vulnerability scanning, and red teaming exercises, simulating real-world attack scenarios. This proactive testing validates our ability to identify and respond to anomalous events.
H. Secure Secret Storage

Skill Struck uses purpose-built secret management tools for storing and transferring sensitive data such as passphrases, API keys, and other credentials. Secrets are never placed in source code repositories, chat, e-mail, or plaintext configuration files.

I. Patch Management

Skill Struck maintains a rigorous patch management program to ensure all systems and software are up-to-date with the latest security fixes.

  • Regular Updates: We regularly update our operating system images, container images, language runtimes, and language libraries to the latest known supported and secure versions. This includes applying security patches and updates promptly to mitigate known vulnerabilities.
IV. IT Security

Skill Struck's IT Security program focuses on securing the internal systems, devices, and user access within our organization, ensuring that our employees operate within a secure framework.

A. Policies and Standards

Skill Struck maintains clear and comprehensive policies and standards that govern information security practices across the organization.

  • Information Security Policy: Our overarching Information Security Policy is readily accessible to all employees via the Employee Portal. This policy outlines the principles, responsibilities, and practices required to protect Skill Struck's information assets.
  • Data Classification Standard: A detailed Data Classification Standard is in place, which defines different types of data based on their sensitivity and impact, and prescribes appropriate handling, storage, and access controls for each classification level.
B. Device Policies

To protect sensitive data accessed or stored on employee devices, Skill Struck enforces strict device security policies.

  • Full Disk Encryption: All company-issued devices that access or store sensitive data are mandated to utilize full disk encryption to protect data at rest in the event of loss or theft.
  • Screen Locks: Devices are configured to automatically lock screens after a period of inactivity, requiring re-authentication to prevent unauthorized access.
  • Remote Wipe Capabilities: For devices that access sensitive data, remote wipe capabilities are enabled, allowing for the secure erasure of data if a device is lost, stolen, or compromised.
  • Permitted Software: Policies are in place to control and monitor the installation of software on company devices, permitting only approved applications to minimize security risks and ensure compliance.
C. Account Policies

Skill Struck implements rigorous account policies to ensure secure user authentication and minimize the risk of unauthorized access.

  • Secure Password Management: Employees are required to adhere to secure password generation guidelines, including complexity requirements and regular rotation (NIST SP 800-63B recommends rotating passwords on evidence of compromise rather than on a fixed schedule, and treats length as more important than composition rules). The use of approved password managers is encouraged so that every account has a strong, unique password.
  • Multi-Factor Authentication (MFA) Mandate: Multi-Factor Authentication (MFA) is mandated for all sensitive internal systems and applications, significantly enhancing account security beyond traditional passwords.
  • OAuth Policies: Where applicable, we implement secure OAuth (Open Authorization) policies for third-party integrations, ensuring secure delegation of access without sharing direct credentials.
  • Phishing Avoidance Training: Regular training is provided to educate employees on recognizing and avoiding phishing attempts and other social engineering attacks, which are common vectors for account compromise.
  • Automated Account Activation/Deactivation: User accounts are provisioned and de-provisioned through automated processes linked to employee onboarding and offboarding procedures. This ensures timely removal of access upon separation and prevents orphaned accounts.
D. Security Training

Skill Struck prioritizes robust security education to ensure all personnel are equipped to protect sensitive information and adhere to privacy regulations.

  • Comprehensive Security Awareness Training: All Skill Struck employees are required to complete comprehensive security awareness training during their onboarding process. This training is reinforced with regular refresher training for existing employees, ensuring a continuous understanding of evolving threats and best practices.
  • Explicit Inclusion of PII Confidentiality Laws: Our security training explicitly covers relevant federal laws (such as the Family Educational Rights and Privacy Act (FERPA)) and applicable state laws that govern the confidentiality of Personally Identifiable Information (PII). This ensures that all employees understand their legal obligations regarding student data privacy.
E. Third-Party Software and Subcontractor Management

Skill Struck maintains a stringent process for managing third-party software and engaging subcontractors to ensure alignment with our security and privacy standards.

  • Security Review Process for New Services: A thorough third-party software security review process must be completed and approved before using any new services within our organization or on official, company-owned devices. The level of verification conducted is commensurate with the risk profile of the service.
  • Contractual Obligations for Subcontractors: All subcontractors engaged in the provision of services under any contract are bound by written agreements that explicitly outline the same rigorous data security, privacy, and incident reporting requirements as those applicable to Skill Struck. These agreements specifically include adherence to all relevant federal and state laws governing the confidentiality of PII and mandate timely reporting of any security incidents or breaches.
F. Background Checks and Confidentiality Agreements for Employees

As a fundamental administrative safeguard, Skill Struck conducts criminal background checks for all prospective employees. Furthermore, all employees are required to sign comprehensive confidentiality agreements that legally bind them to protect confidential information, including PII, accessed during their employment.

G. Cyber Insurance Coverage

Skill Struck maintains robust cyber insurance coverage to mitigate financial risks associated with cybersecurity incidents. This coverage is regularly reviewed and can be tailored to meet specific requirements of partner schools and districts, demonstrating our commitment to comprehensive risk management and accountability.

V. Data Security and Privacy Incident Management and Response

Skill Struck has established a comprehensive Cyber Incident Management and Response Plan to effectively identify, manage, and respond to data security and privacy incidents, including breaches and unauthorized disclosures involving Personally Identifiable Information (PII). Our plan ensures compliance with legal and contractual obligations, prioritizing the rapid containment and remediation of incidents.

A. Incident Identification

Proactive measures are in place to detect anomalous activities and potential security incidents.

  • Monitoring and Alerting Systems: Skill Struck maintains a centralized log for product and infrastructure events and metrics. This logging is coupled with advanced monitoring, alerting, and response processes designed to identify suspicious activity occurring within our infrastructure and applications in real-time.
  • Bug Finding Program: An active and dedicated program continuously reviews the Skill Struck platform to ensure that reported bugs, which may indicate underlying vulnerabilities, are promptly identified, triaged, and addressed. This proactive approach helps to discover and remediate potential security weaknesses before they can be exploited.
B. Incident Response Plan Execution

In the event of a detected or suspected data security and privacy incident, Skill Struck will execute its formal incident response plan, which includes structured procedures for containment, analysis, notification, and recovery.

  • Notification Timeline and Method to Educational Agency (EA): In the event of unauthorized access to or obtainment of student data or other PII, Skill Struck will provide notification to the school's authorized representatives within a reasonable amount of time, not to exceed forty-eight (48) hours following the discovery of the breach. Notification will be provided via both email and a phone call to ensure immediate awareness.
  • Initial Security Deficiency Resolution: Immediately following the discovery of any breach or security deficiency, Skill Struck's security team will prioritize addressing and resolving the security deficiency accordingly, working to contain the incident and prevent further unauthorized access or disclosure.
  • Notification Content ("Notice of Data Breach for Skill Struck"): The formal notification, titled "Notice of Data Breach for Skill Struck," will be written in plain language and include, at a minimum, the following information:
    • "What Happened" (a general description of the incident).
    • "What Information Was Involved" (a list of PII types believed to be subject to the breach).
    • "What We Are Doing" (actions taken by Skill Struck to mitigate the breach and protect affected individuals).
    • "What You Can Do" (advice on protective steps individuals can take, if applicable).
    • "For More Information" (contact information for the authorized school representative for further inquiries).
    • The date of the breach (or estimated date/range) and the date of the notice.
    • Whether notification was delayed due to a law enforcement investigation.
  • Adherence to Applicable State and Federal Laws: Skill Struck adheres to all requirements in applicable state and federal law with respect to data breaches, including notification obligations, mitigation efforts, and coordination with law enforcement agencies when legally required or deemed necessary.
  • Protocol for Direct Parent/Guardian/Pupil Contact: Skill Struck will not directly contact parents, legal guardians, or eligible pupils unless expressly requested to do so by an authorized school representative. If such a request is made, the head Skill Struck IT manager will facilitate contact via email or phone as directed.
  • Reimbursement for Notification Costs: If a data breach did not originate from the school's use of Skill Struck's service, Skill Struck will reimburse the school for reasonable notification costs upon proof of expenses.
  • Cooperation with School: In the event of a breach originating from the school's use of Skill Struck's service, Skill Struck will cooperate fully with the school to expeditiously secure student data and assist in remediation efforts.
  • Post-Incident Review and Continuous Improvement: Following each data security breach or significant incident, a thorough post-incident review will be conducted on a case-by-case basis. This review includes a detailed inspection of our data security measures, directed by Skill Struck's security director, to identify root causes and areas for enhancement.
    • Incorporating Lessons Learned (Detection/Response): Lessons learned from current and previous detection and response activities are meticulously documented and integrated into our processes, ensuring continuous improvement in our ability to identify, contain, and remediate future incidents.
    • Incorporating Lessons Learned (Recovery): Similarly, insights gained from recovery efforts are explicitly incorporated into our recovery planning and processes, strengthening our resilience and ability to restore systems and data effectively and efficiently after an incident.
VI. Data Transition and Secure Destruction

Skill Struck is committed to ensuring the secure and responsible handling of Personally Identifiable Information (PII) throughout its lifecycle, including the secure transition of data back to the Educational Agency (EA) and the secure destruction of data when it is no longer required.

A. Data Transition Process Upon Contract Termination or When Data is No Longer Needed

Upon the termination or expiration of a contract, or when PII is no longer needed for the purposes for which it was transferred, Skill Struck will facilitate the secure transition of all relevant PII back to the Educational Agency.

  • Secure Data Return: Skill Struck will work collaboratively with the EA to securely return all PII. This will typically involve methods such as encrypted file transfers via secure file transfer protocol (SFTP) or secure cloud-to-cloud transfers, ensuring that data integrity and confidentiality are maintained during transit.
  • Agreed-Upon Data Format: The data will be provided in a mutually agreed-upon format that is easily usable and compatible with the EA's systems, as specified in the contract or through subsequent agreement.
  • Provision of Documentation: Skill Struck will provide necessary documentation regarding the data format, structure, and any required decryption keys or access procedures to facilitate the EA's reintegration of the data.
  • Commitment to Providing Written Certification of Secure Destruction: Following the successful transition of data, Skill Struck will provide written certification of the secure destruction of all copies of PII remaining on Skill Struck's systems, including backups, and any systems of its subcontractors, as detailed in the secure destruction practices below.
B. Secure Destruction Practices

Skill Struck employs robust secure data destruction methods to ensure that PII is rendered unrecoverable when it is no longer needed, aligning with industry best practices and standards such as NIST Special Publication 800-88 Revision 1 Guidelines for Media Sanitization.

  • Methods for Digital Data: For digital media, including hard drives, solid-state drives, and cloud storage, data is sanitized using methods that NIST SP 800-88 Rev. 1 recognizes for the media type. Cryptographic erasure (destroying the key under which the data was encrypted) is the Purge-level method appropriate for solid-state and cloud storage, where overwriting cannot be guaranteed to reach every physical block. For magnetic hard drives, overwriting is a Clear-level method, and under NIST 800-88 Rev. 1 a single verified pass suffices on modern drives. For data stored in cloud environments, this means using the cloud provider's documented secure deletion services.
  • Methods for Physical Media: Any physical media containing PII, if applicable, will be physically destroyed through methods such as shredding, pulverizing, or incineration, ensuring that the data cannot be reconstructed.
  • Timeliness of Destruction: PII will be securely destroyed within a specified timeframe after it is no longer needed for contractual obligations or legal retention requirements, adhering strictly to agreed-upon data retention schedules.
C. Certification of Destruction

Upon the secure destruction of PII, Skill Struck will provide the Educational Agency with a formal "Certificate of Destruction." This certificate will serve as official confirmation that all specified PII has been securely and irreversibly destroyed. The certificate will include:

  • A clear statement confirming that all specified PII has been securely destroyed from all Skill Struck systems (including backups) and any subcontractor systems.
  • The exact date of destruction.
  • A description of the secure methods of destruction employed.
  • A statement of compliance with applicable laws and industry standards for data sanitization.
  • The signature of an authorized Skill Struck official, verifying the completion of the destruction process.
VII. Parents' Bill of Rights for Data Privacy and Security

Skill Struck is deeply committed to upholding the privacy and security of student data. This commitment is reflected in our adherence to all applicable laws and regulations, including relevant state education laws concerning data privacy. This section outlines the fundamental rights afforded to parents, legal guardians, and eligible pupils regarding the privacy and security of Personally Identifiable Information (PII).

A. Commitment to Protecting PII Confidentiality

Skill Struck is unwavering in its commitment to protect the confidentiality of information that identifies your child. Such information, which includes student-specific data, is known as "personally identifiable information" (PII). Under Skill Struck's Cyber Security Policy, which is rigorously aligned with applicable state education laws concerning data privacy, we ensure that PII is handled with the utmost care and security.

B. Rights of Parents, Legal Guardians, and Eligible Pupils

If you are a parent or legal guardian of a child in any school district utilizing Skill Struck's services, or an eligible pupil, you have the following fundamental rights concerning the privacy and security of your child's PII and data:

  • Prohibition of Commercial Use: Your child's personally identifiable information cannot be sold or released for any commercial purposes whatsoever by Skill Struck.
  • Right to Inspect and Review Education Records: If your child is under the age of eighteen (18), you have the right to inspect and review the complete contents of your child's education records maintained by Skill Struck.
  • Mandatory Safeguards: Robust safeguards must be in place to protect your child's personally identifiable data when it is stored or transferred. These safeguards, as detailed throughout this policy, meet and often exceed industry standards and best practices. Examples of such safeguards include, but are not limited to, encryption (both in transit and at rest), the use of firewalls, and strong password protection mechanisms.
  • Right to Lodge Complaints: You have the right to make complaints about possible breaches of student data or other privacy concerns related to PII, and to have such complaints addressed promptly and thoroughly by Skill Struck.
VIII. Contact Information

For any questions, concerns, or to lodge a complaint regarding this Cyber Security Policy, data privacy, or the security of Personally Identifiable Information (PII), please contact our Chief Privacy Officer:

Chief Privacy Officer
Skill Struck, Inc.
826 Expressway Lane PMB 816
Spanish Fork, UT 84660

E-mail: legal@skillstruck.com
Telephone: (801) 251-6787

IX. Appendix: NIST CSF v1.1 Alignment Table

This section serves as a high-level overview of Skill Struck's alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 1.1. The comprehensive table, detailing our practices across the five core functions—Identify, Protect, Detect, Respond, and Recover—is provided as a separate appendix to this policy. This detailed alignment demonstrates how our various security controls, including our SOC2 Type 2 compliance, contribute to meeting the objectives of the NIST CSF and the requirements set forth throughout this policy document.